
RE: First candidate cluster for validation: CERT

All:

Here's the first review that came in from Steve Northcutt.  I've
forwarded it along to the list.  I'll comment on his non-ACCEPTs
later.

Bill Hill of MITRE has given me an implicit "ACCEPT" of all the
candidates in the CERT cluster.  Later today or tomorrow, I expect to
present my own review of the cluster (there are a couple of descriptions
that I think could be improved).

I hope to see comments from more of you soon!

- Steve


------------------------------------------
Candidate: CAN-1999-0003
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX

Execute commands as root via buffer overflow in Tooltalk database
server (rpc.ttdbserverd)
ACCEPT
------------------------------------------
Candidate: CAN-1999-0004
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175

MIME buffer overflows in mail/news clients, e.g. Solaris mailtool.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0005
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177

Arbitrary command execution via IMAP buffer overflow, as in
CERT:CA-98.09.imapd.
REVIEWING - there are multiple similar exploits, which may imply
multiple vulnerabilities
------------------------------------------
Candidate: CAN-1999-0006
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow

Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows
remote attackers to gain root access using a long PASS command.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0007
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.07.PKCS
Reference: XF:nt-ssl-fix

Information from SSL-encrypted sessions via PKCS #1
ACCEPT
------------------------------------------
Candidate: CAN-1999-0008
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.06.nisd
Reference: SUN:00170
Reference: ISS:June10,1998
Reference: XF:nisd-bo-check

Buffer overflow in NIS+, in Sun's rpc.nisd program
ACCEPT
------------------------------------------
Candidate: CAN-1999-0013
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.03.ssh-agent
Reference: NAI:NAI-24
Reference: XF:ssh-agent

Stolen credentials from SSH clients via ssh-agent program, allowing
other local users to access remote accounts belonging to the
ssh-agent user.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0014
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-98.02.CDE
Reference: SUN:00185

Unauthorized privileged access or denial of service via dtappgather
program in CDE.
NO OPINION
------------------------------------------
Candidate: CAN-1999-0017
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.27.FTP_bounce
Reference: XF:ftp-bounce
Reference: XF:ftp-privileged-port

FTP bounce attack to connect to arbitrary ports on machines other than
the FTP client.
MODIFY - the primary vulnerability is in some FTP server implementations
that allow this, as opposed to the actual connecting to the ports
------------------------------------------
Candidate: CAN-1999-0018
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Root privileges via statd, as in CERT:CA-97.26.statd, due to
buffer overflow.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0019
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.09.rpc.statd
Reference: XF:rpc-stat
Reference: SUN:00135

Delete or create a file via rpc.statd, due to invalid information.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0021
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.24.Count_cgi
Reference: XF:http-cgi-count

Arbitrary command execution via buffer overflow in Count.cgi
(wwwcount) cgi-bin program.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0022
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.23.rdist
Reference: XF:rdist-bo3
Reference: XF:rdist-sept97

Local user gains root privileges via buffer overflow in rdist, via
expstr() function.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0023
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.14.rdist_vul
Reference: XF:rdist-bo
Reference: XF:rdist-bo2

Local user gains root privileges via buffer overflow in rdist, via
lookup() function.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0024
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.22.bind
Reference: XF:bind
Reference: NAI:NAI-11

DNS cache poisoning via BIND, by predictable query IDs.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0032
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: XF:bsd-lprbo2
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX

Command execution in BSD-based lpr package (lp) due to buffer
overflow.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0033
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Command execution in Sun systems via buffer overflow in the at program
ACCEPT
------------------------------------------
Candidate: CAN-1999-0034
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.17.sperl
Reference: XF:perl-suid

Buffer overflow in suidperl (sperl), Perl 4.x and 5.x
ACCEPT
------------------------------------------
Candidate: CAN-1999-0035
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files
ACCEPT
------------------------------------------
Candidate: CAN-1999-0036
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.15.sgi_login
Reference: AUSCERT:AA-97.12
Reference: SGI:19970508-02-PX
Reference: XF:sgi-lockout

IRIX login program with a nonzero LOCKOUT parameter allows creation or
damage to files.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0038
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.13.xlock
Reference: XF:xlock-bo

Buffer overflow in xlock program allows local users to execute
commands as root.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0039
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.12.webdist
Reference: AUSCERT:AA-97.14
Reference: SGI:19970501-02-PX
Reference: XF:http-sgi-webdist

Arbitrary command execution using webdist CGI program in IRIX.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0040
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.11.libXt
Reference: XF:libXt-bo

Buffer overflow in Xt library of X Windowing System allows local
users to execute commands with root privileges.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0041
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.10.nls
Reference: XF:nls-bo

Buffer overflow in NLS (Natural Language Service)
NO OPINION
------------------------------------------
Candidate: CAN-1999-0043
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.08.innd
Reference: XF:inn-controlmsg

Command execution via shell metachars in INN daemon (innd) 1.5
using "newgroup" and "rmgroup" control messages, and others.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0045
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.07.nph-test-cgi_script
Reference: XF:http-cgi-nph

List of arbitrary files on Web host via nph-test-cgi script
ACCEPT
------------------------------------------
Candidate: CAN-1999-0046
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:bsdi-rlogind

Buffer overflow of rlogin program using TERM environmental variable
ACCEPT
------------------------------------------
Candidate: CAN-1999-0049
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.03.csetup

Csetup under IRIX allows arbitrary file creation or overwriting.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0050
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.02.hp_newgrp
Reference: AUSCERT:AA-96.16.HP-UX.newgrp.Buffer.Overrun.Vulnerability
Reference: XF:hp-newgrpbo

Buffer overflow in HP-UX newgrp program
ACCEPT
------------------------------------------
Candidate: CAN-1999-0051
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Arbitrary file creation and program execution using FLEXlm
LicenseManager, from versions 4.0 to 5.0, in IRIX.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0067
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution
MODIFY - this is not about phf, it is about escape_shell_cmd();
you had the same thing with php and so forth.
------------------------------------------
Candidate: CAN-1999-0073
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:14.Telnetd_Environment_Vulnerability
Reference: XF:linkerbug

Telnet allows a remote client to specify environment variables including
LD_LIBRARY_PATH, allowing an attacker to bypass the normal system
libraries and gain root access.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0078
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
Reference: XF:nfs-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0080
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot

wu-ftp FTP server allows root access via "site exec" command.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0099
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

A buffer overflow in the syslog utility allows remote execution
through Sendmail.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0117
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

AIX passwd allows local users to gain root access.
NO OPINION
------------------------------------------
Candidate: CAN-1999-0128
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service,
e.g. from the Ping o' Death exploit.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0129
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.25.sendmail_groups

Sendmail allows local users to write to a file and gain group
permissions via a .forward or :include: file.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0130
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.24.sendmail.daemon.mode

Local users can start Sendmail in daemon mode and gain root privileges.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0131
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.20.sendmail_vul

Buffer overflow and denial of service in Sendmail 8.7.5 and
earlier through GECOS field gives root access to local users.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0132
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.19.expreserve
Reference: XF:expreserve

Expreserve, used in vi and ex, allows local users to overwrite
arbitrary files and gain root access.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0133
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.18.fm_fls
Reference: XF:fmaker-logfile

fm_fls license server for Adobe Framemaker allows local users to
overwrite arbitrary files and gain root access.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0134
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04

vold in Solaris 2.x allows local users to gain root access
ACCEPT
------------------------------------------
Candidate: CAN-1999-0135
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

admintool in Solaris allows a local user to write to arbitrary files
and gain root access.
NO OPINION
------------------------------------------
Candidate: CAN-1999-0136
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Kodak Color Management System (KCMS) on Solaris allows a local user to
write to arbitrary files and gain root access.
NO OPINION
------------------------------------------
Candidate: CAN-1999-0137
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

The dip program on many Linux systems allows local users to gain root
access via a buffer overflow.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0141
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134

Java Bytecode Verifier allowed malicious applets to execute
arbitrary commands as the user of the applet.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0142
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.05.java_applet_security_mgr

Java Applet Security Manager allows an applet to connect to arbitrary
hosts.
RECAST - Please note I am not a Java expert, but I think jdk 2.0 and
so forth do not have a sandbox notion and applets (perhaps trusted
applets) can connect to arbitrary hosts as a matter of course.  You
might want to contact Li Gong (li.gong@sun.com) or a similar
expert before issuing this one.  NOTE: another reason to consider
the original date!!!
------------------------------------------
Candidate: CAN-1999-0143
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.03.kerberos_4_key_server
Reference: XF:kerberos-bf

Kerberos 4 key servers allow a user to masquerade as another by
breaking and generating session keys.
NO OPINION
------------------------------------------
Candidate: CAN-1999-0155
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.10.ghostscript

The ghostscript command with the -dSAFER option allows remote
attackers to execute commands.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0164
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul

A race condition in the Solaris ps command allows an attacker to
overwrite critical files.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0207
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:majordomo-exe
Reference: CERT:CA-94.11.majordomo.vulnerabilities

Remote attacker can execute commands through Majordomo using the
Reply-To field and a "lists" command.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0208
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.
ACCEPT with a warning - this is from the so-called slammer exploit, true?
If I recall, the exploit was posted, but some library needed to be
purchased to compile the thing.  It was never clear to me if this was
true, or a marketing gimmick.
------------------------------------------
Candidate: CAN-1999-0209
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-90.05.sunselection.vulnerability

The SunView (SunTools) selection_svc facility allows remote users to
read files.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0267
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability

Buffer overflow in NCSA HTTP daemon v1.3 allowed remote command execution.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0277
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-96.23.workman_vul

The WorkMan program can be used to overwrite any file to get root access.
NO OPINION
------------------------------------------
Candidate: CAN-1999-0334
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:sol-startup
Reference: CERT:CA-93.19.Solaris.Startup.vulnerability

In Solaris 2.2 and 2.3, when fsck fails on startup, it allows a local
user with physical access to obtain root access.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0337
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: CERT:CA-94.10.IBM.AIX.bsh.vulnerability.html
Reference: XF:ibm-bsh

AIX batch queue (bsh) allows local and remote users to gain additional
privileges when network printing is enabled.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0338
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: SF
Reference: XF:ibm-perf-tools
Reference: CERT:CA-94.03.AIX.performance.tools

AIX Licensed Program Product performance tools allow local users to
gain root access.
ACCEPT
------------------------------------------
Candidate: CAN-1999-0513
Proposer: 001
Assigned: 19990607
Announced: 19990607
Category: CF
Reference: CERT:CA-98.01.smurf
Reference: FreeBSD:FreeBSD-SA-98:06
Reference: XF:smurf

ICMP messages to broadcast addresses are allowed, allowing for a
Smurf attack that can cause a denial of service.
MODIFY - If you put it this way then ping mapping becomes part of
smurf.  I would consider calling the vulnerability "ICMP to broadcast
addresses" and in the text state that it allows for a Smurf denial of
service or ICMP ping mapping to acquire intelligence data about a
network.

Page Last Updated or Reviewed: May 22, 2007