Weekly Vulnerabilities Reports > December 20 to 26, 2004

Overview

44 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 91 products from 46 vendors including Microsoft, Gentoo, SCO, Mandrakesoft, and Apple. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", and "SQL Injection".

  • 28 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 42 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Sybase has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-23 CVE-2004-0646 Macromedia Remote vulnerability in Macromedia Coldfusion and Jrun

Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields.

10.0
2004-12-22 CVE-2005-0441 Sybase Unspecified vulnerability in Sybase Adaptive Server Enterprise

Multiple stack-based buffer overflows in Sybase Adaptive Server Enterprise (ASE) 12.x before 12.5.3 ESD#1 allow remote authenticated users to execute arbitrary code via the (1) attrib_valid function, (2) covert function, (3) declare statement, or (4) a crafted query plan, or remote authenticated users with database owner or "sa" role privileges to execute arbitrary code via (5) a crafted install java statement.

10.0

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-23 CVE-2004-1373 Nullsoft Unspecified vulnerability in Nullsoft Shoutcast Server 1.9.4

Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file.

7.5
2004-12-23 CVE-2004-0998 Telnetd Unspecified vulnerability in Telnetd and Telnetd-Ssl

Format string vulnerability in telnetd-ssl 0.17 and earlier allows remote attackers to execute arbitrary code.

7.5
2004-12-23 CVE-2004-0873 Apple Unspecified vulnerability in Apple Ichat and Ichat AV

Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program.

7.5
2004-12-23 CVE-2004-0867 KDE
Microsoft
Mozilla
Suse
Permissions, Privileges, and Access Controls vulnerability in multiple products

Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.

7.5
2004-12-23 CVE-2004-0842 Microsoft
Avaya
Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."
7.5
2004-12-23 CVE-2004-0833 Debian Unspecified vulnerability in Debian Linux 3.0

Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages.

7.5
2004-12-23 CVE-2004-0805 Mpg123
Mandrakesoft
Remote Stereo Boundary Buffer Overflow vulnerability in MPG123

Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file.

7.5
2004-12-23 CVE-2004-0803 Libtiff
Pdflib
Wxgtk2
Apple
KDE
Mandrakesoft
Redhat
Suse
Trustix
Buffer Overflow vulnerability in LibTIFF

Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.

7.5
2004-12-23 CVE-2004-0601 Distcc Unspecified vulnerability in Distcc

distcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions.

7.5
2004-12-23 CVE-2001-1413 Ncompress Unspecified vulnerability in Ncompress

Stack-based buffer overflow in the comprexx function for ncompress 4.2.4 and earlier, when used in situations that cross security boundaries (such as FTP server), may allow remote attackers to execute arbitrary code via a long filename argument.

7.5
2004-12-21 CVE-2004-1307 Avaya
F5
Libtiff
SGI
Conectiva
Apple
Gentoo
Mandrakesoft
SCO
SUN
Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.
7.5
2004-12-20 CVE-2004-0852 Htget Unspecified vulnerability in Htget 0.93

Buffer overflow in htget 0.93 allows remote attackers to execute arbitrary code via a crafted URL.

7.5
2004-12-23 CVE-2004-1337 GNU
Conectiva
Ubuntu
The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not properly handle the credentials of a process that is launched before the module is loaded, which allows local users to gain privileges.
7.2
2004-12-23 CVE-2004-0850 Joerg Schilling Local SetUID vulnerability in Joerg Schilling Star Tape Archiver 1.5A45

Star before 1.5_alpha46 does not drop the effective user ID (euid) before calling external programs, which could allow local users to gain privileges by modifying the RSH environment variable to reference a malicious program.

7.2
2004-12-23 CVE-2004-0834 Mandrakesoft
Speedtouch
Gentoo
Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3.
7.2
2004-12-23 CVE-2004-0510 SCO Multiple vulnerability in SCO Multi-channel Memorandum Distribution Facility

Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program.

7.2
2004-12-20 CVE-2004-1329 IBM Local Privilege Escalation vulnerability in IBM AIX Diag

Untrusted execution path vulnerability in the diag commands (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program.

7.2
2004-12-20 CVE-2004-1326 Ultrix Local Buffer Overflow vulnerability in Ultrix DXTerm Setup Parameter

Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute arbitrary code via a long -setup parameter.

7.2

17 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-23 CVE-2004-0875 Phpgroupware Unspecified vulnerability in PHPgroupware

Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (aka webdistro) 0.9.16.002 and earlier allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to the wiki module.

6.8
2004-12-23 CVE-2004-1339 Oracle SQL Injection vulnerability in Oracle Database Server and Oracle9I

SQL injection vulnerability in the (1) MDSYS.SDO_GEOM_TRIG_INS1 and (2) MDSYS.SDO_LRS_TRIG_INS default triggers in Oracle 9i and 10g allows remote attackers to execute arbitrary SQL commands via the new.table_name or new.column_name parameters.

6.5
2004-12-23 CVE-2004-1338 Oracle Permissions, Privileges, and Access Controls vulnerability in Oracle Database Server and Oracle9I

The triggers in Oracle 9i and 10g allow local users to gain privileges by using a sequence of partially privileged actions: using CCBKAPPLROWTRIG or EXEC_CBK_FN_DML to add arbitrary functions to the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE, then performing a DELETE on the SDO_TXN_IDX_INSERTS table, which causes the SDO_CMT_CBK_TRIG trigger to execute the user-supplied functions.

6.5
2004-12-23 CVE-2004-1361 Microsoft Integer Overflow vulnerability in Microsoft Windows winhlp32 Phrase

Integer underflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a malformed .hlp file, which leads to a heap-based buffer overflow.

5.0
2004-12-23 CVE-2004-1305 Nortel
Microsoft
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.
5.0
2004-12-23 CVE-2004-0849 GNU Unspecified vulnerability in GNU Radius

Integer overflow in the asn_decode_string() function defined in asn1.c in radiusd for GNU Radius 1.1 and 1.2 before 1.2.94, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (daemon crash) via certain SNMP requests.

5.0
2004-12-23 CVE-2004-0841 Microsoft
Avaya
Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."
5.0
2004-12-23 CVE-2004-0816 Linux
Suse
Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.
5.0
2004-12-23 CVE-2004-0810 Netopia Remote Buffer Overflow vulnerability in Netopia Timbuktu PRO mac 6.0.1

Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407.

5.0
2004-12-23 CVE-2004-0749 Subversion
Gentoo
Information Disclosure vulnerability in Subversion Mod_Authz_Svn Metadata

The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames.

5.0
2004-12-22 CVE-2005-0068 TCP Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP

The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced.

5.0
2004-12-22 CVE-2005-0067 TCP Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP

The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced.

5.0
2004-12-22 CVE-2005-0066 TCP Remote Denial Of Service vulnerability in Multiple Vendor TCP/IP Implementation ICMP

The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced.

5.0
2004-12-23 CVE-2004-1375 HP Privilege Escalation vulnerability in HP-UX System Administration Manager

Unknown vulnerability in System Administration Manager (SAM) in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 allows local users to gain privileges.

4.6
2004-12-23 CVE-2004-0685 Linux
Redhat
Trustix
Information Disclosure vulnerability in Linux Kernel USB Driver Uninitialized Structure

Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage.

4.6
2004-12-22 CVE-2004-1778 Skype Technologies Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, creates the /usr/share/skype/lang directory with world-writable permissions, which allows local users to modify language files and possibly conduct social engineering or other attacks.
4.6
2004-12-23 CVE-2004-2130 Phpbb Group Cross-Site Scripting vulnerability in PHPbb Group PHPbb 2.0.6

Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.

4.3

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-12-21 CVE-2004-0452 Larry Wall Local Race Condition vulnerability in Perl RMTree

Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.

2.6
2004-12-23 CVE-2004-1336 Debian
Gentoo
The xdvizilla script in tetex-bin 2.0.2 creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack.
2.1
2004-12-23 CVE-2004-0564 Roaring Penguin
Debian
Roaring Penguin pppoe (rp-ppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files.
2.1
2004-12-23 CVE-2004-0563 Freenet6 Unspecified vulnerability in Freenet6 0.9.6/1.0

The tspc.conf configuration file in freenet6 before 0.9.6 and before 1.0 on Debian Linux has world readable permissions, which could allow local users to gain sensitive information, such as a username and password.

2.1
2004-12-23 CVE-2004-0512 SCO Multiple vulnerability in SCO Multi-channel Memorandum Distribution Facility

Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a core dump.

2.1
2004-12-23 CVE-2004-0511 SCO Multiple vulnerability in SCO Multi-channel Memorandum Distribution Facility

Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference.

2.1
2004-12-23 CVE-2004-0814 Linux
Ubuntu
Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch.
1.2