
[SECWS] Bul - 1544 - 08/11/2005


The SECURITY WATCH                                    APOGÉE-Communications
Edition of Thursday, August 11 2005                     All rights reserved
___________________________________________________________________________

 SUMMARY OF THIS BULLETIN
 ------------------------

* ALERTS (5)
 - NORTEL         - Local privileges escalation in 'VPN Client'
 - NOVELL/XIMIAN  - Multiple flaws in 'Evolution'
 - LINKSYS        - Local privileges escalation in 'WLAN Monitor'
 - NOVELL         - Buffer overflow in Novell 'eDirectory'
 - WORDPRESS      - Arbitrary scripts execution in 'Wordpress'

* INFORMATION (7)
 - LINUX REDHAT   - Patches for 'gpdf'
 - LINUX REDHAT   - Patches for 'Ethereal'
 - MICROSOFT      - Revision of the bulletin MS05-038 (896727)
 - SUN            - Patches for 'Apache' on Solaris 8
 - SUN            - Revision of the advisory 101799 ('JRE')
 - MICROSOFT      - Exploitation code for 'Internet Explorer' (MS05-038)
 - HP             - Revision of the bulletin HPSBMA01212

* REISSUES OF ALERTS (9)
 - US-CERT        - Reissue of the Microsoft bulletins
 - CIAC           - Reissue of the Sun 100881 alert
 - CIAC           - Reissue of the Microsoft MS05-038 (IE) alert
 - CIAC           - Reissue of the Microsoft MS05-043 (896423) alert
 - CIAC           - Reissue of the Microsoft MS05-040 (893756) alert
 - CIAC           - Reissue of the Microsoft MS05-042 (Kerberos) alert
 - CIAC           - Reissue of the Red Hat RHSA-2005:627-11 alert
 - CIAC           - Reissue of the Red Hat RHSA-2005:687 (Ethereal) alert
 - CIAC           - Reissue of the HP HPSBTU01217 (SSRT5957) alert
___________________________________________________________________________

ALERTS
___________________________________________________________________________

* NORTEL         - Local privileges escalation in 'VPN Client'

A design error in Nortel 'VPN Client' allows a local user to obtain
"LocalSystem" privileges.

 - Date:        August 10 2005
 - Platform:    Nortel 'VPN Client' version V05_01.030 (Windows)
                Previous versions are probably vulnerable.
 - Severity:    High
 - Origin:      Certificate selection window
 - Problem:     Design error
 - Damage:      Local privileges escalation
 - CVE names:   No CVE name assigned at the present time
 - Description: The graphical user interface of the vulnerable client
                contains a window used to select a certificate file. This
                window is a standard file browser dialog and can therefore
                be diverted from its intended purpose to launch a command
                shell. The shell inherits the "LocalSystem" privileges of
                the process that displayed the dialog. The same
                manipulation is possible through the connection wizard of
                the product.
 - References:  Bugtraq [2005-08/0157]
                 http://archives.neohapsis.com/archives/bugtraq/2005-08/0157.html
 - Solution:    Install the latest version of the product. The original
                advisory states that Nortel has fixed the vulnerability,
                but does not specify in which version of the product.
                 http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?level=1&category=10&tranProduct=10621&resetFilter=1&pfTypeList=alpha&level1List=21&productList=10621&contentTypeList=10
___________________________________________________________________________

* NOVELL/XIMIAN  - Multiple flaws in 'Evolution'

Several vulnerabilities in the 'Evolution' mail client can cause a denial
of service and/or the execution of arbitrary code.

 - Date:        August 10 2005
 - Platform:    Novell/Ximian 'Evolution' versions 1.5 to 2.3.6.1
 - Severity:    High
 - Origin:      Handling of 'vCard'
                Contacts provided by a 'LDAP' server
                Handling of the task list data
 - Problem:     Format string vulnerability
 - Damage:      Denial of service
                Arbitrary code execution
 - CVE names:   No CVE name assigned at the present time
 - Description: Multiple format string vulnerabilities affect the
                'Evolution' client. A remote attacker can exploit them to
                cause a denial of service of the client and/or the
                execution of arbitrary code.
 - References:  Bugtraq [112370355819832]
                 http://marc.theaimsgroup.com/?l=bugtraq&m=112370355819832&w=2
 - Solution:    Install version 2.3.7, which fixes these problems.
                 http://ftp.gnome.org/pub/gnome/sources/evolution/
___________________________________________________________________________

* LINKSYS        - Local privileges escalation in 'WLAN Monitor'

A design error in the WiFi adapter administration tool 'WLAN Monitor'
allows a local user to obtain "LocalSystem" privileges.

 - Date:        August 10 2005
 - Platform:    Linksys 'WLAN Monitor' version 2.0
                Other versions are probably vulnerable.
 - Severity:    High
 - Origin:      Profile loading window
 - Problem:     Design error
 - Damage:      Local privileges escalation
 - CVE names:   No CVE name assigned at the present time
 - Description: The 'WLAN Monitor' graphical user interface contains a
                window used to open a saved profile. A sequence of actions
                from this window allows launching a command shell. This
                shell is granted the privileges of the user running
                'WLAN Monitor', i.e. "LocalSystem" privileges.
 - References:  Full-Disclosure [2005-08/0308]
                 http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0308.html
 - Solution:    There is no official patch currently available.
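
                The Nortel and Linksys entries above describe the same
                pattern: a GUI tool running as LocalSystem shows a file
                dialog to an interactive user, and a file dialog is enough
                to start a command shell with the tool's token. The script
                below is an added example, not code from the bulletin or
                from either vendor, that lists the processes on a Windows
                host which own a top-level window and run as the SYSTEM
                account (well-known SID S-1-5-18), i.e. the candidates for
                this class of flaw. It assumes Windows PowerShell 5.1 or
                later with the CIM cmdlets available; it does not confirm
                exploitability, it only finds what to inspect.

```powershell
# Added example (not from the bulletin, Nortel or Linksys): find GUI
# processes running as the SYSTEM account. Run from an elevated prompt so
# that the owner of every process can be queried.
function Get-SystemGuiProcess {
    $result = @()
    # MainWindowHandle is non-zero only for processes with a visible
    # top-level window, which is where a file dialog would be shown.
    $gui = Get-Process | Where-Object { $_.MainWindowHandle -ne 0 }
    foreach ($p in $gui) {
        $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)"
        if ($null -eq $cim) { continue }            # process exited meanwhile
        # Compare the SID rather than the account name: the name of the
        # local SYSTEM account is localized on non-English Windows.
        $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwnerSid
        if ($owner.ReturnValue -ne 0) { continue }  # no token or access denied
        if ($owner.Sid -eq 'S-1-5-18') {
            $result += [PSCustomObject]@{
                Pid         = $p.Id
                ProcessName = $p.ProcessName
                WindowTitle = $p.MainWindowTitle
                Path        = $cim.ExecutablePath
            }
        }
    }
    return $result
}

Get-SystemGuiProcess | Format-Table -AutoSize
```

                On the Windows 2000/XP systems these two products targeted,
                a service could draw windows directly on the interactive
                desktop. Since Windows Vista, Session 0 isolation keeps a
                service's own windows away from the user, but a helper
                process started as SYSTEM inside the user's session is still
                reachable, so any process the script reports deserves the
                same scrutiny: every file dialog, "browse" button and
                shell-hosted control it exposes is a path to a SYSTEM shell.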
___________________________________________________________________________

* NOVELL         - Buffer overflow in Novell 'eDirectory'

A buffer overflow in Novell 'eDirectory' can cause a denial of service or
an information disclosure.

 - Date:        August 10 2005
 - Platform:    Novell 'eDirectory' version 8.7.3
 - Severity:    High
 - Origin:      'imonitor' component
 - Problem:     Buffer overflow
 - Damage:      Denial of service
                Information disclosure
 - CVE names:   No CVE name assigned at the present time
 - Description: The 'imonitor' component of Novell 'eDirectory' is
                vulnerable to a buffer overflow. An attacker can exploit
                this flaw to cause a denial of service or to access
                arbitrary files.
                It is not specified whether this flaw is exploitable
                remotely or only locally.
 - References:  Novell [10098568]
                 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098568.htm
 - Solution:    Apply the available patch.
                 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972038.htm
                 http://support.novell.com/servlet/filedownload/sec/pub/edir873ptf_imon1.exe
___________________________________________________________________________

* WORDPRESS      - Arbitrary scripts execution in 'Wordpress'

A flaw in 'Wordpress' allows a remote attacker to trigger the execution of
arbitrary PHP scripts on a vulnerable server.

 - Date:        August 10 2005
 - Platform:    Wordpress 'Wordpress' version 1.5.1.3
                Previous versions are probably vulnerable.
 - Severity:    High
 - Origin:      Cookies handling, 'cache_lastpostdate' parameter
 - Problem:     Insufficient validation of input data
 - Damage:      Arbitrary PHP scripts execution
 - CVE names:   No CVE name assigned at the present time
 - Description: A flaw has been discovered, which allows a remote attacker
                to trigger the execution of arbitrary PHP scripts on a
                vulnerable 'Wordpress' server. Exploitation is achieved
                through the 'cache_lastpostdate' parameter of a crafted
                cookie.
 - References:  Secunia [16386]
                 http://secunia.com/advisories/16386
                Milw0rm [1145]
                 http://www.milw0rm.com/id.php?id=1145
 - Solution:    There is no official patch currently available.
___________________________________________________________________________

INFORMATION
___________________________________________________________________________

* LINUX REDHAT   - Patches for 'gpdf'

Red Hat has announced, in the RHSA-2005:708 advisory, the availability of
patches for 'gpdf' on Red Hat Desktop version 4, and Red Hat Enterprise
Linux AS, ES and WS version 4.
They fix a flaw in a 'gpdf' conversion filter that allowed triggering at
least a denial of service of the application.
CAN-2005-2097
GLYPH AND COG 'xpdf' [USN-163-1] (bulletin 1543 dated 08/10/2005)

https://rhn.redhat.com/errata/RHSA-2005-708.html
___________________________________________________________________________

* LINUX REDHAT   - Patches for 'Ethereal'

Red Hat has announced, in the RHSA-2005:687 advisory, the availability of
patches for 'Ethereal' on Red Hat Desktop versions 3 and 4, Red Hat
Enterprise Linux AS, ES and WS versions 2.1, 3 and 4, and Red Hat Linux
Advanced Workstation version 2.1 (Itanium).
They fix numerous flaws in several protocol dissectors that allowed
triggering denials of service and the corruption of information, as well as
achieving a privileges escalation.
CAN-2005-2360, CAN-2005-2361, CAN-2005-2362, CAN-2005-2363, CAN-2005-2364,
CAN-2005-2365, CAN-2005-2366, CAN-2005-2367
Ethereal 'Ethereal' [enpa-sa-00020] (bulletin 1533 dated 07/27/2005)

https://rhn.redhat.com/errata/RHSA-2005-687.html
___________________________________________________________________________

* MICROSOFT      - Revision of the bulletin MS05-038 (896727)

Microsoft has revised the bulletin MS05-038 (896727) about several flaws in
the 'Internet Explorer' browser. These flaws allowed executing arbitrary
script and code. This revision announces the availability of new patches
on the "Microsoft Download Center", the original patches having failed
during installation.
CAN-2005-1988, CAN-2005-1989, CAN-2005-1990
MICROSOFT 'Internet Explorer', 'Web Folder', 'COM', 'JView Profiler',
'Javaprxy.dll' [2005-07/0289], [MS05-038], [MS05-037], [MS05-025]
(bulletins 1526 dated 07/18/2005, 1524 dated 07/13/2005, 1517 dated
07/04/2005, 1504 dated 06/15/2005 and 1543 dated 08/10/2005)

http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx
___________________________________________________________________________

* SUN            - Patches for 'Apache' on Solaris 8

Sun has announced, in the advisory 101841, the availability of patches for
'Apache' on Solaris 8 (Sparc and x86).
They complete the patches released with the Sun alerts 57628 and 57496,
which turned out to be incomplete on Solaris 8. The fixed flaws allow a
local or remote user to trigger the execution of arbitrary code on a
vulnerable server.
CAN-2003-0987, CAN-2003-0993, CAN-2004-0492, CAN-2003-0542
APACHE 'mod_digest', 'mod_access', 'mod_proxy', 'mod_alias', 'mod_rewrite'
[014], [#69] (bulletins 1157 dated 02/04/2004, 1185 dated 03/15/2004, 1246
dated 06/11/2004 and 1091 dated 10/30/2003)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1
___________________________________________________________________________

* SUN            - Revision of the advisory 101799 ('JRE')

Sun has revised the advisory 101799 regarding a flaw in the "Java Runtime
Environment" ('JRE') that allows a Java applet to achieve a privileges
escalation.
The revision updates the "Impact" section of the advisory. Note that Sun
reports that this flaw is the same as the one reported in the advisory
101749.
SUN 'Java SDK', 'Java JRE', 'J2SE' [57591], [101749] (bulletins 1360 dated
11/23/2004 and 1503 dated 06/14/2005)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101799-1
___________________________________________________________________________

* MICROSOFT      - Exploitation code for 'Internet Explorer' (MS05-038)

Exploit code has been published on the FrSIRT Web site for a design error
in the 'Internet Explorer' browser that allowed executing arbitrary code.
This exploit generates a malicious HTML page which, when loaded by a
vulnerable 'Internet Explorer' browser, executes code that provides a
remote command shell on TCP port 28876.
CAN-2005-1990
MICROSOFT 'COM' [MS05-038] (bulletin 1543 dated 08/10/2005)

http://www.frsirt.com/exploits/20050809.MS05-038.pl.php
___________________________________________________________________________

* HP             - Revision of the bulletin HPSBMA01212

HP has revised the bulletin HPSBMA01212 related to multiple flaws in "HP
System Management Homepage" that allowed triggering denials of service or
the execution of arbitrary code.
The revision adds details to the "SUPPORTED SOFTWARE VERSIONS" section.
CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064,
CAN-2004-1065
PHP, NAMAZU 'pack()', 'unpack()', 'safe_mode_exec_dir', 'safe_mode',
'realpath()', 'unserialize()', 'namazu.cgi' [012004], [FEDORA-2004-557]
(bulletins 1377 dated 12/16/2004 and 1380 dated 12/21/2004)

http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01212
___________________________________________________________________________

REISSUES OF ALERTS
___________________________________________________________________________

* US-CERT        - Reissue of the Microsoft bulletins

The US-CERT has reissued, under the TA05-221A reference, the Microsoft
advisories MS05-038, MS05-039, MS05-041 and MS05-043 about several flaws in
the 'Internet Explorer' browser and the Windows platforms. These
vulnerabilities can cause, among other things, the remote execution of
arbitrary code.
CAN-2005-1988, CAN-2005-1990, CAN-2005-1983, CAN-2005-1218, CAN-2005-1984
MICROSOFT 'COM', 'Plug-and-Play', 'RDP' [MS05-038], [MS05-039], [904797]
(bulletins 1526 dated 07/18/2005, 1543 dated 08/10/2005 and 1526 dated
07/18/2005)

http://www.us-cert.gov/cas/techalerts/TA05-221A.html
___________________________________________________________________________

* CIAC           - Reissue of the Sun 100881 alert

The CIAC has reissued, under the P-264 reference, the Sun bulletin 100881
about a vulnerability in 'XView' that allows corrupting arbitrary files.
SUN 'XView' [100881] (bulletin 1540 dated 08/05/2005)

http://www.ciac.org/ciac/bulletins/p-264.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS05-038 (IE) alert

The CIAC has reissued, under the reference P-265, the Microsoft bulletin
MS05-038 (896727) related to several flaws in 'Internet Explorer' that can
lead to the execution of arbitrary code and scripts.
CAN-2005-1988, CAN-2005-1989, CAN-2005-1990
MICROSOFT 'Internet Explorer', 'Web Folder', 'COM', 'JView Profiler',
'Javaprxy.dll' [2005-07/0289], [MS05-038], [MS05-037], [MS05-025]
(bulletins 1526 dated 07/18/2005, 1524 dated 07/13/2005, 1517 dated
07/04/2005, 1504 dated 06/15/2005 and 1543 dated 08/10/2005)

http://www.ciac.org/ciac/bulletins/p-265.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS05-043 (896423) alert

The CIAC has reissued, under the P-267 reference, the Microsoft bulletin
MS05-043 (896423) about a buffer overflow in the 'Print Spooler' of Windows
that allows executing arbitrary code with elevated privileges.
CAN-2005-1984
MICROSOFT 'Print Spooler' [MS05-043] (bulletin 1543 dated 08/10/2005)

http://www.ciac.org/ciac/bulletins/p-267.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS05-040 (893756) alert

The CIAC has reissued, under the P-268 reference, the Microsoft bulletin
MS05-040 (893756) about a buffer overflow in the 'TAPI' telephony API of
Windows. This flaw can cause the remote execution of arbitrary code and a
local privileges escalation.
CAN-2005-0058
MICROSOFT 'TAPI' [MS05-040] (bulletin 1543 dated 08/10/2005)

http://www.ciac.org/ciac/bulletins/p-268.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Microsoft MS05-042 (Kerberos) alert

The CIAC has reissued, under the reference P-269, the Microsoft bulletin
MS05-042 (899587) related to two flaws in the implementation of the
Kerberos protocol in several versions of Windows that allow triggering a
denial of service, disclosing information, and mounting "man-in-the-middle"
attacks.
CAN-2005-1981, CAN-2005-1982
MICROSOFT 'PKINIT' [MS05-042] (bulletin 1543 dated 08/10/2005)

http://www.ciac.org/ciac/bulletins/p-269.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Red Hat RHSA-2005:627-11 alert

The CIAC has reissued, under the P-270 reference, the Red Hat bulletin
RHSA-2005:627-11 about several flaws in the 'Gaim' instant messaging
client. These flaws can cause the execution of arbitrary code and/or a
denial of service.
CAN-2005-2103, CAN-2005-2102, CAN-2005-2370
GAIM, EKG 'AIM', 'ICQ', 'libgadu' [RHSA-2005:627], [DSA-769] (bulletins
1543 dated 08/10/2005 and 1535 dated 07/29/2005)

http://www.ciac.org/ciac/bulletins/p-270.shtml
___________________________________________________________________________

* CIAC           - Reissue of the Red Hat RHSA-2005:687 (Ethereal) alert

The CIAC has reissued, under the reference P-271, the Red Hat advisory
RHSA-2005:687-03 related to numerous flaws in 'Ethereal' that allow
triggering denials of service and the corruption of information, and
achieving a privileges escalation.
CAN-2005-2360, CAN-2005-2361, CAN-2005-2362, CAN-2005-2363, CAN-2005-2364,
CAN-2005-2365, CAN-2005-2366, CAN-2005-2367
Ethereal 'Ethereal' [enpa-sa-00020] (bulletin 1533 dated 07/27/2005)

http://www.ciac.org/ciac/bulletins/p-271.shtml
___________________________________________________________________________

* CIAC           - Reissue of the HP HPSBTU01217 (SSRT5957) alert

The CIAC has reissued, under the P-272 reference, the HP bulletin
HPSBTU01217 (SSRT5957) about vulnerabilities in 'IPSec' on the HP Tru64
Unix platform. These flaws can cause a sensitive information disclosure.
CAN-2005-0039
IP 'CBC', 'IPSec' [004033/NISCC/IPSEC] (bulletin 1478 dated 05/10/2005)

http://www.ciac.org/ciac/bulletins/p-272.shtml
___________________________________________________________________________

Yours sincerely,

The Security Watch Team



--
Security Watch Service
mailto:veille-sec@veille.apogee-com.fr
APOGEE Communications
15, Avenue du Cap Horn
ZA de Courtaboeuf 
91940 LES ULIS
Tel : + 33 1 69 85 78 00
Fax : + 33 1 69 85 78 51

Technical support : + 33 1 73 23 17 00

Nota: Trademarks and products appearing in this bulletin are the property
      of their respective owners.