SecurityTracker Monday Morning Vulnerability Summary - Feb 4 2002
http://www.securitytracker.com

Get a FREE trial!

SecurityTracker is offering a premium, subscription-based Vulnerability Notification Service to help you keep track of the absolute latest vulnerabilities and their patches, fixes, and workarounds. With this service, you can specify one or more profiles to indicate which technologies, vendors, and types of vulnerabilities you are interested in. Then, when we learn of a vulnerability or a patch that matches your profile, we'll send you an instant e-mail notification. Our service features a 24 x 7 x 365 real-time vulnerability feed, customized alerts, expert analysis, and tailored content.

An exclusive discount is available for subscribers to this newsletter. We invite all qualified organizations to apply for a free trial subscription:
http://securitytracker.com/server/info?3551+learn/premium.html

------------------------------------------------------------

If you run a web site and would like to publish SecurityTracker vulnerability headlines on your web site for free, then join our Affiliate Program:
http://www.securitytracker.com/learn/affiliate.html

You can help us defray the costs of distributing this newsletter by sponsoring this newsletter. We'll insert a brief sponsorship message in return. For more information, please contact us via e-mail: sponsor@securitytracker.com

Subscriptions to this newsletter are available for free. Just visit our web site to sign up:
http://www.securitytracker.com/signup/signup_now.html

As always, if you discover a bug, let us know by e-mail at: bugs@securitytracker.com

------------------------------------------------------------------------

In This Week's SecurityTracker Vulnerability Summary

SecurityTracker Alerts: 36

Vendors:
Calmejane, Christophe - Cisco - CNET - Compaq - Daniels, Paul L. - DCScripts - Etype - Ganglia.sourceforge.net - HostingController.com - IBM - Infopop - Intel - Microsoft - NETGEAR - NetScreen - Network Associates - Novell - SAP - SAS Institute Inc. - Silicon Graphics - Sony - Sun - Symantec - Tarantella, Inc. - TOLIS Group, Inc. - User-mode-linux.sourceforge.net - Xinet - Xoops.sourceforge.net - [Multiple Authors/Vendors]

Products:
Agora.cgi - BRU - Catalyst Switch - CNET CatchUp - DCForum - Distributed Transaction Coordinator (MSDTC) - Domino/Notes (Lotus) - EServ - Ganglia - Hosting Controller - Intel PRO/Wireless LAN Series - Java Runtime Environment (JRE) - Jgroff - NETGEAR Router - NetWare NDS for NT - Norton Anti-Virus - PhpSmsSend - RipMIME - SAP GUI - SAS - Job Spawner (sastcp) - ScreenOS - SGI O2 Workstation - Site Server (Microsoft) - Tac_plus - Tarantella - TCP Stack Implementation - UBBThreads - User-Mode Linux - ...

Headlines:

1. NETGEAR Router Web Content Filtering Mechanism Can Be Bypassed By Remote Users With Certain Malformed HTTP GET Requests
2. McAfee VirusScan Fails to Scan Files With Certain Types of Long NTFS File Path Names
3. Symantec's Norton Anti-Virus Fails to Scan Files With Certain Types of Long NTFS File Path Names
4. Compaq Tru64 Networking Stack Allows Remote Users to Cause Connections to Freeze
5. SAP GUI Can Be Crashed By Remote Users Connecting to the GUI's Listening Port
6. Jgroff pic Utility Format String Vulnerability Allows Remote Users to Execute Arbitrary Commands on the Server with 'lp' User Privileges
7. RipMIME MIME Decoder Buffer Overflow Allows For Code Execution During Decoding
8. UBBThreads Bulletin Board Application Lets Remote Users With Accounts on the Bulletin Board Upload Files With Prohibited Extensions, Including PHP Scripts Which Can Subsequently Be Executed on the System
9. Microsoft Windows NT 4.0 and Windows 2000 Domain Controllers May Give Elevated Privileges to Remote Users Who Are Valid Administrators on Other Trusted Domains
10. CNET Catchup Software Update Utility Lets Remote Users Execute Arbitrary Code on Another User's Computer
11. PhpSmsSend Front-End to SmsSend Allows Remote Users to Execute Arbitrary System Commands on the Server
12. EServ FTP Server Allows Remote Users to Generate Bounce Attacks Against Remote Servers and Allows Remote Users to Cause Denial of Service Conditions on the Server
13. SAS Job Spawner Buffer Overflow and Format String Bug Let Local Users Execute Arbitrary Code on the System with Root Privileges and Gain Root Privileges on the System
14. Cisco Catalyst CatOS Telnet Daemon Buffer Overflow Lets Remote Users Crash and Reload the Switch
15. XOOPS Portal Software Private Message System Lets Remote Users Execute JavaScript on the Recipient's Computer
16. SGI IRIX O2 Video Workstation Allows Remote Users to View the Screen Display on the System
17. Agora.cgi E-Commerce System Discloses Path Names to Remote Users When in Debug Mode
18. 'User-mode Linux' (UML) Environment Lets Local Users Obtain Root Privileges Within the Environment and May Let Local Users Break Out of the UML Environment into the Underlying Operating System
19. Hosting Controller Web Hosting Management Application Discloses Information About Valid User Account Names and Allows Brute Force Username and Password Guessing Attacks
20. Windows 2000 TCP Stack Bug Lets Remote Users Cause All Memory to Be Consumed on the Server
21. BRU Backup Utility Has Temporary File Symlink Bug That Lets Local Users Overwrite Any File on the System
22. Intel PRO/Wireless LAN Device Discloses Wireless Encryption Key to Local Users
23. Xinet's 'xkas' AppleShare Administration Tool Discloses Any Local File Contents to Local Users
24. Ganglia Clustering Environment Web Client Lets Remote Users Execute Arbitrary Commands on the Server
25. Sony VAIO Personal Computers May Allow Remote Users to Access the Computer and Take Full Control of the System
26. Tarantella Enterprise Application Server Uses Unsafe Temporary Files During Installation, Allowing Local Users to Obtain Root Privileges on the System
27. XOOPS Object-Oriented Web Portal Software Lets Remote Users Inject SQL Commands that Will Be Executed By the Underlying SQL Database
28. DCForum Messaging Board Lets Remote Users Gain Access to Other User Bulletin Board Accounts
29. NetScreen Firewalls Can Be Made Unresponsive By a Remote User on the Trusted Interface Side Conducting Port Scans Through the Firewall
30. Microsoft Site Server Commerce Edition Discloses Potentially Sensitive Administration Information and Source Code to Remote Users With Valid Accounts and Discloses User Passwords from the LDAP Directory to Anonymous Remote Users
31. Microsoft Site Server Commerce Edition Lets Remote Users With Valid NT Accounts Upload and Then Execute ASP Scripts on the Server or Consume Disk Space on the Server
32. Sun Java Virtual Machine Can Be Crashed By Malicious Java Code
33. Lotus Domino Web Server Discloses User Account Validity Information to Remote Users
34. NetWare NDS for NT Configuration Error May Let Remote Users Obtain NT Domain Administration Privileges
35. Microsoft Distributed Transaction Coordinator (MSDTC) Service Can Be Crashed By Remote Users
36. Cisco Tac_plus TACACS+ Developer Kit Uses Unsafe File Permissions That May Allow Local Users to Modify the Logs, Overwrite Arbitrary Files, and Potentially Execute Arbitrary Code on the System

------------------------------------------------------------------------

Your SecurityTracker Vulnerability Alerts

1. NETGEAR Router
   Vendor: NETGEAR

   A vulnerability was reported in NETGEAR's RO318 Cable/DSL Security Router. A remote user can bypass the web content filtering restrictions.

   Impact: Host/resource access via network
   Alert: http://securitytracker.com/alerts/2002/Jan/1003411.html

2. VirusScan
   Vendor: Network Associates

   A vulnerability was reported in McAfee VirusScan (and potentially other virus scanning products). A local user or a virus may create a file with an NTFS file path name that cannot be scanned by the anti-virus engine.

   Impact: Modification of system information
   Alert: http://securitytracker.com/alerts/2002/Jan/1003410.html

3. Norton Anti-Virus
   Vendor: Symantec

   A vulnerability was reported in Norton Anti-Virus (and potentially other virus scanning products). A local user or a virus may create a file with an NTFS file path name that cannot be scanned by the anti-virus engine.

   Impact: Modification of system information
   Alert: http://securitytracker.com/alerts/2002/Jan/1003409.html

4. TCP Stack Implementation
   Vendor: Compaq

   A denial of service vulnerability was reported in Compaq's Tru64 operating system's networking stack. A remote user can cause connections to freeze and/or be blocked.

   Impact: Denial of service via network
   Alert: http://securitytracker.com/alerts/2002/Jan/1003408.html

5. SAP GUI
   Vendor: SAP

   A denial of service vulnerability was reported in SAP's SAP GUI product. A remote user may be able to cause the SAP GUI to crash.

   Impact: Denial of service via network
   Alert: http://securitytracker.com/alerts/2002/Jan/1003407.html

6. Jgroff
   Vendor: [Multiple Authors/Vendors]

   A format string vulnerability was reported in the jgroff package, a version of groff with Japanese character sets. A remote user can execute arbitrary commands on the printer server with the privileges of the 'lp' user.

   Impact: Execution of arbitrary code via network
   Alert: http://securitytracker.com/alerts/2002/Jan/1003405.html

7. RipMIME
   Vendor: Daniels, Paul L.

   A buffer overflow vulnerability was reported in the RipMIME MIME decoder. Arbitrary code may be executed during the decoding process.

   Impact: Execution of arbitrary code via local system
   Alert: http://securitytracker.com/alerts/2002/Jan/1003404.html

8. UBBThreads
   Vendor: Infopop

   A vulnerability was reported in Infopop's UBBThreads message board software. A remote user with a valid account on the bulletin board can upload a file with a file extension that should be blocked. PHP scripts can be uploaded and executed.

   Impact: Execution of arbitrary code via network
   Alert: http://securitytracker.com/alerts/2002/Jan/1003403.html

9. Windows Domain Controller
   Vendor: Microsoft

   Microsoft reported a vulnerability in their Windows NT and Windows 2000 Domain Controller software. A remote user with administrative privileges on a domain controller can gain elevated privileges on another domain that trusts the user's domain controller.

   Impact: Root access via network
   Alert: http://securitytracker.com/alerts/2002/Jan/1003402.html

10. CNET CatchUp
    Vendor: CNET

    Newsbytes reported a vulnerability in CNet Catchup, a Windows-based software update utility. A remote user could execute arbitrary code on the system running CNet Catchup.

    Impact: Execution of arbitrary code via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003397.html

11. PhpSmsSend
    Vendor: Calmejane, Christophe

    A vulnerability was reported in the PhpSmsSend frontend to SmsSend. A user can execute arbitrary commands on the web server.

    Impact: Execution of arbitrary code via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003395.html

12. EServ
    Vendor: Etype

    Two vulnerabilities were reported in EServ's FTP server. A remote user can prevent other users from using passive mode. A remote user can also conduct 'bounce attacks' against arbitrary ports on arbitrary remote servers.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003394.html

13. SAS - Job Spawner (sastcp)
    Vendor: SAS Institute Inc.

    Ministry-of-Peace reported a buffer overflow and format string vulnerability in the SAS Job Spawner (sastcpd). A local user can obtain root privileges on the system.

    Impact: Execution of arbitrary code via local system
    Alert: http://securitytracker.com/alerts/2002/Jan/1003393.html

14. Catalyst Switch
    Vendor: Cisco

    Cisco reported a buffer overflow vulnerability in their CatOS software for Catalyst switches. A remote user can cause the switch to crash and reload.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003391.html

15. XOOPS
    Vendor: Xoops.sourceforge.net

    iSecureLabs reported a vulnerability in the XOOPS Private Message System. A remote user can cause arbitrary JavaScript to be executed on the message recipient's computer.

    Impact: Execution of arbitrary code via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003390.html

16. SGI O2 Workstation
    Vendor: Silicon Graphics

    SGI issued an advisory warning of a vulnerability in their SGI O2 video workstation. In a certain configuration, a remote user can view the screen display of the remote system.

    Impact: Disclosure of authentication information
    Alert: http://securitytracker.com/alerts/2002/Jan/1003389.html

17. Agora.cgi
    Vendor: [Multiple Authors/Vendors]

    An information disclosure vulnerability was reported in Agora.cgi. A remote user can view the path name of the Agora.cgi installation if the server is configured in debug mode.

    Impact: Disclosure of system information
    Alert: http://securitytracker.com/alerts/2002/Jan/1003387.html

18. User-Mode Linux
    Vendor: User-mode-linux.sourceforge.net

    A vulnerability was reported in the 'User-mode Linux' environment for Linux. A local user can obtain elevated privileges on the system.

    Impact: Denial of service via local system
    Alert: http://securitytracker.com/alerts/2002/Jan/1003384.html

19. Hosting Controller
    Vendor: HostingController.com

    ALPER Research Labs reported a vulnerability in Hosting Controller, a Windows-based management application for web hosting environments. A remote user can obtain information about valid user account names and can conduct password guessing attacks.

    Impact: Disclosure of system information
    Alert: http://securitytracker.com/alerts/2002/Jan/1003383.html

20. Windows TCP/IP Stack
    Vendor: Microsoft

    Security.NNOV reported a denial of service vulnerability in Microsoft Windows 2000. A remote user can cause the server to consume all available memory.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003382.html

21. BRU
    Vendor: TOLIS Group, Inc.

    A vulnerability was reported in the BRU file backup application. A local user can overwrite any file on the system.

    Impact: Denial of service via local system
    Alert: http://securitytracker.com/alerts/2002/Jan/1003381.html

22. Intel PRO/Wireless LAN Series
    Vendor: Intel

    A vulnerability was reported in Intel's PRO/Wireless 2011B Local Area Network (LAN) device. A local user can view the wireless encryption protocol (WEP) key for the device.

    Impact: Disclosure of authentication information
    Alert: http://securitytracker.com/alerts/2002/Jan/1003380.html

23. Xkas
    Vendor: Xinet

    Hackerslab reported a vulnerability in Xinet's 'xkas' AppleShare administration tool for UNIX systems. A local user can view files on the server with root privileges.

    Impact: Disclosure of system information
    Alert: http://securitytracker.com/alerts/2002/Jan/1003379.html

24. Ganglia
    Vendor: Ganglia.sourceforge.net

    A vulnerability was reported in the Ganglia clustering environment PHP RRD web client. A remote user can cause commands to be executed by the web server.

    Impact: Execution of arbitrary code via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003376.html

25. VAIO Personal Computer Software
    Vendor: Sony

    Sony issued a security notice warning of a vulnerability in software pre-installed on certain VAIO Personal Computers. A remote user could access the system and take full control of the system.

    Impact: Execution of arbitrary code via network
    Alert: http://securitytracker.com/alerts/2002/Jan/1003375.html

26. Tarantella
    Vendor: Tarantella, Inc.

    An installation vulnerability has been reported in Tarantella Enterprise 3. A local user can obtain root access to the system during installation.

    Impact: Execution of arbitrary code via local system
    Alert: http://securitytracker.com/alerts/2002/Jan/1003373.html

27. XOOPS
    Vendor: Xoops.sourceforge.net

    iSecureLabs.com reported a security vulnerability in the XOOPS portal script. A remote user can inject SQL queries that will be executed by the underlying MySQL database.

    Impact: Disclosure of system information
    Alert: http://securitytracker.com/alerts/2002/Jan/1003374.html

28. DCForum
    Vendor: DCScripts

    An access control vulnerability was reported in DCScripts' DCForum messaging web board software. A remote user with an account on DCForum can gain access to any other user's account on DCForum.

    Impact: Disclosure of authentication information
    Alert: http://securitytracker.com/alerts/2002/Feb/1003422.html

29. ScreenOS
    Vendor: NetScreen

    A denial of service vulnerability was reported in NetScreen firewalls (Screen OS). A remote user on the trusted interface can cause the interface to hang.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Feb/1003421.html

30. Site Server (Microsoft)
    Vendor: Microsoft

    rfp.labs reported some information disclosure vulnerabilities in Microsoft Site Server Commerce Edition. A remote user can browse the associated LDAP directory. A remote user can also view ASP source code and server information and can view plain text user passwords stored in the LDAP directory.

    Impact: Disclosure of authentication information
    Alert: http://securitytracker.com/alerts/2002/Feb/1003420.html

31. Site Server (Microsoft)
    Vendor: Microsoft

    rfp.labs reported a vulnerability in Microsoft Site Server's content publishing feature. A remote user with a valid NT account can upload and then execute arbitrary ASP code on the server or can consume disk space on the server to create a denial of service condition on the server.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Feb/1003419.html

32. Java Runtime Environment (JRE)
    Vendor: Sun

    A denial of service vulnerability was reported in Sun's Java Virtual Machine (JVM) where malicious Java code can cause the JVM to crash.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Feb/1003418.html

33. Domino/Notes (Lotus)
    Vendor: IBM

    An information disclosure vulnerability was reported in the Lotus Domino web server. A remote user can obtain information about valid user account names on the server.

    Impact: Disclosure of system information
    Alert: http://securitytracker.com/alerts/2002/Feb/1003417.html

34. NetWare NDS for NT
    Vendor: Novell

    A configuration vulnerability was reported in Novell's NDS for NT. A remote user with a valid NDS account may be able to obtain NT domain administrator privileges on a remote NT server.

    Impact: User access via network
    Alert: http://securitytracker.com/alerts/2002/Feb/1003416.html

35. Distributed Transaction Coordinator (MSDTC)
    Vendor: Microsoft

    A denial of service vulnerability was reported in Microsoft's Distributed Transaction Coordinator (MSDTC) service. A remote user may be able to cause the service to crash.

    Impact: Denial of service via network
    Alert: http://securitytracker.com/alerts/2002/Feb/1003415.html

36. Tac_plus
    Vendor: Cisco

    A vulnerability was reported in Cisco's unsupported tac_plus TACACS+ developers kit. A local user can modify the log files and may be able to cause arbitrary files to be overwritten on the system.

    Impact: Execution of arbitrary code via local system
    Alert: http://securitytracker.com/alerts/2002/Feb/1003414.html

------------------------------------------------------------------------

To join, delete, or otherwise change your subscription, visit:
http://www.securitytracker.com/help/accounts.html

To contact us, send e-mail to help@securitytracker.com

If you need to refer to this weekly vulnerability summary when you mail us, please provide us with the following SecurityTracker message ID:

Keep Track of the Latest Vulnerabilities with SecurityTracker!
http://www.securitytracker.com

copyright 2002, SecurityGlobal.net LLC

See disclaimer notice at:
http://www.securitytracker.com/learn/disclaimer.html

------------------------------------------------------------------------