[UNIX] HylaFAX, Various Vulnerabilities Fixed
From: support@securiteam.com
Date: 07/30/02
From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 30 Jul 2002 08:41:53 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HylaFAX, Various Vulnerabilities Fixed
------------------------------------------------------------------------
SUMMARY
HylaFAX (http://www.hylafax.org/) is a mature enterprise-class
open-source software package for sending and receiving facsimiles as well
as for sending alphanumeric pages. It runs on a wide variety of UNIX-like
platforms including Linux, BSD (including Mac OS X), SunOS and Solaris,
SCO, IRIX, AIX, and HP-UX. A new version of the product has come out
fixing several security vulnerabilities that were found in the product.
DETAILS
Immune systems:
* HylaFAX version 4.1.3
iFax Solutions recently discovered that HylaFAX faxgetty in versions prior
to 4.1.3 does not check the TSI string that is received from the remote
facsimile system before it uses it in logging and elsewhere. However,
reception protocol limits the length of the TSI string to twenty
characters. Consequently, a remote sender with a specially formatted TSI
string can cause faxgetty to segmentation fault, and although it is
unlikely that this could be used to execute arbitrary commands, it does
expose an easily exploitable denial of service vulnerability.
Development discussion to eliminate this vulnerability is available at:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=300
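Added example (not part of the original advisory and not HylaFAX code): one
way to check a received TSI before it reaches logging. The function name and
the accepted character set (digits, '+', space) are assumptions made for this
illustration; the twenty-character limit is the one stated above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TSI_MAX 20  /* length limit the advisory cites for a TSI string */

/*
 * Copy an untrusted TSI into out as a NUL-terminated string that is safe to
 * log. Assumed policy (not taken from HylaFAX): keep digits, '+' and space,
 * replace every other byte (including NUL) with '?', drop anything past
 * TSI_MAX bytes, and trim trailing space padding.
 * Returns how many bytes were replaced or dropped; non-zero is worth an alert.
 */
size_t sanitize_tsi(const unsigned char *raw, size_t raw_len,
                    char out[TSI_MAX + 1])
{
    size_t n = raw_len < TSI_MAX ? raw_len : TSI_MAX;
    size_t rejected = raw_len - n;      /* bytes beyond the protocol limit */
    size_t i;

    for (i = 0; i < n; i++) {
        unsigned char c = raw[i];
        if ((c >= '0' && c <= '9') || c == '+' || c == ' ') {
            out[i] = (char)c;
        } else {
            out[i] = '?';
            rejected++;
        }
    }
    while (i > 0 && out[i - 1] == ' ')  /* padding is not part of the id */
        i--;
    out[i] = '\0';
    return rejected;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a real fax session. */
    static const char *samples[] = { "+1 555 0100   ", "%s%s%n 5550100" };
    char tsi[TSI_MAX + 1];
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        size_t bad = sanitize_tsi((const unsigned char *)samples[k],
                                  strlen(samples[k]), tsi);
        printf("tsi=\"%s\" rejected=%lu\n", tsi, (unsigned long)bad);
    }
    return 0;
}
```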
Christer Oberg reported on Bugtraq in September 2001 that HylaFAX faxrm
and faxalter had format string vulnerabilities (see
http://www.securiteam.com/unixfocus/6D0050U2UE.html). HylaFAX development
found this vulnerability to be applicable to all executables in versions
prior to 4.1.3 which accept the "-h host" option because the mentioned
user input was not checked before sending an error message to standard
error/output. These binaries include faxalter, faxrm, faxstat, sendfax,
sendpage, and faxwatch. In distributions such as FreeBSD which
independently made any of these binaries set-uid (not the HylaFAX
default), an attacker could use these vulnerabilities to gain elevated
system privileges.
Development discussion to eliminate these vulnerabilities is available at:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=202
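Added example (not part of the original advisory and not HylaFAX code): the
"-h host" error-message pattern described above, with the unsafe call shown
only as a comment next to the hardened form. report_error, last_error and
report_unknown_host are hypothetical names; the message is written to a buffer
instead of standard error so the result can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_error[256];  /* stands in for stderr in this illustration */

/*
 * Hypothetical printf-style error reporter. The format attribute lets
 * GCC/Clang type-check every caller and, with -Wformat-security, warn when
 * the format argument is not a string literal.
 */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
int report_error(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(last_error, sizeof last_error, fmt, ap);  /* bounded write */
    va_end(ap);
    return n;
}

/*
 * Unsafe pattern (comment only, never compiled):
 *     report_error(message_built_from_host);
 * Any '%' directive in the host text would be interpreted as a format.
 *
 * Hardened pattern: the format is a constant and the host is only data.
 */
const char *report_unknown_host(const char *host)
{
    report_error("%s: unknown host", host);
    return last_error;
}

int main(void)
{
    /* Constructed sample value for the "-h host" argument. */
    puts(report_unknown_host("fax%x%x%n.example"));
    return 0;
}
```

Building set-uid or network-facing binaries with -Wformat -Wformat-security
turns the commented-out pattern into a compiler warning at every call site.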
In recent testing, Lee Howard discovered that faxgetty would segfault due
to a buffer overflow after receiving a very large line of image data.
Potentially, this vulnerability could allow an attacker to maliciously
construct an exploiting faxsend mechanism to call a vulnerable host,
conceivably using the buffer overflow to execute arbitrary commands on the
host system. Since on most installations faxgetty is run as root, such
exploitation would allow the abuse of root permissions. This vulnerability
could more easily be abused for denial of service purposes.
Development discussion to eliminate this vulnerability is available at:
http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=312
Vendor status:
HylaFAX development has corrected all of the vulnerabilities described
here as well as provided numerous other bug fixes and enhancements in its
recent 4.1.3 patch level code release. All users are strongly encouraged
to upgrade. See http://www.hylafax.org/download.html to obtain 4.1.3
source code.
For users who are somehow unable to upgrade, HylaFAX CVS-based patches are
available for these vulnerabilities individually at
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=290&action=view,
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=300&action=view, and
http://bugs.hylafax.org/bugzilla/attachment.cgi?id=318&action=view
respectively.
There are no known exploits for any of the described vulnerabilities
beyond what is stated above.
ADDITIONAL INFORMATION
The information has been provided by Lee Howard <faxguy@deanox.com>.