
[PROPOSAL] Cluster RECENT-47 - 27 candidates



The following cluster contains 27 candidates that were announced
between November 29 and December 13, 2000.

Note that the voting web site will not be updated with this cluster
until sometime Wednesday.

The candidates are listed in order of priority.  Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the associated time frame, please
send that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some MINOR detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2000-1039
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001128
Category: SF/CF/MP/SA/AN/unknown
Reference: BINDVIEW:20001130 The NAPTHA DoS vulnerabilities
Reference: URL:http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference: WIN2KSEC:20001204 NAPTHA Advisory Updated - BindView RAZOR
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0105.html
Reference: CERT:CA-2000-21
Reference: URL:http://www.cert.org/advisories/CA-2000-21.html
Reference: MS:MS00-091
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference: BID:2022
Reference: URL:http://www.securityfocus.com/bid/2022

Various TCP/IP stacks and network applications allow remote attackers
to cause a denial of service by flooding a target host with TCP
connection attempts and completing the TCP/IP handshake without
maintaining the connection state on the attacker host, aka the
"NAPTHA" class of vulnerabilities.  NOTE: this candidate may change
significantly as the security community discusses the technical
nature of NAPTHA and learns more about the affected applications.
This candidate is at a higher level of abstraction than is typical for
CVE.
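The mechanism described above, as an added example that is not part of the original proposal and is not BindView's tool or any vendor's stack: the attacker completes the three-way handshake and then keeps no state at all, so the entire cost lands on the target, whose established-connection table fills with peers that will never send a byte. What a listener can do about it is cap connections per source address and time out connections that completed the handshake but stayed silent. The table size, limits, addresses and timestamps below are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not BindView's tool or any vendor's stack): a listener's
 * connection table with the two controls that bound a NAPTHA-style flood, a
 * per-source cap and an idle timeout on connections that completed the
 * handshake but never sent a byte. Sizes, limits and times are assumptions. */
#define TABLE_SIZE 64

struct conn {
    int      in_use;
    uint32_t src;        /* peer address, host byte order */
    long     last_seen;  /* time of accept() or of the last byte received */
};

struct guard {
    struct conn table[TABLE_SIZE];
    int  per_src_limit;  /* simultaneous connections allowed per address */
    long idle_timeout;   /* seconds a silent connection may hold a slot */
};

void guard_init(struct guard *g, int per_src_limit, long idle_timeout)
{
    memset(g, 0, sizeof *g);
    g->per_src_limit = per_src_limit;
    g->idle_timeout = idle_timeout;
}

int guard_count(const struct guard *g)
{
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++) n += g->table[i].in_use;
    return n;
}

/* Close every connection silent for longer than idle_timeout; return how many. */
int guard_reap(struct guard *g, long now)
{
    int freed = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct conn *c = &g->table[i];
        if (c->in_use && now - c->last_seen > g->idle_timeout) { c->in_use = 0; freed++; }
    }
    return freed;
}

/* Decide whether a freshly completed handshake from `src` gets a slot.
 * Returns the slot index, or -1 if the connection should be closed at once. */
int guard_accept(struct guard *g, uint32_t src, long now)
{
    int from_src = 0, free_slot = -1;
    guard_reap(g, now);
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct conn *c = &g->table[i];
        if (c->in_use && c->src == src)
            from_src++;
        else if (!c->in_use && free_slot < 0)
            free_slot = i;
    }
    if (from_src >= g->per_src_limit || free_slot < 0)
        return -1;
    g->table[free_slot].in_use = 1;
    g->table[free_slot].src = src;
    g->table[free_slot].last_seen = now;
    return free_slot;
}

/* A real client sends data; recording it keeps the slot from being reaped. */
void guard_activity(struct guard *g, int slot, long now)
{
    if (slot >= 0 && slot < TABLE_SIZE && g->table[slot].in_use)
        g->table[slot].last_seen = now;
}

/* One address completes 100 handshakes and goes silent; the cap holds it to 8. */
int simulate_single_source_flood(void)
{
    struct guard g;
    int accepted = 0;
    guard_init(&g, 8, 30);
    for (int i = 0; i < 100; i++)
        if (guard_accept(&g, 0x0a000001u, 0) >= 0)
            accepted++;
    return accepted;
}

/* 200 addresses fill the table at t=1; by t=40 the idle timeout has released
 * every silent slot and only the client that actually sent data remains. */
int simulate_idle_reaping(void)
{
    struct guard g;
    guard_init(&g, 8, 30);
    int legit = guard_accept(&g, 0xc0a80001u, 0);   /* real client at t=0 */
    for (uint32_t s = 1; s <= 200; s++)
        guard_accept(&g, 0x0a000000u + s, 1);        /* flood at t=1 */
    guard_activity(&g, legit, 20);                   /* real client talks */
    if (guard_accept(&g, 0xc0a80002u, 25) >= 0)      /* table still full */
        return -1;
    guard_reap(&g, 40);                              /* flood idle for 39 s */
    return guard_count(&g);
}
```

The per-source cap is the weaker of the two controls: a host that keeps no state is not tied to one address, and answering handshakes from many addresses costs it no more than answering from one. The idle timeout is what bounds how long a silent connection can hold a slot, and it has to be applied to connections that are already established, not only to the half-open ones that SYN-flood defences cover.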

Analysis
----------------
ED_PRI CAN-2000-1039 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1085
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1085
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2040
Reference: URL:http://www.securityfocus.com/bid/2040

The xp_peekqueue function in Microsoft SQL Server 2000 and SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1085 1
Vendor Acknowledgement: yes advisory

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_peekqueue,
xp_printstatements, xp_proxiedmetadata, and xp_SetSQLSecurity should
be separate.  However, CD:SF-LOC is still under discussion by the
Editorial Board, so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1086
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1086
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2041
Reference: URL:http://www.securityfocus.com/bid/2041

The xp_printstatements function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1086 1
Vendor Acknowledgement: yes advisory

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_peekqueue,
xp_printstatements, xp_proxiedmetadata, and xp_SetSQLSecurity should
be separate.  However, CD:SF-LOC is still under discussion by the
Editorial Board, so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1087
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1087
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2042
Reference: URL:http://www.securityfocus.com/bid/2042

The xp_proxiedmetadata function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1087 1
Vendor Acknowledgement: yes advisory

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_peekqueue,
xp_printstatements, xp_proxiedmetadata, and xp_SetSQLSecurity should
be separate.  However, CD:SF-LOC is still under discussion by the
Editorial Board, so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1088
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1088
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 SQL Server 2000 Extended Stored Procedure Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570884410184&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2043
Reference: URL:http://www.securityfocus.com/bid/2043

The xp_SetSQLSecurity function in Microsoft SQL Server 2000 and SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1088 1
Vendor Acknowledgement: yes advisory

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_peekqueue,
xp_printstatements, xp_proxiedmetadata, and xp_SetSQLSecurity should
be separate.  However, CD:SF-LOC is still under discussion by the
Editorial Board, so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1089
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1089
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF
Reference: ATSTAKE:A120400-1
Reference: URL:http://www.stake.com/research/advisories/2000/a120400-1.txt
Reference: MS:MS00-094
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS00-094.asp
Reference: BID:2048
Reference: URL:http://www.securityfocus.com/bid/2048

Buffer overflow in Microsoft Phone Book Service allows local users to
execute arbitrary commands, aka the "Phone Book Service Buffer
Overflow" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1089 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1099
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1099
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: SUN:00199
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/199&type=0&nav=sec.sba
Reference: HP:HPSBUX0011-132
Reference: URL:http://archives.neohapsis.com/archives/hp/2000-q4/0061.html

Java Runtime Environment in Java Development Kit (JDK) 1.2.2_05 and
earlier can allow an untrusted Java class to call into a disallowed
class, which could allow an attacker to escape the Java sandbox and
conduct unauthorized activities.

Analysis
----------------
ED_PRI CAN-2000-1099 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1135
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1135
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: DEBIAN:20001130 DSA-002-1 fsh: symlink attack
Reference: URL:http://www.debian.org/security/2000/20001130

fshd (fsh daemon) in Debian Linux allows local users to overwrite
files of other users via a symlink attack.

Analysis
----------------
ED_PRI CAN-2000-1135 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1137
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1137
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: DEBIAN:20001129 DSA-001-1 ed: symlink attack
Reference: URL:http://www.debian.org/security/2000/20001129
Reference: MANDRAKE:MDKSA-2000:076
Reference: URL:http://www.linux-mandrake.com/en/security/MDKSA-2000-076.php3
Reference: REDHAT:RHSA-2000:123-01
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-123.html
Reference: BUGTRAQ:20001211 Immunix OS Security update for ed

GNU ed before 0.2-18.1 allows local users to overwrite the files of
other users via a symlink attack.
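CAN-2000-1135 (fshd) and CAN-2000-1137 (ed) above describe the same class of bug, so one added example serves both. This is not part of the original proposal and not ed's or fsh's code: the file-creation call that makes a predictable name in a shared directory exploitable, beside the O_EXCL form that refuses a planted link. The directory, names and contents are constructed; the demo builds and removes its own scratch directory under /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example (not ed's or fsh's code): the file-creation call behind a
 * /tmp symlink attack and the O_EXCL form that defeats it. The directory,
 * names and contents are constructed; the demo builds and removes its own
 * scratch directory under /tmp. */

/* Vulnerable: a predictable name opened with O_CREAT|O_TRUNC. If another user
 * planted a symlink at `path` first, open() follows it and the victim's file
 * is truncated and overwritten with this process's privileges. */
int create_unsafe(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST whenever the name
 * already exists, a symlink included, so a planted link is never followed.
 * mkstemp() applies the same flags to an unpredictable name. */
int create_safe(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;                    /* errno == EEXIST for a planted link */
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Stage the attack against one variant: a victim file, an attacker's link to
 * it under the predictable name, then the program's create() call.
 * Returns 1 if the victim's file ended up overwritten, 0 if it survived. */
static int run_variant(int (*create)(const char *, const char *))
{
    char dir[] = "/tmp/symdemo.XXXXXX";
    char victim[64], planted[64], buf[32] = {0};
    FILE *f;
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/scratch.1234", dir);
    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fputs("original", f);
    fclose(f);
    if (symlink(victim, planted) != 0)
        return -1;
    create(planted, "clobbered");
    if ((f = fopen(victim, "r")) != NULL) {
        if (!fgets(buf, sizeof buf, f))
            buf[0] = '\0';
        fclose(f);
    }
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return strcmp(buf, "clobbered") == 0;
}

int demo_unsafe_overwrites_victim(void) { return run_variant(create_unsafe); }
int demo_safe_leaves_victim_alone(void) { return run_variant(create_safe); }
```

O_CREAT|O_EXCL only answers the case where the program creates the file itself; for a file that must already exist, open it with O_NOFOLLOW and check the descriptor with fstat() rather than the path with stat(). On Linux the fs.protected_symlinks sysctl additionally refuses to follow a link in a sticky, world-writable directory unless the link's owner is the follower or the directory's owner, which blocks the classic /tmp case but not a link in a directory the attacker controls.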

Analysis
----------------
ED_PRI CAN-2000-1137 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1189
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1189
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: REDHAT:RHSA-2000:120
Reference: URL:http://www.redhat.com/support/errata/RHSA-2000-120.html

Buffer overflow in pam_localuser PAM module in Red Hat Linux 7.x and
6.x allows attackers to gain privileges.

Analysis
----------------
ED_PRI CAN-2000-1189 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1097
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1097
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001129 DoS in Sonicwall SOHO firewall
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0406.html
Reference: BUGTRAQ:20001201 FW: SonicWALL SOHO Vulnerability (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0435.html
Reference: BID:2013
Reference: URL:http://www.securityfocus.com/bid/2013

The web server for the Sonicwall SOHO firewall allows remote attackers
to cause a denial of service via a long username in the authentication
page.

Analysis
----------------
ED_PRI CAN-2000-1097 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1098
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1098
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Re: DoS in Sonicwall SOHO firewall
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0439.html
Reference: BUGTRAQ:20001201 FW: SonicWALL SOHO Vulnerability (fwd)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0435.html

The web server for the Sonicwall SOHO firewall allows remote attackers
to cause a denial of service via an empty GET or POST request.

Analysis
----------------
ED_PRI CAN-2000-1098 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1120
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97569466809056&w=2
Reference: AIXAPAR:IY08143
Reference: AIXAPAR:IY08287
Reference: BID:2033
Reference: URL:http://www.securityfocus.com/bid/2033

Buffer overflow in digest command in IBM AIX 4.3.x and earlier
allows local users to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-1120 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1081
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1081
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2030
Reference: URL:http://www.securityfocus.com/bid/2030

The xp_displayparamstmt function in SQL Server and Microsoft SQL
Server Desktop Engine (MSDE) does not properly restrict the length of
a buffer before calling the srv_paraminfo function in the SQL Server
API for Extended Stored Procedures (XP), which allows an attacker to
cause a denial of service or execute arbitrary commands, aka the
"Extended Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1081 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_displayparamstmt,
xp_enumresultset, xp_showcolv, and xp_updatecolvbm should be separate.
However, CD:SF-LOC is still under discussion by the Editorial Board,
so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1082
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2031
Reference: URL:http://www.securityfocus.com/bid/2031

The xp_enumresultset function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1082 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_displayparamstmt,
xp_enumresultset, xp_showcolv, and xp_updatecolvbm should be separate.
However, CD:SF-LOC is still under discussion by the Editorial Board,
so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1083
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1083
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2038
Reference: URL:http://www.securityfocus.com/bid/2038

The xp_showcolv function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1083 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_displayparamstmt,
xp_enumresultset, xp_showcolv, and xp_updatecolvbm should be separate.
However, CD:SF-LOC is still under discussion by the Editorial Board,
so these may be MERGED together.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1084
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1084
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001201
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:20001201 Microsoft SQL Server extended stored procedure vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97570878710037&w=2
Reference: MS:MS00-092
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
Reference: BID:2039
Reference: URL:http://www.securityfocus.com/bid/2039

The xp_updatecolvbm function in SQL Server and Microsoft SQL Server
Desktop Engine (MSDE) does not properly restrict the length of a
buffer before calling the srv_paraminfo function in the SQL Server API
for Extended Stored Procedures (XP), which allows an attacker to cause
a denial of service or execute arbitrary commands, aka the "Extended
Stored Procedure Parameter Parsing" vulnerability.

Analysis
----------------
ED_PRI CAN-2000-1084 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

ABSTRACTION:

CD:SF-LOC suggests having separate items, one for each buffer overflow
in each separate "line of code."  Thus xp_displayparamstmt,
xp_enumresultset, xp_showcolv, and xp_updatecolvbm should be separate.
However, CD:SF-LOC is still under discussion by the Editorial Board,
so these may be MERGED together.
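The eight MS00-092 candidates in this cluster (CAN-2000-1081 through CAN-2000-1088) share one defect, so one added example covers them all. It is not part of the original proposal and not Microsoft's code: a stand-in for srv_paraminfo() that follows the length contract the candidates describe, a handler that hands it a fixed stack buffer, and a handler that asks for the length first. The SRV_PROC layout, the type code, the 32-byte buffer and the inputs are constructed assumptions; the real ODS signature and handle are simplified.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Microsoft's code): a stand-in for the ODS call
 * srv_paraminfo() plus two extended-stored-procedure handlers, one using the
 * fixed-buffer pattern the MS00-092 candidates describe and one that sizes
 * its buffer from the length the API reports. The handle type, signature and
 * type code are simplified; only the length contract matters here. */

typedef struct {
    const unsigned char *data;   /* parameter bytes as sent by the client */
    uint32_t len;
} SRV_PROC;                      /* stand-in for the opaque ODS handle */

/* Stand-in srv_paraminfo(): *actlen always receives the true parameter
 * length; with a non-NULL pbData the whole parameter is copied into the
 * caller's buffer, *maxlen notwithstanding, which is the behaviour the
 * candidates' overflows depend on. A NULL pbData is a pure length query. */
int srv_paraminfo(SRV_PROC *sp, int n, uint8_t *type, uint32_t *maxlen,
                  uint32_t *actlen, unsigned char *pbData, int *isnull)
{
    (void)n; (void)maxlen;
    *type = 0x27;                        /* illustrative varchar type code */
    *isnull = (sp->len == 0);
    *actlen = sp->len;
    if (pbData)
        memcpy(pbData, sp->data, sp->len);
    return 1;
}

/* Stands in for the handler's stack frame: a fixed buffer followed by a value
 * an overrun clobbers (a saved return address in the real frame). The slack
 * keeps the demo overrun inside this object, so it is observable rather than
 * undefined behaviour. */
struct frame {
    unsigned char buf[32];
    uint32_t      canary;
    unsigned char slack[220];
};
#define CANARY 0xdeadbeefu

/* Vulnerable pattern: fixed-size buffer, parameter length never consulted.
 * Returns 1 if the frame survived, 0 if the parameter overran the buffer. */
int xp_fixed_buffer(SRV_PROC *sp)
{
    struct frame f;
    uint8_t type; uint32_t maxlen = sizeof f.buf, actlen; int isnull;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    srv_paraminfo(sp, 1, &type, &maxlen, &actlen, (unsigned char *)&f, &isnull);
    return f.canary == CANARY;
}

/* Hardened pattern: query the length first, enforce a policy limit, allocate
 * exactly that much, then copy. Returns bytes received, or -1 if refused. */
long xp_length_checked(SRV_PROC *sp, uint32_t limit)
{
    uint8_t type; uint32_t maxlen = 0, actlen; int isnull;
    unsigned char *buf;
    srv_paraminfo(sp, 1, &type, &maxlen, &actlen, NULL, &isnull);
    if (isnull)
        return 0;
    if (actlen > limit)
        return -1;
    buf = malloc((size_t)actlen + 1);
    if (!buf)
        return -1;
    maxlen = actlen;
    srv_paraminfo(sp, 1, &type, &maxlen, &actlen, buf, &isnull);
    buf[actlen] = '\0';                  /* safe to treat as a string now */
    free(buf);
    return (long)actlen;
}

/* Constructed inputs: a normal statement and a 48-byte run of 'A'. */
static SRV_PROC short_param(void)
{
    SRV_PROC sp = { (const unsigned char *)"SELECT 1", 8 };
    return sp;
}
static unsigned char long_bytes[48];
static SRV_PROC long_param(void)
{
    memset(long_bytes, 'A', sizeof long_bytes);
    SRV_PROC sp = { long_bytes, sizeof long_bytes };
    return sp;
}

int  demo_short_param_fits(void)    { SRV_PROC sp = short_param(); return xp_fixed_buffer(&sp); }
int  demo_long_param_overruns(void) { SRV_PROC sp = long_param();  return xp_fixed_buffer(&sp); }
long demo_hardened_accepts(void)    { SRV_PROC sp = long_param();  return xp_length_checked(&sp, 1024); }
long demo_hardened_refuses(void)    { SRV_PROC sp = long_param();  return xp_length_checked(&sp, 32); }
```

The hardened handler's first call passes a NULL data pointer so that only the length comes back, and the second copies into a buffer sized from that answer. The policy limit is a separate decision: even a correctly sized heap buffer should not let a client hand an extended stored procedure an unbounded amount of data per parameter.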

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1092
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1092
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001211
Category: SF/CF/MP/SA/AN/unknown

loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote
attackers to list and read files in the EZshopper data directory by
inserting a "/" in front of the target filename in the "file"
parameter.

Analysis
----------------
ED_PRI CAN-2000-1092 3
Vendor Acknowledgement: unknown
Content Decisions: SF-EXEC, SF-LOC

ABSTRACTION:

An extremely similar problem is documented in CAN-2000-0187, but that
one is a .. directory traversal problem.  In this case, it appears
that the ".." are being filtered, but the program isn't restricting
which files in the data directory can be accessed (presumably there
are some HTML pages that *should* be loaded that are stored somewhere
in the data directory).
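The analysis above turns on the difference between filtering ".." and deciding which files may be served, so here are the two resolvers side by side as an added example that is not part of the original proposal and not EZshopper's code. The data directory path, the file names and the rule that a page is a bare name ending in ".html" are assumptions; the page does not document EZshopper's actual check beyond the ".." filter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not EZshopper's code): two ways of turning the "file"
 * parameter into a path under the data directory. The first only refuses
 * "..", the pattern the candidate describes; the second admits only a bare
 * name with an allow-listed extension. DATA_DIR and the file names are
 * assumptions for the demo. */

#define DATA_DIR "/usr/local/ezshopper/data"

/* Denylist: refuses ".." and joins everything else onto DATA_DIR.
 * "/customer.db" contains no "..", so it passes, and the leading "/" merely
 * doubles the separator: any file in the data directory is reachable.
 * Returns 0 and fills `out` on success, -1 if refused. */
int resolve_denylist(const char *file, char *out, size_t n)
{
    if (strstr(file, ".."))
        return -1;
    snprintf(out, n, "%s/%s", DATA_DIR, file);
    return 0;
}

/* Allow-list: the parameter must be a bare file name (no separators, no
 * leading dot), drawn from a small character set, and end in ".html".
 * Everything else is refused before any path is built. */
int resolve_allowlist(const char *file, char *out, size_t n)
{
    const char *ext = ".html";
    size_t len = strlen(file), elen = strlen(ext);
    if (len == 0 || len > 64 || file[0] == '.')
        return -1;
    if (len <= elen || strcmp(file + len - elen, ext) != 0)
        return -1;
    for (size_t i = 0; i < len - elen; i++) {
        unsigned char c = (unsigned char)file[i];
        if (!(isalnum(c) || c == '_' || c == '-'))
            return -1;                  /* rejects '/', '\\', '.', etc. */
    }
    snprintf(out, n, "%s/%s", DATA_DIR, file);
    return 0;
}

/* Returns 1 if the resolver hands back a path ending in `target`. */
static int reaches(int (*resolve)(const char *, char *, size_t),
                   const char *file, const char *target)
{
    char path[256];
    if (resolve(file, path, sizeof path) != 0)
        return 0;
    size_t pl = strlen(path), tl = strlen(target);
    return pl >= tl && strcmp(path + pl - tl, target) == 0;
}

int demo_denylist_discloses_data_file(void)
{
    return reaches(resolve_denylist, "/customer.db", "/customer.db");
}

int demo_allowlist_refuses_data_file(void)
{
    return reaches(resolve_allowlist, "/customer.db", "/customer.db");
}

int demo_allowlist_serves_page(void)
{
    return reaches(resolve_allowlist, "catalog.html", "/catalog.html");
}
```

The allow-list version never builds a path from anything it has not already accepted, so a leading "/", a backslash, an encoded dot or the next traversal trick has nothing to act on. Where the set of pages is small and fixed, a literal list of names is better still.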

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1093
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1093
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001212
Category: SF
Reference: ATSTAKE:A121200-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a121200-1.txt

Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote
attackers to execute arbitrary commands via a long "goim" command.

Analysis
----------------
ED_PRI CAN-2000-1093 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1094
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1094
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001212
Category: SF/CF/MP/SA/AN/unknown
Reference: ATSTAKE:A121200-1
Reference: URL:http://www.atstake.com/research/advisories/2000/a121200-1.txt

Buffer overflow in AOL Instant Messenger before 4.3.2229 allows remote
attackers to execute arbitrary commands via a "buddyicon" command with
a long "src" argument.

Analysis
----------------
ED_PRI CAN-2000-1094 3
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1100
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1100
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001130 PostACI Webmail Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-11/0433.html
Reference: BID:2029
Reference: URL:http://www.securityfocus.com/bid/2029

The default configuration for PostACI webmail system installs the
/includes/global.inc configuration file within the web root, which
allows remote attackers to read sensitive information such as database
usernames and passwords via a direct HTTP GET request.

Analysis
----------------
ED_PRI CAN-2000-1100 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1111
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1111
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001129 Windows 2000 Telnet Service DoS
Reference: URL:http://www.securityfocus.com/archive/1/147914
Reference: BID:2018
Reference: URL:http://www.securityfocus.com/bid/2018

Telnet Service for Windows 2000 Professional does not properly
terminate incomplete connection attempts, which allows remote
attackers to cause a denial of service by connecting to the server and
not providing any input.

Analysis
----------------
ED_PRI CAN-2000-1111 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1119
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1119
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97569466809056&w=2
Reference: BID:2032
Reference: URL:http://www.securityfocus.com/bid/2032

Buffer overflow in setsenv command in IBM AIX 4.3.x and earlier allows
local users to execute arbitrary commands via a long "x=" argument.

Analysis
----------------
ED_PRI CAN-2000-1119 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1121
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1121
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97569466809056&w=2
Reference: AIXAPAR:IY08143
Reference: AIXAPAR:IY08287
Reference: BID:2034
Reference: URL:http://www.securityfocus.com/bid/2034

Buffer overflow in enq command in IBM AIX 4.3.x and earlier may allow
local users to execute arbitrary commands via a long -M argument.

Analysis
----------------
ED_PRI CAN-2000-1121 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1122
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1122
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97569466809056&w=2
Reference: BID:2035
Reference: URL:http://www.securityfocus.com/bid/2035

Buffer overflow in setclock command in IBM AIX 4.3.x and earlier may
allow local users to execute arbitrary commands via a long argument.

Analysis
----------------
ED_PRI CAN-2000-1122 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1123
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1123
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97569466809056&w=2
Reference: AIXAPAR:IY12638
Reference: BID:2036
Reference: URL:http://www.securityfocus.com/bid/2036

Buffer overflow in pioout command in IBM AIX 4.3.x and earlier may
allow local users to execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2000-1123 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

======================================================
Candidate: CAN-2000-1124
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1124
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20001219
Assigned: 20001214
Category: SF
Reference: BUGTRAQ:20001201 Fixed local AIX V43 vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97569466809056&w=2
Reference: AIXAPAR:IY12638
Reference: BID:2037
Reference: URL:http://www.securityfocus.com/bid/2037

Buffer overflow in piobe command in IBM AIX 4.3.x allows local users
to gain privileges via long environment variables.

Analysis
----------------
ED_PRI CAN-2000-1124 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:

COMMENTS:

Page Last Updated or Reviewed: May 22, 2007