20 CVE Entries for Interoperability Demo
Below is a re-send of the list of 20 CVE entries for the upcoming
Interoperability Demo. As you do the mappings to your tool/database,
if you can map to a candidate and you haven't voted for it yet, please
do so. That will ensure that all 20 of these entries will have gone
through the voting process.
Thanks,
- Steve
************************************************************************
As mentioned previously, we would like to have a list of 10 Unix and
10 NT problems to support the Interoperability Demo. We'd like to
focus on two primary entries (one Unix and one NT) which will be
listed on the poster boards at the SANS booth; they can highlight the
problem and what we're doing about it.
For the primary entries, please send Dave (damann@mitre.org) and me
your "name" for these entries (advisory title, short name, tool
check/decode number, database ID, etc.)
The Unix and NT lists are provided afterward. Please review them and
verify with me and Dave Mann which ones your tool/database includes.
We want to make sure that all Interoperability Demo participants can
map to most or all of either the Unix or NT entries.
Note that some of these entries are candidates, and will require
additional votes to be accepted into the CVE.
Details of each entry/candidate are provided at the bottom.
Candidates include the voting summaries, and you are strongly
encouraged to vote on these so that we can convert them to real CVE
entries within a week or two.
********************
PRIMARY ENTRIES
********************
We want to have two examples of the different "names" that each
organization has for various CVE entries, one for Unix and one for NT.
A sample slide is included in the previous package that I sent.
UNIX
----
ToolTalk - CVE-1999-0003
- on CERT current activity list
- unknown if all/most tools check
phf - CVE-1999-0067
- all tools
- Is it still active? The Internet Auditing Project thinks so.
Windows NT
----------
There are no CVE entries available that are used by most/all
tools/databases. But there are some good candidates that can be
accepted with another vote or two.
land - CAN-1999-0016
- needs votes
- Same Codebase, so will need to be modified to use dot notation
and record all the different codebases
- all tools check for this
- current activity?
winnuke (out-of-band) - CAN-1999-0153
- one more voter would be good, but could be accepted based on 2
non-MITRE voters and tool usage
- current activity?
********************
OTHER ENTRIES
********************
Below are some *likely* entries that all or most tools/databases
include. These can round out the lists of 10 problems in combination
with the primary entries.
These lists could change based on (a) whether they are included in the
CVE (some are candidates), and (b) whether CERT can confirm that there
is activity related to these problems.
UNIX
********
1) wu-ftp site exec - CVE-1999-0080
2) POP3 buffer overflow based on qpopper - CVE-1999-0006
3) Ping o' Death - CVE-1999-0128
4) Bind problems - CAN-1999-0009, CAN-1999-0010, CAN-1999-0011
- NEED VOTES
5) U-Washington IMAP - CAN-1999-0005
- can be accepted
6) campas - CAN-1999-0146
- could be accepted with current votes
7) aglimpse - CAN-1999-0147
- could be accepted with current votes
8) IRIX wrap - CAN-1999-0149
- could be accepted with current votes
9) rlogin -froot - CAN-1999-0113
- could be accepted with current votes
10) NFS mountd logging buffer overflow - CAN-1999-0002
- needs votes
NT
********
1) RPC Locator DoS - CVE-1999-0228
2) NetMeeting buffer overflow - CVE-1999-0332
3) Sechole - CVE-1999-0344
4) Microsoft Scriptlet Component read files - CVE-1999-0468
5) GetAdmin - CAN-1999-0496
- could use one more vote
6) KnownDLLs - CAN-1999-0376
- can be ACCEPTed
7) Screen Saver privileges - CAN-1999-0382
- needs one more vote
8) BackOffice passwords in setup file - CAN-1999-0372
- needs one more vote
9) IIS FTP ls buffer overflow - CAN-1999-0349
- needs one more vote
10) NT 4.0 SP4 null hash/password - CAN-1999-0366
- needs one more vote
************ CVE ENTRIES ************
CVE version: 199908272309
----------------------
Name: CVE-1999-0003
Category: SF
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX
Created: 19990720
Execute commands as root via buffer overflow in Tooltalk database
server (rpc.ttdbserverd)
----------------------
Name: CVE-1999-0006
Category: SF
Reference: CERT:CA-98.08.qpopper_vul
Reference: SGI:19980801-01-I
Reference: AUSCERT:AA-98.01
Reference: XF:qpopper-pass-overflow
Created: 19990720
Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows
remote attackers to gain root access using a long PASS command.
----------------------
Name: CVE-1999-0067
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf
Created: 19990827
CGI phf program allows remote command execution through shell
metacharacters.
----------------------
Name: CVE-1999-0080
Category: SF
Reference: CERT:CA-95:16.wu-ftpd.vul
Reference: XF:ftp-execdotdot
Created: 19990720
wu-ftp FTP server allows root access via "site exec" command.
----------------------
Name: CVE-1999-0128
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping
Created: 19990827
Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.
----------------------
Name: CVE-1999-0228
Category: SF
Reference: XF:nt-rpc-ver
Reference: MSKB:Q162567
Created: 19990827
Denial of service in RPCSS.EXE program (RPC Locator) in Windows NT.
----------------------
Name: CVE-1999-0332
Category: SF
Reference: XF:nt-netmeeting
Reference: MSKB:Q184346
Created: 19990827
Buffer overflow in NetMeeting allows denial of service and remote
command execution.
----------------------
Name: CVE-1999-0344
Category: SF
Reference: MS:MS98-009
Reference: MSKB:Q190288
Reference: XF:nt-priv-fix
Created: 19990827
NT users can gain debug-level access on a system process using the
Sechole exploit.
----------------------
Name: CVE-1999-0468
Category: SF
Reference: MS:MS99-012
Reference: XF:ie-scriplet-fileread
Reference: BUGTRAQ:Apr9,1999
Created: 19990827
Internet Explorer 5.0 allows a remote server to read arbitrary files
on the client's file system using the Microsoft Scriptlet Component.
*********** CANDIDATE ENTRIES ***********
=================================
Candidate: CAN-1999-0002
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.12.mountd
Reference: XF:linux-mountd-bo
Buffer overflow in NFS mountd gives root access to remote attackers,
mostly in Linux systems.
VOTES:
ACCEPT(1) Frech
NOOP(1) Wall
=================================
Candidate: CAN-1999-0005
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.09.imapd
Reference: XF:imap-authenticate-bo
Reference: SUN:00177
Arbitrary command execution via IMAP buffer overflow, as in
CERT:CA-98.09.imapd.
VOTES:
ACCEPT(4) Hill, Shostack, Frech, Wall
MODIFY(1) Christey
REVIEWING(1) Northcutt
COMMENTS:
Northcutt> there are multiple similar exploits which may imply
Northcutt> multiple vulnerabilities
Christey> It's difficult to distinguish between this vulnerability and another
Christey> IMAP vulnerability via just the textual description. (The other
Christey> vulnerability is CVE-00042, not yet proposed as a candidate for some
Christey> odd reason). I had to reference the different CERT advisories to
Christey> distinguish between this candidate and CVE-00042. The X-Force
Christey> database says that "[the CVE-00042 vulnerability is in] the IMAP LOGIN
Christey> command whereas [CAN-1999-0005] affects the IMAP AUTHENTICATE
Christey> command." I propose modifying the description to say something to
Christey> this effect, though the typical analyst may still need to rely on the
Christey> references.
=================================
Candidate: CAN-1999-0009
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-bo
Reference: SUN:00180
Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0010
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Denial of Service vulnerability in BIND 8 Releases via maliciously
formatted DNS messages.
VOTES:
ACCEPT(1) Frech
=================================
Candidate: CAN-1999-0011
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.05.bind_problems
Reference: SGI:19980603-01-PX
Reference: HP:HPSBUX9808-083
Reference: XF:bind-dos
Reference: SUN:00180
Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases
via CNAME record and zone transfer.
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> Change XF reference to:
Frech> XF:bind-axfr-dos
=================================
Candidate: CAN-1999-0016
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.28.Teardrop_Land
Reference: FreeBSD:FreeBSD-SA-98:01
Reference: XF:cisco-land
Reference: XF:land
Reference: XF:95-verv-tcp
Reference: XF:land-exploit
Reference: XF:land-patch
Reference: CISCO:http://www.cisco.com/warp/public/770/land-pub.shtml
Land IP denial of service
VOTES:
MODIFY(1) Frech
COMMENTS:
Frech> XF:ver-tcpip-sys (applies to a check, not a vulnerability, and is thus not
Frech> listed on website)
Frech> XF:land-exploit (obsolete, replaced by land)
=================================
Candidate: CAN-1999-0113
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990714
Assigned: 19990607
Category: SF
Reference: CERT:CA-94.09.bin.login.vulnerability
Some implementations of rlogin would allow root access if given a
-froot parameter.
VOTES:
ACCEPT(2) Northcutt, Shostack
MODIFY(1) Frech
COMMENTS:
Frech> XF:rlogin-froot
=================================
Candidate: CAN-1999-0146
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-campas
The campas CGI program provided with some NCSA web servers allows an
attacker to read arbitrary files.
VOTES:
ACCEPT(3) Northcutt, Prosser, Frech
COMMENTS:
Prosser> additional source,
Prosser> Bugtraq
Prosser> "Francisco Torres"
Prosser> http://www.securityfocus.com
=================================
Candidate: CAN-1999-0147
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-cgi-glimpse
The aglimpse CGI program of the Glimpse package allows remote
execution of arbitrary commands
VOTES:
ACCEPT(3) Northcutt, Prosser, Frech
COMMENTS:
Prosser> additional source
Prosser> AUSCERT Alert AA-97.28
Prosser> http://www.auscert.org.au
=================================
Candidate: CAN-1999-0149
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990623
Assigned: 19990607
Category: SF
Reference: XF:http-sgi-wrap
The wrap CGI program in IRIX allows arbitrary command execution from
remote users.
VOTES:
ACCEPT(3) Northcutt, Prosser, Frech
COMMENTS:
Prosser> additional source
Prosser> SGI Security Advisory 19970501-02-PX
Prosser> http://www.sgi.com/Support/security/advisories.html
=================================
Candidate: CAN-1999-0153
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Windows 95/NT out of band (OOB) data denial of service through NETBIOS
port, aka WinNuke.
VOTES:
ACCEPT(2) Hill, Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF:win-oob
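Three of the entries on this list (Land, CAN-1999-0016; Ping o' Death, CVE-1999-0128; WinNuke, CAN-1999-0153) are pure packet-shape signatures, which is why every tool in the demo can check for them. The following is an added example, not code from this mail or from any of the tools named in it: a minimal IPv4/TCP header decoder with the three checks a scanner or IDS applies. The assumptions are the ones the entries imply (Land: SYN whose source address and port equal its destination; Ping o' Death: an ICMP fragment whose offset plus length pushes the reassembled datagram past the 65535-byte IP limit; WinNuke: a segment with the URG flag to the NetBIOS session port 139). The sample packets are constructed in the block, carry zeroed checksums, and are never sent.

```python
"""Classify raw IPv4 packets against the Land, Ping o' Death and WinNuke signatures.
Added example, not from the original mail or any tool it names; sample packets are
constructed here with zeroed checksums and are only parsed, never transmitted."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_SYN, TCP_PSH, TCP_ACK, TCP_URG = 0x02, 0x08, 0x10, 0x20
NETBIOS_SESSION_PORT = 139
MAX_IP_PAYLOAD = 65535 - 20     # largest payload a datagram may reassemble to


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for an unfragmented TCP packet, the TCP ports and flags."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    h = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "payload_len": total_len - ihl,
    }
    payload = pkt[ihl:]
    if proto == IPPROTO_TCP and h["frag_offset"] == 0 and len(payload) >= 14:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        h.update(sport=sport, dport=dport, tcp_flags=off_flags & 0x1FF)
    return h


def classify(pkt: bytes) -> list:
    """Return the names of the signatures the packet matches (empty list if none)."""
    h = parse_ipv4(pkt)
    tcp = h["proto"] == IPPROTO_TCP and "tcp_flags" in h
    hits = []
    if tcp and h["src"] == h["dst"] and h["sport"] == h["dport"] and h["tcp_flags"] & TCP_SYN:
        hits.append("land")
    # A single fragment whose offset + length exceeds the IP maximum is enough to
    # know the datagram cannot be reassembled legally; no reassembly state needed.
    if h["proto"] == IPPROTO_ICMP and h["frag_offset"] + h["payload_len"] > MAX_IP_PAYLOAD:
        hits.append("ping-of-death")
    if tcp and h["dport"] == NETBIOS_SESSION_PORT and h["tcp_flags"] & TCP_URG:
        hits.append("winnuke")
    return hits


# --- constructed sample traffic (assumed addresses, zero checksums) ----------------
def build_ipv4(src, dst, proto, payload, frag_offset=0):
    flags_frag = frag_offset // 8                       # DF and MF bits clear
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + data


SAMPLE_PACKETS = {
    "land": build_ipv4("10.0.0.1", "10.0.0.1", IPPROTO_TCP, build_tcp(80, 80, TCP_SYN)),
    "ping-of-death": build_ipv4("10.0.0.2", "10.0.0.3", IPPROTO_ICMP,
                                struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 16,
                                frag_offset=65504),      # 65504 + 24 bytes > 65515
    "winnuke": build_ipv4("10.0.0.2", "10.0.0.3", IPPROTO_TCP,
                          build_tcp(4000, NETBIOS_SESSION_PORT, TCP_ACK | TCP_PSH | TCP_URG, b"!")),
    "benign-syn": build_ipv4("10.0.0.2", "10.0.0.3", IPPROTO_TCP,
                             build_tcp(4001, NETBIOS_SESSION_PORT, TCP_SYN)),
}


def scan(packets: dict) -> dict:
    """Classify every packet in a name -> bytes map (a real detector would read a pcap)."""
    return {name: classify(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_PACKETS).items():
        print(f"{name:14s} -> {hits or ['-']}")
```

The "benign-syn" packet goes to port 139 but carries no URG flag and is not flagged, which is the check that separates WinNuke from ordinary NetBIOS traffic. The Land note above ("Same Codebase ... record all the different codebases") is why this check looks only at the packet, not at the target stack: every affected implementation is hit by the same shape.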
=================================
Candidate: CAN-1999-0349
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-003
Reference: MSKB:Q188348
Reference: BUGTRAQ:Jan27,1999
Reference: EEYE:IIS Remote FTP Exploit/DoS Attack
A buffer overflow in the FTP list (ls) command in IIS allows remote
attackers to conduct a denial of service and, in some cases, execute
arbitrary commands.
VOTES:
ACCEPT(2) Hill, Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF:iis-remote-ftp
Frech> It is extremely hard to find articles by their dates, especially
Frech> for heavily trafficked groups like *Bugtraq. Is it possible to convert them
Frech> to titles instead?
=================================
Candidate: CAN-1999-0366
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-004
Reference: MSKB:Q214840
In some cases, Service Pack 4 for Windows NT 4.0 can allow access to
network shares using a blank password, through a problem with a null
NT hash value.
VOTES:
ACCEPT(2) Hill, Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-sp4-auth-error
=================================
Candidate: CAN-1999-0372
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-005
The installer for BackOffice Server includes account names and
passwords in a setup file which is not deleted.
VOTES:
ACCEPT(1) Hill
MODIFY(2) Wall, Frech
COMMENTS:
Wall> "The installer for BackOffice Server 4.0 includes account names
Wall> and passwords in a setup file (reboot.ini) which is not deleted."
Wall> Also reference Q217004
Frech> XF:nt-backoffice-setup
=================================
Candidate: CAN-1999-0376
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-006
Reference: BUGTRAQ:Feb20,1999
Reference: L0PHT:Feb18,1999
Local users in Windows NT can obtain administrator privileges by
changing the KnownDLLs list to reference malicious programs.
VOTES:
ACCEPT(2) Hill, Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-knowndlls-list
=================================
Candidate: CAN-1999-0382
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-008
The screen saver in Windows NT does not verify that its security
context has been changed properly, allowing attackers to run programs
with elevated privileges.
VOTES:
ACCEPT(2) Hill, Wall
MODIFY(1) Frech
COMMENTS:
Frech> XF:nt-screen-saver
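The entry and candidate records above follow a fixed plain-text layout (Name: or Candidate:, the date fields, Category:, Reference: lines, a free-text description, then VOTES: and COMMENTS: for candidates), which is what participants have to map into their own tools and databases. The following is an added example, not CVE project code: a parser that turns those records into structured objects, rejoins comment lines that lost their "Author>" prefix to line wrapping, and checks that the count in "ACCEPT(4)" agrees with the voter list. SAMPLE is copied from two of the records above (CVE-1999-0067 and CAN-1999-0372); everything else is the example's own.

```python
"""Parser for the plain-text CVE entry / candidate records reproduced in this mail.
Added example, not CVE project code; SAMPLE is copied from the records above."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
CVE version: 199908272309
----------------------
Name: CVE-1999-0067
Category: SF
Reference: CERT:CA-96.06.cgi_example_code
Reference: XF:http-cgi-phf
Created: 19990827
CGI phf program allows remote command execution through shell
metacharacters.
=================================
Candidate: CAN-1999-0372
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990630
Assigned: 19990607
Category: SF
Reference: MS:MS99-005
The installer for BackOffice Server includes account names and
passwords in a setup file which is not deleted.
VOTES:
ACCEPT(1) Hill
MODIFY(2) Wall, Frech
COMMENTS:
Wall> "The installer for BackOffice Server 4.0 includes account names
Wall> and passwords in a setup file (reboot.ini) which is not deleted."
Wall> Also reference Q217004
Frech> XF:nt-backoffice-setup
"""

SEP_RE = re.compile(r"^[-=]{5,}\s*$", re.M)              # lines of ---- or ==== separate records
ID_RE = re.compile(r"^(?:Name|Candidate):\s*((?:CVE|CAN)-\d{4}-\d{4})\s*$")
DATE_RE = re.compile(r"^(Published|Final-Decision|Interim-Decision|Modified|Proposed|Assigned|Created):\s*(\S*)\s*$")
VOTE_RE = re.compile(r"^([A-Z]+)\((\d+)\)\s*(.*)$")        # e.g. "MODIFY(2) Wall, Frech"
COMMENT_RE = re.compile(r"^(\w+)>\s?(.*)$")                # e.g. "Frech> XF:nt-backoffice-setup"

@dataclass
class Record:
    id: str
    category: str = ""
    references: list = field(default_factory=list)
    description: str = ""
    dates: dict = field(default_factory=dict)     # field name -> value ("" when blank)
    votes: dict = field(default_factory=dict)     # vote -> list of voters
    comments: list = field(default_factory=list)  # (author, text) with wrapped lines rejoined

def parse_record(block):
    """Parse one record; None for a block with no Name:/Candidate: line (the version preamble)."""
    rec, section, desc = None, "header", []
    for line in block.splitlines():
        if section == "header":
            if (m := ID_RE.match(line)):
                rec = Record(id=m.group(1))
            elif rec is None:
                continue
            elif line == "VOTES:":
                section = "votes"
            elif line.startswith("Category:"):
                rec.category = line.split(":", 1)[1].strip()
            elif line.startswith("Reference:"):
                rec.references.append(line.split(":", 1)[1].strip())
            elif (m := DATE_RE.match(line)):
                rec.dates[m.group(1)] = m.group(2)
            elif line.strip():
                desc.append(line.strip())
        elif section == "votes":
            if line == "COMMENTS:":
                section = "comments"
            elif (m := VOTE_RE.match(line)):
                vote, count, names = m.groups()
                voters = [n.strip() for n in names.split(",") if n.strip()]
                if int(count) != len(voters):        # the tally must agree with the list
                    raise ValueError(f"{rec.id}: {vote}({count}) lists {len(voters)} voters")
                rec.votes[vote] = voters
        elif (m := COMMENT_RE.match(line)):
            author, text = m.groups()
            if rec.comments and rec.comments[-1][0] == author:   # same author continues
                rec.comments[-1] = (author, rec.comments[-1][1] + " " + text)
            else:
                rec.comments.append((author, text))
        elif line.strip() and rec.comments:                      # wrapped line lost its prefix
            author, text = rec.comments[-1]
            rec.comments[-1] = (author, text + " " + line.strip())
    if rec is not None:
        rec.description = " ".join(desc)
    return rec

def parse_all(text):
    return [r for r in map(parse_record, SEP_RE.split(text)) if r is not None]

def vote_tally(records):
    """Candidate id -> {vote: count}, the figure the 'needs votes' notes above refer to."""
    return {r.id: {v: len(n) for v, n in r.votes.items()}
            for r in records if r.id.startswith("CAN-")}
```

The count check matters when the votes block is hand-edited: "ACCEPT(4) Hill, Shostack, Frech, Wall" passes, but a tally that drifts from its list raises instead of silently under- or over-counting a candidate that is "one vote short". The acceptance threshold itself is deliberately not encoded, since this mail states it only informally.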