FINAL DECISION: ACCEPT 47 various candidates
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below. Voting
details and comments are provided afterwards.
The CVE names for candidates that reach Final Decision should be
regarded as stable. In the case of these and all other candidates
that reach Final Decision during this validation period, accepted
candidates won't reach Publication phase until the CVE goes fully
public. The only difference between Publication and Final Decision is
that the CVE name is officially "announced" by MITRE during
Publication.
- Steve
Candidate CVE Name
--------- ----------
CAN-1999-0018 CVE-1999-0018
CAN-1999-0032 CVE-1999-0032
CAN-1999-0046 CVE-1999-0046
CAN-1999-0062 CVE-1999-0062
CAN-1999-0067 CVE-1999-0067
CAN-1999-0081 CVE-1999-0081
CAN-1999-0082 CVE-1999-0082
CAN-1999-0083 CVE-1999-0083
CAN-1999-0097 CVE-1999-0097
CAN-1999-0099 CVE-1999-0099
CAN-1999-0120 CVE-1999-0120
CAN-1999-0128 CVE-1999-0128
CAN-1999-0132 CVE-1999-0132
CAN-1999-0185 CVE-1999-0185
CAN-1999-0190 CVE-1999-0190
CAN-1999-0208 CVE-1999-0208
CAN-1999-0228 CVE-1999-0228
CAN-1999-0252 CVE-1999-0252
CAN-1999-0294 CVE-1999-0294
CAN-1999-0295 CVE-1999-0295
CAN-1999-0303 CVE-1999-0303
CAN-1999-0305 CVE-1999-0305
CAN-1999-0308 CVE-1999-0308
CAN-1999-0310 CVE-1999-0310
CAN-1999-0311 CVE-1999-0311
CAN-1999-0312 CVE-1999-0312
CAN-1999-0313 CVE-1999-0313
CAN-1999-0314 CVE-1999-0314
CAN-1999-0316 CVE-1999-0316
CAN-1999-0324 CVE-1999-0324
CAN-1999-0325 CVE-1999-0325
CAN-1999-0328 CVE-1999-0328
CAN-1999-0332 CVE-1999-0332
CAN-1999-0340 CVE-1999-0340
CAN-1999-0341 CVE-1999-0341
CAN-1999-0342 CVE-1999-0342
CAN-1999-0344 CVE-1999-0344
CAN-1999-0357 CVE-1999-0357
CAN-1999-0374 CVE-1999-0374
CAN-1999-0396 CVE-1999-0396
CAN-1999-0468 CVE-1999-0468
CAN-1999-0471 CVE-1999-0471
CAN-1999-0472 CVE-1999-0472
CAN-1999-0473 CVE-1999-0473
CAN-1999-0474 CVE-1999-0474
CAN-1999-0475 CVE-1999-0475
CAN-1999-0485 CVE-1999-0485
=================================
Candidate: CAN-1999-0018
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29
Buffer overflow in statd allows root privileges.
Modifications:
DESC remove CERT advisory from text
VOTES:
ACCEPT(4) Frech, Shostack, Northcutt, Landfield
=================================
Candidate: CAN-1999-0032
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.19.bsdlp
Reference: AUSCERT:AA-96.12
Reference: CIAC:I-042
Reference: SGI:19980402-01-PX
Reference: XF:bsd-lprbo2
Reference: XF:bsd-lprbo
Reference: XF:lpr-bo
Buffer overflow in BSD-based lpr package allows local users to gain
root privileges.
Modifications:
DESC remove lp, reword
ADDREF XF:bsd-lprbo
ADDREF XF:lpr-bo
VOTES:
ACCEPT(3) Northcutt, Hill, Wall
MODIFY(2) Shostack, Frech
COMMENTS:
Shostack> the mention of (lp) is misleading. The problem was with
Shostack> the BSD lpr family, not the SYSV lp family.
Frech> References: XF:bsd-lprbo
Frech> References: XF:lpr-bo
=================================
Candidate: CAN-1999-0046
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo
Buffer overflow of rlogin program using TERM environmental variable.
Modifications:
DELREF XF:bsdi-rlogind
ADDREF XF:rlogin-termbo
DESC Add period.
VOTES:
ACCEPT(3) Shostack, Northcutt, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> Every sentence is followed by a period (unless you are a criminal,
Frech> and then it follows with an appeal.)
=================================
Candidate: CAN-1999-0062
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:openbsd-chpass
Reference: NAI:NAI-28
The chpass command in OpenBSD allows a local user to gain root access
through file descriptor leakage.
Modifications:
DESC per Prosser's comments
ADDREF NAI:NAI-28
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> I believe this is a file leakage problem where the temp
Prosser> password file can be modified and used to overwrite the original
Prosser> password file. The reference source for this is a NAI Security
Prosser> Advisory #28, no longer available from the now defunct old NAI site
Prosser> but is on Bugtraq
Prosser> http://netspace.org/cgi-bin/wa?A2=ind9808B&L=bugtraq&P=R455
=================================
Candidate: CAN-1999-0067
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf
CGI phf program allows remote command execution through shell
metacharacters.
Modifications:
DESC reword slightly
VOTES:
ACCEPT(4) Hill, Shostack, Frech, Wall
MODIFY(2) Northcutt, Christey
COMMENTS:
Northcutt> this is not about phf it is about escape_shell_cmd(),
Northcutt> you had the same thing with php and so forth.
Christey> I agree with Adam that "shell metacharacters" is too high a level of
Christey> abstraction. I believe that phf and php and the others should be
Christey> distinguished. However, it might be better to change the description
Christey> to say "CGI phf program allows remote command execution via shell
Christey> metacharacters."
=================================
Candidate: CAN-1999-0081
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-rnfr
wu-ftp allows files to be overwritten via the rnfr command.
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0082
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ftp-cwd
Reference: FarmerVenema:Improving the Security of Your Site by Breaking Into it
CWD ~root command in ftpd allows root access.
Modifications:
DESC reword
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(2) Shostack, Prosser
COMMENTS:
Shostack> 'in ftpD allows root access'
Prosser> Dan Farmer and Wietse Venema covered this vulnerability as
Prosser> well in their guide "Improving the Security of Your Site by Breaking
Prosser> Into it"
=================================
Candidate: CAN-1999-0083
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:cwdleak
getcwd() file descriptor leak in FTP
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0097
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: ERS:ERS-SVA-E01-1997:009.1
Reference: XF:ibm-ftp
The AIX FTP client can be forced to execute commands from a malicious
server through shell metacharacters (e.g. a pipe character).
Modifications:
ADDREF XF:ibm-ftp
DESC slight change
VOTES:
ACCEPT(2) Shostack, Northcutt
MODIFY(2) Frech, Prosser
COMMENTS:
Northcutt> Per 97, general issue of mishandling metachars is a lot
Northcutt> like my comment about CGI-BINs (not just PHF) [Someone]
Northcutt> recently did a content search for about
Northcutt> CGI-BIN and /etc/passwd and found about 10 CGI programs
Northcutt> that someone attempted to exploit... However we resolve the
Northcutt> CGI-BIN bit, we ought to consider applying the same logic to
Northcutt> candidates like 97.
Frech> Reference: XF:ibm-ftp
Prosser> Concur with Adam's modification
=================================
Candidate: CAN-1999-0099
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog
Buffer overflow in syslog utility allows local or remote attackers to
gain root privileges.
Modifications:
DESC could be through other mailers besides Sendmail
DESC applies to syslog period, not just mail servers
VOTES:
ACCEPT(3) Frech, Northcutt, Landfield
MODIFY(1) Shostack
COMMENTS:
Shostack> Anything that passes bad data to syslog might be used to proxy this,
Shostack> not just mail servers.
=================================
Candidate: CAN-1999-0120
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.06.utmp.vulnerability
Reference: XF:utmp-write
Sun/Solaris utmp file allows local users to gain root access if it
is writable by users other than root.
VOTES:
ACCEPT(5) Northcutt, Shostack, Prosser, Baker, Frech
COMMENTS:
Shostack> |
=================================
Candidate: CAN-1999-0128
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping
Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.
Modifications:
ADDREF XF:ping-death
COMMENT Andre's other suggested ref's were for a buffer overflow
COMMENT in the ping program, which is a different vulnerability.
DESC slight wording change to identify this as Ping o' Death *only*
VOTES:
ACCEPT(4) Frech, Shostack, Northcutt, Landfield
=================================
Candidate: CAN-1999-0132
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990621-01
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:expreserve
Reference: CERT:CA-96.19.expreserve
Expreserve, used in vi and ex, allows local users to overwrite
arbitrary files and gain root access.
Modifications:
ADDREF XF:expreserve
VOTES:
ACCEPT(4) Frech, Shostack, Northcutt, Landfield
=================================
Candidate: CAN-1999-0185
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00156
Reference: XF:sun-ftpd/logind
In SunOS or Solaris, a remote user could connect from an FTP server's
data port to an rlogin server on a host that trusts the FTP server,
allowing remote command execution.
Modifications:
DESC wording change
ADDREF XF:sun-ftpd/logind
VOTES:
ACCEPT(2) Northcutt, Prosser
MODIFY(1) Frech
COMMENTS:
Frech> Also reported as vulnerable on SunOS, which is similar, but different.
Frech> Reference: XF:sun-ftpd/logind
=================================
Candidate: CAN-1999-0190
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SUN:00167
Reference: XF:sun-rpcbind
Solaris rpcbind can be exploited to overwrite arbitrary files and gain
root access.
Modifications:
ADDREF XF:sun-rpcbind
VOTES:
ACCEPT(1) Northcutt
MODIFY(2) Frech, Prosser
COMMENTS:
Frech> Reference: XF:sun-rpcbind
Prosser> The way rpcbind handles indirect calls is vulnerable in this advisory.
Prosser> As there are lots of rpcbind problems, maybe should be more specific?
=================================
Candidate: CAN-1999-0208
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-02
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul
rpc.ypupdated (NIS) allows remote users to execute arbitrary commands.
Modifications:
ADDREF XF:rpc-update
DESC change to present tense
VOTES:
ACCEPT(3) Shostack, Northcutt, Landfield
MODIFY(1) Frech
COMMENTS:
Frech> "allows remote users..." since this vuln's context pertains to
Frech> when the service was vulnerable.
=================================
Candidate: CAN-1999-0228
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567
Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.
Modifications:
ADDREF MSKB:Q162567
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> this is a 100% CPU utilization through the rpc port 135
Prosser> on an NT box. Source is Microsoft Knowledge Base article Q162567
=================================
Candidate: CAN-1999-0252
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:smtp-listserv
Buffer overflow in listserv allows arbitrary command execution.
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0294
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-wins-snmp2
All records in a WINS database can be deleted through SNMP for
a denial of service.
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0295
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sun-sysdef
Reference: SUN:00157
Solaris sysdef command allows local users to read kernel memory,
potentially leading to root privileges.
VOTES:
ACCEPT(5) Northcutt, Shostack, Prosser, Baker, Frech
COMMENTS:
Prosser> reference though should be Sun Security Bulletin 00157
=================================
Candidate: CAN-1999-0303
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bnu-uucpd-bo
Reference: RSI:RSI.0002.05-18-98.BNU.UUCPD
Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.
Modifications:
ADDREF RSI:RSI.0002.05-18-98.BNU.UUCPD
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> source should be REPSEC Security Advisory
Prosser> RSI.0002.05-18-98.BNU.UUCPD
=================================
Candidate: CAN-1999-0305
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:bsd-sourceroute
Reference: OPENBSD:Feb15,1998 "IP Source Routing Problem"
BSD sysctl control does not properly restrict source routing.
Modifications:
ADDREF OPENBSD:Feb15,1998
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> reference: OpenBSD Security Advisory February 15, 1998 IP
Prosser> Source Routing Problem
=================================
Candidate: CAN-1999-0308
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9410-018
Reference: XF:hpux-gwind-overwrite
Reference: CIAC:H-03: HP-UX suid Vulnerabilities
HP-UX gwind program allows users to modify arbitrary files.
Modifications:
ADDREF HP:HPSBUX9410-018
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> add source HP Security Bulletin HPSBUX9410-018
=================================
Candidate: CAN-1999-0310
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:ssh-1225
SSH 1.2.25 on HP-UX allows access to new user accounts.
VOTES:
ACCEPT(4) Northcutt, Prosser, Baker, Frech
NOOP(1) Shostack
=================================
Candidate: CAN-1999-0311
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hpux-fpkg2swpk
Reference: HP:HPSBUX9612-042
fpkg2swpk in HP-UX allows local users to gain root access.
Modifications:
ADDREF HP:HPSBUX9612-042
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> add source: HP Security Advisory HPSBUX9612-042
=================================
Candidate: CAN-1999-0312
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nis-ypbind
Reference: CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability
HP ypbind allows attackers with root privileges to modify NIS data.
Modifications:
ADDREF CERT:CA-93:01.REVISED.HP.NIS.ypbind.vulnerability
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> Source is an older CERT Bulletin CA-93.1, Revised
Prosser> Hewlett-Packard NIS ypbind Vulnerability
=================================
Candidate: CAN-1999-0313
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-disk-bandwidth
Reference: SGI:19980701-01-P
IRIX disk_bandwidth program allows local users to gain root access
using relative pathnames.
Modifications:
ADDREF SGI:19980701-01-P
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> Source is SGI Security Advisory 19980701-01-P
=================================
Candidate: CAN-1999-0314
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:sgi-ioconfig
Reference: SGI:19980701-01-P
IRIX ioconfig program allows local users to gain root access
using relative pathnames.
Modifications:
ADDREF SGI:19980701-01-P
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> Source is SGI Security Advisory 19980701-01-P
=================================
Candidate: CAN-1999-0316
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:linux-splitvt
Reference: CIAC:G-08
Buffer overflow in Linux splitvt command gives root access to local
users.
Modifications:
ADDREF CIAC:G-08
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> Source is CIAC Bulletin G-08
=================================
Candidate: CAN-1999-0324
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: HP:HPSBUX9702-053
Reference: CIAC:H-31
Reference: XF:hp-ppllog
ppl program in HP-UX allows local users to create root files through
symlinks.
Modifications:
ADDREF CIAC:H-31
ADDREF HP:HPSBUX9702-053
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> reference CIAC Bulletin H-31, HP Security Bulletin
Prosser> HPSBUX9702-053
=================================
Candidate: CAN-1999-0325
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:hp-vhe
Reference: HP:HPSBUX9406-013
vhe_u_mnt program in HP-UX allows local users to create root files through
symlinks.
Modifications:
ADDREF HP:HPSBUX9406-013
VOTES:
ACCEPT(3) Northcutt, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Shostack
COMMENTS:
Prosser> reference: HPSBUX9406-013
=================================
Candidate: CAN-1999-0328
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: SGI:19971103-01-PX
Reference: XF:sgi-permtool
SGI permissions program allows local users to gain root privileges.
Modifications:
ADDREF XF:sgi-permtool
VOTES:
ACCEPT(1) Northcutt
MODIFY(2) Shostack, Frech
COMMENTS:
Shostack> include a path to /usr/bin/permissions to clarify that it is a
Shostack> program.
Frech> Reference: XF:sgi-permtool
=================================
Candidate: CAN-1999-0332
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346
Buffer overflow in NetMeeting allows denial of service and remote
command execution.
Modifications:
ADDREF MSKB:Q184346
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
NOOP(1) Christey
COMMENTS:
Shostack> All BOs can be dos attacks. When should or should not that be listed?
Prosser> reference:
Prosser> www.microsoft.com/windows/ie/security/netmbuff.asp, Knowledgebase
Prosser> Q184346
Christey> The DoS (a crash) occurs before the exploit, so both cases
Christey> should be listed here.
=================================
Candidate: CAN-1999-0340
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: KSRT:005
Reference: XF:linux-crond
Buffer overflow in Linux Slackware crond program allows local users
to gain root access.
Modifications:
ADDREF KSRT:005
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
COMMENTS:
Prosser> advisory comes from KSRT, KSR[T] Advisory #005
Prosser> Date: Dec 6, 1997
=================================
Candidate: CAN-1999-0341
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: KSRT:006
Reference: XF:linux-deliver
Buffer overflow in the Linux mail program "deliver" allows local users
to gain root access.
Modifications:
ADDREF KSRT:006
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
COMMENTS:
Prosser> advisory comes from KSRT, Advisory #006
Prosser> Date: Jan 14, 1998
=================================
Candidate: CAN-1999-0342
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
Reference: XF:linux-pam-passwd-tmprace
Linux PAM modules allow local users to gain root access using
temporary files.
Modifications:
ADDREF REDHAT:http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> one source from Bugtraq, another from
Prosser> http://www.redhat.com/corp/support/errata/rh42-errata-general.html#pam
=================================
Candidate: CAN-1999-0344
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MS:MS98-009
Reference: MSKB:Q190288
Reference: XF:nt-priv-fix
NT users can gain debug-level access on a system process using the
Sechole exploit.
Modifications:
ADDREF MS:MS98-009
ADDREF MSKB:Q190288
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> Source: MS Bulletin ms98-009 and Microsoft Knowledge
Prosser> Base article Q190288
=================================
Candidate: CAN-1999-0357
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: BUGTRAQ:Jan25,1999
Reference: XF:win98-oshare-dos
Denial of service in Windows systems using malformed oshare packets.
Modifications:
ADDREF XF:win98-oshare-dos
VOTES:
ACCEPT(3) Northcutt, Shostack, Baker
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> XF:win98-oshare-dos
=================================
Candidate: CAN-1999-0374
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: DEBIAN:19990215
Reference: BUGTRAQ:Feb16,1999
Reference: XF:linux-cfengine-symlinks
Debian Linux cfengine package is susceptible to a symlink attack.
Modifications:
ADDREF DEBIAN:19990215
ADDREF XF:linux-cfengine-symlinks
VOTES:
ACCEPT(3) Northcutt, Shostack, Baker
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> XF:linux-cfengine-symlinks
=================================
Candidate: CAN-1999-0396
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: NETBSD:1999-001
Reference: OPENBSD:Feb17,1999
Reference: XF:netbsd-tcp-race
A race condition between the select() and accept() calls in NetBSD TCP
servers allows remote attackers to cause a denial of service.
Modifications:
ADDREF XF:netbsd-tcp-race
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(2) Shostack, Frech
COMMENTS:
Shostack> For denial of service attacks, we should distinguish between
Shostack> host availability, service, and CPU absorption DOS attacks.
Frech> Reference: XF:netbsd-tcp-race
=================================
Candidate: CAN-1999-0468
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: MS:MS99-012
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999
Internet Explorer 5.0 allows a remote server to read arbitrary files
on the client's file system using the Microsoft Scriptlet Component.
Modifications:
ADDREF MS:MS99-012
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> Source: MS bulletin ms99-012
=================================
Candidate: CAN-1999-0471
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:winroute-config
Reference: BUGTRAQ:Apr9,1999
The remote proxy server in Winroute allows a remote attacker to
reconfigure the proxy without authentication through the "cancel"
button.
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0472
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:netcache-snmp
Reference: BUGTRAQ:Apr7,1999
The SNMP default community name "public" is not properly removed in
NetApps C630 Netcache, even if the administrator tries to disable it.
Modifications:
DESC Changed NetApps to NetApp per vendor usage
VOTES:
ACCEPT(3) Northcutt, Shostack, Baker
MODIFY(1) Frech
NOOP(1) Prosser
COMMENTS:
Frech> Verify that the company's name is not correctly spelled Network Appliances.
Frech> XF Reference is ok.
=================================
Candidate: CAN-1999-0473
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CALDERA:CSSA-1999:010.0
Reference: XF:rsync-permissions
Reference: BUGTRAQ:Apr7,1999
The rsync command before rsync 2.3.1 may inadvertently change the
permissions of the client's working directory to the permissions of
the directory being transferred.
Modifications:
ADDREF CALDERA:CSSA-1999:010.0
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
MODIFY(1) Prosser
COMMENTS:
Prosser> Source: Caldera Security Advisory CSSA-1999:010.0
=================================
Candidate: CAN-1999-0474
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:icq-webserver-read
Reference: BUGTRAQ:Apr5,1999
The ICQ Webserver allows remote attackers to use .. to access
arbitrary files outside of the user's personal directory.
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0475
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: XF:procmail-race
Reference: BUGTRAQ:Apr5,1999
A race condition in how procmail handles .procmailrc files allows
a local user to read arbitrary files available to the user who is
running procmail.
VOTES:
ACCEPT(4) Northcutt, Shostack, Baker, Frech
NOOP(1) Prosser
=================================
Candidate: CAN-1999-0485
Published:
Final-Decision: 19990827
Interim-Decision: 19990823
Modified: 19990821-01
Proposed: 19990617
Assigned: 19990607
Category: SF
Reference: OPENBSD:Feb19,1999
Reference: XF:openbsd-ipintr-race
Remote attackers can cause a system crash through ipintr() in ipq in
OpenBSD.
Modifications:
ADDREF XF:openbsd-ipintr-race
DESC change DoS to system crash
VOTES:
ACCEPT(2) Northcutt, Hill
MODIFY(2) Shostack, Frech
COMMENTS:
Shostack> For denial of service attacks, we should distinguish between
Shostack> host availability, service, and CPU absorption DOS attacks.
Frech> Reference: XF:openbsd-ipintr-race