Trustix Security Advisor | 1 Oct 16:15 2004

TSLSA-2004-0051 - samba


--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0051

Package name:      samba
Summary:           access files outside of defined path
Date:              2004-10-01
Affected versions: Trustix Secure Linux 1.5
                   Trustix Secure Linux 2.0

--------------------------------------------------------------------------
Package description:
  Samba provides an SMB server which can be used to provide network
  services to SMB (sometimes called "Lan Manager") clients, including
  various versions of MS Windows, OS/2, and other Linux machines. Samba
  uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI
  (Microsoft Raw NetBIOS frame) protocol. Samba-2 features an almost
  working NT Domain Control capability and includes the new SWAT (Samba
  Web Administration Tool) that allows samba's smb.conf file to be
  remotely managed using your favourite web browser.

Problem description:
  A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and
  Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to
  files which exist outside of the share's defined path. Such files must
  still be readable by the account used for the connection.

  This has been assigned CAN-2004-0815 by the CVE.

Action:
(Continue reading)

Ahmad Muammar | 1 Oct 06:21 2004

Multiple Vulnerabilities in AJ-Fork


ECHO_ADV_07$2004

---------------------------------------------------------------------------
               Multiple Vulnerabilities in AJ-Fork
---------------------------------------------------------------------------

Author: y3dips
Date: September 23rd, 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv07-y3dips-2004.txt


---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AJ-Fork is, as the name implies - a fork. Based on the CuteNews 1.3.1 core,
the aim of the project is to improve what can be improved, and extend what
can be extended without adding too much bloat (in fierce opposition to the
mainstream blogging/light publishing tools of today). The project aims to
be backwards-compatible with CuteNews in what areas are sensible.

version : AJ-Fork v. 167
web : http://appelsinjuice.org


---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~
(Continue reading)

James McGlinn | 1 Oct 06:02 2004

SQL Injection vulnerability in bBlog 0.7.3

Servers.co.nz Security Advisory SCN200409-1
Available in HTML format at 
http://www.servers.co.nz/security/SCN200409-1.php
------------------------------------------------------------

SQL Injection vulnerability in bBlog 0.7.3

Author: James McGlinn, Servers.co.nz Ltd <james_at_servers dot co dot nz>
Discovery Date: September 28, 2004
Package: bBlog
Versions Affected: 0.7.2, 0.7.3
Severity: Severe - a remote user can gain administrative privileges.

------------------------------------------------------------

Problem: There is an SQL Injection vulnerability in versions of bBlog 
prior to 0.7.3, which can be exploited to gain administrative access if 
register_globals is enabled on the web server.

Introduction: bBlog is a blogging system written in PHP and released 
under the GPL. It is used by thousands of bloggers worldwide and has 
features not found on other blogging systems including advanced comment 
spam prevention and threaded comments.

Discussion: The array $p is not initialised before being populated and 
passed to $bBlog->make_post_query() on line 30 of rss.php. In an 
environment where register_globals is enabled, $p can be introduced to 
the script with unfiltered elements from user input.

(Continue reading)

Marc Maiffret | 1 Oct 19:37 2004

EEYE: RealPlayer pnen3260.dll Heap Overflow

RealPlayer pnen3260.dll Heap Overflow

Release Date:
October 1, 2004

Date Reported:
August 09, 2004

Severity:
High (Remote Code Execution)

Vendor:
RealNetworks

Systems Affected:
Windows:
RealPlayer 10.5 (6.0.12.1040 and earlier)
RealPlayer 10
RealPlayer 8 (Local Playback)
RealOne Player V2
RealOne Player V1

Mac Player:
RealPlayer 10 Beta for Mac OS X (Local Playback)
RealOne Player (Local Playback)

Linux Player:
Linux RealPlayer 10 (Local Playback)
Helix Player (Local Playback)

(Continue reading)

Luigi Auriemma | 1 Oct 21:24 2004

Broadcast buffer-overflow in Vypress Messenger 3.5.1


#######################################################################

                             Luigi Auriemma

Application:  Vypress Messenger
              http://www.vypress.com/products/messenger/
Versions:     <= 3.5.1
Platforms:    Windows
Bug:          buffer overflow
Risk:         critical
Exploitation: remote, broadcast
Date:         01 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi <at> altervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

(Continue reading)

Babar Shafiq Nazmi | 1 Oct 12:29 2004

Re: Possible GDI Exploit Vector

I tried to put a jpeg in my profile pic and in emotion panel for
testing the same on msn 6 which is created by GDI flaw(remote shell
binding code), but msn 6 complains about the jpeg image.
(The image can't be displayed or resized, Please try again,or select
another image)
That's why I don't think msn6 uses GDI to render images in display and in emotions.
But I can send the infected image to people who are not using updated
Antivirus/patched by file transfers. This is still dangerous.

Babar Shafiq

On 29 Sep 2004 09:26:19 -0000, james_love <at> agilent.com
<james_love <at> agilent.com> wrote:
> 
> 
> Does anyone know if MSN Messenger 6 uses GDI+ to render jpeg images that appear as the profile images you see
> in MSN 6 Chat windows? If so, this could provide an extremely fast way to propagate a worm using the GDI+
> flaw. All you would need to do to start it off is set the crafted image as your profile picture, start
> conversations with people you know have MSN6 installed, and, if by default they display the other users'
> profile picture, their machine would process the image and carry out any nasty deeds the image has
> within it (if the machine's not patched).
> 
> For the worm to propagate, it would need to craft its code into the current user's profile picture, and every
> time the infected user started a conversation with someone, it would spread as soon as the other user
> viewed the profile picture within the chat window.
> 
> The speed of spread would be enormous, granted that most people don't have up to date virus
> scanners/definitions and have not patched their machines. Plus it would be nearly impossible to
> determine where the virus came from, where it started off.
> 
(Continue reading)

Greg A. Woods | 1 Oct 19:26 2004

Re: cdrecord local root exploit

[ On Tuesday, September 28, 2004 at 01:22:17 (-0500), Jason T. Miller wrote: ]
> Subject: Re: cdrecord local root exploit
>
> The notion that a program must be root if an ordinary user doesn't have
> the necessary permissions by default is a dangerous one.

Very well said.

I really liked your way of presenting the idea of a setuid proxy too.
Not very many texts on secure programming techniques are so lucid.

Even those of us who've been trying to practice secure programming
techniques (esp. on unix-like systems, i.e. those using setuid), have
had tremendous difficulty implementing the principle of least privilege.

I can usually get as far as designing my code in the manner of your
outline for something like cdrecord where a program needs certain
privileges to open a device file and where only certain users should be
allowed to run that program.

However with the limitations of file and process ACL technology present
in most unix-like systems following this principle gets a lot more
difficult if, for example, you want to have a second limited group of
users be able to write to a configuration file for the program, but not
make it possible for the program itself to write to any of its
configuration files (e.g. if it were to suffer a buffer overflow and
give its privileges to an attacker).  As far as I've ever been able to
figure out it's almost impossible to do this on unix-like systems if you
also need to protect the content of the configuration file from prying
eyes (i.e. not be "other"-readable).  It might be possible to do
(Continue reading)

newbug Tseng | 1 Oct 21:05 2004

Re: cdrdao local root exploit

In-Reply-To: <1157225765.20040907131857 <at> SECURITY.NNOV.RU>

The vuln still exists in cdrdao 1.1.9-5mdk + Mandrake 10 (beta 2).
I think cdrdao should drop root permission before saving the config.
[newbug <at> localhost tmp]$ ls -al /blah
ls: /blah: No such file or directory
[newbug <at> localhost tmp]$ ln -s /blah .cdrdao
[newbug <at> localhost tmp]$ rpm -qf `which cdrdao`
cdrdao-1.1.9-5mdk
[newbug <at> localhost tmp]$ cdrdao blank --save
.
.
.
[newbug <at> localhost tmp]$ ls -al /blah
-rw-rw-r--  1 root cdwriter 32 10月  2 10:41 /blah
[newbug <at> localhost tmp]$

newbug Tseng

(Continue reading)

MDKSA-2004:104 - Updated samba packages fix vulnerability


 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           samba
 Advisory ID:            MDKSA-2004:104
 Date:                   October 1st, 2004

 Affected versions:	 9.2, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 Karol Wiesek discovered a bug in the input validation routines used to
 convert DOS path names to path names on the Samba host's file system.
 This bug can be exploited to gain access to files outside of the
 share's path as defined in the smb.conf configuration file.  This
 vulnerability exists in all samba 2.2.x versions up to and including
 2.2.11 and also in samba 3.0.x up to and including 3.0.5.

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0815
 ______________________________________________________________________

(Continue reading)
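Both the Trustix and Mandrakelinux advisories above describe a flaw in the routine that turns a client-supplied DOS path into a path on the host. As an added example, not Samba's own code, this is the kind of lexical check that conversion has to make: every "." and ".." component is resolved before the path is joined to the share root, and a path that would climb above the root is rejected. share_root is assumed to be the absolute "path =" value from smb.conf.

```c
/* Added example, not Samba's code: lexically canonicalise a client-supplied
 * DOS path under a share root and refuse any result that escapes the root.
 * share_root is assumed to be the absolute "path =" value from smb.conf. */
#include <string.h>

#define MAX_COMPONENTS 256

/* Returns 1 and writes "<share_root>/a/b" into out on success, 0 if the
 * DOS path climbs above the share root, has too many components, or does
 * not fit in outlen bytes. */
int dos_to_share_path(const char *share_root, const char *dos_path,
                      char *out, size_t outlen)
{
    const char *comps[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    int depth = 0;
    const char *p = dos_path;

    while (*p) {
        while (*p == '\\' || *p == '/') p++;   /* accept both separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '\\' && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.') continue;            /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;   /* ".." would leave the share */
            depth--;                    /* otherwise it cancels a component */
            continue;
        }
        if (depth == MAX_COMPONENTS) return 0;
        comps[depth] = start;
        lens[depth] = n;
        depth++;
    }

    /* rebuild the surviving components under share_root with '/' */
    size_t used = strlen(share_root);
    if (used + 1 > outlen) return 0;
    memcpy(out, share_root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, comps[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}
```

This is a purely lexical check; symlinks inside the share are a separate concern, controlled in Samba by the "follow symlinks" and "wide links" smb.conf options.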

Brandon Petty | 1 Oct 19:55 2004

Re: Oracle 9i Union Flaw

In-Reply-To: <20040930224011.21783.qmail <at> www.securityfocus.com>

>A fellow student, here at UMR, has tested the MSAccess 2K/XP Union Flaw 

If you are wondering about the Access Union Flaw... I posted something that was, for the most part,
incorrect about Access and how it handles Unions.  There are a few quirks... but nothing that should have
been posted.  Mainly, my bad.

I still think that if you are going to union two fields... that the results should not be stored under one of
those fields headings if they are different.  Like doing a union on Login and Password.  It would be best to
return the results under something like LoginKey instead of Login.  That way if I do an SQL Injection by
using the ever popular Union operator... I know that I am not going to return other data if I print out the
contents of the Login results.  This of course would have to be done by the dbs.

The issue with Oracle 9i not allowing you to mismatch more than two fields is still strange.  I don't
remember what the exact errors were.  This could be a flaw in Oracle... but I have not looked into this.  I
wouldn't think it would matter how many differing fields you union on.  But then again... I really haven't
looked into Oracle to say too much.

