SecurityFocus Microsoft Newsletter #250

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 08/03/05

    Date: Wed, 3 Aug 2005 07:39:53 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>

    SecurityFocus Microsoft Newsletter #250
    ----------------------------------------

    This Issue is Sponsored By: CrossTec

    NetOp Desktop Firewall & Policy Server lets you centrally manage which
    applications can run on your enterprise PCs. NetOp's tiny driver-centric
    design prevents unauthorized programs and processes, including viruses,
    keyloggers, spyware and more from executing -- without slowing down your
    systems. The future of endpoint protection is available today. Try it FREE.

    http://www.securityfocus.com/sponsor/CrossTec_sf-news_050726

    ------------------------------------------------------------------
    I. FRONT AND CENTER
           1. CardSystems made its choices clear
           2. The CardSystems blame game
    II. MICROSOFT VULNERABILITY SUMMARY
           1. GoodTech SMTP Server RCPT TO Multiple Remote Buffer Overflow
    Vulnerabilities
           2. Sophos Anti-Virus Library Unspecified Remote Heap Overflow
    Vulnerability
           3. Vim ModeLines Further Variant Arbitrary Command Execution
    Vulnerability
           4. Microsoft Windows Unspecified USB Driver Buffer Overflow Vulnerability
           5. Ares Fileshare Remote Buffer Overflow Vulnerability
           6. FTPShell Server Denial of Service Vulnerability
           7. Hosting Controller Unauthorized Access Vulnerability
           8. Novell GroupWise Client Remote Buffer Overflow Vulnerability
           9. Opera Web Browser Content-Disposition Header Download Dialog File
    Extension Spoofing Vulnerability
           10. PHPList Admin Page SQL Injection Vulnerability
           11. Opera Web Browser Image Dragging Cross-Domain Scripting and File
    Retrieval Vulnerability
           12. LibTiff Tiff Image Header Divide By Zero Denial of Service
    Vulnerability
           13. Novell eDirectory NMAS Authentication Bypass Vulnerability
           14. Metasploit Framework Unspecified Remote Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
           1. SecurityFocus Microsoft Newsletter #249
    IV. UNSUBSCRIBE INSTRUCTIONS
    V. SPONSOR INFORMATION

    I. FRONT AND CENTER
    ---------------------
    1. CardSystems made its choices clear
    By Daniel Hanson
    The last thing that many of us need is another example where a situation needs
    to be solved by ill-conceived legislation that is proposed and passed in the
    heat of something big.
    http://www.securityfocus.com/columnists/343

    2. The CardSystems blame game
    By Mark Rasch
    On July 21, 2005, the United States House of Representatives Committee on
    Financial Services, Subcommittee on Oversight held a hearing on "Credit Card
    Data Processing: How Secure Is It?"
    http://www.securityfocus.com/columnists/344

    II. MICROSOFT VULNERABILITY SUMMARY
    ------------------------------------
    1. GoodTech SMTP Server RCPT TO Multiple Remote Buffer Overflow Vulnerabilities
    BugTraq ID: 14357
    Remote: Yes
    Date Published: 2005-07-23
    Relevant URL: http://www.securityfocus.com/bid/14357
    Summary:
    GoodTech SMTP Server is susceptible to two remote buffer overflow
    vulnerabilities when handling RCPT TO commands. This issue is due to a failure
    of the application to properly bounds check user-supplied data prior to copying
    it to fixed size memory buffers.

    These vulnerabilities allow remote attackers to execute arbitrary machine code
    with System level privileges in the context of the affected application.

    2. Sophos Anti-Virus Library Unspecified Remote Heap Overflow Vulnerability
    BugTraq ID: 14362
    Remote: Yes
    Date Published: 2005-07-25
    Relevant URL: http://www.securityfocus.com/bid/14362
    Summary:
    An unspecified remote heap overflow vulnerability exists in Sophos Anti-Virus
    Library. This issue is due to a failure of the library to properly bounds check
    user-supplied input prior to copying data to an internal memory buffer.

    No further information is known at this time. This BID will be updated as
    further information becomes available.

    3. Vim ModeLines Further Variant Arbitrary Command Execution Vulnerability
    BugTraq ID: 14374
    Remote: Yes
    Date Published: 2005-07-25
    Relevant URL: http://www.securityfocus.com/bid/14374
    Summary:
    Vim is susceptible to an arbitrary command execution vulnerability with
    ModeLines. This issue is due to insufficient sanitization of user-supplied
    input.

    By modifying a text file to include ModeLines containing the 'glob()', or
    'expand()' functions with shell metacharacters, attackers may cause arbitrary
    commands to be executed.

    This vulnerability allows an attacker to execute arbitrary commands with the
    privileges of the vim user. This gives an attacker the ability to gain remote
    access to computers running the vulnerable software.

    This issue is similar to BIDs 6384 and 11941.

    4. Microsoft Windows Unspecified USB Driver Buffer Overflow Vulnerability
    BugTraq ID: 14376
    Remote: No
    Date Published: 2005-07-25
    Relevant URL: http://www.securityfocus.com/bid/14376
    Summary:
    An unspecified buffer overflow vulnerability affects USB drivers in Microsoft
    Windows operating systems. This issue is due to a failure of the affected
    driver to properly bounds check input provided by USB devices.

    This issue presents itself when USB devices are attached to computers running
    affected device drivers. Upon insertion, the operating system automatically
    loads the appropriate device driver to handle the new hardware. By maliciously
    altering the data returned to the operating system, it is possible to overflow
    memory used in the affected USB device driver.

    The information currently available is insufficient to provide a more in-depth
    technical description. This BID will be updated as more details become
    available.

    An attacker may leverage this issue to execute arbitrary machine code with
    System privileges on affected computers, or cause the affected computer to
    crash. This would occur by attaching a malicious USB device to affected
    computers, without the need for an account on the computer.

    5. Ares Fileshare Remote Buffer Overflow Vulnerability
    BugTraq ID: 14377
    Remote: Yes
    Date Published: 2005-07-25
    Relevant URL: http://www.securityfocus.com/bid/14377
    Summary:
    Ares Fileshare is affected by a remote buffer overflow vulnerability.

    This vulnerability arises when the application handles long search strings.

    A successful attack can result in memory corruption leading to arbitrary code
    execution in the context of the user running the application.

    Ares FileShare 1.1 is affected by this vulnerability.

    6. FTPShell Server Denial of Service Vulnerability
    BugTraq ID: 14382
    Remote: Yes
    Date Published: 2005-07-26
    Relevant URL: http://www.securityfocus.com/bid/14382
    Summary:
    FTPshell server is prone to a denial of service vulnerability. This issue is
    due to a failure in the application to handle exceptional conditions.

    The problem presents itself when an attacker opens and closes, without using
    the 'quit' command, a connection to the application multiple times. This will
    cause the application to terminate. An attacker can exploit this vulnerability
    to deny service to legitimate users.

    7. Hosting Controller Unauthorized Access Vulnerability
    BugTraq ID: 14393
    Remote: Yes
    Date Published: 2005-07-26
    Relevant URL: http://www.securityfocus.com/bid/14393
    Summary:
    Hosting Controller is prone to an unauthorized access vulnerability.

    An attacker can manipulate the application to navigate beyond their folder and
    view the folders for all resellers and Web admin utilizing this instance of the
    Hosting Controller application. This would result in information disclosure
    and a loss of confidentiality. Information obtained may also aid in further
    attacks.

    8. Novell GroupWise Client Remote Buffer Overflow Vulnerability
    BugTraq ID: 14398
    Remote: Yes
    Date Published: 2005-07-27
    Relevant URL: http://www.securityfocus.com/bid/14398
    Summary:
    Novell GroupWise Client is affected by a remote buffer overflow vulnerability.

    Specifically, this vulnerability arises when a user attempts to log in to a
    GroupWise post office that contains a malicious 'GWVW02??.INI' file.

    This can facilitate unauthorized access in the context of the user.

    This issue affects all versions of Novell GroupWise 6.5 client dated prior to
    July 15, 2005.

    9. Opera Web Browser Content-Disposition Header Download Dialog File Extension
    Spoofing Vulnerability
    BugTraq ID: 14402
    Remote: Yes
    Date Published: 2005-07-28
    Relevant URL: http://www.securityfocus.com/bid/14402
    Summary:
    Opera Web Browser is prone to a vulnerability that can allow remote attackers
    to spoof file extensions through the download dialog.

    An attacker may exploit this issue by crafting a malformed HTTP
    'Content-Disposition' header that spoofs file extensions to trick vulnerable
    users into opening and executing a malicious file.

    Opera Web Browser versions prior to 8.02 are affected by this issue.

    10. PHPList Admin Page SQL Injection Vulnerability
    BugTraq ID: 14403
    Remote: Yes
    Date Published: 2005-07-28
    Relevant URL: http://www.securityfocus.com/bid/14403
    Summary:
    PHPList is prone to an SQL injection vulnerability. This issue is due to a
    failure in the application to properly sanitize user-supplied data before using
    it in an SQL query.

    Successful exploitation could result in a compromise of the application,
    disclosure or modification of data, or may permit an attacker to exploit
    vulnerabilities in the underlying database implementation.

    11. Opera Web Browser Image Dragging Cross-Domain Scripting and File Retrieval
    Vulnerability
    BugTraq ID: 14410
    Remote: Yes
    Date Published: 2005-07-28
    Relevant URL: http://www.securityfocus.com/bid/14410
    Summary:
    Opera Web Browser is prone to a vulnerability that may allow an attacker to
    carry out cross-domain scripting attacks and retrieve files from the local
    computer.

    Opera Web Browser versions prior to 8.02 are affected by this issue.

    12. LibTiff Tiff Image Header Divide By Zero Denial of Service Vulnerability
    BugTraq ID: 14417
    Remote: Yes
    Date Published: 2005-07-29
    Relevant URL: http://www.securityfocus.com/bid/14417
    Summary:
    LibTIFF is affected by a vulnerability that may cause a denial of service in
    applications utilizing the library. This issue is due to a failure in the
    library to sufficiently validate specific header values.

    An attacker can exploit this vulnerability to cause a denial of service, or
    loss of data in applications utilizing the affected library.

    This issue is known to affect the CUPS printing system and the Evolution email
    client; other applications using the LibTIFF library may also be affected.

    This issue may be related to BID 12874 - ImageMagick TIFF Image File
    Unspecified Denial Of Service Vulnerability.

    13. Novell eDirectory NMAS Authentication Bypass Vulnerability
    BugTraq ID: 14419
    Remote: Yes
    Date Published: 2005-07-29
    Relevant URL: http://www.securityfocus.com/bid/14419
    Summary:
    Novell eDirectory is prone to an issue that could result in unauthorized access
    to a user's account.

    An unauthorized attacker can change a user's password because the application
    fails to verify responses to challenge questions.

    eDirectory NMAS versions prior to 2.3.8 are affected.

    14. Metasploit Framework Unspecified Remote Vulnerability
    BugTraq ID: 14431
    Remote: Yes
    Date Published: 2005-07-30
    Relevant URL: http://www.securityfocus.com/bid/14431
    Summary:
    Metasploit Framework is prone to an unspecified vulnerability. This issue
    allows remote attackers to compromise the computer of users using the affected
    application.

    This vulnerability is likely exploited by returning malicious data to the
    application in unknown network connections, causing arbitrary code to be
    executed in the context of the scanning application.

    UPDATE: This BID has been retired as it has been determined that the issue is
    not a vulnerability. Additional information has been provided that states the
    issue is due to insufficient filtering of potentially malicious terminal escape
    sequences when logging external input. These escape sequences are not
    interpreted at any point by the application, and only pose a threat if rendered
    with an external viewer within a terminal emulator program that will interpret
    them. In that instance, this presents a security vulnerability in the terminal
    emulator program. As Metasploit does not interpret the malicious input itself,
    it is not within the scope of the application to filter this type of input.
    This is not a vulnerability in Metasploit since it does not impact security
    properties of the application itself.
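    The escape-sequence logging issue above is a general one for any tool that writes
    data returned by remote hosts into log files later viewed in a terminal. The
    following is an added example, not code from the newsletter or from Metasploit,
    of the defensive side: detecting escape sequences in untrusted input and
    neutralising them before logging. All names (find_escape_sequences,
    sanitize_for_log, log_record) and the sample banner are constructed for the
    example.

```python
import re

# Constructed sample of "external input" as a remote service might return it:
# an OSC title-set sequence, a CSI clear-screen, and a colour change. Harmless
# to a parser, but a terminal emulator rendering the raw log would act on it.
SAMPLE_BANNER = ("220 mail.example.test ESMTP"
                 "\x1b]0;pwned\x07\x1b[2J\x1b[31mready\x1b[0m")

# CSI: ESC '[' parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, final 0x40-0x7E
_CSI = r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
# OSC: ESC ']' ... terminated by BEL or by ST (ESC '\')
_OSC = r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
# Any other ESC sequence: ESC, optional intermediates, one final byte
_ESC_OTHER = r"\x1b[\x20-\x2f]*[\x30-\x7e]"
ESCAPE_SEQ = re.compile(f"(?:{_CSI}|{_OSC}|{_ESC_OTHER})")

# Every C0 control (incl. ESC, BEL, CR/LF), DEL and the C1 range (0x80-0x9F,
# where the 8-bit CSI 0x9B lives). Removing these neutralises all sequences
# above and also blocks newline-based log forging, since a record is one line.
CONTROL_CHAR = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def find_escape_sequences(text: str) -> list:
    """Detection: return the escape sequences present in untrusted text."""
    return ESCAPE_SEQ.findall(text)


def sanitize_for_log(text: str) -> str:
    """Render every control character as a visible '\\xNN' token.

    The printable remainder of each sequence (e.g. '[2J') is left as-is: with
    the ESC byte gone it is inert, and the analyst can still see what was sent.
    """
    return CONTROL_CHAR.sub(lambda m: f"\\x{ord(m.group(0)):02x}", text)


def log_record(source: str, payload: str) -> str:
    """Build a single-line log record whose payload cannot affect a terminal."""
    return f"{source} -> {sanitize_for_log(payload)}"


if __name__ == "__main__":
    # Source address is a constructed value from the documentation range.
    print("sequences found:", find_escape_sequences(SAMPLE_BANNER))
    print(log_record("203.0.113.7:25", SAMPLE_BANNER))
```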

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. SecurityFocus Microsoft Newsletter #249
    http://www.securityfocus.com/archive/88/406595

    IV. UNSUBSCRIBE INSTRUCTIONS
    -----------------------------
    To unsubscribe send an e-mail message to
    ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
    contents of the subject or message body do not matter. You will receive a
    confirmation request message to which you will have to answer. Alternatively
    you can also visit http://www.securityfocus.com/newsletters and unsubscribe via
    the website.

    If your email address has changed email listadmin@securityfocus.com and ask to
    be manually removed.

    V. SPONSOR INFORMATION
    ------------------------
    This Issue is Sponsored By: CrossTec

    NetOp Desktop Firewall & Policy Server lets you centrally manage which
    applications can run on your enterprise PCs. NetOp's tiny driver-centric
    design prevents unauthorized programs and processes, including viruses,
    keyloggers, spyware and more from executing -- without slowing down your
    systems. The future of endpoint protection is available today. Try it FREE.

    http://www.securityfocus.com/sponsor/CrossTec_sf-news_050726

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

