Weekly Vulnerabilities Reports > December 23 to 29, 2002

Overview

38 new vulnerabilities reported during this period, including 10 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 40 products from 29 vendors including Apple, Microsoft, Easy Software Products, Cisco, and Oracle. Vulnerabilities are notably categorized as "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Unchecked Return Value".

  • 31 reported vulnerabilities are remotely exploitables.
  • 38 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

10 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-12-27 CVE-2002-1584 SGI
SUN
Privilege Escalation vulnerability in Sun Solaris RPC AUTH_DES

Unknown vulnerability in the AUTH_DES authentication for RPC in Solaris 2.5.1, 2.6, and 7, SGI IRIX 6.5 to 6.5.19f, and possibly other platforms, allows remote attackers to gain privileges.

10.0
2002-12-26 CVE-2002-1383 Easy Software Products
Apple
Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allow remote attackers to execute arbitrary code via (1) the CUPSd HTTP interface, as demonstrated by vanilla-coke, and (2) the image handling code in CUPS filters, as demonstrated by mksun.
10.0
2002-12-26 CVE-2002-1369 Easy Software Products
Apple
Buffer Overflow vulnerability in CUPS strncat() Function Call

jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly use the strncat function call when processing the options string, which allows remote attackers to execute arbitrary code via a buffer overflow attack.

10.0
2002-12-26 CVE-2002-1367 Easy Software Products
Apple
Remote Printer Addition vulnerability in CUPS

Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a "need authorization" page, as demonstrated by new-coke.

10.0
2002-12-23 CVE-2002-1361 SUN Unspecified vulnerability in SUN Cobalt RAQ 4

overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security Hardening Patch) installed allows remote attackers to execute arbitrary code via a POST request with shell metacharacters in the email parameter.

10.0
2002-12-23 CVE-2002-1360 Cisco
Fissh
Intersoft
Netcomposite
Pragma Systems
Putty
Winscp
Improper Input Validation vulnerability in multiple products

Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite.

10.0
2002-12-23 CVE-2002-1359 Cisco
Fissh
Intersoft
Netcomposite
Pragma Systems
Putty
Winscp
Improper Input Validation vulnerability in multiple products

Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite.

10.0
2002-12-23 CVE-2002-1358 Cisco
Fissh
Intersoft
Netcomposite
Pragma Systems
Putty
Winscp
Improper Input Validation vulnerability in multiple products

Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.

10.0
2002-12-23 CVE-2002-1357 Cisco
Fissh
Intersoft
Netcomposite
Pragma Systems
Putty
Winscp
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite.

10.0
2002-12-23 CVE-2002-1257 Microsoft Unspecified vulnerability in Microsoft products

Microsoft Virtual Machine (VM) up to and including build 5.0.3805 allows remote attackers to execute arbitrary code by including a Java applet that invokes COM (Component Object Model) objects in a web site or an HTML mail.

10.0

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-12-26 CVE-2002-1372 Apple
Debian
Unchecked Return Value vulnerability in multiple products

Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service (resource exhaustion) by causing file descriptors to be assigned and not released, as demonstrated by fanta.

7.5
2002-12-26 CVE-2002-1371 Easy Software Products
Apple
filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check for zero-length GIF images, which allows remote attackers to execute arbitrary code via modified chunk headers, as demonstrated by nogif.
7.5
2002-12-26 CVE-2002-1368 Easy Software Products
Apple
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing negative arguments to be fed into memcpy() calls via HTTP requests with (1) a negative Content-Length value or (2) a negative length in a chunked transfer encoding.
7.5
2002-12-26 CVE-2002-1363 Greg Roelofs Buffer Overflow vulnerability in LibPNG Incorrect Offset Calculation

Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers.

7.5
2002-12-26 CVE-2002-1327 Microsoft Buffer Overrun vulnerability in Microsoft Windows XP WMA/MP3 Attributes

Buffer overflow in the Windows Shell function in Microsoft Windows XP allows remote attackers to execute arbitrary code via an .MP3 or .WMA audio file with a corrupt custom attribute, aka "Unchecked Buffer in Windows Shell Could Enable System Compromise."

7.5
2002-12-26 CVE-2002-1177 Nullsoft Buffer Overrun vulnerability in Nullsoft Winamp 3.0

Multiple buffer overflows in Winamp 3.0, when displaying an MP3 in the Media Library window, allows remote attackers to execute arbitrary code via an MP3 file containing a long (1) Artist or (2) Album ID3v2 tag.

7.5
2002-12-26 CVE-2002-1176 Nullsoft Remote Security vulnerability in Nullsoft Winamp 2.81

Buffer overflow in Winamp 2.81 allows remote attackers to execute arbitrary code via a long Artist ID3v2 tag in an MP3 file.

7.5
2002-12-23 CVE-2002-1382 Macromedia SWF Buffer Overflow vulnerability in Macromedia Flash

Macromedia Flash Player before 6.0.65.0 allows remote attackers to execute arbitrary code via certain malformed data headers in Shockwave Flash file format (SWF) files, a different issue than CAN-2002-0846.

7.5
2002-12-23 CVE-2002-1376 Oracle
Symantec Veritas
Buffer Overflow vulnerability in MySQL libmysqlclient Library Read_Rows

libmysqlclient client library in MySQL 3.x to 3.23.54, and 4.x to 4.0.6, does not properly verify length fields for certain responses in the (1) read_rows or (2) read_one_row routines, which allows remote attackers to cause a denial of service and possibly execute arbitrary code.

7.5
2002-12-23 CVE-2002-1375 Oracle
Symantec Veritas
The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response.
7.5
2002-12-23 CVE-2002-1374 Oracle
Symantec Veritas
The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.
7.5
2002-12-23 CVE-2002-1365 Fetchmail Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Fetchmail

Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not account for the "@" character when determining buffer lengths for local addresses, which allows remote attackers to execute arbitrary code via a header with a large number of local addresses.

7.5
2002-12-23 CVE-2002-1350 LBL Unspecified vulnerability in LBL Tcpdump

The BGP decoding routines in tcpdump 3.6.x before 3.7 do not properly copy data, which allows remote attackers to cause a denial of service (application crash).

7.5
2002-12-23 CVE-2002-1260 Microsoft Unspecified vulnerability in Microsoft products

The Java Database Connectivity (JDBC) APIs in Microsoft Virtual Machine (VM) 5.0.3805 and earlier allow remote attackers to bypass security checks and access database contents via an untrusted Java applet.

7.5
2002-12-26 CVE-2002-1385 Open Webmail Unspecified vulnerability in Open Webmail Open Webmail

openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via ..

7.2
2002-12-23 CVE-2002-1381 University OF Cambridge Unspecified vulnerability in University of Cambridge Exim 3.35/3.36/4.10

Format string vulnerability in daemon.c for Exim 4.x through 4.10, and 3.x through 3.36, allows exim administrative users to execute arbitrary code by modifying the pid_file_path value.

7.2
2002-12-23 CVE-2002-1364 Ehud Gavron Local Buffer Overflow vulnerability in Traceroute-nanog

Buffer overflow in the get_origin function in traceroute-nanog allows attackers to execute arbitrary code via long WHOIS responses.

7.2
2002-12-23 CVE-2002-1296 SUN Local Root vulnerability in Solaris priocntl() System Call

Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.

7.2

9 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-12-26 CVE-2002-1366 Easy Software Products
Apple
Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local users with lp privileges to create or overwrite arbitrary files via file race conditions, as demonstrated by ice-cream.
6.2
2002-12-24 CVE-2002-1351 Melange Remote Buffer Overflow vulnerability in Melange Chat System 1.10

Buffer overflow in Melange Chat System 1.10 allows remote attackers to cause a denial of service (chat server crash) and possibly execute arbitrary code via the msgText buffer in the chat_InterpretData function, as demonstrated via a long Nick (nickname) request.

5.0
2002-12-23 CVE-2002-1373 Oracle Unspecified vulnerability in Oracle Mysql

Signed integer vulnerability in the COM_TABLE_DUMP package for MySQL 3.23.x before 3.23.54 allows remote attackers to cause a denial of service (crash or hang) in mysqld by causing large negative integers to be provided to a memcpy call.

5.0
2002-12-23 CVE-2002-1362 Matthew Smith Denial Of Service vulnerability in mICQ

mICQ 0.4.9 and earlier allows remote attackers to cause a denial of service (crash) via malformed ICQ message types without a 0xFE separator character.

5.0
2002-12-23 CVE-2002-1345 Ncftp Software
Openbsd
SUN
Directory traversal vulnerabilities in multiple FTP clients on UNIX systems allow remote malicious FTP servers to create or overwrite files as the client user via filenames containing /absolute/path or ..
5.0
2002-12-23 CVE-2002-1325 Microsoft Information Disclosure vulnerability in Microsoft Java Virtual Machine user.dir Access

Microsoft Virtual Machine (VM) build 5.0.3805 and earlier allows remote attackers to determine a local user's username via a Java applet that accesses the user.dir system property, aka "User.dir Exposure Vulnerability."

5.0
2002-12-23 CVE-2002-1258 Microsoft Unspecified vulnerability in Microsoft products

Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error.

5.0
2002-12-23 CVE-2002-1256 Microsoft Unspecified vulnerability in Microsoft products

The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g.

5.0
2002-12-23 CVE-2002-1377 VIM Development Group Unspecified vulnerability in VIM Development Group VIM

vim 6.0 and 6.1, and possibly other versions, allows attackers to execute arbitrary commands using the libcall feature in modelines, which are not sandboxed but may be executed when vim is used to edit a malicious file, as demonstrated using mutt.

4.6

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2002-12-23 CVE-2002-1380 Linux Local Denial of Service vulnerability in Linux Kernel 2.2 mmap()

Linux kernel 2.2.x allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface.

2.1