INTERIM DECISION: ACCEPT 47 various candidates (Final 8/27)



I have made an Interim Decision to ACCEPT the following 47 candidates.
They are universal vulnerabilities that are not affected by any
outstanding content decisions.  Almost all are validated either by the
affected vendor, a CERT advisory, or the equivalent.  All have at
least 3 non-MITRE votes for inclusion (e.g. ACCEPT or minor MODIFY).

The candidates come from the following clusters:

   8 CERT
  33 ONEREF
   1 VEN-AIX
   2 VEN-BSD
   1 VEN-SGI
   2 VEN-SUN

I will make a Final Decision on these candidates this Friday, 8/27.
Acceptance will increase the size of the "real" CVE to 140
vulnerabilities.

- Steve


=================================
Candidate: CAN-1999-0018
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Buffer overflow in statd allows root privileges.

Modifications:
  DESC remove CERT advisory from text

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0032
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX
Reference: XF:bsd-lprbo2
Reference: XF:bsd-lprbo
Reference: XF:lpr-bo

Buffer overflow in BSD-based lpr package allows local users to gain
root privileges.

Modifications:
  DESC remove lp, reword
  ADDREF XF:bsd-lprbo
  ADDREF XF:lpr-bo

VOTES:
   ACCEPT(3) Northcutt, Hill, Wall
   MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> the mention of (lp) is misleading.  The problem was with
 Shostack> the BSD lpr family, not the SYSV lp family.
 Frech> References: XF:bsd-lprbo
 Frech> References: XF:lpr-bo


=================================
Candidate: CAN-1999-0046
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable.

Modifications:
  DELREF XF:bsdi-rlogind
  ADDREF XF:rlogin-termbo
  DESC Add period.

VOTES:
   ACCEPT(3) Shostack, Northcutt, Landfield
   MODIFY(1) Frech

COMMENTS:
 Frech> Every sentence is followed by a period (unless you are a criminal,
 Frech> and then it follows with an appeal.)


=================================
Candidate: CAN-1999-0062
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:openbsd-chpass
Reference: NAI:NAI-28

The chpass command in OpenBSD allows a local user to gain root access
through file descriptor leakage.

Modifications:
  DESC per Prosser's comments
  ADDREF NAI:NAI-28

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> I believe this is a file leakage problem where the temp
 Prosser> password file can be modified and used to overwrite the original
 Prosser> password file.  The reference source for this is a NAI Security
 Prosser> Advisory #28, no longer available from the now defunct old NAI site
 Prosser> but is on Bugtraq
 Prosser> http://netspace.org/cgi-bin/wa?A2=ind9808B&L=bugtraq&P=R455


=================================
Candidate: CAN-1999-0067
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf

CGI phf program allows remote command execution through shell
metacharacters.

Modifications:
  DESC reword slightly

VOTES:
   ACCEPT(4) Hill, Shostack, Frech, Wall
   MODIFY(2) Northcutt, Christey

COMMENTS:
 Northcutt> this is not about phf it is about escape_shell_cmd(),
 Northcutt> you had the same thing with php and so forth.
 Christey> I agree with Adam that "shell metacharacters" is too high a level of
 Christey> abstraction.  I believe that phf and php and the others should be
 Christey> distinguished.  However, it might be better to change the description
 Christey> to say "CGI phf program allows remote command execution via shell
 Christey> metacharacters."


=================================
Candidate: CAN-1999-0081
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-rnfr

wu-ftp allows files to be overwritten via the rnfr command.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0082
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-cwd
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it

CWD ~root command in ftpd allows root access.

Modifications:
  DESC reword

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(2) Shostack, Prosser

COMMENTS:
 Shostack> 'in ftpD allows root access'
 Prosser> Dan Farmer and Wietse Venema covered this vulnerability as
 Prosser> well in their guide "Improving the Security of Your Site by Breaking
 Prosser> Into it"


=================================
Candidate: CAN-1999-0083
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:cwdleak

getcwd() file descriptor leak in FTP

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0097
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp

The AIX FTP client can be forced to execute commands from a malicious
server through shell metacharacters (e.g. a pipe character).

Modifications:
  ADDREF XF:ibm-ftp
  DESC slight change

VOTES:
   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Northcutt> Per 97, general issue of mishandling metachars is a lot
 Northcutt> like my comment about CGI-BINs (not just PHF) [Someone]
 Northcutt> recently did a content search for about
 Northcutt> CGI-BIN and /etc/passwd and found about 10 cgi programs
 Northcutt> that someone attempted to exploit...  However we resolve the
 Northcutt> CGI-BIN bit, we ought to consider applying the same logic to
 Northcutt> candidates like 97.
 Frech> Reference: XF:ibm-ftp
 Prosser> Concur with Adam's modification


=================================
Candidate: CAN-1999-0099
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

Buffer overflow in syslog utility allows local or remote attackers to
gain root privileges.

Modifications:
  DESC could be through other mailers besides Sendmail
  DESC applies to syslog period, not just mail servers

VOTES:
   ACCEPT(3) Frech, Northcutt, Landfield
   MODIFY(1) Shostack

COMMENTS:
 Shostack> Anything that passes bad data to syslog might be used to proxy this,
 Shostack> not just mail servers.


=================================
Candidate: CAN-1999-0120
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write

Sun/Solaris utmp file allows local users to gain root access if it
is writable by users other than root.

VOTES:
   ACCEPT(5) Northcutt, Shostack, Prosser, Baker, Frech

COMMENTS:
 Shostack> |


=================================
Candidate: CAN-1999-0128
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.

Modifications:
  ADDREF XF:ping-death
  COMMENT Andre's other suggested ref's were for a buffer overflow
  COMMENT in the ping program, which is a different vulnerability.
  DESC slight wording change to identify this as Ping o' Death *only*

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0132
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:expreserve
Reference: CERT:CA-96.19.expreserve

Expreserve, used in vi and ex, allows local users to overwrite
arbitrary files and gain root access.

Modifications:
  ADDREF XF:expreserve

VOTES:
   ACCEPT(4) Frech, Shostack, Northcutt, Landfield


=================================
Candidate: CAN-1999-0185
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00156
Reference: XF:sun-ftpd/logind

In SunOS or Solaris, a remote user could connect from an FTP server's
data port to an rlogin server on a host that trusts the FTP server,
allowing remote command execution.

Modifications:
  DESC wording change
  ADDREF XF:sun-ftpd/logind

VOTES:
   ACCEPT(2) Northcutt, Prosser
   MODIFY(1) Frech

COMMENTS:
 Frech> Also reported as vulnerable on SunOS, which is similar, but different.
 Frech> Reference: XF:sun-ftpd/logind


=================================
Candidate: CAN-1999-0190
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00167
Reference: XF:sun-rpcbind

Solaris rpcbind can be exploited to overwrite arbitrary files and gain
root access.

Modifications:
  ADDREF XF:sun-rpcbind

VOTES:
   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Prosser

COMMENTS:
 Frech> Reference: XF:sun-rpcbind
 Prosser> The way rpcbind handles indirect calls is vulnerable in this advisory.
 Prosser> As there are lots of rpcbind problems, maybe should be more specific?


=================================
Candidate: CAN-1999-0208
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.

Modifications:
  ADDREF XF:rpc-update
  DESC change to present tense

VOTES:
   ACCEPT(3) Shostack, Northcutt, Landfield
   MODIFY(1) Frech

COMMENTS:
 Frech> "allows remote users..." since this vuln's context pertains to
 Frech> when the service was vulnerable.


=================================
Candidate: CAN-1999-0228
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567

Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.

Modifications:
  ADDREF MSKB:Q162567

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> this is a 100% CPU utilization through the rpc port 135
 Prosser> on an NT box. Source is Microsoft Knowledge Base article Q162567


=================================
Candidate: CAN-1999-0252
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-listserv

Buffer overflow in listserv allows arbitrary command execution.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0294
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-wins-snmp2

All records in a WINS database can be deleted through SNMP for
a denial of service.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0295
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-sysdef
Reference: SUN:00157

Solaris sysdef command allows local users to read kernel memory,
potentially leading to root privileges.

VOTES:
   ACCEPT(5) Northcutt, Shostack, Prosser, Baker, Frech

COMMENTS:
 Prosser> reference though should be Sun Security Bulletin 00157


=================================
Candidate: CAN-1999-0303
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bnu-uucpd-bo
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

Modifications:
  ADDREF RSI:RSI.0002.05-18-98.BNU.UUCPD

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> source should be REPSEC Security Advisory
 Prosser> RSI.0002.05-18-98.BNU.UUCPD


=================================
Candidate: CAN-1999-0305
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bsd-sourceroute
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"

BSD sysctl control does not properly restrict source routing.

Modifications:
  ADDREF OPENBSD:Feb15,1998

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> reference:  OpenBSD Security Advisory February 15, 1998 IP
 Prosser> Source Routing Problem


=================================
Candidate: CAN-1999-0308
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite
Reference: CIAC:H-03: HP-UX suid Vulnerabilities

HP-UX gwind program allows users to modify arbitrary files.

Modifications:
  ADDREF HP:HPSBUX9410-018

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> add source HP Security Bulletin HPSBUX9410-018


=================================
Candidate: CAN-1999-0310
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ssh-1225

SSH 1.2.25 on HP-UX allows access to new user accounts.

VOTES:
   ACCEPT(4) Northcutt, Prosser, Baker, Frech
   NOOP(1) Shostack


=================================
Candidate: CAN-1999-0311
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-fpkg2swpk
Reference: HP:HPSBUX9612-042

fpkg2swpk in HP-UX allows local users to gain root access.

Modifications:
  ADDREF HP:HPSBUX9612-042

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> add source:  HP Security Advisory HPSBUX9612-042


=================================
Candidate: CAN-1999-0312
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nis-ypbind
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability

HP ypbind allows attackers with root privileges to modify NIS data.

Modifications:
  ADDREF CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> Source is an older CERT Bulletin CA-93.1, Revised
 Prosser> Hewlett-Packard NIS ypbind Vulnerability


=================================
Candidate: CAN-1999-0313
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-disk-bandwidth
Reference: SGI:19980701-01-P

IRIX disk_bandwidth program allows local users to gain root access
using relative pathnames.

Modifications:
  ADDREF SGI:19980701-01-P

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> Source is SGI Security Advisory 19980701-01-P


=================================
Candidate: CAN-1999-0314
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-ioconfig
Reference: SGI:19980701-01-P

IRIX ioconfig program allows local users to gain root access
using relative pathnames.

Modifications:
  ADDREF SGI:19980701-01-P

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> Source is SGI Security Advisory 19980701-01-P


=================================
Candidate: CAN-1999-0316
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-splitvt
Reference: CIAC:G-08

Buffer overflow in Linux splitvt command gives root access to local
users.

Modifications:
  ADDREF CIAC:G-08

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> Source is CIAC Bulletin G-08


=================================
Candidate: CAN-1999-0324
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9702-053
Reference: CIAC:H-31
Reference: XF:hp-ppllog

ppl program in HP-UX allows local users to create root files through
symlinks.

Modifications:
  ADDREF CIAC:H-31
  ADDREF HP:HPSBUX9702-053

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> reference CIAC Bulletin H-31, HP Security Bulletin
 Prosser> HPSBUX9702-053


=================================
Candidate: CAN-1999-0325
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-vhe
Reference: HP:HPSBUX9406-013

vhe_u_mnt program in HP-UX allows local users to create root files through
symlinks.

Modifications:
  ADDREF HP:HPSBUX9406-013

VOTES:
   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack

COMMENTS:
 Prosser> reference:  HPSBUX9406-013


=================================
Candidate: CAN-1999-0328
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SGI:19971103-01-PX
Reference: XF:sgi-permtool

SGI permissions program allows local users to gain root privileges.

Modifications:
  ADDREF XF:sgi-permtool

VOTES:
   ACCEPT(1) Northcutt
   MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> include a path to /usr/bin/permissions to clarify that it is a
 Shostack> program.
 Frech> Reference: XF:sgi-permtool


=================================
Candidate: CAN-1999-0332
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346

Buffer overflow in NetMeeting allows denial of service and remote
command execution.

Modifications:
  ADDREF MSKB:Q184346

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Christey

COMMENTS:
 Shostack> All BOs can be dos attacks.  When should or should not that be listed?
 Prosser> reference:
 Prosser> www.microsoft.com/windows/ie/security/netmbuff.asp, Knowledgebase
 Prosser> Q184346
 Christey> The DoS (a crash) occurs before the exploit, so both cases
 Christey> should be listed here.


=================================
Candidate: CAN-1999-0340
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: KSRT:005
Reference: XF:linux-crond

Buffer overflow in Linux Slackware crond program allows local users
to gain root access.

Modifications:
  ADDREF KSRT:005

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser

COMMENTS:
 Prosser> advisory comes from KSRT, KSR[T] Advisory #005
 Prosser> Date:   Dec  6, 1997


=================================
Candidate: CAN-1999-0341
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: KSRT:006
Reference: XF:linux-deliver

Buffer overflow in the Linux mail program "deliver" allows local users
to gain root access.

Modifications:
  ADDREF KSRT:006

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser

COMMENTS:
 Prosser> advisory comes from KSRT, Advisory #006
 Prosser> Date:   Jan 14, 1998


=================================
Candidate: CAN-1999-0342
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace

Linux PAM modules allow local users to gain root access using
temporary files.

Modifications:
  ADDREF REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> one source from Bugtraq, another from
 Prosser> http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam


=================================
Candidate: CAN-1999-0344
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MS:MS98-009
Reference: MSKB:Q190288
Reference: XF:nt-priv-fix

NT users can gain debug-level access on a system process using the
Sechole exploit.

Modifications:
  ADDREF MS:MS98-009
  ADDREF MSKB:Q190288

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> Source: MS Bulletin ms98-009 and Microsoft Knowledge
 Prosser> Base article Q190288


=================================
Candidate: CAN-1999-0357
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan25,1999
Reference: XF:win98-oshare-dos

Denial of service in Windows systems using malformed oshare packets.

Modifications:
  ADDREF XF:win98-oshare-dos

VOTES:
   ACCEPT(3) Northcutt, Shostack, Baker
   MODIFY(1) Frech
   NOOP(1) Prosser

COMMENTS:
 Frech> XF:win98-oshare-dos


=================================
Candidate: CAN-1999-0374
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: DEBIAN:19990215
Reference: BUGTRAQ:Feb16,1999
Reference: XF:linux-cfengine-symlinks

Debian Linux cfengine package is susceptible to a symlink attack.

Modifications:
  ADDREF DEBIAN:19990215
  ADDREF XF:linux-cfengine-symlinks

VOTES:
   ACCEPT(3) Northcutt, Shostack, Baker
   MODIFY(1) Frech
   NOOP(1) Prosser

COMMENTS:
 Frech> XF:linux-cfengine-symlinks


=================================
Candidate: CAN-1999-0396
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race

A race condition between the select() and accept() calls in NetBSD TCP
servers allows remote attackers to cause a denial of service.

Modifications:
  ADDREF XF:netbsd-tcp-race

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorption DOS attacks.
 Frech> Reference: XF:netbsd-tcp-race


=================================
Candidate: CAN-1999-0468
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999

Internet Explorer 5.0 allows a remote server to read arbitrary files
on the client's file system using the Microsoft Scriptlet Component.

Modifications:
  ADDREF MS:MS99-012

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> Source:  MS bulletin ms99-012


=================================
Candidate: CAN-1999-0471
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:winroute-config
Reference: BUGTRAQ:Apr9,1999

The remote proxy server in Winroute allows a remote attacker to
reconfigure the proxy without authentication through the "cancel"
button.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0472
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:netcache-snmp
Reference: BUGTRAQ:Apr7,1999

The SNMP default community name "public" is not properly removed in
NetApps C630 Netcache, even if the administrator tries to disable it.

Modifications:
  DESC Changed NetApps to NetApp per vendor usage

VOTES:
   ACCEPT(3) Northcutt, Shostack, Baker
   MODIFY(1) Frech
   NOOP(1) Prosser

COMMENTS:
 Frech> Verify that the company's name is not correctly spelled Network Appliances.
 Frech> XF Reference is ok.


=================================
Candidate: CAN-1999-0473
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CALDERA:CSSA-1999:010.0
Reference: XF:rsync-permissions
Reference: BUGTRAQ:Apr7,1999

The rsync command before rsync 2.3.1 may inadvertently change the
permissions of the client's working directory to the permissions of
the directory being transferred.

Modifications:
  ADDREF CALDERA:CSSA-1999:010.0

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   MODIFY(1) Prosser

COMMENTS:
 Prosser> Source:  Caldera Security Advisory CSSA-1999:010.0


=================================
Candidate: CAN-1999-0474
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:icq-webserver-read
Reference: BUGTRAQ:Apr5,1999

The ICQ Webserver allows remote attackers to use .. to access
arbitrary files outside of the user's personal directory.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0475
Published:
Final-Decision:
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:procmail-race
Reference: BUGTRAQ:Apr5,1999

A race condition in how procmail handles .procmailrc files allows
a local user to read arbitrary files available to the user who is
running procmail.

VOTES:
   ACCEPT(4) Northcutt, Shostack, Baker, Frech
   NOOP(1) Prosser


=================================
Candidate: CAN-1999-0485
Published:
Final-Decision:
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: OPENBSD:Feb19,1999
Reference: XF:openbsd-ipintr-race

Remote attackers can cause a system crash through ipintr() in ipq in
OpenBSD.

Modifications:
  ADDREF XF:openbsd-ipintr-race
  DESC change DoS to system crash

VOTES:
   ACCEPT(2) Northcutt, Hill
   MODIFY(2) Shostack, Frech

COMMENTS:
 Shostack> For denial of service attacks, we should distinguish between
 Shostack> host availability, service, and CPU absorption DOS attacks.
 Frech> Reference: XF:openbsd-ipintr-race

Page Last Updated or Reviewed: May 22, 2007