SecurityFocus Microsoft Newsletter #250

Subject: SecurityFocus Microsoft Newsletter #250
Date: Wed, 3 Aug 2005 07:39:53 -0600 (MDT)
SecurityFocus Microsoft Newsletter #250
----------------------------------------

This Issue is Sponsored By: CrossTec

NetOp Desktop Firewall & Policy Server lets you centrally manage which applications can run on your enterprise PCs. NetOp's tiny driver-centric design prevents unauthorized programs and processes, including viruses, keyloggers, spyware and more from executing -- without slowing down your systems. The future of endpoint protection is available today. Try it FREE.

http://www.securityfocus.com/sponsor/CrossTec_sf-news_050726

------------------------------------------------------------------
I. FRONT AND CENTER
1. CardSystems made its choices clear
2. The CardSystems blame game
II. MICROSOFT VULNERABILITY SUMMARY
1. GoodTech SMTP Server RCPT TO Multiple Remote Buffer Overflow Vulnerabilities
2. Sophos Anti-Virus Library Unspecified Remote Heap Overflow Vulnerability
3. Vim ModeLines Further Variant Arbitrary Command Execution Vulnerability
4. Microsoft Windows Unspecified USB Driver Buffer Overflow Vulnerability
5. Ares Fileshare Remote Buffer Overflow Vulnerability
6. FTPShell Server Denial of Service Vulnerability
7. Hosting Controller Unauthorized Access Vulnerability
8. Novell GroupWise Client Remote Buffer Overflow Vulnerability
9. Opera Web Browser Content-Disposition Header Download Dialog File Extension Spoofing Vulnerability
10. PHPList Admin Page SQL Injection Vulnerability
11. Opera Web Browser Image Dragging Cross-Domain Scripting and File Retrieval Vulnerability
12. LibTiff Tiff Image Header Divide By Zero Denial of Service Vulnerability
13. Novell eDirectory NMAS Authentication Bypass Vulnerability
14. Metasploit Framework Unspecified Remote Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. SecurityFocus Microsoft Newsletter #249
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION


I. FRONT AND CENTER
---------------------
1. CardSystems made its choices clear
By Daniel Hanson
The last thing that many of us need is another example where a situation needs to be solved by ill-conceived legislation that is proposed and passed in the heat of something big.
http://www.securityfocus.com/columnists/343


2. The CardSystems blame game
By Mark Rasch
On July 21, 2005, the United States House of Representatives Committee on Financial Services, Subcommittee on Oversight held a hearing on "Credit Card Data Processing: How Secure Is It?"
http://www.securityfocus.com/columnists/344



II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. GoodTech SMTP Server RCPT TO Multiple Remote Buffer Overflow Vulnerabilities
BugTraq ID: 14357
Remote: Yes
Date Published: 2005-07-23
Relevant URL: http://www.securityfocus.com/bid/14357
Summary:
GoodTech SMTP Server is susceptible to two remote buffer overflow vulnerabilities when handling RCPT TO commands. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to fixed-size memory buffers.


These vulnerabilities allow remote attackers to execute arbitrary machine code with System level privileges in the context of the affected application.

2. Sophos Anti-Virus Library Unspecified Remote Heap Overflow Vulnerability
BugTraq ID: 14362
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14362
Summary:
An unspecified remote heap overflow vulnerability exists in Sophos Anti-Virus Library. This issue is due to a failure of the library to properly bounds check user-supplied input prior to copying data to an internal memory buffer.


No further information is known at this time. This BID will be updated as further information becomes available.

3. Vim ModeLines Further Variant Arbitrary Command Execution Vulnerability
BugTraq ID: 14374
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14374
Summary:
Vim is susceptible to an arbitrary command execution vulnerability with ModeLines. This issue is due to insufficient sanitization of user-supplied input.


By modifying a text file to include ModeLines containing the 'glob()', or 'expand()' functions with shell metacharacters, attackers may cause arbitrary commands to be executed.

This vulnerability allows an attacker to execute arbitrary commands with the privileges of the vim user. This gives an attacker the ability to gain remote access to computers running the vulnerable software.

This issue is similar to BIDs 6384 and 11941.

4. Microsoft Windows Unspecified USB Driver Buffer Overflow Vulnerability
BugTraq ID: 14376
Remote: No
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14376
Summary:
An unspecified buffer overflow vulnerability affects USB drivers in Microsoft Windows operating systems. This issue is due to a failure of the affected driver to properly bounds check input provided by USB devices.


This issue presents itself when USB devices are attached to computers running affected device drivers. Upon insertion, the operating system automatically loads the appropriate device driver to handle the new hardware. By maliciously altering the data returned to the operating system, it is possible to overflow memory used in the affected USB device driver.

The information currently available is insufficient to provide a more in-depth technical description. This BID will be updated as more details become available.

An attacker may leverage this issue to execute arbitrary machine code with System privileges on affected computers, or cause the affected computer to crash. This would occur by attaching a malicious USB device to affected computers, without the need for an account on the computer.

5. Ares Fileshare Remote Buffer Overflow Vulnerability
BugTraq ID: 14377
Remote: Yes
Date Published: 2005-07-25
Relevant URL: http://www.securityfocus.com/bid/14377
Summary:
Ares Fileshare is affected by a remote buffer overflow vulnerability.

This vulnerability arises when the application handles long search strings.

A successful attack can result in memory corruption leading to arbitrary code execution in the context of the user running the application.

Ares FileShare 1.1 is affected by this vulnerability.

6. FTPShell Server Denial of Service Vulnerability
BugTraq ID: 14382
Remote: Yes
Date Published: 2005-07-26
Relevant URL: http://www.securityfocus.com/bid/14382
Summary:
FTPshell server is prone to a denial of service vulnerability. This issue is due to a failure in the application to handle exceptional conditions.


The problem presents itself when an attacker repeatedly opens a connection to the application and closes it without issuing the 'quit' command. This will cause the application to terminate. An attacker can exploit this vulnerability to deny service to legitimate users.

7. Hosting Controller Unauthorized Access Vulnerability
BugTraq ID: 14393
Remote: Yes
Date Published: 2005-07-26
Relevant URL: http://www.securityfocus.com/bid/14393
Summary:
Hosting Controller is prone to an unauthorized access vulnerability.

An attacker can manipulate the application to navigate beyond their own folder and view the folders of all resellers and Web administrators using this instance of the Hosting Controller application. This would result in information disclosure and a loss of confidentiality. Information obtained may also aid in further attacks.


8. Novell GroupWise Client Remote Buffer Overflow Vulnerability
BugTraq ID: 14398
Remote: Yes
Date Published: 2005-07-27
Relevant URL: http://www.securityfocus.com/bid/14398
Summary:
Novell GroupWise Client is affected by a remote buffer overflow vulnerability.

Specifically, this vulnerability arises when a user attempts to log in to a GroupWise post office that contains a malicious 'GWVW02??.INI' file.

This can facilitate unauthorized access in the context of the user.

This issue affects all versions of Novell GroupWise 6.5 client dated prior to July 15, 2005.

9. Opera Web Browser Content-Disposition Header Download Dialog File Extension Spoofing Vulnerability
BugTraq ID: 14402
Remote: Yes
Date Published: 2005-07-28
Relevant URL: http://www.securityfocus.com/bid/14402
Summary:
Opera Web Browser is prone to a vulnerability that can allow remote attackers to spoof file extensions through the download dialog.


An attacker may exploit this issue by crafting a malformed HTTP 'Content-Disposition' header that spoofs file extensions to trick vulnerable users into opening and executing a malicious file.

Opera Web Browser versions prior to 8.02 are affected by this issue.

10. PHPList Admin Page SQL Injection Vulnerability
BugTraq ID: 14403
Remote: Yes
Date Published: 2005-07-28
Relevant URL: http://www.securityfocus.com/bid/14403
Summary:
PHPList is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied data before using it in an SQL query.


Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

11. Opera Web Browser Image Dragging Cross-Domain Scripting and File Retrieval Vulnerability
BugTraq ID: 14410
Remote: Yes
Date Published: 2005-07-28
Relevant URL: http://www.securityfocus.com/bid/14410
Summary:
Opera Web Browser is prone to a vulnerability that may allow an attacker to carry out cross-domain scripting attacks and retrieve files from the local computer.


Opera Web Browser versions prior to 8.02 are affected by this issue.

12. LibTiff Tiff Image Header Divide By Zero Denial of Service Vulnerability
BugTraq ID: 14417
Remote: Yes
Date Published: 2005-07-29
Relevant URL: http://www.securityfocus.com/bid/14417
Summary:
LibTIFF is affected by a vulnerability that may cause a denial of service in applications utilizing the library. This issue is due to a failure in the library to sufficiently validate specific header values.


An attacker can exploit this vulnerability to cause a denial of service, or loss of data in applications utilizing the affected library.

This issue is known to affect the CUPS printing system and the Evolution email client; other applications using the LibTIFF library may also be affected.

This issue may be related to BID 12874 - ImageMagick TIFF Image File Unspecified Denial Of Service Vulnerability.

13. Novell eDirectory NMAS Authentication Bypass Vulnerability
BugTraq ID: 14419
Remote: Yes
Date Published: 2005-07-29
Relevant URL: http://www.securityfocus.com/bid/14419
Summary:
Novell eDirectory is prone to an issue that could result in unauthorized access to a user's account.


An unauthorized attacker can change a user's password because the application fails to verify responses to challenge questions.

eDirectory NMAS versions prior to 2.3.8 are affected.

14. Metasploit Framework Unspecified Remote Vulnerability
BugTraq ID: 14431
Remote: Yes
Date Published: 2005-07-30
Relevant URL: http://www.securityfocus.com/bid/14431
Summary:
Metasploit Framework is prone to an unspecified vulnerability. This issue allows remote attackers to compromise the computer of users using the affected application.


This vulnerability is likely exploited by returning malicious data to the application in unknown network connections, causing arbitrary code to be executed in the context of the scanning application.

UPDATE: This BID has been retired as it has been determined that the issue is not a vulnerability. Additional information has been provided that states the issue is due to insufficient filtering of potentially malicious terminal escape sequences when logging external input. These escape sequences are not interpreted at any point by the application, and only pose a threat if rendered with an external viewer within a terminal emulator program that will interpret them. In that instance, this presents a security vulnerability in the terminal emulator program. As Metasploit does not interpret the malicious input itself, it is not within the scope of the application to filter this type of input. This is not a vulnerability in Metasploit since it does not impact security properties of the application itself.
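As an added example (not from the newsletter, SecurityFocus or the Metasploit project), the following Python shows the kind of filtering the update places on the logging/viewing side of the boundary: it reports which terminal escape sequences a piece of untrusted input contains and rewrites every control character into a visible \xNN token, so that a log line later opened in a terminal emulator cannot be interpreted by it. The sample banner is constructed for the demonstration.

```python
import re

# Sequences a terminal emulator would act on:
#   CSI  ESC [ params intermediates final   (colours, cursor moves, clear screen)
#   OSC  ESC ] payload (BEL | ESC \)        (window title, hyperlinks)
#   Fe   ESC followed by one byte 0x40-0x5f (other two-byte escapes)
#   C1   0x9b is the 8-bit form of CSI that some emulators also accept
_ESCAPE_SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    r"|\x1b[@-Z\\-_]"
    r"|\x9b[0-?]*[ -/]*[@-~]"
)
# Every C0 control, DEL and C1 byte (covers ESC itself, newline and BEL).
_CONTROL_CHAR = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def classify(seq: str) -> str:
    """Name the family of one matched escape sequence."""
    if seq.startswith(("\x1b[", "\x9b")):
        return "CSI"
    if seq.startswith("\x1b]"):
        return "OSC"
    return "ESC"


def find_escape_sequences(text: str) -> list[str]:
    """Return the families of terminal escape sequences present in untrusted text,
    in order of appearance; useful for alerting on hostile banners."""
    return [classify(m.group(0)) for m in _ESCAPE_SEQUENCE.finditer(text)]


def sanitize_for_log(text: str) -> str:
    """Rewrite every control character as a literal \\xNN token. No ESC, BEL or
    newline survives, so neither escape sequences nor log-line injection can be
    interpreted by a terminal-based viewer, yet the original bytes stay readable."""
    return _CONTROL_CHAR.sub(lambda m: f"\\x{ord(m.group(0)):02x}", text)


if __name__ == "__main__":
    # Constructed sample: a remote banner carrying a clear-screen CSI, a title-setting
    # OSC and an injected newline; nothing here comes from a real service.
    banner = "220 mail ready\x1b[2J\x1b]0;owned\x07\nfake line"
    print(find_escape_sequences(banner))   # ['CSI', 'OSC']
    print(sanitize_for_log(banner))
```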


III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #249
http://www.securityfocus.com/archive/88/406595

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.


If your email address has changed email listadmin@securityfocus.com and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This Issue is Sponsored By: CrossTec

NetOp Desktop Firewall & Policy Server lets you centrally manage which applications can run on your enterprise PCs. NetOp's tiny driver-centric design prevents unauthorized programs and processes, including viruses, keyloggers, spyware and more from executing -- without slowing down your systems. The future of endpoint protection is available today. Try it FREE.

http://www.securityfocus.com/sponsor/CrossTec_sf-news_050726





