Name: CVE-1999-0001
Description:
ip_input.c in BSD-derived TCP/IP implementations allows
remote attackers to cause a denial of service (crash or
hang) via crafted packets.
Status: Candidate
Phase: Modified (20051217)
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service
Reference: CONFIRM:http://www.openbsd.org/errata23.html#tcpfix
Reference: OSVDB:5707
Reference: URL:http://www.osvdb.org/5707
Votes:
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> A Bugtraq posting indicates that the bug has to do with
"short packets with certain options set," so the description
should be modified accordingly.
But is this the same as CVE-1999-0052? That one is related
to nestea (CVE-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CVE-1999-0001 are in lines 388&446. So,
CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Frech> XF:teardrop(338)
This assignment was based solely on references to the CERT advisory.
Christey> The description for BID:190, which links to CVE-1999-0052 (a
FreeBSD advisory), notes that the patches provided by FreeBSD in
CERT:CA-1998-13 suggest a connection between CVE-1999-0001 and
CVE-1999-0052. CERT:CA-1998-13 is too vague to be sure without
further analysis.
Name: CVE-1999-0004
Description:
MIME buffer overflow in email clients, e.g. Solaris
mailtool and Outlook.
Status: Candidate
Phase: Modified (19990621-01)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp
Votes:
ACCEPT(8) Magdych, Northcutt, Wall, Baker, Landfield, Cole, Dik, Collins
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Shostack
Voter Comments:
Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
this suggestion, I will not be devastated.) :-)
Christey> This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Christey> CVE-2000-0415 may be a later rediscovery of this problem
for Outlook.
Dik> Sun bug 4163471,
Christey> ADDREF BID:125
Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2
Name: CVE-1999-0015
Description:
Teardrop IP denial of service.
Status: Candidate
Phase: Proposed (19990726)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:teardrop-mod
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> MSKB:Q154174
MSKB:Q154174 (CVE-1999-0015) and MSKB:Q179129 (CVE-1999-0104)
indicate that CVE-1999-0015 was fixed in NT SP3, but
CVE-1999-0104 was not. Thus CD:SF-LOC suggests that the
problems keep separate candidates because one problem appears
in a different version than the other.
Christey> BID:124
http://www.securityfocus.com/bid/124
Consider MSKB:Q154174
http://support.microsoft.com/support/kb/articles/q154/1/74.asp
Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
http://www.securityfocus.com/archive/1/8014
Name: CVE-1999-0020
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-1999-0032. Reason: This candidate is a
duplicate of CVE-1999-0032. Notes: All CVE users should
reference CVE-1999-0032 instead of this candidate. All
references and descriptions in this candidate have been
removed to prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
MODIFY(1) Frech
NOOP(4) Levy, Northcutt, Wall, Shostack
REJECT(2) Christey, Baker
Voter Comments:
Frech> XF:lpr-bo
Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo
Name: CVE-1999-0030
Description:
root privileges via buffer overflow in xlock command on
SGI IRIX systems.
Status: Candidate
Phase: Proposed (19990623)
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX
Votes:
ACCEPT(3) Ozancin, Levy, Prosser
NOOP(1) Baker
RECAST(1) Frech
REJECT(1) Christey
Voter Comments:
Frech> XF:xlock-bo (also add)
As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
several Linii.
Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
login/scheme.
Levy> Notice that this xlock overflow is the same as in
CA-97.13. CA-97.21 simply is a reminder.
Christey> As pointed out by Elias, CA-97.21 states: "For more
information about vulnerabilities in xlock... see CA-97.13"
CA-97.13 = CVE-1999-0038.
This may also be a duplicate with CVE-1999-0306.
See exploits at:
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
Sun also has this problem, at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba
Name: CVE-1999-0033
Description:
Command execution in Sun systems via buffer overflow in
the at program.
Status: Candidate
Phase: Modified (20040811)
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo
Votes:
ACCEPT(8) Hill, Northcutt, Wall, Baker, Cole, Dik, Shostack, Collins
NOOP(1) Christey
RECAST(1) Frech
Voter Comments:
Frech> This vulnerability also manifests itself for the following
platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
please add the following:
Reference: XF:at-bo
Dik> Sun bug 1265200, 4063161
Christey> ADDREF SGI:19971102-01-PX
ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
SCO:SB.97:01
ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
Christey> CIAC:F-15
http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
HP:HPSBUX9502-023
Christey> Add period to the end of the description.
Name: CVE-1999-0061
Description:
File creation and deletion, and remote execution, in the
BSD line printer daemon (lpd).
Status: Candidate
Phase: Proposed (19990630)
Reference: NAI:NAI-20
Reference: XF:bsd-lpd
Votes:
ACCEPT(3) Hill, Northcutt, Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> This should be split into three separate problems based on
the SNI advisory. But there's newer information to further
complicate things.
What do we do about this one? in 1997 or so, SNI did an
advisory on this problem. In early 2000, it was still
discovered to be present in some Linux systems. So an
SF-DISCOVERY content decision might say that this is a
long enough time between the two, so this should be recorded
separately. But they're the same codebase... so if we keep
them in the same entry, how do we make sure that this entry
reflects that some new information has been discovered?
The use of dot notation may help in this regard, to use one
dot for the original problem as discovered in 1997, and
another dot for the resurgence of the problem in 2000.
Baker> We should merge these.
Christey> Perhaps this should be NAI-19 instead of NAI-20?
The original Bugtraq post for the SNI advisory suggests SNI-19:
BUGTRAQ:19971002 SNI-19:BSD lpd vulnerability
URL:SNI-19:BSD lpd vulnerability
Also add:
BUGTRAQ:19971021 SNI-19: BSD lpd vulnerabilities (UPDATE)
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87747479514310&w=2
However, archives of "NAI-0020" point to the lpd vuln.
If I recall correctly, some of the NAI advisory numbers got
switched when NAI acquired SNI.
Name: CVE-1999-0076
Description:
Buffer overflow in wu-ftp from PASV command causes a
core dump.
Status: Candidate
Phase: Modified (19990925-01)
Reference: XF:ftp-args
Votes:
ACCEPT(3) Ozancin, Baker, Frech
NOOP(1) Balinsky
REVIEWING(1) Christey
Voter Comments:
Balinsky> Don't know what this is. Is this the LIST Core dump vulnerability?
Christey> Need to add more references and details.
Name: CVE-1999-0078
Description:
pcnfsd (aka rpc.pcnfsd) allows local users to change
file permissions, or execute arbitrary commands through
arguments in the RPC call.
Status: Candidate
Phase: Modified (19990621-01)
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd
Votes:
ACCEPT(5) Collins, Northcutt, Landfield, Frech, Shostack
NOOP(1) Baker
RECAST(1) Christey
Voter Comments:
Christey> This candidate should be SPLIT, since there are two separate
software flaws. One is a symlink race and the other is a
shell metacharacter problem.
Christey> The permissions part of this vulnerability appears to
overlap with CVE-1999-0353
Christey> SGI:20020802-01-I
Name: CVE-1999-0086
Description:
AIX routed allows remote users to modify sensitive
files.
Status: Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed
Votes:
ACCEPT(2) Northcutt, Shostack
MODIFY(2) Prosser, Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> Reference: XF:ibm-routed
Prosser> This vulnerability allows debug mode to be turned on which is
the problem. Should this be more specific in the description? This
one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
is in the SGI cluster, shouldn't these be cross-referenced as the same
vuln affects multiple OSes.
Christey> This appears to be subsumed by CVE-1999-0215
Name: CVE-1999-0088
Description:
IRIX and AIX automountd services (autofsd) allow remote
users to execute root commands.
Status: Candidate
Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt
Votes:
ACCEPT(2) Northcutt, Shostack
MODIFY(2) Prosser, Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> ERS (and other references, BTW) explicitly stipulate 'local and
remote'.
Reference: XF:irix-autofsd
Prosser> Include the SGI Alert as well since it is mentioned in the
description.
SGI Security Advisory 19981005-01-PX
Christey> DUPE CVE-1999-0210?
Christey> ADDREF CIAC:J-014
Baker> It does look very similar to 1999-0210. Perhaps they should be a single entry
Name: CVE-1999-0089
Description:
Buffer overflow in AIX libDtSvc library can allow local
users to gain root access.
Status: Candidate
Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc
Votes:
ACCEPT(2) Northcutt, Shostack
MODIFY(2) Prosser, Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:ibm-libDtSvc
Prosser> The overflow is in the dtaction utility. Also affects
dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
specific.
Christey> Same Codebase as CVE-1999-0121, so the two entries should be
merged.
Name: CVE-1999-0092
Description:
Various vulnerabilities in the AIX portmir command
allows local users to obtain root access.
Status: Candidate
Phase: Proposed (19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1
Votes:
ACCEPT(2) Baker, Bollinger
MODIFY(1) Frech
NOOP(1) Ozancin
Voter Comments:
Frech> XF:ibm-portmir
Name: CVE-1999-0098
Description:
Buffer overflow in SMTP HELO command in Sendmail allows
a remote attacker to hide activities.
Status: Candidate
Phase: Proposed (19990726)
Reference: XF:smtp-helo-bo
Votes:
MODIFY(2) Baker, Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> (Accept XF reference.)
Our references do not mention hiding activities. This issue can crash the
SMTP server or execute arbitrary byte-code. Is there another reference
available?
Christey> Should this be merged with CVE-1999-0284, which is Sendmail
with SMTP HELO?
Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2
Baker> Apparently this XF reference is not for this issue, but for the other issue. This should be modified to have the Bugtraq references, and remove the XF reference.
Name: CVE-1999-0104
Description:
A later variation on the Teardrop IP denial of service
attack, a.k.a. Teardrop-2.
Status: Candidate
Phase: Modified (20040811)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod
Votes:
ACCEPT(2) Wall, Frech
REVIEWING(1) Christey
Voter Comments:
Wall> Another reference is Microsoft Knowledge Base Q179129.
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Christey> MSKB:Q179129
http://support.microsoft.com/support/kb/articles/q179/1/29.asp
Note that the hotfix name is teardrop2, but the keywords
included in the KB article specifically name bonk
(CVE-1999-0258) and boink.
Since teardrop2 was fixed in a slightly different version
(at least in a separate patch) than Teardrop, CD:SF-LOC
suggests keeping them separate.
Christey> Add period to the end of the description.
Name: CVE-1999-0105
Description:
finger allows recursive searches by using a long string
of @ symbols.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(3) Shostack, Baker, Frech
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Shostack> fingerD
Frech> XF:finger-bomb
Christey> aka redirection or forwarding requests? (but then might
overlap CVE-1999-0106)
Baker> should change description to indicate the recursive searching can consume enough system resources to cause a DoS.
Name: CVE-1999-0106
Description:
Finger redirection allows finger bombs.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Northcutt
MODIFY(2) Shostack, Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Shostack> fingerd allows redirection
This is a larger modification, since there are two applications of the
vulnerability, one that I can finger anonymously, and the other that I
can finger bomb anonymously.
Frech> XF:finger-bomb
Christey> need more refs
Baker> This should be merged with 1999-0105
Name: CVE-1999-0107
Description:
Buffer overflow in Apache 1.2.5 and earlier allows a
remote attacker to cause a denial of service with a
large number of GET requests containing a large number
of / characters.
Status: Candidate
Phase: Modified (19991223-01)
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Shostack, Northcutt, Wall
REVIEWING(1) Levy
REVOTE(1) Christey
Voter Comments:
Wall> - Although this is probably the phf hack.
Frech> XF:apache-dos
Christey> This sounds like the incident reported in:
NTBUGTRAQ:20000810 Apache Distributed Denial of Service
Levy> I believe this is the problem where sending a lot of HTTP headers to Apache resulted in a denial of service.
BUGTRAQ: http://www.securityfocus.com/archive/1/10228
BUGTRAQ: http://www.securityfocus.com/archive/1/10516
Name: CVE-1999-0110
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-1999-0315. Reason: This candidate's
original description had a typo that delayed it from
being detected as a duplicate of CVE-1999-0315. Notes:
All CVE users should reference CVE-1999-0315 instead of
this candidate. All references and descriptions in this
candidate have been removed to prevent accidental usage.
Status: Candidate
Phase: Interim (19990810)
Votes:
MODIFY(1) Frech
NOOP(4) Shostack, Levy, Northcutt, Wall
REJECT(3) Dik, Christey, Baker
Voter Comments:
Frech> XF:fdformat-bo
Christey> Duplicate of CVE-1999-0315
Dik> dup
Name: CVE-1999-0114
Description:
Local users can execute commands as other users, and
read other users' files, through the filter command in
the Elm elm-2.4 mail package using a symlink attack.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2
Votes:
ACCEPT(7) Shostack, Bishop, Blake, Wall, Landfield, Cole, Armstrong
MODIFY(2) Baker, Frech
NOOP(3) Ozancin, Christey, Northcutt
REVIEWING(1) Levy
Voter Comments:
Frech> XF:elm-filter2
CHANGE> [Wall changed vote from NOOP to ACCEPT]
Landfield> with Frech modifications
Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm Official Advisory
Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
Need to make sure that this CERT advisory describes the right
problem, especially since the CERT advisory is dated December
18, 1995 and the original Bugtraq post was December 26, 1995.
Christey> BID:1802
URL:http://www.securityfocus.com/bid/1802
BID:1802 doesn't include the 1999 posting - does Security
Focus think that the 1999 post describes a different
vulnerability?
Christey> XF:elm-filter2 isn't on the X-Force web site. How about XF:elm-filter(402) ?
Its references point to the December 26, 1995 Bugtraq post.
Also consider CIAC:G-36 and CERT:VB-95:10
Frech> DELREF:XF:elm-filter2(711)
ADDREF:XF:elm-filter(402)
Name: CVE-1999-0119
Description:
Windows NT 4.0 beta allows users to read and delete
shares.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(2) Northcutt, Baker
REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Frech> XF:nt-beta(11)
Reconsider reject, because this beta was in widespread use.
Name: CVE-1999-0121
Description:
Buffer overflow in dtaction command gives root access.
Status: Candidate
Phase: Proposed (19990617)
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1
Votes:
ACCEPT(2) Dik, Northcutt
MODIFY(3) Prosser, Baker, Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:dtaction-bo
Reference: XF:sun-dtaction
Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
library in AIX 4.x, but reference for this Sun vulnerability should
only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
Bulletin
Christey> This is the Same Codebase as CVE-1999-0089, so the two entries
should be merged.
Frech> Replace sun-dtaction(732) with dtaction-bo(879)
Baker> Merge with 1999-0089
Name: CVE-1999-0123
Description:
Race condition in Linux mailx command allows local users
to read user files.
Status: Candidate
Phase: Modified (20000105-01)
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Votes:
ACCEPT(3) Ozancin, Baker, Frech
NOOP(1) Wall
Name: CVE-1999-0127
Description:
swinstall and swmodify commands in SD-UX package in
HP-UX systems allow local users to create or overwrite
arbitrary files to gain root access.
Status: Candidate
Phase: Proposed (19990623)
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall
Votes:
ACCEPT(2) Prosser, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> (keep current XF: reference, and add)
XF:hpux-sqwmodify
Christey> Perhaps this should be split, per SF-LOC.
Christey> CIAC:H-81
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
HP:HPSBUX9707-064 references CERT:CA-96.27
http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
The original AUSCERT advisory says that the programs "create
files in an insecure manner" and "Exploit details involving
this vulnerability have been made publicly available." which
leads one to assume that the following original Bugtraq post
provides the details for a standard symlink problem:
BUGTRAQ:19961005 swinst,bug
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2
Name: CVE-1999-0140
Description:
Denial of service in RAS/PPTP on NT systems.
Status: Candidate
Phase: Proposed (19990630)
Votes:
ACCEPT(1) Hill
MODIFY(2) Frech, Meunier
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Meunier> Add "pptp invalid packet length in header" to distinguish from other
vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
discovered in the future.
Frech> XF:nt-ras-bo
ONLY IF reference is to MS:MS99-016
Christey> According to my mappings, this is not the MS:MS99-016 problem
referred to by Andre. However, I have yet to dig up a
source.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> This is too general to know which problem is being discussed.
More precise candidates should be created.
Christey> Consider adding BID:2111
Name: CVE-1999-0144
Description:
Denial of service in Qmail by specifying a large number
of recipients with the RCPT command.
Status: Candidate
Phase: Modified (20010301-02)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php
Votes:
ACCEPT(4) Frech, Meunier, Hill, Baker
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0418 and CVE-1999-0250?
Christey> Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator. See
http://cr.yp.to/qmail/venema.html
Significant discussion of this issue took place on the qmail
list. The fundamental question appears to be whether
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX). Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.
See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"
Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Baker> http://cr.yp.to/qmail/venema.html
Bernstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
His page states this is not a qmail problem, rather it is a UNIX problem
that many apps can consume all available memory, and that the administrator
is responsible to set limits in the OS, rather than expect applications to
individually prevent memory exhaustion. CAN 1999-0250 does appear to
be a duplicate of this entry, based on the research I have done so far.
There were two different bugtraq postings, but the second one references
the first, stating that the new exploit uses perl instead of shell scripting
to accomplish the same attack/exploit.
Baker> http://www.securityfocus.com/archive/1/6970
http://www.securityfocus.com/archive/1/6969
http://cr.yp.to/qmail/venema.html
Should probably reject CVE-1999-0250, and add these references to this
Candidate.
Baker> http://www.securityfocus.com/bid/2237
CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
Christey> qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands. Instead, it sends long strings
of "X" characters. A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands. It appears that super@ufo.org
followed up to the wrong message.
NOTE: the ufo.org domain was purchased by another party in
2003, so the current owner is not associated with any
statements by "super@ufo.org" that were made before 2003.
qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.
ADDREF BID:2237
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests. A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."
Name: CVE-1999-0154
Description:
IIS 2.0 and 3.0 allows remote attackers to read the
source code for ASP pages by appending a . (dot) to the
end of the URL.
Status: Candidate
Phase: Proposed (20010912)
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource
Votes:
ACCEPT(4) Frech, Stracener, Wall, Foat
NOOP(3) Christey, Baker, Cole
Voter Comments:
Christey> This is the precursor to the problem that is identified in
CVE-1999-0253.
Christey> CIAC:H-48
URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
CHANGE> [Foat changed vote from NOOP to ACCEPT]
Name: CVE-1999-0156
Description:
wu-ftpd FTP daemon allows any user and password
combination.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:ftp-pwless
Votes:
ACCEPT(2) Shostack, Northcutt
NOOP(1) Baker
RECAST(1) Frech
REVIEWING(2) Christey, Prosser
Voter Comments:
Prosser> but so far can find no reference to this one
Frech> Our records indicate that this does not necessarily affect just wu-ftp (i.e.,
also affects IIS FTP server).
Christey> The references for XF:ftp-pwless are not specific enough,
e.g. in terms of version numbers. Perhaps this candidate
should be rejected due to insufficient information.
Name: CVE-1999-0163
Description:
In older versions of Sendmail, an attacker could use a
pipe character to execute root commands.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:smtp-pipe
Votes:
ACCEPT(2) Frech, Northcutt
MODIFY(1) Prosser
NOOP(2) Christey, Baker
RECAST(1) Shostack
Voter Comments:
Shostack> there was a 'To: |' and a 'From: |' attack, which I
think are separate.
Prosser> older vulnerability, but one additional reference is-
The Ultimate Sendmail Hole List by Markus Hübner @
bau2.uibk.ac.at/matic/buglist.htm
'|PROGRAM '
Christey> Description needs to be more specific to distinguish between
this and CVE-1999-0203, as alluded to by Adam Shostack
Name: CVE-1999-0165
Description:
NFS cache poisoning.
Status: Candidate
Phase: Modified (20040811)
Reference: XF:nfs-cache
Votes:
ACCEPT(3) Frech, Northcutt, Baker
MODIFY(1) Shostack
NOOP(1) Prosser
REVIEWING(1) Christey
Voter Comments:
Shostack> need more data
Christey> need more refs
Christey> Add period to the end of the description.
Name: CVE-1999-0169
Description:
NFS allows attackers to read and write any file on the
system by specifying a false UID.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:nfs-uid
Votes:
ACCEPT(2) Frech, Northcutt
MODIFY(1) Baker
REJECT(1) Shostack
Voter Comments:
Shostack> this is not a vulnerability but a design feature.
Baker> Maybe we should reword it so that it is clear that this was a problem to something like:
"A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID."
Name: CVE-1999-0171
Description:
Denial of service in syslog by sending it a large number
of superfluous messages.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:syslog-flood
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(1) Baker
REJECT(2) Shostack, Christey
Voter Comments:
Shostack> design issue, not a vulnerability. Alternately, add:
DOS on server by opening a large number of telnet sessions..
Christey> Duplicate of CVE-1999-0566
Name: CVE-1999-0186
Description:
In Solaris, an SNMP subagent has a default community
string that allows remote attackers to execute arbitrary
commands as root, or modify system parameters.
Status: Candidate
Phase: Modified (20071119)
Reference: CONFIRM:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10080762.htm
Reference: SUN:00178
Reference: XF:snmp-backdoor-access
Votes:
ACCEPT(2) Dik, Baker
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
Add ISS:Hidden Community String in SNMP Implementation
Christey> What is the proper level of abstraction to use here? Should
we have a separate entry for each different default community
string? See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.
Christey> ADDREF BID:177
Christey> ISS:19981102 Hidden community string in SNMP implementation
http://xforce.iss.net/alerts/advise11.php
Change description to include "hidden"
Christey> XF:snmp-backdoor-access is missing.
Name: CVE-1999-0187
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-1999-0022. Reason: This candidate is a
duplicate of CVE-1999-0022. Notes: All CVE users should
reference CVE-1999-0022 instead of this candidate. All
references and descriptions in this candidate have been
removed to prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(2) Hill, Northcutt
RECAST(3) Frech, Prosser, Baker
REJECT(1) Dik
REVIEWING(1) Christey
Voter Comments:
Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
rdist lookup() (ref CERT 96.14) as well as the BO in rdist function expstr()
(ref CERT 97-23) and various vendor bulletins. However both of these rdist
BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
FreeBSD, SCO, SGI, etc. Believe this falls into the SF-codebase content
decision.
Frech> XF:rdist-bo (error msg formation)
XF:rdist-bo2 (execute code)
XF:rdist-bo3 (execute user-created code)
XF:rdist-sept97 (root from local)
Christey> Duplicate of CVE-1999-0022 (SUN:00179 is referenced in
CERT:CA-97.23.rdist), but as Mike and Andre noted, there
are multiple flaws here, so a RECAST may be necessary.
Dik> As currently phrased, this is a duplicate of CVE-1999-0022
Baker> Based on our new philosophy, this should be recast/merged or re-described.
Name: CVE-1999-0193
Description:
Denial of service in Ascend and 3com routers, which can
be rebooted by sending a zero length TCP option.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(5) Shostack, Bishop, Ozancin, Northcutt, Cole
MODIFY(2) Blake, Baker
NOOP(4) Frech, Wall, Landfield, Armstrong
REVIEWING(2) Levy, Christey
Voter Comments:
Frech> possibly XF:ascend-kill
I can't find a reference that lists both routers in the same reference.
Wall> Comment: There is a reference about the zero length TCP option in BugTraq on
Feb 5, 1999 and it mentions Cisco, but not directly Ascend or 3Com. CIAC Advisory I-038
mentions vulnerabilities in Ascend, but does not mention TCP. CIAC Advisory I-052
mentions 3Com vulnerabilities, but not TCP. Too confusing without better references.
Landfield> What are the references for this ? I cannot find a means to check it out.
CHANGE> [Frech changed vote from REVIEWING to NOOP]
Frech> Cannot reconcile to our database without further references.
Blake> I'm with Andre. I only remember and can find reference to the Ascend
issue. Do we have a reference to the 3Coms? If not, that should be
removed from the description.
Baker> http://xforce.iss.net/static/614.php Misc Defensive Info
http://www.securityfocus.com/archive/1/5682 Misc Offensive Info
http://www.securityfocus.com/archive/1/5647 Misc Defensive Info
http://www.securityfocus.com/archive/1/5640 Misc Defensive Info
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Name: CVE-1999-0195
Description:
Denial of service in RPC portmapper allows attackers to
register or unregister RPC services or spoof RPC
services using a spoofed source IP address such as
127.0.0.1.
Status: Candidate
Phase: Modified (19991130-01)
Reference: BUGTRAQ:19990128 rpcbind: deceive,
enveigle and obfuscate
Votes:
ACCEPT(2) Shostack, Balinsky
MODIFY(1) Frech
NOOP(3) Northcutt, Wall, Baker
REVIEWING(2) Levy, Christey
Voter Comments:
Frech> XF:rpcbind-spoof
Christey> CVE-1999-0195 = CVE-1999-0461 ?
If this is approved over CVE-1999-0461, make sure it gets
XF:pmap-sset
Name: CVE-1999-0197
Description:
finger 0@host on some systems may print information on
some user accounts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> fingerd may respond to 'finger 0@host' with account info
Frech> Need more reference to establish this 'exposure'.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:finger-unused-accounts(8378)
We're entering it into our database solely to track
competition. The only references seem to be product listings:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002 Finger 0@host check)
http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host feature)
Name: CVE-1999-0198
Description:
finger .@host on some systems may print information on
some user accounts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> as above
Frech> Need more reference to establish this 'exposure'.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:finger-unused-accounts(8378)
We're entering it into our database solely to track
competition. The only references seem to be product listings:
http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004 Finger .@target-host check)
http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host check)
http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host feature)
Name: CVE-1999-0200
Description:
Windows NT FTP server (WFTP) with the guest account
enabled without a password allows an attacker to log
into the FTP server using any username and password.
Status: Candidate
Phase: Modified (19991130-01)
Reference: MSKB:Q137853
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Shostack
NOOP(2) Northcutt, Wall
REJECT(1) Christey
REVIEWING(1) Levy
Voter Comments:
Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
Frech> Other have mentioned this before, but it may be WU-FTP.
POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
access without anon FTP or a regular account?
POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a
non-anon FTP account and gain root privs.
Christey> added MSKB reference
CHANGE> [Christey changed vote from REVOTE to REJECT]
Christey> The MSKB article may have confused things even more. There
were reports of problems in a Windows-based FTP server called
WFTP (http://www.wftpd.com/) that is not a Microsoft FTP
server. It's best to just kill this candidate where it
stands and start fresh.
Name: CVE-1999-0205
Description:
Denial of service in Sendmail 8.6.11 and 8.6.12.
Status: Candidate
Phase: Modified (19990925-01)
Reference: BUGTRAQ:19990708 SM 8.6.12
Votes:
ACCEPT(2) Hill, Northcutt
MODIFY(2) Frech, Prosser
NOOP(1) Baker
REVIEWING(2) Ozancin, Christey
Voter Comments:
Frech> XF:sendmail-alias-dos
Prosser> additional source
Bugtraq
"Re: SM 8.6.12"
http://www.securityfocus.com
Christey> The Bugtraq thread does not provide any proof, including a
comment by Eric Allman that he hadn't been provided any
details either.
See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
for the thread.
Christey> Change Bugtraq reference date to 19950708.
Name: CVE-1999-0213
Description:
libnsl in Solaris allowed an attacker to perform a
denial of service of rpcbind.
Status: Candidate
Phase: Modified (20001009-01)
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859
Votes:
ACCEPT(6) Dik, Ozancin, Hill, Blake, Landfield, Cole
MODIFY(3) Frech, Levy, Baker
NOOP(4) Bishop, Meunier, Wall, Armstrong
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sun-libnsl
Dik> Sun bug #4305859
Baker> http://xforce.iss.net/static/1204.php Misc Defensive Info
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba Vendor Info
http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt Vendor Info
http://www.securityfocus.com/archive/1/9749 Misc Defensive Info
Christey> I don't think this is the bug that everyone thinks it is.
This candidate came from CyberCop Scanner 2.4/2.5, which
only reports this as a DoS problem. If SUN:00172 is an
advisory for this, then it may be a duplicate of
CVE-1999-0055. There appears to be overlap with other
references as well. HOWEVER, this particular one deals with a
DoS in rpcbind - which isn't mentioned in the sources for
CVE-1999-0055.
Levy> BID 148
Name: CVE-1999-0216
Description:
Denial of service of inetd on Linux through SYN and RST
packets.
Status: Candidate
Phase: Modified (19991203-01)
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd
Votes:
ACCEPT(1) Hill
MODIFY(2) Frech, Baker
RECAST(1) Meunier
Voter Comments:
Meunier> The location of the vulnerability, whether in the Linux kernel or the
application, is debatable. Any program making the same (reasonable)
assumption is vulnerable, i.e., implements the same vulnerability:
"Assumption that TCP-three-way handshake is complete after calling Linux
kernel function accept(), which returns socket after getting SYN. Result
is process death by SIGPIPE"
Moreover, whether it results in DOS (to third parties) depends on the
process that made the assumption.
I think that the present entry should be split, one entry for every
application that implements the vulnerability (really describing threat
instances, which is what other people think about when we talk about
vulnerabilities), and one entry for the Linux kernel that allows the
vulnerability to happen.
Frech> XF:hp-inetd
XF:linux-inetd-dos
Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it? It applies to multiple OS and should be likely either modified, or in extreme case, recast
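The failure mode Meunier describes (accept() handing back a connection whose peer has already sent RST, so the daemon's first write hits EPIPE and the process dies of SIGPIPE) can be exercised without crafting packets. The following is an added example, not part of the CVE record or of any inetd source: the function names are invented, and a socketpair whose far end has been closed stands in for a connection reset right after accept(). It puts a handler that assumes the handshake completed next to one that treats the new socket as possibly already gone.

```python
import signal
import socket

# Added example (not from the CVE record or any inetd source). A connection
# handed back by accept() may already be dead; the daemon must survive that.


def install_sigpipe_guard():
    """Make a write to a dead peer return EPIPE instead of killing the process."""
    if hasattr(signal, "SIGPIPE"):
        try:
            signal.signal(signal.SIGPIPE, signal.SIG_IGN)
        except ValueError:      # not on the main thread; leave the existing disposition
            pass


def fragile_greet(conn, banner=b"220 ready\r\n"):
    """Assumes the three-way handshake completed and the peer is still there."""
    conn.sendall(banner)
    conn.close()
    return "sent"


def robust_greet(conn, banner=b"220 ready\r\n"):
    """Treats a freshly accepted socket as possibly gone; never raises into the loop."""
    try:
        conn.sendall(banner)
        return "sent"
    except (BrokenPipeError, ConnectionResetError, ConnectionAbortedError):
        return "peer-gone"
    finally:
        conn.close()


def serve(connections, greet):
    """Service loop over already-accepted sockets; an escaped OSError ends it."""
    return [greet(conn) for conn in connections]


def dead_peer_socket():
    """Constructed stand-in for a connection the peer reset right after accept()."""
    ours, theirs = socket.socketpair()
    theirs.close()
    return ours


def survives(greet):
    """True when the service loop outlives one reset connection followed by a live one."""
    live_ours, live_theirs = socket.socketpair()
    try:
        serve([dead_peer_socket(), live_ours], greet)
    except OSError:
        return False
    finally:
        live_theirs.close()
        live_ours.close()
    return True
```

With SIGPIPE ignored the kernel reports the dead peer as EPIPE on the write; the fragile handler lets that propagate and takes the whole loop down (the inetd behaviour in the posting), while the robust one logs the outcome and moves on to the next connection.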
Name: CVE-1999-0220
Description:
Attackers can do a denial of service of IRC by crashing
the server.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Northcutt, Baker
REJECT(2) Frech, Christey
Voter Comments:
Frech> Would reconsider if any references were available.
Christey> No references available, combined with extremely vague
description, equals REJECT.
Name: CVE-1999-0222
Description:
Denial of service in Cisco IOS web server allows
attackers to reboot the router using a long URL.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(1) Baker
MODIFY(3) Frech, Shostack, Levy
NOOP(3) Balinsky, Northcutt, Wall
RECAST(1) Ziese
REJECT(1) Christey
Voter Comments:
Shostack> I follow cisco announcements and problems pretty closely, and haven't
seen this. Source?
Frech> XF:cisco-web-crash
Christey> XF:cisco-web-crash has no additional references. I can't find
any references in Bugtraq or Cisco either. This bug is
supposedly tested by at least one security product, but that
product's database doesn't have any references either. So
a question becomes, how did it make it into at least two
security companies' databases?
Levy> BUGTRAQ: http://www.securityfocus.com/archive/1/60159
BID 1154
Ziese> The vulnerability is addressed by a vendor acknowledgement. This one, if
recast to reflect that "...after using a long url..." should be replaced
with
"...A defect in multiple releases of Cisco IOS software will cause a Cisco
router or switch to halt and reload if the IOS HTTP service is enabled,
browsing to "http://router-ip/anytext?/" is attempted, and the enable
password is supplied when requested. This defect can be exploited to produce
a denial of service (DoS) attack."
Then I can accept this and mark it as "Verified by my Company". If it can't
be recast because this (long uri) is different than our release (special
url construction).
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> Elias Levy's suggested reference is CVE-2000-0380.
I don't think that Kevin's description is really addressing
this either. The lack of references and a specific
description make this candidate unusable, so it should be
rejected.
Name: CVE-1999-0226
Description:
Windows NT TCP/IP processes fragmented IP packets
improperly, causing a denial of service.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Christey> Too general, and no references.
Frech> XF:nt-frag(528)
See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net
Name: CVE-1999-0229
Description:
Denial of service in Windows NT IIS server using ..\..
Status: Candidate
Phase: Modified (19991228-02)
Reference: MSKB:Q115052
Votes:
ACCEPT(2) Shostack, Baker
MODIFY(2) Frech, Wall
NOOP(1) Northcutt
REJECT(1) Christey
REVIEWING(1) Levy
Voter Comments:
Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
Frech> XF:http-dotdot (not necessarily IIS?)
Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
problem.
Christey> This actually looks like XF:iis-dot-dot-crash(1638)
http://xforce.iss.net/static/1638.php
If so, include the version number (2.0)
CHANGE> [Christey changed vote from REVOTE to REJECT]
Christey> Bill Wall intended to suggest Q155052, but the affected
IIS version there is 1.0; the effect is to read files,
so this sounds like a directory traversal problem,
instead of an inability to process certain strings.
As a result, this candidate is too general, since it could
apply to 2 different problems, so it should be REJECTed.
Christey> Consider adding BID:2218
Name: CVE-1999-0231
Description:
Buffer overflow in IP-Switch IMail and Seattle Labs
Slmail 2.6 packages using a long VRFY command, causing a
denial of service and possibly remote access.
Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS -
Imail also
Votes:
ACCEPT(2) Levy, Baker
NOOP(3) Christey, Northcutt, Landfield
RECAST(1) Frech
REVIEWING(1) Ozancin
Voter Comments:
Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
XF:smtp-vrfy-bo (many mail packages)
Northcutt> (There is no way I will have access to these systems)
Christey> Some sources report that VRFY and EXPN are both affected.
Name: CVE-1999-0232
Description:
Buffer overflow in NCSA WebServer (version 1.5c) gives
remote access.
Status: Candidate
Phase: Modified (19991220-01)
Votes:
ACCEPT(2) Hill, Northcutt
MODIFY(1) Frech
NOOP(1) Prosser
REJECT(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> Unable to provide a match due to vague/insufficient description/references.
Possible matches are:
XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
XF:http-ncsa-longurl (highest probability)
Christey> CVE-1999-0235 is the one associated with XF:http-ncsa-longurl
More research is necessary for this one.
Baker> Since this has no references at all, and is vague and we have a
CAN for the most likely issue, we should kill this one
Name: CVE-1999-0235
Description:
Buffer overflow in NCSA WebServer (1.4.1 and below)
gives remote access.
Status: Candidate
Phase: Modified (19991220-01)
Reference: CERT:CA-95:04
Reference: CIAC:F-11
Votes:
ACCEPT(3) Hill, Prosser, Northcutt
MODIFY(1) Frech
REJECT(2) Christey, Baker
Voter Comments:
Frech> XF:http-ncsa-longurl
Christey> CVE-1999-0235 has the same ref's as CVE-1999-0267
Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both
refer to the same problem. This should be rejected as 1999-0267 is the same problem.
Name: CVE-1999-0238
Description:
php.cgi allows attackers to read any file on the system.
Status: Candidate
Phase: Proposed (19990623)
Reference: XF:http-cgi-phpfileread
Votes:
ACCEPT(5) Frech, Collins, Prosser, Northcutt, Baker
NOOP(1) Christey
Voter Comments:
Prosser> additional source
AUSCERT External Security Bulletin ESB-97.047
http://www.auscert.org.au
Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
The attacker specifies the filename as an argument to the
program.
Add "PHP/FI" to description to facilitate search.
AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
Christey> Consider adding BID:2250
Name: CVE-1999-0240
Description:
Some filters or firewalls allow fragmented SYN packets
with IP reserved bits in violation of their implemented
policy.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
NOOP(1) Baker
REJECT(1) Frech
Voter Comments:
Frech> Would reconsider if any references were available.
Name: CVE-1999-0241
Description:
Guessable magic cookies in X Windows allows remote
attackers to execute commands, e.g. through xterm.
Status: Candidate
Phase: Modified (19990925-01)
Reference: XF:http-xguess-cookie
Votes:
ACCEPT(3) Hill, Northcutt, Proctor
MODIFY(2) Frech, Prosser
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> Also add to references:
XF:sol-mkcookie
Prosser> additional source
Bugtraq
"X11 cookie hijacker"
http://www.securityfocus.com
Christey> The cookie hijacker thread has to do with stealing cookies
through a file with bad permissions. I'm not sure the
X-Force reference identifies this problem either.
Christey> CIAC:G-04
URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
SGI:19960601-01-I
URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
CERT:VB-95:08
Name: CVE-1999-0242
Description:
Remote attackers can access mail files via POP3 in some
Linux systems that are using shadow passwords.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware
/bin/mail) security hole
Reference: XF:linux-pop3d
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Shostack, Christey, Northcutt, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> Ambiguous description: need more detail. Possibly:
XF:linux-pop3d (mktemp() leads to reading e-mail)
Christey> At first glance this might look like CVE-1999-0123 or
CVE-1999-0125, however this particular candidate arises out
of a brief mention of the problem in a larger posting which
discusses CVE-1999-0123 (which may be the same bug as
CVE-1999-0125). See the following phrase in the Bugtraq
post: "one such example of this is in.pop3d"
However, the original source of this candidate's description
explicitly mentions shadowed passwords, though it has no
references to help out here.
Name: CVE-1999-0243
Description:
Linux cfingerd could be exploited to gain root access.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(1) Shostack
NOOP(4) Levy, Northcutt, Wall, Baker
REJECT(2) Frech, Christey
Voter Comments:
Christey> This has no sources; neither does the original database that
this entry came from. It's a likely duplicate of
CVE-1999-0813.
Frech> I disagree on the dupe; see Linux-Security Mailing List,
"[linux-security] Cfinger (Yet more :)" at
http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
if v1.2.3 is vulnerable, perhaps 1.3.0 also. CVE-1999-0813 pertains
to 1.4.x and below and shows up two years later.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> If the reference I previously supplied is correct, then
it appears as if the poster modified the source using authorized
access to make it vulnerable. Modifying the source in this manner
does not qualify as being listed a vulnerability.
Name: CVE-1999-0246
Description:
HP Remote Watch allows a remote user to gain root
access.
Status: Candidate
Phase: Proposed (19990630)
Reference: XF:hp-remote
Votes:
ACCEPT(4) Frech, Hill, Prosser, Northcutt
NOOP(1) Baker
RECAST(1) Christey
Voter Comments:
Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
Remote Watch (the advisory uses two words, not one, for the
"Remote Watch" name)
ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
Prosser> agree that the advisory mentions two vulnerabilities in Remote
Watch, one being a socket connection and other with the showdisk utility
which seems to be a suid vulnerability. Never get much details on this
anywhere since the recommendation is to remove the program since it is
obsolete and superseded by later tools. Believe the biggest concern here is
to just not run the tool at all.
Christey> CIAC:H-16
Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
And possibly AUSCERT:AA-96.07 at
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
Include "remwatch" in the description to facilitate search.
Name: CVE-1999-0249
Description:
Windows NT RSHSVC program allows remote users to execute
arbitrary commands.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Wall
NOOP(2) Shostack, Northcutt
RECAST(1) Christey
REVIEWING(1) Levy
Voter Comments:
Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
remote
users to execute arbitrary commands.
Source: rshsvc.txt from the Windows NT Resource Kit.
Frech> XF:rsh-svc
Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case
where remote users coming from authorized machines are
allowed access regardless of what .rhosts says. XF:rsh-svc
refers to a bug circa 1997 where any remote entity could
execute commands as system.
Name: CVE-1999-0250
Description:
Denial of service in Qmail through long SMTP commands.
Status: Candidate
Phase: Modified (20010301-01)
Reference: BUGTRAQ:19970612 qmail-dos-2.c,
another denial of service attack
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference:
MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng
Votes:
ACCEPT(2) Meunier, Hill
MODIFY(1) Frech
REJECT(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:qmail-rcpt
Christey> DUPE CVE-1999-0418 and CVE-1999-0144?
Christey> Dan Bernstein, author of Qmail, says that this is not a
vulnerability in qmail because Unix has built-in resource
limits that can restrict the size of a qmail process; other
limits can be specified by the administrator. See
http://cr.yp.to/qmail/venema.html
Significant discussion of this issue took place on the qmail
list. The fundamental question appears to be whether
application software should set its own limits, or rely
on limits set by the parent operating system (in this case,
UNIX). Also, some people said that the only problem was that
the suggested configuration was not well documented, but this
was refuted by others.
See the following threads at
http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
"Denial of service (qmail-smtpd)"
"qmail-dos-2.c, another denial of service"
"[PATCH] denial of service"
"just another qmail denial-of-service"
"the UNIX way"
"Time for a reality check"
Also see Bugtraq threads on a different vulnerability that
is related to this topic:
BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Baker> This appears to be the same vulnerability listed in CAN 1999-0144. In reading
through both bugtraq postings, the one that is referenced by 0144 is
based on a shell code exploit to cause memory exhaustion. The bugtraq
posting referenced by this entry refers explicitly to the prior
posting for 0144, and states that the same effect could be
accomplished by a perl exploit, which was then attached.
Baker> http://www.securityfocus.com/archive/1/6969 CVE-1999-0144
http://www.securityfocus.com/archive/1/6970 CVE-1999-0250
Both references should be added to CVE-1999-0144, and CVE-1999-0250
should likely be rejected.
CHANGE> [Baker changed vote from REVIEWING to REJECT]
Christey> XF:qmail-leng no longer exists; check with Andre to see if they
regarded it as a duplicate as well.
qmail-dos-1.c, as published by Wietse Venema (CVE-1999-0250)
in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
use any RCPT commands. Instead, it sends long strings
of "X" characters. A followup by "super@UFO.ORG" includes
an exploit that claims to do the same thing; however, that
exploit does not send long strings of X characters - it sends
a large number of RCPT commands. It appears that super@ufo.org
followed up to the wrong message.
qmail-dos-2.c, as published by Wietse Venema (CVE-1999-0144)
in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
sends a large number of RCPT commands.
ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Also see a related thread:
BUGTRAQ:19990308 SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
This also describes a problem with mail servers not being able
to handle too many "RCPT TO" requests. A followup message
notes that application-level protection is used in Sendmail
to prevent this:
BUGTRAQ:19990309 Re: SMTP server account probing
http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
The person further says, "This attack can easily be
prevented with configuration methods."
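Christey's notes above describe two attack shapes (one very long command line with no line ending, and a flood of RCPT TO commands) and a debate over whether the application or the operating system should bound the memory they consume. The following is an added example, not qmail's code and not part of the CVE record: it shows the application-side bound using the RFC 5321 limits (512-byte command lines including CRLF; a server must accept at least 100 recipients). The class, function names and attack inputs are constructed here; the OS-side alternative (a process memory rlimit) is not shown.

```python
# Added example (not from qmail or the CVE record): an SMTP command handler
# whose memory use is bounded whatever the peer sends. Limits follow RFC 5321.

MAX_LINE_BYTES = 512       # command line limit, CRLF included
MAX_RCPT_PER_MSG = 100     # recipients a server must accept per message


class SmtpSession:
    """Minimal command handler: bounded line buffer, bounded recipient list."""

    def __init__(self, max_line=MAX_LINE_BYTES, max_rcpt=MAX_RCPT_PER_MSG):
        self.max_line = max_line
        self.max_rcpt = max_rcpt
        self.rcpts = []
        self.buf = b""
        self.closed = False

    def feed(self, data):
        """Consume bytes from the peer (read at most max_line per call); return reply lines.

        A line that has not ended within max_line bytes is rejected and the
        session closed, instead of being accumulated without bound.
        """
        replies = []
        if self.closed:
            return replies
        self.buf += data
        while not self.closed:
            nl = self.buf.find(b"\r\n", 0, self.max_line)
            if nl == -1:
                if len(self.buf) >= self.max_line:
                    self._abort(replies)
                break                              # wait for more bytes
            if nl + 2 > self.max_line:
                self._abort(replies)
                break
            line, self.buf = self.buf[:nl], self.buf[nl + 2:]
            replies.append(self.command(line))
        return replies

    def _abort(self, replies):
        replies.append("500 5.5.2 Line too long")
        replies.append("421 4.7.0 Closing connection")
        self.buf = b""
        self.closed = True

    def command(self, line):
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            return "500 5.5.2 Non-ASCII command"
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "RCPT":
            if len(self.rcpts) >= self.max_rcpt:       # stop growing the list
                return "452 4.5.3 Too many recipients"
            self.rcpts.append(arg)
            return "250 2.1.5 OK"
        if verb in ("MAIL", "RSET"):
            self.rcpts = []
            return "250 2.0.0 OK"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        if verb in ("HELO", "EHLO", "DATA", "NOOP"):
            return "250 2.0.0 OK"
        return "502 5.5.1 Command not implemented"


def replay(session, data, chunk=MAX_LINE_BYTES):
    """Feed constructed input in bounded chunks, as a recv() loop would."""
    replies = []
    for i in range(0, len(data), chunk):
        replies.extend(session.feed(data[i:i + chunk]))
    return replies


def long_line_attack(length=100_000):
    """Constructed: one command line of `length` X characters (the qmail-dos-1 shape)."""
    return replay(SmtpSession(), b"X" * length + b"\r\n")


def rcpt_flood(count=1000):
    """Constructed: MAIL FROM followed by `count` RCPT TO commands (the qmail-dos-2 shape)."""
    data = b"MAIL FROM:<sender@example.invalid>\r\n"
    data += b"".join(b"RCPT TO:<u%d@example.invalid>\r\n" % i for i in range(count))
    return replay(SmtpSession(), data)
```

The long line is refused as soon as 512 bytes arrive without a CRLF, so the buffer never grows past one chunk; the recipient flood is answered with 452 once the list is full, which is the application-level protection the Sendmail follow-up in the thread refers to.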
Name: CVE-1999-0253
Description:
IIS 3.0 with the iis-fix hotfix installed allows remote
intruders to read source code for ASP programs by using
a %2e instead of a . (dot) in the URL.
Status: Candidate
Phase: Modified (20000106-01)
Reference: XF:http-iis-2e
Reference: L0PHT:19970319
Votes:
ACCEPT(9) Frech, Bishop, Collins, Blake, Northcutt, Baker, Landfield, Cole, Armstrong
MODIFY(1) LeBlanc
NOOP(3) Ozancin, Prosser, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> This is a problem that was introduced after patching a
previous dot bug with the iis-fix hotfix (see CVE-1999-0154).
Since the hotfix introduced the problem, this should be
treated as a separate issue.
Wall> Agree with the comment.
LeBlanc> - this one is so old, I don't remember it at all and can't verify or
deny the issue. If you can find some documentation that says we fixed it (KB
article, hotfix, something), then I would change this to ACCEPT
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:1814
URL:http://www.securityfocus.com/bid/1814
Name: CVE-1999-0254
Description:
A hidden SNMP community string in HP OpenView allows
remote attackers to modify MIB tables and obtain
sensitive information.
Status: Candidate
Phase: Proposed (19990726)
Reference: ISS:Hidden SNMP community in HP
OpenView
Reference: XF:hpov-hidden-snmp-comm
Votes:
ACCEPT(2) Frech, Baker
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Christey> What is the proper level of abstraction to use here? Should
we have a separate entry for each different default community
string? See:
http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
Until the associated content decisions have been approved
by the Editorial Board, this candidate cannot be accepted
for inclusion in CVE.
Name: CVE-1999-0255
Description:
Buffer overflow in ircd allows arbitrary command
execution.
Status: Candidate
Phase: Proposed (19990623)
Votes:
ACCEPT(3) Hill, Northcutt, Baker
MODIFY(1) Frech
NOOP(1) Prosser
REJECT(1) Christey
Voter Comments:
Frech> XF:irc-bo
Christey> This is too general and doesn't have any references. The
XF reference doesn't appear to exist any more.
Perhaps this reference would help:
BUGTRAQ:19970701 ircd buffer overflow
Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.
Name: CVE-1999-0257
Description:
Nestea variation of teardrop IP fragmentation denial of
service.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nestea-linux-dos
Christey> Not sure how many separate "instances" of Teardrop
and its ilk. Also see comments on CVE-1999-0001.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Is CVE-1999-0001 the same as CVE-1999-0052? That one is related
to nestea (CVE-1999-0257) and probably the one described in
BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
The patch for nestea is in ip_input.c around line 750.
The patches for CVE-1999-0001 are in lines 388&446. So,
CVE-1999-0001 is different from CVE-1999-0257 and CVE-1999-0052.
The FreeBSD patch for CVE-1999-0052 is in line 750.
So, CVE-1999-0257 and CVE-1999-0052 may be the same, though
CVE-1999-0052 should be RECAST since this bug affects Linux
and other OSes besides FreeBSD.
Also see BUGTRAQ:19990909 CISCO and nestea.
Finally, note that there is no fundamental difference between
nestea and nestea2/nestea-v2; they are different ports that
exploit the same problem.
The original nestea advisory is at
http://www.technotronic.com/rhino9/advisories/06.htm
but notice that the suggested fix is in line 375 of
ip_fragment.c, not ip_input.c.
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> BUGTRAQ:19980501 nestea does other things
http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
Nestea source code is in
MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html
Name: CVE-1999-0258
Description:
Bonk variation of teardrop IP fragmentation denial of
service.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(2) Frech, Wall
REVIEWING(1) Christey
Voter Comments:
Wall> Reference Q179129
Frech> XF:teardrop-mod
Christey> Not sure how many separate "instances" of Teardrop there are.
See: CVE-1999-0015, CVE-1999-0104, CVE-1999-0257, CVE-1999-0258
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
Christey> BUGTRAQ:19980108 bonk.c
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
NTBUGTRAQ:19980108 bonk.c
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
NTBUGTRAQ:19980109 Re: Bonk.c
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
CIAC:I-031a
http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
CERT summary CS-98.02 implies that bonk, boink, and newtear
all exploit the same vulnerability.
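The teardrop family discussed in CVE-1999-0226, CVE-1999-0257 and CVE-1999-0258 above sends overlapping IP fragments whose second piece ends inside the first; a reassembler that trims the front overlap and then computes "end minus offset" obtains a negative length, which becomes a huge unsigned copy. The following is an added example, not the FreeBSD, Linux or Windows NT patch and not part of the CVE records: naive_copy_length models that arithmetic, and Reassembler is an illustrative validator that refuses any overlap or out-of-range fragment before buffering it. Fragment offsets are in 8-byte units as in the IP header; all inputs are constructed.

```python
# Added example (not a vendor patch or CVE record text): models the teardrop
# arithmetic and shows the validation a reassembler needs before buffering.

MAX_DATAGRAM = 65535


class FragmentError(ValueError):
    """Raised for a fragment the reassembler refuses to buffer."""


def naive_copy_length(prev_end, offset, end):
    """Copy length computed by a reassembler that only trims the front overlap.

    Negative (a huge size_t once cast) when the new fragment ends before the
    previous one does: the teardrop condition.
    """
    if offset < prev_end:
        offset = prev_end
    return end - offset


class Reassembler:
    """Buffers fragments of one datagram; rejects overlaps and bad lengths."""

    def __init__(self):
        self.frags = []      # (start, end, payload), kept sorted by start
        self.total = None    # datagram payload length, known once the last fragment arrives

    def add(self, offset_units, more_fragments, payload):
        start = offset_units * 8
        end = start + len(payload)
        if not payload:
            raise FragmentError("empty fragment")
        if end > MAX_DATAGRAM:
            raise FragmentError("fragment runs past %d bytes" % MAX_DATAGRAM)
        if more_fragments and len(payload) % 8:
            raise FragmentError("non-final fragment not a multiple of 8 bytes")
        if self.total is not None and end > self.total:
            raise FragmentError("fragment runs past the final fragment")
        for s, e, _ in self.frags:
            if start < e and s < end:       # any overlap, including the teardrop shape
                raise FragmentError("overlaps fragment [%d,%d)" % (s, e))
        if not more_fragments:
            if self.total is not None:
                raise FragmentError("second final fragment")
            self.total = end
        self.frags.append((start, end, payload))
        self.frags.sort()

    def complete(self):
        """Return the reassembled payload, or None while pieces are missing."""
        if self.total is None:
            return None
        pos = 0
        out = []
        for s, e, p in self.frags:
            if s != pos:
                return None
            out.append(p)
            pos = e
        return b"".join(out) if pos == self.total else None


def rejects(reasm, offset_units, more_fragments, payload):
    """True when the reassembler refuses the fragment."""
    try:
        reasm.add(offset_units, more_fragments, payload)
    except FragmentError:
        return True
    return False
```

Rejecting every overlap is stricter than RFC 791 requires (it allows later fragments to overwrite earlier data), but it is the policy that removes the whole bonk/boink/newtear/nestea class at once rather than patching each length computation.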
Name: CVE-1999-0261
Description:
Netmanager Chameleon SMTPd has several buffer overflows
that cause a crash.
Status: Candidate
Phase: Modified (20000827-01)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference:
MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Landfield
NOOP(3) Ozancin, Christey, Northcutt
Voter Comments:
Frech> XF:chamelion-smtp-dos
Landfield> - Specify what "a crash" means.
Christey> ADDREF XF:chameleon-smtp-dos ? (but it's not on the web site)
Christey> Consider adding BID:2387
Name: CVE-1999-0271
Description:
Progressive Networks Real Video server (pnserver) can be
crashed remotely.
Status: Candidate
Phase: Modified (19990925-01)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server
Version 5 bug?
Votes:
ACCEPT(3) Blake, Northcutt, Baker
MODIFY(1) Frech
NOOP(1) Prosser
REVIEWING(1) Christey
Voter Comments:
Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
posting), but may be multiple codebases since several
Real Audio servers are affected.
Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
See CVE-1999-0896
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:realvideo-telnet-dos
Name: CVE-1999-0282
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This
candidate combined references from one issue with the
description from another issue. Notes: Users should
consult CVE-1999-1584 and CVE-1999-1586 to obtain the
appropriate name. All references and descriptions in
this candidate have been removed to prevent accidental
usage.
Status: Candidate
Phase: Modified (20050830)
Votes:
ACCEPT(2) Dik, Baker
MODIFY(1) Frech
NOOP(1) Ozancin
RECAST(1) Prosser
REJECT(1) Christey
Voter Comments:
Frech> XF:sun-loadmodule
XF:sun-modload (CERT CA-93.18 very old!)
Prosser> Believe the reference given, 95-12, is referencing a later
loadmodule(8) setuid problem in the X11/NeWS windowing system. There is an
earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
for the SunOS 4.1.x/Solbourne and OpenWindow 3.0. In fact, they may be the
same as the HP patches are 100448-02 for the 93 loadmodule/modload
vulnerability and 100448-03 for the 95 loadmodule vulnerability which
normally indicated a patch update. Looks like the original patch either
didn't completely fix the problem or it resurfaced in X11 NeWS. Can't tell
much beyond that and this is my opinion only as have no way to check it.
Which one is this CVE referencing? I accept both.
Dik> There are three similar Sun bug ids associated with the patches.
1076118 loadmodule has a security vulnerability
1148753 loadmodule has a security vulnerability
1222192 loadmodule has a security vulnerability
as well as:
1137491
Ancient stuff.
Christey> Add period to the end of the description.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> This is distinct from CVE-1999-1584 - CVE-1999-1584 is for
CA-93.18.
CHANGE> [Christey changed vote from REVIEWING to REJECT]
Christey> This candidate combines two separate issues. It uses the CERT
alert reference from 1995, from one issue, but a description that
is associated with a separate issue.
Name: CVE-1999-0283
Description:
The Java Web Server would allow remote users to obtain
the source code for CGI programs.
Status: Candidate
Phase: Modified (19991203-01)
Reference: BUGTRAQ:19970716 Viewable .jhtml
source with JavaWebServer
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2
Votes:
ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole
MODIFY(1) Frech
NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield
REVIEWING(1) Ozancin
Voter Comments:
Wall> Acknowledged by vendor at
http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
Baker> Vulnerability Reference (HTML) Reference Type
http://www.securityfocus.com/archive/1/7260 Misc Defensive Info
http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info
Christey> BID:1891
URL:http://www.securityfocus.com/bid/1891
Christey> Add version number (1.1 beta) and details of attack (appending
a . or a \)
The Sun URL referenced by Dave Baker no longer exists, so I
wasn't able to verify that it addressed the problem described
in the Bugtraq post. This might not even be Sun's
"Java Web Server," as CVE-2001-0186 describes some product
called "Free Java Web Server"
Dik> There appears to be some confusion.
The particular bug seems to be in JWS 1.1beta or 1.1 which was fixed
in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL)
There are other bugs that give access and that require a configuration
change.
http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
Christey> Need to make sure to create CAN's for the other bugs,
as documented in:
NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
The reported bugs are:
1) file read by appending %20
2) Directly call /servlet/file
URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
#2 is explicitly mentioned in the Sun advisory for
CVE-1999-0283.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:javawebserver-cgi-source(5383)
Name: CVE-1999-0284
Description:
Denial of service to NT mail servers including Ipswitch,
Mdaemon, and Exchange through a buffer overflow in the
SMTP HELO command.
Status: Candidate
Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo
Votes:
ACCEPT(2) Blake, Northcutt
MODIFY(3) Frech, Ozancin, Levy
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
XF:mdaemon-helo-bo
XF:lotus-notes-helo-crash
XF:slmail-helo-overflow
XF:smtp-helo-bo (mentions several products)
XF:smtp-exchangedos
Levy> - Need one per software. Each one should be its own
vulnerability.
Ozancin> => Windows NT is correct
Christey> These are probably multiple codebases, so we'll need to use
dot notation. Also need to see if this should be merged
with CVE-1999-0098 (Sendmail SMTP HELO).
Name: CVE-1999-0285
Description:
Denial of service in telnet from the Windows NT Resource
Kit, by opening then immediately closing a connection.
Status: Candidate
Phase: Proposed (19990630)
Votes:
ACCEPT(1) Hill
NOOP(2) Wall, Baker
REJECT(2) Frech, Christey
Voter Comments:
Christey> No references, no information.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> No references; closest documented match is with
CVE-2001-0346, but that's for Windows 2000.
Name: CVE-1999-0286
Description:
In some NT web servers, appending a space at the end of
a URL may allow attackers to read source code for active
pages.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(3) Armstrong, Shostack, Cole
MODIFY(3) Levy, Blake, Wall
NOOP(5) Bishop, Ozancin, Northcutt, Baker, Landfield
REJECT(1) Frech
REVIEWING(1) Christey
Voter Comments:
Wall> In some NT web servers, appending a dot at the end of a URL may
allow attackers to read source code for active pages.
Source: MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
in Browser"
Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
Christey> Q163485 does not refer to a space, it refers to a dot.
However, I don't have other references.
Reading source code with a dot appended is in CVE-1999-0154,
which will be proposed. A subsequent bug similar to the
dot bug is CVE-1999-0253.
Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
BID 273
Blake> Reference: http://www.allaire.com/handlers/index.cfm?ID=10967
CHANGE> [Christey changed vote from NOOP to REVIEWING]
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> BID articles)
Name: CVE-1999-0287
Description:
Vulnerability in the Wguest CGI program.
Status: Candidate
Phase: Proposed (19990714)
Votes:
MODIFY(2) Frech, Shostack
NOOP(4) Levy, Blake, Northcutt, Wall
REJECT(2) Christey, Baker
Voter Comments:
Shostack> allows file reading
Frech> XF:http-cgi-webcom-guestbook
Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem. Let's refer to the NTBugtraq posting as
CVE-1999-0467. We will refer to the "previous report" as
CVE-1999-0287, which could be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.
The exploit as described in 0467 encodes the template variable
directly into the URL. However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit. Therefore 0287
and 0467 are the same.
Christey> BID:2024
Name: CVE-1999-0298
Description:
ypbind with -ypset and -ypsetme options activated in
Linux Slackware and SunOS allows local and remote
attackers to overwrite files via a .. (dot dot) attack.
Status: Candidate
Phase: Modified (20000524-01)
Reference: NAI:19970205 Vulnerabilities in Ypbind
when run with -ypset/-ypsetme
Reference:
URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp
Votes:
ACCEPT(4) Cole, Dik, Levy, Northcutt
MODIFY(1) Frech
NOOP(3) Shostack, Christey, Baker
Voter Comments:
Christey> ADDREF BID:1441
URL:http://www.securityfocus.com/bid/1441
Dik> If you run with "-ypset", then you're always insecure.
With ypsetme, only root on the local host
can run ypset in Solaris 2.x+.
Probably true for SunOS 4, hence my vote.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> ADDREF XF:ypbind-ypset-root
CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
and not all files ending in .2
Both releases are not vulnerable in the default configuration (both
disallow ypset by default, which prevents this problem from occurring)
Name: CVE-1999-0306
Description:
buffer overflow in HP xlock program.
Status: Candidate
Phase: Proposed (19990714)
Reference: XF:hp-xlock
Votes:
ACCEPT(3) Frech, Northcutt, Baker
MODIFY(1) Prosser
NOOP(1) Shostack
REJECT(1) Christey
Voter Comments:
Prosser> This is another of those with multiple affected OSs.
Refs: CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
the same problem as in CERT:CA-97.13, which is CVE-1999-0038.
Name: CVE-1999-0307
Description:
Buffer overflow in HP-UX cstm program allows local users
to gain root privileges.
Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me
on, dead man
Reference: XF:hpux-cstm-bo
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(3) Shostack, Prosser, Baker
RECAST(1) Christey
Voter Comments:
Prosser> only ref I can find is an old SOD exploit on
www.outpost9.com
Christey> MERGE CVE-1999-0336 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)
Also, there does not seem to be any recognition of this problem
by HP. The only other information besides the Bugtraq post
is the SOD exploit.
See the original post:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org
Name: CVE-1999-0317
Description:
Buffer overflow in Linux su command gives root access to
local users.
Status: Candidate
Phase: Modified (19991216-01)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su
buffer overflow
Reference: XF:su-bo
Votes:
ACCEPT(3) Frech, Hill, Northcutt
NOOP(1) Prosser
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0845?
Also, ADDREF XF:unixware-su-username-bo
A report summary by Aleph One states that nobody was able to
confirm this problem on any Linux distribution.
Baker> If this is the same as the unixware, then it is a dupe of 1999-0845. There is about a two and a half month difference in the bugtraq reporting of these.
Sounds like the same bug however...
Christey> XF:su-bo no longer seems to exist.
How about XF:linux-subo(734) ?
http://xforce.iss.net/static/734.php
BID:475 also seems to describe the same problem
(http://www.securityfocus.com/bid/475) in which case,
vsyslog is blamed in:
BUGTRAQ:19971220 Linux vsyslog() overflow
http://www.securityfocus.com/archive/1/8274
Name: CVE-1999-0319
Description:
Buffer overflow in xmcd 2.1 allows local users to gain
access through a user resource setting.
Status: Candidate
Phase: Proposed (19990623)
Reference: XF:xmcd-tiflestr
Votes:
ACCEPT(3) Frech, Hill, Northcutt
NOOP(2) Prosser, Baker
REVIEWING(1) Christey
Voter Comments:
Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
A followup to this post says that xmcd is not suid here.
Name: CVE-1999-0330
Description:
Linux bdash game has a buffer overflow that allows local
users to gain root access.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Shostack, Northcutt, Wall
REVIEWING(1) Levy
Voter Comments:
Frech> XF:bdash-bo
Name: CVE-1999-0331
Description:
Buffer overflow in Internet Explorer 4.0(1).
Status: Candidate
Phase: Modified (20040811)
Reference: XF:msie-bo
Votes:
ACCEPT(2) Northcutt, Baker
MODIFY(2) Frech, Shostack
RECAST(1) Prosser
REJECT(2) Christey, LeBlanc
Voter Comments:
Shostack> this is a high cardinality item
Prosser> needs to be more specific.
Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
duplicate)
Description (from xfdb): Some versions of Internet Explorer for Windows
contain a vulnerability that may crash the browser when a malicious web site
contains a certain kind of URL (that begins with "mk://") with more
characters than the browser supports.
Christey> The description is too vague.
LeBlanc> too vague
Christey> Add period to the end of the description.
Name: CVE-1999-0333
Description:
HP OpenView Omniback allows remote execution of commands
as root via spoofing, and local users can gain root
access via a symlink attack.
Status: Candidate
Phase: Modified (19990925-01)
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote
Votes:
ACCEPT(2) Frech, Baker
MODIFY(1) Prosser
RECAST(1) Christey
Voter Comments:
Prosser> additional source
HP Security Bulletin 85
http://us-support.external.hp.com
http://europe-support.external.hp.com
Christey> Two separate bugs, so SF-LOC says this candidate should be
split
Christey> ADDREF CIAC:J-007
URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml
Name: CVE-1999-0336
Description:
Buffer overflow in mstm in HP-UX allows local users to
gain root access.
Status: Candidate
Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me
on, dead man
Reference: XF:hpux-mstm-bo
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(3) Shostack, Prosser, Baker
RECAST(1) Christey
Voter Comments:
Prosser> same as CVE-1999-0307, only ref I can find is an old SOD
exploit on www.outpost9.com
Christey> MERGE CVE-1999-0307 (the exact exploit works with both
cstm and mstm, which are clearly part of the same package,
so CD:SF-EXEC says to merge them.)
Also, there does not seem to be any recognition of this problem
by HP. The only other information besides the Bugtraq post
is the SOD exploit.
Name: CVE-1999-0345
Description:
Jolt ICMP attack causes a denial of service in Windows
95 and Windows NT systems.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Cole, Blake
MODIFY(2) Frech, Wall
NOOP(4) Landfield, Bishop, Ozancin, Northcutt
RECAST(1) Meunier
REJECT(4) Armstrong, Levy, LeBlanc, Baker
REVIEWING(1) Christey
Voter Comments:
Wall> Invalid ICMP datagram fragments cause a denial of service in Windows 95 and
Windows NT systems.
Reference: Q154174.
Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
It is a modified teardrop 2 attack.
Frech> XF:nt-ssping
ADDREF XF:ping-death
ADDREF XF:teardrop-mod
ADDREF XF:mpeix-echo-request-dos
Christey> I can't tell whether the Jolt exploit at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
is exploiting any different flaw than teardrop does.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Baker> Jolt (original) is basically just a fragmented oversized ICMP that
kills Win boxes ala Ping of Death.
Teardrop is altering the offset in fragmented tcp packets so that the
end of subsequent fragments is inside first packet...
Teardrop 2 is UDP packets, if I remember right.
Seems like Jolt (original, not jolt 2) is just exploit code that
creates a ping of death (CVE 1999-0128)
Levy> I tend to agree with Baker.
CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
Armstrong> This code does not use fragment overlap. It is simply a large ICMP echo request.
Christey> See the SCO advisory at:
http://www.securityfocus.com/templates/advisory.html?id=1411
which may further clarify the issue.
LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same
thing as ping of death - POD was an oversized ICMP packet, Jolt froze
Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
but each of these is a distinct vulnerability, affected a discrete group
of systems, and should have distinct CVE numbers. CVE entries should be
precise as to what the problem is.
Meunier> I agree with Leblanc in that Jolt is multi-faceted. Jolt has
characteristics of Ping of Death AND teardrop, but it doesn't do
either exactly. Moreover, it sends a truncated IP fragment. I
disagree with Armstrong; jolt uses overlapping fragments. It's not a
simple ping of death either. It may be that the author's intent was
to construct a "super attack" somehow combining elements of other
vulnerabilities to try to make it more potent. In any case it
succeeded in confusing the CVE board :-).
I notice that Jolt uses echo replies (type 0) instead of echo
requests (to get past firewalls?). Jolt is peculiar in that it also
sends numerous overlapping fragments. The "Pascal Simulator" :-) says
it sends:
- 172 fragments of length 400 with offset starting at 5120 and
increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
which eventually results in sending fragments inside an already
covered area once ((n* 380) >> 3) is greater than 5120, which occurs
when n reaches 108. This would look a bit like TearDrop if
fragments were reassembled on-the-fly.
- 1 fragment such that the total length of all the fragments
is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
comment about 65538 must be wrong). The last packet is size 418
according to the IP header but the buffer is of size 400. The sendto
takes as argument the size of the buffer so a truncated packet is
sent.
So, I am not sure if the problem is because the last packet
doesn't extend to the payload it says it has or because the total size
of all fragments is greater than 65535. The author says it may take
more than one sending, so perhaps this has to do with an incorrect
error handling and recovery. One would need to experiment and isolate
each of those characteristics and test them independently. Inasmuch
as each of those things is likely a different vulnerability, then I
agree with Leblanc that this entry should be split. I'll try that if
I ever get bored. Jolt 2 should also have a different entry (see
below).
Jolt 2 runs in an infinite loop, sending the same fragmented
IP packet, which can pretend to be "ICMP" or "UDP" data; however this
is meaningless, as it's just a late fragment of an IP packet. The
attack works only as long as packets are sent. According to
http://www.securityfocus.com/archive/1/62170 the packets are
truncated, and would overflow over the 65535 byte limit, which is
similar to Jolt. Note that Jolt does send that much data whereas
jolt2 doesn't. Since jolt2 is simpler and narrower than jolt, and it
has weaker consequences, I believe that it's a different
vulnerability.
"Jolt 2 vulnerability causes a temporary denial-of-service in
Windows-type OSes" would be a title for it.
Name: CVE-1999-0347
Description:
Internet Explorer 4.01 allows remote attackers to read
local files and spoof web pages via a "%01" character in
an "about:" Javascript URL, which causes Internet
Explorer to use the domain specified after the
character.
Status: Candidate
Phase: Modified (20051028)
Reference: BUGTRAQ:19990126 Javascript ecurity
bug in Internet Explorer
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
Reference: NTBUGTRAQ:19990126 Javascript ecurity
bug in Internet Explorer
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
Votes:
ACCEPT(4) Levy, LeBlanc, Northcutt, Baker
MODIFY(2) Frech, Prosser
REVIEWING(1) Christey
Voter Comments:
Prosser> this is a modified Cross-Frame vulnerability that circumvents
the original Cross-Frame Patch. Addressed in MS Bulletin MS99.012
http://www.microsoft.com/security/bulletins/ms99-012.asp
Christey> Duplicate of CVE-1999-0490?
LeBlanc> If Prosser is correct that this is MS99-012, accept
Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
BID:197
URL:http://www.securityfocus.com/bid/197
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ie-window-spoof(2069)
Name: CVE-1999-0352
Description:
ControlIT 4.5 and earlier (aka Remotely Possible) has
weak password encryption.
Status: Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in
ControlIT(tm) (formerly Remotely Possible/32) enterprise
management software
Reference: XF:controlit-passwd-encrypt
Votes:
ACCEPT(2) Frech, Baker
NOOP(2) Northcutt, Wall
RECAST(1) Ozancin
Voter Comments:
Ozancin> Can we combine this with CVE-1999-0356 - ControlIT(tm) 4.5 and earlier uses
weak encryption.
Name: CVE-1999-0354
Description:
Internet Explorer 4.x or 5.x with Word 97 allows
arbitrary execution of Visual Basic programs to the IE
client through the Word 97 template, which doesn't warn
the user that the template contains executable content.
Also applies to Outlook when the client views a
malicious email message.
Status: Candidate
Phase: Proposed (19990623)
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp
Votes:
ACCEPT(3) Ozancin, Wall, Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:word97-template-macro
Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
BID:196
http://www.securityfocus.com/bid/196
Christey> MSKB:Q214652
http://support.microsoft.com/support/kb/articles/q214/6/52.asp
Name: CVE-1999-0356
Description:
ControlIT v4.5 and earlier uses weak encryption to store
usernames and passwords in an address book.
Status: Candidate
Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in
ControlIT(tm) (formerly Remotely Possible/32) enterprise
management software
Reference: XF:controlit-bookfile-access
Votes:
ACCEPT(2) Frech, Baker
NOOP(2) Northcutt, Wall
RECAST(1) Ozancin
Name: CVE-1999-0359
Description:
ptylogin in Unix systems allows users to perform a
denial of service by locking out modems, dial out with
that modem, or obtain passwords.
Status: Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem
access vulnerabilities
Reference: XF:ptylogin-dos
Votes:
ACCEPT(2) Cole, Frech
MODIFY(1) Baker
Voter Comments:
Frech> XF:ptylogin-dos
Baker> Should say "... lock out a modem, ..." rather than "... locking out modems..."
Name: CVE-1999-0360
Description:
MS Site Server 2.0 with IIS 4 can allow users to upload
content, including ASP, to the target web site, thus
allowing them to execute commands remotely.
Status: Candidate
Phase: Modified (20000530-01)
Reference: BUGTRAQ:19990130 Security Advisory for
Internet Information Server 4 with Site
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999
Votes:
ACCEPT(6) Landfield, Cole, Collins, Blake, Northcutt, Wall
MODIFY(3) Frech, LeBlanc, Baker
NOOP(4) Armstrong, Ozancin, Christey, Prosser
Voter Comments:
Christey> I can't find the original Bugtraq posting (it appears that
mnemonix discovered the problem).
LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
BUGTRAQ posting we can't find could be anything.
Baker> Vulnerability Reference (HTML) Reference Type
http://www.securityfocus.com/archive/1/12218 Misc Defensive Info
This is the URL for the Bugtraq posting. It was cross posted to
NT Bugtraq as well, but identical text. It was Mnemonix...
Christey> BID:1811
URL:http://www.securityfocus.com/bid/1811
Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject.
Also standardize NTBUGTRAQ reference title.
Christey> Add "uploadn.asp" to the description.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:siteserver-user-dir-permissions(5384)
Name: CVE-1999-0361
Description:
NetWare version of LaserFiche stores usernames and
passwords unencrypted, and allows administrative changes
without logging.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
Voter Comments:
Frech> XF:compulink-pw-laserfiche(1679)
Normalize BUGTRAQ reference to:
BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords
Name: CVE-1999-0364
Description:
Microsoft Access 97 stores a database password as
plaintext in a foreign mdb, allowing access to data.
Status: Candidate
Phase: Modified (20000426-01)
Reference: BUGTRAQ:19990204 Microsoft Access 97
Stores Database Password as Plaintext
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2
Votes:
ACCEPT(2) LeBlanc, Baker
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:access-weak-passwords(1774)
An older published reference (from our own Adam) would be
better:
ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=919207028.1462108427&hitnum=1
Name: CVE-1999-0370
Description:
In Sun Solaris and SunOS, man and catman contain
vulnerabilities that allow overwriting arbitrary files.
Status: Candidate
Phase: Modified (19991210-01)
Reference: SUN:00184
Reference: BID:165
Reference:
URL:http://www.securityfocus.com/bid/165
Votes:
ACCEPT(4) Dik, Prosser, Northcutt, Baker
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Reference: XF:sun-man
Christey> ADDREF CIAC:J-028
Is the Linux man symlink problem the same as the one for Sun?
See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
Also see BID:305
Dik> sun bug 4154565
Name: CVE-1999-0381
Description:
super 3.11.6 and other versions have a buffer overflow
in the syslog utility which allows a local user to gain
root access.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference:
URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference:
URL:http://www.securityfocus.com/bid/342
Votes:
ACCEPT(7) Landfield, Cole, Frech, Ozancin, Levy, Blake, Baker
MODIFY(1) Bishop
NOOP(2) Armstrong, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> Is this the same as CVE-1999-0373? They both have the same
X-Force reference.
BID:342 suggests that there are two.
http://www.debian.org/security/1999/19990215a suggests
that there are two. However, CVE-1999-0373 is written up in
a fashion that is too general; and both XF:linux-super-bo and
XF:linux-super-logging-bo refer to CVE-1999-0373.
CVE-1999-0373 may need to be split.
Frech> From what I can surmise, ISS released the original advisory (attached to
linux-super-bo), and Sekure SDI expanded on it by releasing another related
overflow in syslog (which is linux-super-logging-bo).
When I was originally assigning these issues, I placed both XF references
and the ISS advisory on the -0373 candidate, since there was nothing else
available. Based on the information above, I'd request that
XF:linux-super-logging-bo be removed from CVE-1999-0373.
Christey> Given Andre's feedback, these are different issues.
CVE-1999-0373 does not need to be split because the ISS
reference is sufficient to distinguish that CVE from this
candidate; however, the CVE-1999-0373 description should
probably be modified slightly.
Bishop> (as indicated by Christey)
CHANGE> [Cole changed vote from NOOP to ACCEPT]
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> There are 2 bugs, as confirmed by the super author at:
BUGTRAQ:19990226 Buffer Overflow in Super (new)
http://www.securityfocus.com/archive/1/12713
BID:397 also seems to cover this one, and it may cover
CVE-1999-0373 as well.
Name: CVE-1999-0389
Description:
Buffer overflow in the bootp server in the Debian Linux
netstd package.
Status: Candidate
Phase: Modified (19991207-01)
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New
versions of netstd fixes buffer overflows
Reference: BID:324
Reference:
URL:http://www.securityfocus.com/bid/324
Votes:
ACCEPT(3) Ozancin, Stracener, Baker
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389
has January 1999 dates associated with it, while CVE-1999-0798
was reported in late December.
Also, is this the same line of code as CVE-1999-0914? Both are in
the netstd package; it could look like a library problem.
However, deep in the changelog in the
netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
the following entry:
+netstd (3.07-7slink.1) frozen; urgency=high
+
+ * bootpd: Applied patch from Redhat as well as a fix for the overflow in
+ report() (fixes #30675).
+ * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
+ bugs.
+
+ -- Herbert Xu <herbert@debian.org> Sat, 19 Dec 1998 14:36:48 +1100
This tells me that two separate bugs are involved.
Note that Red Hat posted *some* fix for *some* bootp problem
in June 1998. See:
http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
Frech> XF:debian-netstd-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to REVIEWING]
Christey> The fix information for BID:324 suggests that there are two
overflows, one of which is in handle_request (bootpd.c) and is
likely related to a file name; but there is another issue in
report (report.c) which also looks like a straightforward
overflow, which would suggest that this is not a duplicate of
CVE-1999-0798 or CVE-1999-0799.
Note: see comments for CVE-1999-0798 which explain how that
candidate is not related to CVE-1999-0799.
Name: CVE-1999-0394
Description:
DPEC Online Courseware allows an attacker to change
another user's password without knowing the original
password.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990115 DPEC Online
Courseware
Votes:
ACCEPT(1) Baker
NOOP(1) Christey
REJECT(1) Frech
Voter Comments:
Frech> If I understand the issue, this HIGHCARD involves insecure web programming.
If I don't understand, mark this as my first NOOP.
Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
ADDREF BID:565
URL:http://www.securityfocus.com/vdb/bottom.html?vid=565
Name: CVE-1999-0397
Description:
The demo version of the Quakenbush NT Password Appraiser
sends passwords across the network in plaintext.
Status: Candidate
Phase: Proposed (19990728)
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Frech> XF:quakenbush-pw-appraiser(1652)
Name: CVE-1999-0398
Description:
In some instances of SSH 1.2.27 and 2.0.11 on Linux
systems, SSH will allow users with expired accounts to
login.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x
Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
released. v1.2.26 should be substituted in the description for '27.
XF:ssh-exp-account-access
Name: CVE-1999-0399
Description:
The DCC server command in the Mirc 5.5 client doesn't
filter characters from file names properly, allowing
remote attackers to place a malicious file in a
different location, possibly allowing the attacker to
execute commands.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server'
hole
Reference: XF:mirc-dcc-metachar-filename
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:mirc-dcc-metachar-filename
Name: CVE-1999-0400
Description:
Denial of service in Linux 2.2.0 running the ldd command
on a core file.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344
Reference:
URL:http://www.securityfocus.com/bid/344
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> BUGTRAQ:Jan27,1999
(http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
XF:linux-kernel-ldd-dos
Name: CVE-1999-0401
Description:
A race condition in Linux 2.2.1 allows local users to
read arbitrary memory from /proc files.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990202 [patch] /proc race
fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> XF:linux-race-condition-proc
Name: CVE-1999-0406
Description:
Digital Unix Networker program nsralist has a buffer
overflow which allows local users to obtain root
privilege.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> In description, change 'which' to 'that'.
Name: CVE-1999-0411
Description:
Several startup scripts in SCO OpenServer Enterprise
System v 5.0.4p, including S84rpcinit, S95nis, S85tcp,
and S89nfs, are vulnerable to a symlink attack, allowing
a local user to gain root access.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts
Votes:
MODIFY(2) Baker, Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
19 February) mentions gaining root access... it says a local user could
"delete or overwrite arbitrary files on the system."
Baker> By overwriting arbitrary files, one could then gain root access. I agree with a minor description change to reflect this.
Christey> Normalize Bugtraq reference to:
BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
Also, SCO:SB-99.17
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c
Name: CVE-1999-0418
Description:
Denial of service in SMTP applications such as Sendmail,
when a remote attacker (e.g. spammer) uses many "RCPT
TO" commands in the same connection.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 SMTP server account
probing
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Baker, Foat, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0144 and CVE-1999-0250?
Frech> XF:smtp-rctpto-dos(7499)
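The record above describes a spammer issuing an unbounded number of RCPT TO commands on one connection, which both exhausts the server and lets the sender probe which local accounts exist. The following is an added example, not code from any of the referenced MTAs: a minimal SMTP envelope handler that caps recipients per message (452 4.5.3), caps RCPT TO attempts per connection (421 and close), and also closes the connection once too many unknown recipients have been tried, so that the 550 "no such user" oracle cannot be used for bulk probing. Policy numbers, the sample command sequence and the local user list are all assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches the address inside RCPT TO:<user@host> (angle brackets optional).
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


@dataclass
class RcptPolicy:
    # Assumed limits; RFC 5321 requires servers to accept at least 100 per message.
    max_rcpt_per_message: int = 100
    max_rcpt_per_connection: int = 500
    max_rejected_rcpt: int = 20


@dataclass
class SmtpSession:
    policy: RcptPolicy
    local_users: frozenset
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)
    rcpt_seen: int = 0        # every RCPT TO on this connection, accepted or not
    rcpt_rejected: int = 0    # RCPT TO for unknown local users (the probing oracle)
    closed: bool = False

    def handle(self, line: str) -> str:
        """Process one command line and return the server reply."""
        if self.closed:
            return "421 4.7.0 connection already closed"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "RSET":
            self.mail_from, self.rcpts = None, []
            return "250 2.0.0 OK"
        if verb == "MAIL":
            self.mail_from, self.rcpts = arg, []
            return "250 2.1.0 OK"
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 bye"
        return "502 5.5.2 command not implemented"

    def _rcpt(self, arg: str) -> str:
        if self.mail_from is None:
            return "503 5.5.1 MAIL FROM required first"
        self.rcpt_seen += 1
        if self.rcpt_seen > self.policy.max_rcpt_per_connection:
            self.closed = True   # RSET/MAIL cannot reset this counter
            return "421 4.7.0 too many recipients for one connection, closing"
        if len(self.rcpts) >= self.policy.max_rcpt_per_message:
            return "452 4.5.3 too many recipients"
        m = ADDR_RE.search(arg)
        if not m:
            return "501 5.1.3 bad recipient syntax"
        addr = m.group(1).lower()
        if addr.split("@")[0] not in self.local_users:
            self.rcpt_rejected += 1
            if self.rcpt_rejected > self.policy.max_rejected_rcpt:
                self.closed = True
                return "421 4.7.0 too many unknown recipients, closing"
            return "550 5.1.1 no such user"
        self.rcpts.append(addr)
        return "250 2.1.5 OK"


def run_session(lines: List[str], policy: RcptPolicy, local_users) -> List[str]:
    """Feed a scripted command sequence through one session; returns the replies."""
    session = SmtpSession(policy, frozenset(local_users))
    return [session.handle(line) for line in lines]


# Constructed probe sequence: two valid recipients, a third over the per-message
# cap, a reset, two unknown users, then the per-connection cap trips.
SAMPLE_LINES = [
    "MAIL FROM:<spam@example.net>",
    "RCPT TO:<alice@example.com>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<carol@example.com>",
    "RSET",
    "MAIL FROM:<spam@example.net>",
    "RCPT TO:<dave@example.com>",
    "RCPT TO:<erin@example.com>",
    "RCPT TO:<frank@example.com>",
    "RCPT TO:<alice@example.com>",
]
DEMO_POLICY = RcptPolicy(max_rcpt_per_message=2, max_rcpt_per_connection=5, max_rejected_rcpt=2)
LOCAL_USERS = {"alice", "bob"}


def demo() -> List[str]:
    return run_session(SAMPLE_LINES, DEMO_POLICY, LOCAL_USERS)


if __name__ == "__main__":
    for cmd, reply in zip(SAMPLE_LINES, demo()):
        print(f"C: {cmd}\nS: {reply}")
```

The per-connection counter is deliberately not reset by RSET or a new MAIL FROM, since the attack in the record is "many RCPT TO in the same connection"; a per-message cap alone is trivially bypassed by interleaving RSET.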
Name: CVE-1999-0419
Description:
When the Microsoft SMTP service attempts to send a
message to a server and receives a 4xx error code, it
quickly and repeatedly attempts to redeliver the
message, causing a denial of service.
Status: Candidate
Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990319 Microsoft's SMTP
service broken/stupid
Reference: XF:smtp-4xx-error-dos
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, LeBlanc
REVIEWING(1) Christey
Voter Comments:
Frech> XF:smtp-4xx-error-dos
LeBlanc> - if we can find a KB or something that shows that this wasn't just
user error, I'd vote ACCEPT.
Christey> David Lemson, Microsoft SMTP Service Program Manager,
posted a followup that said "We have confirmed this as a
problem..."
http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2
Name: CVE-1999-0426
Description:
The default permissions of /dev/kmem in Linux versions
before 2.0.36 allows IP spoofing.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990319 The default
permissions on /dev/kmem is insecure.
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Frech> XF:linux-dev-kmem-spoof
Christey> DUPE CVE-1999-0414
XF:linux-dev-kmem-spoof does not exist.
Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...
Name: CVE-1999-0427
Description:
Eudora 4.1 allows remote attackers to perform a denial
of service by sending attachments with long file names.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment
Buffer Overflow
Reference: XF:eudora-long-attachments
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
reference states: "Both the Win 95 and Win NT versions, along with the 4.2
beta of Eudora are affected."
Christey> This issue seems to have been rediscovered in
BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
Also see
BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
Is this a duplicate/subsumed by CVE-1999-0004?
Name: CVE-1999-0431
Description:
Linux 2.2.3 and earlier allow a remote attacker to
perform an IP fragmentation attack, causing a denial of
service.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89
- 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:linux-zerolength-fragment
Christey> Consider adding BID:2247
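The Bugtraq subject referenced above names the trigger as a zero-length fragment. As an added example (not code from the Linux kernel or from the original post), here is a small IPv4 header parser with the sanity checks a packet filter or IDS preprocessor would apply to a single fragment before it ever reaches reassembly: a non-final fragment (MF set) carrying no payload, a non-final fragment whose payload is not a multiple of 8, a Total Length smaller than the header, and a fragment that would run past 65535 bytes. The sample packets are constructed in the block; overlap checks (the teardrop family) need per-datagram state and are not shown here.

```python
import struct
from typing import Dict, NamedTuple, Optional


class Ipv4Fragment(NamedTuple):
    ihl: int             # header length in bytes
    total_length: int    # Total Length field as carried in the header
    ident: int           # Identification field
    more_fragments: bool # MF flag
    frag_offset: int     # fragment offset in bytes (field value * 8)
    payload_len: int     # total_length - ihl; negative means a malformed header


def parse_ipv4(pkt: bytes) -> Ipv4Fragment:
    """Decode the fixed part of an IPv4 header; raises ValueError on junk."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20:
        raise ValueError("IHL below minimum")
    return Ipv4Fragment(
        ihl=ihl,
        total_length=total_len,
        ident=ident,
        more_fragments=bool(flags_frag & 0x2000),
        frag_offset=(flags_frag & 0x1FFF) * 8,
        payload_len=total_len - ihl,
    )


def fragment_anomaly(frag: Ipv4Fragment) -> Optional[str]:
    """Return a reason string for a malformed fragment, or None if it looks sane."""
    if frag.payload_len < 0:
        return "total length smaller than header length"
    if frag.more_fragments and frag.payload_len == 0:
        return "zero-length fragment with MF set"
    if frag.more_fragments and frag.payload_len % 8:
        return "non-final fragment payload not a multiple of 8"
    if frag.frag_offset + frag.payload_len > 65535:
        return "fragment extends past 65535 bytes"
    return None


def build_ipv4(payload: bytes, ident: int, more_fragments: bool,
               offset_units: int, total_length: Optional[int] = None) -> bytes:
    """Build a UDP-over-IPv4 header (no checksum) in front of payload; test helper."""
    total_length = len(payload) + 20 if total_length is None else total_length
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                         64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


# Constructed samples (TEST-NET addresses, no real capture).
SAMPLES: Dict[str, bytes] = {
    "first_fragment": build_ipv4(b"A" * 16, 0x1234, True, 0),
    "last_fragment": build_ipv4(b"B" * 5, 0x1234, False, 2),
    "zero_length_mf": build_ipv4(b"", 0x4242, True, 0),
    "odd_length_mf": build_ipv4(b"C" * 12, 0x4343, True, 0),
    "bad_total_length": build_ipv4(b"D" * 8, 0x4444, False, 0, total_length=16),
}


def scan(samples: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    return {name: fragment_anomaly(parse_ipv4(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:18} {verdict or 'ok'}")
```

The check on Total Length versus IHL matters as much as the zero-length test: a stack that computes the payload length as an unsigned subtraction ends up with a huge value and walks off the buffer.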
Name: CVE-1999-0434
Description:
XFree86 xfs command is vulnerable to a symlink attack,
allowing local users to create files in restricted
directories, possibly allowing them to gain privileges
or cause a denial of service.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359
Reference:
URL:http://www.securityfocus.com/bid/359
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:xfree86-xfs-symlink-dos
Christey> Is this the same problem as CVE-1999-0433? CVE-1999-0433
deals with a symlink attack on one file (/tmp/.X11-unix),
while xfs (this candidate) deals with /tmp/.font-unix
XF:xfree86-xfs-symlink-dos doesn't exist.
Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
Note: Debian's advisory says that this is not a problem for Debian.
Name: CVE-1999-0435
Description:
MC/ServiceGuard and MC/LockManager in HP-UX allows local
users to gain privileges through SAM.
Status: Candidate
Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:hp-servicegaurd
Christey> ADDREF CIAC:J-039
Christey> Note the typo in Andre's suggested reference.
Normalize to XF:hp-serviceguard(2046)
Name: CVE-1999-0443
Description:
Patrol management software allows a remote attacker to
conduct a replay attack to steal the administrator
password.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference:
URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> Change "Patrol management software" to "The PATROL management product from
BMC Software".
Name: CVE-1999-0444
Description:
Remote attackers can perform a denial of service in
Windows machines using malicious ARP packets, forcing a
message box display for each packet or filling up log
files.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990412 ARP problem in
Windows9X/NT
Reference: XF:windows-arp-dos
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
Voter Comments:
Frech> ADDREF: XF:windows-arp-dos
Name: CVE-1999-0450
Description:
In IIS, an attacker could determine a real path using a
request for a non-existent URL that would be interpreted
by Perl (perl.exe).
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:19990122 Perl.exe and IIS
security advisory
Reference: BID:194
Reference:
URL:http://www.securityfocus.com/bid/194
Votes:
ACCEPT(2) Ozancin, Wall
NOOP(2) Baker, Christey
REJECT(2) Frech, LeBlanc
Voter Comments:
Frech> Can't find in database.
Christey> This looks like another discovery of CVE-2000-0071
LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
and it does not repro -
GET /bogus.pl HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Thu, 05 Oct 2000 21:04:20 GMT
Content-Length: 3243
Content-Type: text/html
No path is returned whatsoever. This may have been a problem on some version
of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
Let's try and figure out what version had the problem, whether it is
intrinsic to IIS or the result of adding a 3rd party implementation of perl,
and when it got fixed, then we can try again.
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
search (it's used by CGI scanners and in the original example)
Name: CVE-1999-0451
Description:
Denial of service in Linux 2.0.36 allows local users to
prevent any server from listening on any non-privileged
port.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Jan19,1999
Reference: BID:343
Reference:
URL:http://www.securityfocus.com/bid/343
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-ports-dos(8364)
Name: CVE-1999-0452
Description:
A service or application has a backdoor password that
was placed there by the developer.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Wall
REJECT(1) Frech
Voter Comments:
Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
Baker> I think we want to address this using the dot notation idea. We do need to address this, just not a separate entry for every single occurrence.
Name: CVE-1999-0453
Description:
An attacker can identify a CISCO device by sending a SYN
packet to port 1999, which is for the Cisco Discovery
Protocol (CDP).
Status: Candidate
Phase: Modified (20040512-02)
Reference: BUGTRAQ:19990118 Remote Cisco
Identification
Votes:
ACCEPT(2) Baker, Balinsky
MODIFY(1) Frech
NOOP(2) Northcutt, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:cisco-ident(2289)
ADDREF BUGTRAQ:19990118 Remote Cisco Identification
In description, probably better to use "Cisco" as product/company name.
Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
Christey> There may be a slight abstraction problem here, e.g. look
at the candidate for queso/nmap; also see followup Bugtraq post
from "Basement Research" on 19990120 which says that there are
many other features in Cisco products that allow remote
identification.
Christey> fix typo: "Dicsovery"
Name: CVE-1999-0454
Description:
A remote attacker can sometimes identify the operating
system of a host based on how it reacts to some IP or
ICMP packets, using a tool such as nmap or queso.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(2) Christey, Wall
REJECT(2) Baker, Northcutt
Voter Comments:
Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
ways to accomplish this. To pursue making the world signature free
is as much a vulnerability as having signatures, nay more.
Frech> XF:decod-nmap(2053)
XF:decod-queso(2048)
Christey> Add "fingerprinting" to facilitate search.
Some references:
MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
BUGTRAQ:19990222 Preventing remote OS detection
http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
BUGTRAQ:20000609 p0f - passive os fingerprinting tool
http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2
Baker> I think we can probably reject this as the corollary is that you can identify OS from an IP/TCP packet sent by a system, looking at various parts of the SYN packet. Unless we believe that all systems should always use identical packet header/identical responses, in which case the protocol should not permit variation.
Name: CVE-1999-0455
Description:
The Expression Evaluator sample application in
ColdFusion allows remote attackers to read or delete
files on the server via exprcalc.cfm, which does not
restrict access to the server properly.
Status: Candidate
Phase: Modified (19991210-01)
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference:
URL:http://www.securityfocus.com/bid/115
Votes:
ACCEPT(3) Frech, Ozancin, Balinsky
MODIFY(1) Wall
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
make application plural since there are three sample applications
(openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
Since there are 3 separate "executables" with the same
(or similar) problem, we need to make sure that CD:SF-EXEC
determines what to do here. There is evidence that some
of these .cfm scripts have an "include" file, and if so,
then CD:SF-LOC says that we shouldn't make separate entries
for each of these scripts. On the other hand, the initial
L0pht discovery didn't include all 3 of these scripts, and
as far as I can tell, Allaire had patched the first problem
before the others were discovered. So, CD:DISCOVERY-DATE
may argue that we should split these because the problems
were discovered and patched at different times.
In any case, this candidate can not be accepted until the
Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
and CD:DISCOVERY-DATE content decisions.
Name: CVE-1999-0459
Description:
Local users can perform a denial of service in Alpha
Linux, using MILO to force a reboot.
Status: Candidate
Phase: Proposed (19990728)
Reference: XF:linux-milo-halt
Votes:
ACCEPT(1) Frech
NOOP(2) Baker, Northcutt
REJECT(1) Wall
Voter Comments:
Wall> Reject based on beta copy.
Name: CVE-1999-0460
Description:
Buffer overflow in Linux autofs module through long
directory names allows local users to perform a denial
of service.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:19990218 Linux autofs overflow
in 2.0.36+
Reference: BID:312
Reference:
URL:http://www.securityfocus.com/bid/312
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-autofs-bo(8365)
Name: CVE-1999-0461
Description:
Versions of rpcbind including Linux, IRIX, and Wietse
Venema's rpcbind allow a remote attacker to insert and
delete entries by spoofing a source address.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> ADDREF XF:pmap-sset
Christey> CVE-1999-0195 = CVE-1999-0461 ?
If this is approved over CVE-1999-0195, make sure it gets
XF:pmap-sset
Baker> This does appear to be a duplicate. We should accept 1999-0195, since it already has the votes and get rid of this one
Name: CVE-1999-0462
Description:
suidperl in Linux Perl does not check the nosuid mount
option on file systems, allowing local users to gain
root access by placing a setuid script in a mountable
file system, e.g. a CD-ROM or floppy disk.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990114 Secuity hole with
perl (suidperl) and nosuid mounts on Linux
Reference: BID:339
Reference:
URL:http://www.securityfocus.com/bid/339
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:perl-suidperl-bo
Christey> XF:perl-suidperl-bo doesn't exist.
Name: CVE-1999-0465
Description:
Remote attackers can crash Lynx and Internet Explorer
using an IMG tag with a large width parameter.
Status: Candidate
Phase: Proposed (19990728)
Reference: XF:http-img-overflow
Votes:
ACCEPT(2) Frech, Northcutt
NOOP(1) Baker
REJECT(2) LeBlanc, Wall
Voter Comments:
Wall> Reject based on client-side DoS
LeBlanc> Client side DOS
Name: CVE-1999-0467
Description:
The Webcom CGI Guestbook programs wguest.exe and
rguest.exe allow a remote attacker to read arbitrary
files using the "template" parameter.
Status: Candidate
Phase: Modified (20000106-01)
Reference: NTBUGTRAQ:19990409 Webcom's CGI
Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook
Votes:
ACCEPT(4) Landfield, Frech, Ozancin, Blake
NOOP(3) Baker, Christey, Northcutt
Voter Comments:
Christey> CVE-1999-0287 is probably a duplicate of CVE-1999-0467. In
NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Mnemonix says that he had previously reported on a similar
problem. Let's refer to the NTBugtraq posting as
CVE-1999-0467. We will refer to the "previous report" as
CVE-1999-0287, which can be found at:
http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
0287 describes an exploit via the "template" hidden variable.
The exploit describes manually editing the HTML form to
change the filename to read from the template variable.
The exploit as described in 0467 encodes the template variable
directly into the URL. However, hidden variables are also
encoded into the URL, which would have looked the same to
the web server regardless of the exploit. Therefore 0287
and 0467 are the same.
Christey>
The CD:SF-EXEC content decision also applies here. We have 2
programs, wguest.exe and rguest.exe, which appear to have the
same problem. CD:SF-EXEC needs to be accepted by the Editorial
Board before this candidate can be converted into a CVE
entry. When finalized, CD:SF-EXEC will decide whether
this candidate should be split or not.
Christey> BID:2024
Name: CVE-1999-0469
Description:
Internet Explorer 5.0 allows window spoofing, allowing a
remote attacker to spoof a legitimate web site and
capture information from the client.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 IE 5.0 security
vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof
Votes:
ACCEPT(1) Wall
NOOP(2) Baker, Northcutt
REJECT(3) Frech, Christey, LeBlanc
Voter Comments:
Wall> Reference: Microsoft Security Bulletin MS99-012
Christey> DUPE CVE-1999-0488
Frech> Defer to Christey's vote.
However, XF:ie-mshtml-crossframe(2216) assigned to CVE-1999-0488.
LeBlanc> Duplicate
Name: CVE-1999-0476
Description:
A weak encryption algorithm is used for passwords in SCO
TermVision, allowing them to be easily decrypted by a
local user.
Status: Candidate
Phase: Proposed (19990721)
Reference: BUGTRAQ:19990331 Potential
vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password
Votes:
ACCEPT(3) Baker, Frech, Ozancin
NOOP(3) LeBlanc, Northcutt, Wall
Name: CVE-1999-0477
Description:
The Expression Evaluator in the ColdFusion Application
Server allows a remote attacker to upload files to the
server via openfile.cfm, which does not restrict access
to the server properly.
Status: Candidate
Phase: Modified (19991210-01)
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference:
URL:http://www.securityfocus.com/bid/115
Votes:
ACCEPT(4) Baker, Frech, Ozancin, Christey
REJECT(1) Wall
Voter Comments:
Wall> Duplicate of 0455
Christey> CVE-1999-0477 and CVE-1999-0455 were discovered at different
times. Also, the attack was different. So "Same Attack" and
"Same Time of Discovery" dictate that these should remain
separate.
Name: CVE-1999-0480
Description:
Local attackers can conduct a denial of service in
Midnight Commander 4.x with a symlink attack.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19980315 Midnight Commander
/tmp race
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:midnight-commander-symlink-dos
Christey> XF:midnight-commander-symlink-dos(3505)
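CVE-1999-0411 (SCO startup scripts), CVE-1999-0434 (xfs and /tmp/.font-unix) and CVE-1999-0480 (Midnight Commander's /tmp race) are all the same bug class: a privileged program opens a predictable path in a world-writable directory, and a local user plants a symlink there first. The block below is an added example, not code from any of those projects. It runs the unsafe pattern and the hardened one against a planted symlink inside a scratch directory created for the demonstration, so you can see the victim file get clobbered in one case and the open refused in the other. The hardened open uses O_CREAT|O_EXCL|O_NOFOLLOW with a private mode; the third helper shows the usual alternative of letting mkstemp pick an unpredictable name.

```python
import os
import tempfile
from typing import Dict, Optional


def unsafe_write(path: str, data: str) -> None:
    # The vulnerable pattern: open(path, "w") happily follows a symlink sitting
    # at a predictable name, so the write lands on whatever the link points to.
    with open(path, "w") as f:
        f.write(data)


def safe_create_write(path: str, data: str) -> None:
    # O_EXCL fails with EEXIST if anything (a symlink included) already exists at
    # path, O_NOFOLLOW refuses a symlink as the final component, and 0o600 keeps
    # the new file private. O_NOFOLLOW is absent on some platforms, hence getattr.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def safe_private_tempfile(data: str, prefix: str = "app-") -> str:
    # mkstemp combines an unpredictable name with O_EXCL and mode 0600; the
    # caller should keep using the returned fd/path, not re-open by name later.
    fd, path = tempfile.mkstemp(prefix=prefix)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo(workdir: Optional[str] = None) -> Dict[str, bool]:
    """Stage the attack in a scratch directory and report what each open did."""
    workdir = workdir or tempfile.mkdtemp(prefix="symlink-demo-")
    victim = os.path.join(workdir, "victim")          # stands in for /etc/passwd
    with open(victim, "w") as f:
        f.write("original")

    planted = os.path.join(workdir, "predictable.tmp")  # the name the program will use
    os.symlink(victim, planted)                          # attacker wins the race

    unsafe_write(planted, "clobbered")
    with open(victim) as f:
        unsafe_clobbered = f.read() == "clobbered"

    with open(victim, "w") as f:                         # reset the victim
        f.write("original")
    try:
        safe_create_write(planted, "clobbered")
        safe_refused = False
    except OSError:                                      # EEXIST (or ELOOP) expected
        safe_refused = True
    with open(victim) as f:
        victim_intact = f.read() == "original"

    fresh = os.path.join(workdir, "fresh.tmp")           # no attacker present here
    safe_create_write(fresh, "ok")
    fresh_private = (os.stat(fresh).st_mode & 0o077) == 0

    tmp = safe_private_tempfile("ok")
    mkstemp_private = (os.stat(tmp).st_mode & 0o077) == 0

    return {
        "unsafe_clobbered": unsafe_clobbered,
        "safe_refused": safe_refused,
        "victim_intact": victim_intact,
        "fresh_private": fresh_private,
        "mkstemp_private": mkstemp_private,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:18} {v}")
```

Refusing to open is the correct outcome for the startup-script case too: a script that must write a fixed name under /tmp should fail loudly when something is already there rather than reuse it, and better still should write under a directory only root can populate.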
Name: CVE-1999-0486
Description:
Denial of service in AOL Instant Messenger when a remote
attacker sends a malicious hyperlink to the receiving
client, potentially causing a system crash.
Status: Candidate
Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990420 AOL Instant Messenger
URL Crash
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:aol-im.
Christey> XF:aol-im appears to be related to the problem discussed in
BUGTRAQ:19980224 AOL Instant Messanger Bug
This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash
Name: CVE-1999-0488
Description:
Internet Explorer 4.0 and 5.0 allows a remote attacker
to execute security scripts in a different security
context using malicious URLs, a variant of the "cross
frame" vulnerability.
Status: Candidate
Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp
Votes:
ACCEPT(2) Baker, Landfield
MODIFY(2) Frech, Wall
NOOP(2) Ozancin, Christey
Voter Comments:
Frech> XF:ie-mshtml-crossframe
Wall> (source: MSKB:Q168485)
Christey> CVE-1999-0469 appears to be a duplicate; prefer this one over
that one, since this one has an MS advisory. Confirm with
Microsoft that these are really duplicates.
Also review CVE-1999-0487, which appears to be a similar
bug.
Name: CVE-1999-0489
Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote
attacker to paste a file name into the file upload
intrinsic control, a variant of "untrusted scripted
paste" as described in MS:MS98-013.
Status: Candidate
Phase: Modified (19991205-01)
Reference: MS:MS99-015
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp
Votes:
ACCEPT(1) Levy
MODIFY(1) Wall
NOOP(2) Baker, Ozancin
RECAST(1) Prosser
REJECT(1) Christey
REVIEWING(1) Frech
Voter Comments:
Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
clipboard in either.
I cannot proceed on this one without further clarification.
Wall> (source: MS:MS99-012)
Prosser> agree with Andre here. The Untrusted Scripted paste
vulnerability was originally addressed in MS98-015 and it is in the file
upload intrinsic control in which an attacker can paste the name of a file
on the target's drive in the control and a form submission would then send
that file from the attacked machine to the remote web site. This one has
nothing to do with the clipboard. What the advisory mentioned here,
MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
the original Untrusted Scripted Paste issue and a variant, as well as the
two Cross-Frame variants and a privacy issue in IMG SRC.
The vulnerability that allowed reading of a user's clipboard is the Forms
2.0 Active X control vulnerability discussed in MS99-01
Christey> The advisory should have been listed as MS99-012.
CVE-1999-0468 describes the untrusted scripted paste problem
in MS99-012.
Frech> Pending response to guidance request. 12/6/01.
Name: CVE-1999-0490
Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote
attacker to learn information about a local user's files
via an IMG SRC tag.
Status: Candidate
Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp
Votes:
ACCEPT(2) Landfield, Wall
MODIFY(1) Frech
NOOP(2) Baker, Ozancin
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ie-scriplet-fileread
Christey> Duplicate of CVE-1999-0347?
Name: CVE-1999-0492
Description:
ffingerd 1.19 allows remote attackers to identify users on
the target system based on its responses.
Status: Candidate
Phase: Proposed (19990726)
Reference: BUGTRAQ:Apr23,1999
Votes:
ACCEPT(3) Armstrong, Collins, Northcutt
MODIFY(4) Baker, Frech, Shostack, Blake
NOOP(4) Landfield, Cole, Christey, Wall
REVIEWING(1) Ozancin
Voter Comments:
Shostack> isn't that what finger is supposed to do?
Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
usernames on the target system based on its responses to finger queries.
Christey> CHANGEREF BUGTRAQ [canonicalize]
BUGTRAQ:19990423 Ffingerd privacy issues
http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
Here's the nature of the problem.
(1) FFingerd allows users to decide not to be fingered,
printing a message "That user does not want to be fingered"
(2) If the fingered user does not exist, then FFingerd's
intended default is to print that the user does not
want to be fingered; however, the error message has a
period at the end.
Thus, ffingerd can allow someone to determine who valid users
on the server are, *in spite of* the intended functionality of
ffingerd itself. Thus this exposure should be viewed in light
of the intended functionality of the application, as opposed
to the common usage of the finger protocol in general.
Also, the vendor posted a followup and said that a patch was
available. See:
http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
Baker> Vulnerability Reference (HTML) Reference Type
http://www.securityfocus.com/archive/1/13422 Misc Defensive Info
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ffinger-user-info(5393)
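Christey's comment above pins the leak down to one character: the opted-out message and the unknown-user message differ only by a trailing period. As an added example (a reconstruction from that comment, not ffingerd source), the block models both the leaky and the fixed server behaviour and shows the client-side enumeration technique that exploits it: fetch a baseline response for a few random, certainly nonexistent usernames, then flag any candidate whose response differs byte-for-byte from that baseline. The user list and candidate names are constructed for the demonstration.

```python
import secrets
import string
from typing import Callable, Dict, Iterable, Set

OPTED_OUT = "That user does not want to be fingered"

# Constructed account table: name -> True if the user opted out of finger.
USERS: Dict[str, bool] = {"root": True, "alice": False}
CANDIDATES = ["root", "alice", "nobody", "mallory"]


def vulnerable_ffingerd(users: Dict[str, bool]) -> Callable[[str], str]:
    """Model of the behaviour described in the record: unknown users get the
    opted-out text plus a trailing period, opted-out users get it without."""
    def respond(username: str) -> str:
        if username not in users:
            return OPTED_OUT + "."          # the period is the oracle
        if users[username]:
            return OPTED_OUT
        return f"Login: {username}"
    return respond


def fixed_ffingerd(users: Dict[str, bool]) -> Callable[[str], str]:
    """Same text, byte for byte, for unknown and opted-out users."""
    def respond(username: str) -> str:
        if username not in users or users[username]:
            return OPTED_OUT
        return f"Login: {username}"
    return respond


def _random_username(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "zz" + "".join(secrets.choice(alphabet) for _ in range(length))


def enumerate_users(finger: Callable[[str], str], candidates: Iterable[str],
                    baseline_probes: int = 3) -> Set[str]:
    """Return the candidates whose response differs from the unknown-user baseline.

    `finger` is any callable that returns the server's reply for a username; in a
    real assessment it would open TCP/79 and send `username\\r\\n`."""
    baselines = {finger(_random_username()) for _ in range(baseline_probes)}
    if len(baselines) != 1:
        raise RuntimeError("unknown-user response is not stable; cannot build an oracle")
    baseline = baselines.pop()
    return {name for name in candidates if finger(name) != baseline}


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_users(vulnerable_ffingerd(USERS), CANDIDATES)))
    print("fixed:     ", sorted(enumerate_users(fixed_ffingerd(USERS), CANDIDATES)))
```

Against the fixed server the only name that still shows up is alice, who has not opted out and therefore answers with real finger data; that is the intended behaviour, and the point of the record is that root, who did opt out, should have been indistinguishable from nobody and mallory.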
Name: CVE-1999-0495
Description:
A remote attacker can gain access to a file system using
.. (dot dot) when accessing SMB shares.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(6) Baker, Cole, Collins, Ozancin, Blake, Northcutt
MODIFY(1) Frech
NOOP(4) Landfield, Armstrong, Bishop, Wall
REVIEWING(2) Levy, Christey
Voter Comments:
Frech> XF:nb-dotdotknown(837)
References would be appreciated. We've got no reference for this issue;
confidence rating is consequently low.
Levy> Some references:
http://www.securityfocus.com/archive/1/3894
http://www.securityfocus.com/archive/1/3533
http://www.securityfocus.com/archive/1/3535
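CVE-1999-0467 (a client-controlled "template" file name read by a Win32 CGI) and CVE-1999-0495 (".." in SMB share paths) are both failures to confine a supplied path to the directory the service is meant to expose. The block below is an added example, not code from the Webcom guestbook or any SMB server. It contrasts the naive join with a containment check that normalises both separator styles (Win32 servers accept `\` as well as `/`), rejects absolute and drive-letter paths, resolves symlinks with realpath and then verifies the result is still under the root. The scratch directory layout and probe strings are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Dict

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def naive_join(root: str, requested: str) -> str:
    # The bug class: trust the client-supplied name. os.path.join discards root
    # entirely when requested is absolute, and never looks at "..".
    return os.path.join(root, requested)


def safe_join(root: str, requested: str) -> str:
    """Return the real path of requested inside root, or raise ValueError."""
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    rel = requested.replace("\\", "/")          # treat Win32 separators like "/"
    if rel.startswith("/") or _DRIVE_RE.match(rel):
        raise ValueError("absolute path not allowed")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so a link planted inside root
    # that points outside is caught by the containment test below.
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes root: {requested!r}")
    return candidate


def classify(root: str, requested: str) -> str:
    try:
        safe_join(root, requested)
        return "allowed"
    except ValueError:
        return "rejected"


PROBES = [
    "thanks.html",          # legitimate template
    "sub/../thanks.html",   # ".." that stays inside root
    "../secret.txt",        # classic traversal
    "..\\secret.txt",       # same, Win32 separator
    "/etc/passwd",          # absolute path
    "C:\\boot.ini",         # drive letter
    "link",                 # symlink inside root pointing outside
]


def demo() -> Dict[str, str]:
    """Build a throwaway layout (constructed for this example) and classify PROBES."""
    work = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(work, "templates")
    os.mkdir(root)
    os.mkdir(os.path.join(root, "sub"))
    open(os.path.join(root, "thanks.html"), "w").close()
    secret = os.path.join(work, "secret.txt")       # the file the attacker wants
    open(secret, "w").close()
    os.symlink(secret, os.path.join(root, "link"))
    return {probe: classify(root, probe) for probe in PROBES}


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{probe!r:22} {verdict}")
```

Note that a plain string check such as `".." not in requested` would pass the symlink case and fail the harmless `sub/../thanks.html`; resolving first and comparing prefixes afterwards is what makes the check robust to both.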
Name: CVE-1999-0497
Description:
Anonymous FTP is enabled.
Status: Candidate
Phase: Modified (20040811)
Votes:
ACCEPT(1) Shostack
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php
ftp-anon2(543) at http://xforce.iss.net/static/543.php
Christey> Add period to the end of the description.
Baker> Don't know about this, but it may be the only easy way to allow access to data for some folks.
Name: CVE-1999-0498
Description:
TFTP is not running in a restricted directory, allowing
a remote attacker to access sensitive information such
as password files.
Status: Candidate
Phase: Modified (19990925-01)
Reference:
CERT:CA-91.18.Active.Internet.tftp.Attacks
Votes:
ACCEPT(3) Hill, Blake, Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:linux-tftp
Christey> XF:linux-tftp refers to CVE-1999-0183
Name: CVE-1999-0499
Description:
NETBIOS share information may be published through SNMP
registry keys in NT.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(5) Baker, Shostack, Ozancin, Northcutt, Wall
MODIFY(1) Frech
REJECT(1) LeBlanc
Voter Comments:
Frech> Change wording to 'Windows NT.'
XF:snmp-netbios
LeBlanc> Share info can be obtained via SNMP queries, but I question
whether this is a vulnerability. The system can be configured not to do
this, and one may argue that SNMP itself is an insecure configuration.
Furthermore, the share information isn't published via registry keys -
the description could refer to more than one actual issue. SNMP is meant
to allow people to obtain information about systems. I'm willing to
discuss this with the rest of the board.
Name: CVE-1999-0501
Description:
A Unix account has a guessable password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(3) Baker, Shostack, Northcutt
RECAST(2) Frech, Meunier
REVIEWING(1) Christey
Voter Comments:
Frech> Guessable falls into the class of CVE-1999-0502, since I can guess a
default, null, etc. password.
Suggest changing to something like "has an existing non-default password
that can be guessed."
I'm also including default passwords in this entry.
In that vein, we show the following references:
XF:user-password
XF:passwd-username
XF:default-unix-sync
XF:default-unix-4dgifts
XF:default-unix-bin
XF:default-unix-daemon
XF:default-unix-lp
XF:default-unix-me
XF:default-unix-nuucp
XF:default-unix-root
XF:default-unix-toor
XF:default-unix-tour
XF:default-unix-tty
XF:default-unix-uucp
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
CHANGE> [Meunier changed vote from ACCEPT to RECAST]
Meunier> This relates only to account password technology, so this candidate is
independent of the operating system, application, web site or other
application of this technology. The appropriate (natural) level of
abstraction is therefore without specifying that it is for UNIX.
Change the description to "An account has a guessable password other
than default, null, blank." This should satisfy Andre's objection.
This Candidate should be merged with any candidate relating to
account password technology where "Unix" in the original description
can be replaced by something else.
Name: CVE-1999-0502
Description:
A Unix account has a default, null, blank, or missing
password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:passwd-blank
XF:no-pass
XF:dict
XF:sgi-accounts
XF:linux-caldera-lisa
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0503
Description:
A Windows NT local user or administrator account has a
guessable password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Note: I am assuming that this entry includes Windows 2000 accounts and
machine/service accounts listed in User Manager.
XF:nt-guess-admin
XF:nt-guess-user
XF:nt-guess-guest
XF:nt-guessed-operpwd
XF:nt-guessed-powerwd
XF:nt-guessed-disabled
XF:nt-guessed-backup
XF:nt-guessed-acctoper-pwd
XF:nt-adminuserpw
XF:nt-guestuserpw
XF:nt-accountuserpw
XF:nt-operator-userpw
XF:nt-service-user-pwd
XF:nt-server-oper-user-pwd
XF:nt-power-user-pwd
XF:nt-backup-operator-userpwd
XF:nt-disabled-account-userpwd
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0504
Description:
A Windows NT local user or administrator account has a
default, null, blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-guestblankpw
XF:nt-adminblankpw
XF:nt-adminnopw
XF:nt-usernopw
XF:nt-guestnopw
XF:nt-accountblankpw
XF:nt-nopw
XF:nt-operator-blankpwd
XF:nt-server-oper-blank-pwd
XF:nt-power-user-blankpwd
XF:nt-backup-operator-blankpwd
XF:nt-disabled-account-blankpwd
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0505
Description:
A Windows NT domain user or administrator account has a
guessable password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guessed-domain-userpwd
XF:nt-guessed-domain-guestpwd
XF:nt-guessed-domain-adminpwd
XF:nt-domain-userpwd
XF:nt-domain-admin-userpwd
XF:nt-domain-guest-userpwd
XF:win2k-certpub-usrpwd
XF:win2k-dhcpadm-usrpwd
XF:win2k-dnsadm-usrpwd
XF:win2k-entadm-usrpwd
XF:win2k-schema-usrpwd
XF:win2k-guessed-certpub
XF:win2k-guessed-dhcpadm
XF:win2k-guessed-dnsadm
XF:win2k-guessed-entadm
XF:win2k-guessed-schema
Name: CVE-1999-0506
Description:
A Windows NT domain user or administrator account has a
default, null, blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-domain-admin-blankpwd
XF:nt-domain-admin-nopwd
XF:nt-domain-guest-blankpwd
XF:nt-domain-guest-nopwd
XF:nt-domain-user-blankpwd
XF:nt-domain-user-nopwd
XF:win2k-certpub-blnkpwd
XF:win2k-dhcpadm-blnkpwd
XF:win2k-dnsadm-blnkpwd
XF:win2k-entadm-blnkpwd
XF:win2k-schema-blnkpwd
Name: CVE-1999-0507
Description:
An account on a router, firewall, or other network
device has a guessable password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:firewall-tisopen
XF:firewall-raptoropen
XF:firewall-msopen
XF:firewall-checkpointopen
XF:firewall-ciscoopen
Name: CVE-1999-0508
Description:
An account on a router, firewall, or other network
device has a default, null, blank, or missing password.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> Note: Because the distinction between network hardware and software is not
distinct, the term 'network device' was liberally interpreted. Feel free to reject any
of the below terms.
XF:default-netranger
XF:cayman-gatorbox
XF:breezecom-default-passwords
XF:default-portmaster
XF:wingate-unpassworded
XF:netopia-unpassworded
XF:default-bay-switches
XF:motorola-cable-default-pass
XF:default-flowpoint
XF:qms-2060-no-root-password
XF:avirt-ras-password
XF:webtrends-rtp-serv-install-password
XF:cisco-bruteforce
XF:cisco-bruteadmin
XF:sambar-server-defaults
XF:management-pfcuser
XF:http-cgi-wwwboard-default
Christey> DELREF XF:avirt-ras-password - does not fit CVE-1999-0508.
Name: CVE-1999-0509
Description:
Perl, sh, csh, or other shell interpreters are installed
in the cgi-bin directory on a WWW site, which allows
remote attackers to execute arbitrary commands.
Status: Candidate
Phase: Modified (20000114-01)
Reference: CERT:CA-96.11
Votes:
ACCEPT(2) Northcutt, Wall
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> What is the right level of abstraction to use here? Should
we combine all possible interpreters into a single entry,
or have a different entry for each one? I've often seen
Perl separated from other interpreters - is it included
by default in some Windows web server configurations?
Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
Frech> XF:http-cgi-vuln(146)
Name: CVE-1999-0510
Description:
A router or firewall allows source routed packets from
arbitrary hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:source-routing
Name: CVE-1999-0511
Description:
IP forwarding is enabled on a machine which is not a
router or firewall.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:ip-forwarding
Name: CVE-1999-0512
Description:
A mail server is explicitly configured to allow SMTP
mail relay, which allows abuse by spammers.
Status: Candidate
Phase: Modified (20020427-01)
Votes:
ACCEPT(3) Baker, Shostack, Northcutt
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:smtp-sendmail-relay(210)
XF:ntmail-relay(2257)
XF:exchange-relay(3107) (also assigned to CVE-1999-0682)
XF:smtp-relay-uucp(3470)
XF:sco-sendmail-spam(4342)
XF:sco-openserver-mmdf-spam(4343)
XF:lotus-domino-smtp-mail-relay(6591)
XF:win2k-smtp-mail-relay(6803)
XF:cobalt-poprelayd-mail-relay(6806)
Candidate implicitly may refer to relaying settings enabled by default, or
the bypass/circumvention of relaying. Both interpretations were used in
assigning this candidate.
Christey> The intention of this candidate is to cover configurations in
which the admin has explicitly enabled relaying. Other cases
in which the application *intends* to prevent relaying, but
there is some specific input that bypasses/tricks it, count
as vulnerabilities (or exposures?) and as such would be
assigned different numbers.
http://www.sendmail.org/~ca/email/spam.html seems like a good
general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
Christey> I changed the description to make it more clear that the issue
is that of explicit configuration, as opposed to being the
result of a vulnerability.
Name: CVE-1999-0515
Description:
An unrestricted remote trust relationship for Unix
systems has been set up, e.g. by using a + sign in
/etc/hosts.equiv.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
REJECT(1) Shostack
Voter Comments:
Shostack> Overly broad
Frech> XF:rsh-equiv(111)
Baker> Since this is unrestricted trust, I agree this is a problem
Name: CVE-1999-0516
Description:
An SNMP community name is guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:snmp-get-guess
XF:snmp-set-guess
XF:sol-hidden-commstr
XF:hpov-hidden-snmp-comm
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Name: CVE-1999-0517
Description:
An SNMP community name is the default (e.g. public),
null, or missing.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:nt-snmp
XF:snmp-comm
XF:snmp-set-any
XF:snmp-get-public
XF:snmp-set-public
XF:snmp-get-any
Christey> This candidate is affected by the CD:CF-PASS content decision,
which determines the appropriate level of abstraction to
use for password problems. CD:CF-PASS needs to be accepted
by the Editorial Board before this candidate can be
converted into a CVE entry; the final version of CD:CF-PASS
may require using a different LOA than this candidate is
currently using.
Christey> Consider adding BID:2112
Name: CVE-1999-0518
Description:
A NETBIOS/SMB share password is guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(5) Baker, Shostack, Meunier, LeBlanc, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> Change description term to NetBIOS.
XF:nt-netbios-perm
XF:sharepass
XF:win95-smb-password
XF:nt-netbios-dict
Name: CVE-1999-0519
Description:
A NETBIOS/SMB share password is the default, null, or
missing.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(5) Baker, Shostack, Meunier, LeBlanc, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> Change description term to NetBIOS.
XF:decod-smb-password-empty
XF:nt-netbios-everyoneaccess
XF:nt-netbios-guestaccess
XF:nt-netbios-allaccess
XF:nt-netbios-open
XF:nt-netbios-write
XF:nt-netbios-shareguest
XF:nt-writable-netbios
XF:nt-netbios-everyoneaccess-printer
XF:nt-netbios-share-print-guest
Name: CVE-1999-0520
Description:
A system-critical NETBIOS/SMB share has inappropriate
access control.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(1) Baker
RECAST(1) Northcutt
REJECT(1) LeBlanc
REVIEWING(1) Christey
Voter Comments:
Northcutt> I think we need to enumerate the shares and or the access control
Christey> One question is, what is "inappropriate"? It's probably
very dependent on the policy of the enterprise on which
this is found. And should writable shares be different
from readable shares? (Or file systems, mail spools, etc.)
Yes, the impact may be different, but we could have a
large number of entries for each possible type of access.
A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.
LeBlanc> Unacceptably vague - agree with Christey's comments.
Frech> associated to:
XF:nt-netbios-everyoneaccess(1)
XF:nt-netbios-guestaccess(2)
XF:nt-netbios-allaccess(3)
XF:nt-netbios-open(15)
XF:nt-netbios-write(19)
XF:nt-netbios-shareguest(20)
XF:nt-writable-netbios(26)
XF:nb-rootshare(393)
XF:decod-smb-password-empty(2358)
Name: CVE-1999-0521
Description:
An NIS domain name is easily guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:nis-dom
Christey> Consider http://www.cert.org/advisories/CA-1992-13.html
as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch
Name: CVE-1999-0522
Description:
The permissions for a system-critical NIS+ table (e.g.
passwd) are inappropriate.
Status: Candidate
Phase: Proposed (19990803)
Reference: CERT:CA-96.10
Votes:
ACCEPT(2) Baker, Wall
NOOP(1) Christey
RECAST(1) Northcutt
Voter Comments:
Northcutt> Why not say world readable, this is what you do further down in the
file (world exportable in CVE-1999-0554)
Christey> ADDREF AUSCERT:AA-96.02
Name: CVE-1999-0523
Description:
ICMP echo (ping) is allowed from arbitrary hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Meunier
NOOP(1) Baker
REJECT(2) Frech, Northcutt
Voter Comments:
Northcutt> (Though I sympathize with this one :)
CHANGE> [Frech changed vote from REVIEWING to REJECT]
Frech> Ping is a utility that can be run on demand; ICMP echo is a message
type. As currently worded, this candidate seems as if an arbitrary host
is vulnerable because it is capable of running an arbitrary program or
function (in this case, ping/ICMP echo). There are many programs/functions that
'shouldn't' be on a computer, from a security admin's perspective. Even if this
were a vulnerability, it would be impacted by CD-HIGHCARD.
Meunier> Every ICMP message type presents a vulnerability or an
exposure, if access is not controlled. By that I mean not only those
in RFC 792, but also those in RFC 1256, 950, and more. I think that
the description should be changed to "ICMP messages are acted upon
without any access control". ICMP is an error and debugging protocol.
We complain about vendors leaving testing backdoors in their programs.
ICMP is the equivalent for TCP/IP. ICMP should be in the dog house,
unless you are trying to troubleshoot something. MTU discovery is
just a performance tweak -- it's not necessary. I don't know of any
ICMP message type that is necessary if the network is functional.
Limited logging of ICMP messages could be useful, but acting upon them
and allowing the modification of routing tables, the behavior of the
TCP/IP stack, etc... without any form of authentication is just crazy.
Name: CVE-1999-0524
Description:
ICMP information such as (1) netmask and (2) timestamp
is allowed from arbitrary hosts.
Status: Candidate
Phase: Modified (20070716)
Reference:
MISC:http://descriptions.securescout.com/tc/11010
Reference:
MISC:http://descriptions.securescout.com/tc/11011
Reference:
MISC:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1434
Reference: OSVDB:95
Reference: URL:http://www.osvdb.org/95
Reference: XF:icmp-netmask(306)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/306
Reference: XF:icmp-timestamp(322)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/322
Votes:
MODIFY(3) Baker, Frech, Meunier
REJECT(1) Northcutt
Voter Comments:
Frech> XF:icmp-timestamp
XF:icmp-netmask
Meunier> If this is not merged with 1999-0523 as I commented for that
CVE, then the description should be changed to "ICMP messages of types
13 and 14 (timestamp request and reply) and 17 and 18 (netmask request
and reply) are acted upon without any access control". It's a more
precise and correct language. I believe that this is a valid CVE
entry (it's a common source of vulnerabilities or exposures) even
though I see that the inferred action was "reject". Knowing the time
of a host also allows attacks against random number generators that
are seeded with the current time. I want to push to have it accepted.
Baker> I agree with the description changes suggested by Pascal
Name: CVE-1999-0525
Description:
IP traceroute is allowed from arbitrary hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Frech> XF:traceroute
Name: CVE-1999-0527
Description:
The permissions for system-critical data in an anonymous
FTP account are inappropriate. For example, the root
directory is writeable by world, a real password file is
obtainable, or executable commands such as "ls" can be
overwritten.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(3) Baker, Northcutt, Wall
MODIFY(1) Frech
Voter Comments:
Northcutt> That that starts to get specific :)
Frech> ftp-writable-directory(6253)
ftp-write(53)
"writeable" in the description should be "writable."
Name: CVE-1999-0528
Description:
A router or firewall forwards external packets that
claim to come from inside the network that the
router/firewall is in front of.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(3) Baker, Meunier, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> possibly XF:nisd-dns-fwd-check
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:firewall-external-packet-forwarding(8372)
Name: CVE-1999-0529
Description:
A router or firewall forwards packets that claim to come
from IANA reserved or private addresses, e.g. 10.x.x.x,
127.x.x.x, 217.x.x.x, etc.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Frech
MODIFY(2) Baker, Meunier
REJECT(1) Northcutt
Voter Comments:
Northcutt> I have seen ISPs "assign" private addresses within their domain
Meunier> A border router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
etc, outside of their area of validity.
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Baker> I think the description should be modified to say they accept this type of traffic from an interface not residing on private/reserved network.
Name: CVE-1999-0530
Description:
A system is operating in "promiscuous" mode which allows
it to perform packet sniffing.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Frech
REJECT(1) Shostack
Voter Comments:
Frech> XF:etherstatd(264)
XF:sniffer-attack(778)
XF:decod-packet-capture-remote(1072)
XF:netmon-running(1448)
XF:netxray3-probe(1450)
XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)
Baker> Does pose a problem in non-switched environments
Name: CVE-1999-0531
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "An SMTP service
supports EXPN, VRFY, HELP, ESMTP, and/or EHLO."
Status: Candidate
Phase: Modified (20080731)
Votes:
MODIFY(1) Frech
NOOP(1) Christey
RECAST(1) Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> I think expn != vrfy, help, esmtp.
Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and
CVE-2000-1046)
XF:smtp-expn(128)
XF:smtp-vrfy(130)
XF:smtp-helo-bo(886)
XF:smtp-vrfy-bo(887)
XF:smtp-expn-bo(888)
XF:slmail-vrfyexpn-overflow(1721)
XF:smtp-ehlo(323)
Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
Christey> XF:smtp-vrfy(130) ?
Name: CVE-1999-0532
Description:
A DNS server allows zone transfers.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Northcutt> (With split DNS implementations this is quite appropriate)
Frech> XF:dns-zonexfer
Name: CVE-1999-0533
Description:
A DNS server allows inverse queries.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Northcutt> (rule of thumb)
Frech> XF:dns-iquery
Name: CVE-1999-0534
Description:
A Windows NT user has inappropriate rights or
privileges, e.g. Act as System, Add Workstation, Backup,
Change System Time, Create Pagefile, Create Permanent
Object, Create Token Name, Debug, Generate Security
Audit, Increase Priority, Increase Quota, Load Driver,
Lock Memory, Profile Single Process, Remote Shutdown,
Replace Process Token, Restore, System Environment, Take
Ownership, or Unsolicited Input.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(5) Baker, Shostack, Ozancin, Christey, Wall
MODIFY(2) Frech, Northcutt
Voter Comments:
Northcutt> If we are going to write a laundry list put access to the scheduler in it.
Christey> The list of privileges is very useful for lookup.
Frech> XF:nt-create-token
XF:nt-replace-token
XF:nt-lock-memory
XF:nt-increase-quota
XF:nt-unsol-input
XF:nt-act-system
XF:nt-create-object
XF:nt-sec-audit
XF:nt-add-workstation
XF:nt-manage-log
XF:nt-take-owner
XF:nt-load-driver
XF:nt-profile-system
XF:nt-system-time
XF:nt-single-process
XF:nt-increase-priority
XF:nt-create-pagefile
XF:nt-backup
XF:nt-restore
XF:nt-debug
XF:nt-system-env
XF:nt-remote-shutdown
Name: CVE-1999-0535
Description:
A Windows NT account policy for passwords has
inappropriate, security-critical settings, e.g. for
password length, password age, or uniqueness.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Shostack, Wall
MODIFY(2) Baker, Frech
RECAST(2) Ozancin, Northcutt
Voter Comments:
Northcutt> inappropriate implies there is appropriate. As a guy who has been monitoring
networks for years I have deep reservations about justifying the existence
of any fixed cleartext password. For appropriate to exist, some "we" would
have to establish some criteria for appropriate passwords.
Baker> Perhaps this could be re-worded a bit. The CVE CVE-1999-00582
specifies "...settings for lockouts". To remain consistent with the
other, maybe it should specify "...settings for passwords". I think
most people would agree that passwords should be at least 8
characters; contain letters (upper and lowercase), numbers and at
least one non-alphanumeric; should only be good for a limited time, 30-90
days; and should not contain character combinations from the user's prior
2 or 3 passwords.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for passwords, e.g. passwords of sufficient
length, periodic required password changes, or new password uniqueness
Ozancin> What is appropriate?
Frech> XF:nt-autologonpwd
XF:nt-pwlen
XF:nt-maxage
XF:nt-minage
XF:nt-pw-history
XF:nt-user-pwnoexpire
XF:nt-unknown-pwdfilter
XF:nt-pwd-never-expire
XF:nt-pwd-nochange
XF:nt-pwdcache-enable
XF:nt-guest-change-passwords
Name: CVE-1999-0537
Description:
A configuration in a web browser such as Internet
Explorer or Netscape Navigator allows execution of
active content such as ActiveX, Java, Javascript, etc.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Frech
REJECT(1) LeBlanc
Voter Comments:
Frech> Good candidate for dot notation.
XF:nav-java-enabled
XF:nav-javascript-enabled
XF:ie-active-content
XF:ie-active-download
XF:ie-active-scripting
XF:ie-activex-execution
XF:ie-java-enabled
XF:netscape-javascript
XF:netscape-java
XF:zone-active-scripting
XF:zone-activex-execution
XF:zone-desktop-install
XF:zone-low-channel
XF:zone-file-download
XF:zone-file-launch
XF:zone-java-scripting
XF:zone-low-java
XF:zone-safe-scripting
XF:zone-unsafe-scripting
LeBlanc> Not a vulnerability. These are just checks for configuration
settings that a user might have changed. I understand need to increase
number of checks in a scanning product, but don't feel like these belong
in CVE. Scanner vendors could argue that these entries are needed to
keep a common language.
Baker> Not sure about whether we should bother to include this type of issue or not. It does provide a stepping stone for further actions, but in and of itself it isn't a specific vulnerability.
Name: CVE-1999-0539
Description:
A trust relationship exists between two Unix hosts.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(2) Shostack, Northcutt
Voter Comments:
Northcutt> Too nonspecific
Frech> XF:trusted-host(341)
XF:trust-remote-same(717)
XF:trust-remote-root(718)
XF:trust-remote-nonroot(719)
XF:trust-remote-any(720)
XF:trust-other-host(723)
XF:trust-all-nonroot(726)
XF:trust-any-remote(727)
XF:trust-local-acct(728)
XF:trust-local-any(729)
XF:trust-local-nonroot(730)
XF:trust-all-hosts(731)
XF:nt-trusted-domain(1284)
XF:rsagent-trusted-domainadded(1588)
XF:trust-remote-user(2955)
XF:user-trust-hosts(3074)
XF:user-trust-other-host(3077)
XF:user-trust-remote-account(3079)
Name: CVE-1999-0541
Description:
A password for accessing a WWW URL is guessable.
Status: Candidate
Phase: Proposed (19990714)
Votes:
ACCEPT(4) Baker, Shostack, Meunier, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:http-password
Name: CVE-1999-0546
Description:
The Windows NT guest account is enabled.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(5) Baker, Shostack, Ozancin, Northcutt, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-guest-account
Name: CVE-1999-0547
Description:
An SSH server allows authentication through the .rhosts
file.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Shostack
MODIFY(1) Frech
NOOP(1) Northcutt
Voter Comments:
Frech> XF:sshd-rhosts(315)
Name: CVE-1999-0548
Description:
A superfluous NFS server is running, but it is not
importing or exporting any file systems.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Shostack
NOOP(1) Baker
REJECT(1) Northcutt
Name: CVE-1999-0549
Description:
Windows NT automatically logs in an administrator upon
rebooting.
Status: Candidate
Phase: Proposed (19990630)
Votes:
ACCEPT(1) Hill
MODIFY(3) Frech, Ozancin, Blake
NOOP(1) Wall
REJECT(1) Baker
Voter Comments:
Wall> Don't know what this is. Don't think it is a vulnerability and would
initially reject. This is different than just renaming the
administrator account.
Frech> Would appreciate more information on this one, as in a reference.
Blake> Reference: XF:nt-autologin
Ozancin> Needs more detail
Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine.
No refs, no details, should reject
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-autologon(5)
Name: CVE-1999-0550
Description:
A router's routing tables can be obtained from arbitrary
hosts.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
RECAST(1) Northcutt
Voter Comments:
Northcutt> Don't you mean obtained by arbitrary hosts
Frech> XF:routed
XF:decod-rip-entry
XF:rip
Baker> Concur with this as a security issue
Name: CVE-1999-0554
Description:
NFS exports system-critical data to the world, e.g. / or
a password file.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Northcutt, Wall
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> A content decision (CD:CF-DATA) needs to be reviewed
and accepted by the Editorial Board in order to resolve
this question.
Name: CVE-1999-0555
Description:
A Unix account with a name other than "root" has UID 0,
i.e. root privileges.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(1) Baker
REJECT(2) Shostack, Northcutt
Voter Comments:
Northcutt> This is very bogus
Name: CVE-1999-0556
Description:
Two or more Unix accounts have the same UID.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Christey
REJECT(2) Shostack, Northcutt
Voter Comments:
Christey> XF:duplicate-uid(876)
Christey> Add terms "duplicate" and "user ID" to facilitate search.
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
Name: CVE-1999-0559
Description:
A system-critical Unix file or directory has
inappropriate permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Baker, Wall
RECAST(2) Shostack, Northcutt
Voter Comments:
Northcutt> Writable other than by root/bin/wheelgroup?
Name: CVE-1999-0560
Description:
A system-critical Windows NT file or directory has
inappropriate permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Baker, Wall
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we should specify these
Name: CVE-1999-0561
Description:
IIS has the #exec function enabled for Server Side
Include (SSI) files.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Northcutt
RECAST(1) Shostack
REJECT(1) LeBlanc
Voter Comments:
LeBlanc> Does not meet definition of a vulnerability. This function is
just enabled. You can turn it off if you want. if you trust the people
putting up your web pages, this isn't a problem. If you don't, this is
just one of many things you need to change.
Name: CVE-1999-0562
Description:
The registry in Windows NT can be accessed remotely by
users who are not administrators.
Status: Candidate
Phase: Modified (20061101)
Reference: OVAL:oval:org.mitre.oval:def:1023
Reference:
URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1023
Votes:
ACCEPT(4) Baker, Shostack, Ozancin, Wall
MODIFY(1) Frech
RECAST(1) Northcutt
Voter Comments:
Northcutt> This isn't all or nothing, users may be allowed to access part of the
registry.
Frech> XF:nt-winreg-all
XF:nt-winreg-net
Name: CVE-1999-0564
Description:
An attacker can force a printer to print arbitrary
documents (e.g. if the printer doesn't require a
password) or to become disabled.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Shostack
NOOP(1) Northcutt
Name: CVE-1999-0565
Description:
A Sendmail alias allows input to be piped to a program.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
NOOP(1) Baker
RECAST(1) Shostack
REVIEWING(1) Christey
Voter Comments:
Shostack> Is this a default alias? Is my .procmailrc an instance of this?
Christey> It is not entirely clear whether the simple fact that an alias
pipes into a program should be considered a vulnerability. It
all depends on the behavior of that particular program. This
is one of a number of configuration-related issues from the
"draft" CVE that came from vulnerability scanners. In
general, when we get to general configuration and "policy,"
it becomes more difficult to use the current CVE model to
represent them. So at the very least, this candidate (and
similar ones) should be given close consideration and
discussion before being added to the official CVE list.
Because this candidate is related to general configuration
issues, and we have not completely determined how to handle
such issues in CVE, this candidate cannot be promoted to an
official CVE entry until such issues are resolved.
Name: CVE-1999-0568
Description:
rpc.admind in Solaris is not running in a secure mode.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
NOOP(2) Baker, Christey
RECAST(2) Dik, Shostack
Voter Comments:
Shostack> are there secure modes?
Dik> Several:
1) there is no "rpc.admind" daemon.
there used to be a "admind" RPC daemon (100087/10)
and there's now an "sadmind" daemon (100232/10)
The switch over was somewhere around Solaris 2.4.
2) Neither defaults to "secure mode"
3) secure mode is "using secure RPC" which does
proper over the wire authentication by specifying
the "-S 2" option in inetd.conf
(security level 2)
Christey> XF:rpc-admind(626)
http://xforce.iss.net/static/626.php
MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html
Name: CVE-1999-0569
Description:
A URL for a WWW directory allows auto-indexing, which
provides a list of all files in that directory if it
does not contain an index.html file.
Status: Candidate
Phase: Modified (19991130-01)
Votes:
ACCEPT(1) Wall
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Northcutt> I do this intentionally sometimes in high content directories
Christey> XF:http-noindex(90) ?
Name: CVE-1999-0570
Description:
Windows NT is not using a password filter utility, e.g.
PASSFILT.DLL.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Wall
Voter Comments:
Northcutt> Here we are crossing into the best practices arena again. However, since
passfilt does establish a measurable standard and since we aren't the
ones defining the standard, simply saying it should be employed, I will
vote for this.
Frech> XF:nt-passfilt-not-inst(1308)
XF:nt-passfilt-not-found(1309)
Christey> Consider MSKB:Q161990 and MSKB:Q151082
Name: CVE-1999-0571
Description:
A router's configuration service or management interface
(such as a web server or telnet) is configured to allow
connections from arbitrary hosts.
Status: Candidate
Phase: Modified (20020312-01)
Reference: BUGTRAQ:Feb5,1999
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Christey, Northcutt
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:ascend-config-kill(889)
XF:cisco-ios-crash(1238)
XF:webramp-remote-access(1670)
XF:ascom-timeplex-debug(1824)
XF:netopia-unpassworded(1850)
XF:cisco-web-crash(1886)
XF:cisco-router-commands(1951)
XF:motorola-cable-default-pass(2002)
XF:default-flowpoint(2091)
XF:netgear-router-idle-dos(4003)
XF:cisco-cbos-telnet(4251)
XF:routermate-snmp-community(4290)
XF:cayman-router-dos(4479)
XF:wavelink-authentication(5185)
XF:ciscosecure-ldap-bypass-authentication(5274)
XF:foundry-firmware-telnet-dos(5514)
XF:netopia-view-system-log(5536)
XF:cisco-webadmin-remote-dos(5595)
XF:cisco-cbos-web-access(5626)
XF:netopia-telnet-dos(6001)
XF:cisco-sn-gain-access(6827)
XF:cayman-dsl-insecure-permissions(6841)
XF:linksys-etherfast-reveal-passwords(6949)
XF:zyxel-router-default-password(6968)
XF:cisco-cbos-web-config(7027)
XF:prestige-wan-bypass-filter(7146)
Christey> I changed the description to make it more explicit that this
candidate is about router configuration, as opposed to
vulnerabilities that accidentally make a configuration
service accessible to anyone.
Name: CVE-1999-0572
Description:
.reg files are associated with the Windows NT registry
editor (regedit), making the registry susceptible to
Trojan Horse attacks.
Status: Candidate
Phase: Modified (20041017)
Votes:
ACCEPT(4) Baker, Shostack, Ozancin, Wall
MODIFY(1) Frech
NOOP(2) Christey, Northcutt
Voter Comments:
Northcutt> I don't quite get what this means, sorry
Frech> XF:nt-regfile(178)
Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html
Name: CVE-1999-0575
Description:
A Windows NT system's user audit policy does not log an
event success or failure, e.g. for Logon and Logoff,
File and Object Access, Use of User Rights, User and
Group Management, Security Policy Changes, Restart,
Shutdown, and System, and Process Tracking.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(4) Shostack, Ozancin, Christey, Wall
MODIFY(1) Frech
RECAST(2) Baker, Northcutt
Voter Comments:
Northcutt> It isn't a great truth that you should enable all of the above; if you
do, you potentially introduce a vulnerability of filling up the file
system with stuff you will never look at.
Ozancin> It is far less interesting what a user does successfully than what they
attempt and fail at.
Christey> The list of event types is very useful for lookup.
Frech> XF:nt-system-audit
XF:nt-logon-audit
XF:nt-object-audit
XF:nt-privil-audit
XF:nt-process-audit
XF:nt-policy-audit
XF:nt-account-audit
CHANGE> [Baker changed vote from REVIEWING to RECAST]
Name: CVE-1999-0576
Description:
A Windows NT system's file audit policy does not log an
event success or failure for security-critical files or
directories.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Baker, Shostack, Wall
MODIFY(2) Frech, Ozancin
REJECT(1) Northcutt
Voter Comments:
Northcutt> 1.) Too general; are we ready to state what the security-critical files
and directories are?
2.) Do Ataris, Windows CE, PalmOS, Linux have such a capability?
Ozancin> Some files and directories are clearly understood to be critical. Others are
unclear. We need to clarify what critical is.
Frech> XF:nt-object-audit
Name: CVE-1999-0577
Description:
A Windows NT system's file audit policy does not log an
event success or failure for non-critical files or
directories.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Shostack, Wall
MODIFY(3) Baker, Frech, Ozancin
REJECT(1) Northcutt
Voter Comments:
Ozancin> It is far less interesting what a user does successfully than what they
attempt and fail at.
Perhaps only failure should be logged.
Frech> XF:nt-object-audit
CHANGE> [Baker changed vote from REVIEWING to MODIFY]
Baker> Failure on non-critical files is what should be monitored.
Name: CVE-1999-0578
Description:
A Windows NT system's registry audit policy does not log
an event success or failure for security-critical
registry keys.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(4) Baker, Shostack, Ozancin, Wall
MODIFY(1) Frech
REJECT(1) Northcutt
Voter Comments:
Ozancin> with reservation
Again what is defined as critical
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
Name: CVE-1999-0579
Description:
A Windows NT system's registry audit policy does not log
an event success or failure for non-critical registry
keys.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Baker, Shostack, Wall
MODIFY(2) Frech, Ozancin
REJECT(1) Northcutt
Voter Comments:
Ozancin> Again only failure may be of interest. It would be impractical to wade
through the incredibly large amount of logging that this would generate. It
could overwhelm log entries that you might find interesting.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:nt-object-audit(228)
Name: CVE-1999-0580
Description:
The HKEY_LOCAL_MACHINE key in a Windows NT system has
inappropriate, system-critical permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate; take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> This is way vague...
Name: CVE-1999-0581
Description:
The HKEY_CLASSES_ROOT key in a Windows NT system has
inappropriate, system-critical permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate; take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> way too vague
Name: CVE-1999-0582
Description:
A Windows NT account policy has inappropriate,
security-critical settings for lockout, e.g. lockout
duration, lockout after bad logon attempts, etc.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Shostack, Ozancin, Wall
MODIFY(2) Baker, Frech
REJECT(1) Northcutt
Voter Comments:
Northcutt> The definition is?
Baker> Maybe a rewording of this one too. I think most people would agree on
some "minimum" policies like 3-5 bad attempts lockout for an hour or
until the administrator unlocks the account.
Suggested rewrite -
A Windows NT account policy does not enforce reasonable minimum
security-critical settings for lockouts, e.g. lockout duration,
lockout after bad logon attempts, etc.
Ozancin> with reservations
What is appropriate?
Frech> XF:nt-thres-lockout
XF:nt-lock-duration
XF:nt-lock-window
XF:nt-perm-lockout
XF:lockout-disabled
Name: CVE-1999-0583
Description:
There is a one-way or two-way trust relationship between
Windows NT domains.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(2) Baker, Christey
REJECT(2) Shostack, Northcutt
Voter Comments:
Christey> XF:nt-trusted-domain(1284)
Name: CVE-1999-0584
Description:
A Windows NT file system is not NTFS.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Northcutt, Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
Voter Comments:
Wall> NTFS partition provides the security. This could be re-worded
to "A Windows NT file system is FAT" since it is either NTFS or FAT
and FAT is less secure.
Frech> XF:nt-filesys(195)
Christey> MSKB:Q214579
http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP
Name: CVE-1999-0585
Description:
A Windows NT administrator account has the default name
of Administrator.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(1) Ozancin
MODIFY(1) Frech
REJECT(3) Baker, Shostack, Northcutt
REVIEWING(1) Wall
Voter Comments:
Wall> Some sources say this is not a vulnerability, but a warning. It just
slows down the search for the admin account (SID = 500) which can
always be found.
Northcutt> I change this on all NT systems I am responsible for, but is
root a vulnerability?
Baker> There are ways to identify the administrator account anyway, so this
is only a minor delay to someone that is knowledgeable. This, in and
of itself, doesn't really strike me as a vulnerability, any more than
the root account on a Unix box.
Shostack> (there is no way to hide the account name today)
Frech> XF:nt-adminexists
Name: CVE-1999-0586
Description:
A network service is running on a nonstandard port.
Status: Candidate
Phase: Proposed (19990728)
Votes:
NOOP(1) Baker
RECAST(1) Shostack
REJECT(1) Northcutt
Voter Comments:
Shostack> Might be acceptable if clearer; is that a standard service on a
non-standard port, or any service on an unassigned port?
Baker> It might actually be an enhancement rather than a problem to run a service on a non-standard port
Name: CVE-1999-0587
Description:
A WWW server is not running in a restricted file system,
e.g. through a chroot, thus allowing access to
system-critical data.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
VMS, palm pilots, or commodore 64
Name: CVE-1999-0588
Description:
A filter in a router or firewall allows unusual
fragmented packets.
Status: Candidate
Phase: Proposed (19990726)
Votes:
MODIFY(2) Baker, Frech
REJECT(1) Northcutt
Voter Comments:
Northcutt> I want to vote to accept this one, but unusual is a shade broad.
Frech> XF:nt-rras
XF:cisco-fragmented-attacks
XF:ip-frag
Baker> Perhaps we should use the word abnormally fragmented or some other descriptor.
Name: CVE-1999-0589
Description:
A system-critical Windows NT registry key has
inappropriate permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(2) Christey, Northcutt
Voter Comments:
Northcutt> I think we can define appropriate; take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one. Therefore this
candidate should be RECAST into each separate registry
key that has this problem.
Name: CVE-1999-0590
Description:
A system does not present an appropriate legal message
or warning to a user who is accessing it.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(2) Baker, Northcutt
MODIFY(1) Christey
RECAST(1) Shostack
Voter Comments:
Christey> ADDREF CIAC:J-043
URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
Also add "banner" to the description to facilitate search.
Baker> Should be in place wherever it is possible
Name: CVE-1999-0591
Description:
An event log in Windows NT has inappropriate access
permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(2) Baker, Wall
RECAST(1) Northcutt
Voter Comments:
Northcutt> splain Lucy, splain
Name: CVE-1999-0592
Description:
The Logon box of a Windows NT system displays the name
of the last user who logged in.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(2) Northcutt, Wall
Voter Comments:
Wall> Information gathering, not vulnerability
Northcutt> Ah, a C2 weenie must have snuck this in; this can be a good thing,
not just a vulnerability
Frech> XF:nt-display-last-username(1353)
Use it if you will. :-) If not, let us know so I can remove the CAN
reference from our database.
Christey> MSKB:Q114463
http://support.microsoft.com/support/kb/articles/q114/4/63.asp
Name: CVE-1999-0593
Description:
The default setting for the Winlogon key entry
ShutdownWithoutLogon in Windows NT allows users with
physical access to shut down a Windows NT system without
logging in.
Status: Candidate
Phase: Modified (20070307)
Reference:
MISC:http://www.microsoft.com/technet/archive/winntas/deploy/confeat/06wntpcc.mspx?mfr=true
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Northcutt
Voter Comments:
Wall> Still a denial of service.
Northcutt> May well be appropriate
Frech> XF:nt-shutdown-without-logon(1291)
Name: CVE-1999-0594
Description:
A Windows NT system does not restrict access to
removable media drives such as a floppy disk drive or
CDROM drive.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Wall> Perhaps it can be re-worded to "removable media drives
such as a floppy disk drive or CDROM drive can be accessed (shared) in a
Windows NT system."
Northcutt> - what good is my NT w/o its floppy
Frech> XF:nt-allocate-cdroms(1294)
XF:nt-allocate-floppy(1318)
Christey> MSKB:Q172520
URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp
Name: CVE-1999-0595
Description:
A Windows NT system does not clear the system page file
during shutdown, which might allow sensitive information
to be recorded.
Status: Candidate
Phase: Proposed (19990728)
Reference: MSKB:Q182086
Votes:
ACCEPT(2) Baker, Wall
MODIFY(1) Frech
NOOP(1) Northcutt
Voter Comments:
Frech> XF:nt-clearpage(216)
XF:reg-pagefile-clearing(2551)
Name: CVE-1999-0596
Description:
A Windows NT log file has an inappropriate maximum size
or retention period.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(2) Northcutt, Wall
Voter Comments:
Northcutt> define appropriate
Frech> XF:reg-app-log-small(2521)
XF:reg-sec-log-maxsize(2577)
XF:reg-sys-log-small(2586)
Name: CVE-1999-0597
Description:
A Windows NT account policy does not forcibly disconnect
remote users from the server when their logon hours
expire.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Northcutt
MODIFY(1) Frech
NOOP(1) Baker
REJECT(1) Wall
Voter Comments:
Frech> XF:nt-forced-logoff(1343)
Name: CVE-1999-0598
Description:
A network intrusion detection system (IDS) does not
properly handle packets that are sent out of order,
allowing an attacker to escape detection.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(3) Baker, Armstrong, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0599
Description:
A network intrusion detection system (IDS) does not
properly handle packets with improper sequence numbers.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0600
Description:
A network intrusion detection system (IDS) does not
verify the checksum on a packet.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0601
Description:
A network intrusion detection system (IDS) does not
properly handle data within TCP handshake packets.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for Godot, er, CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0602
Description:
A network intrusion detection system (IDS) does not
properly reassemble fragmented packets.
Status: Candidate
Phase: Proposed (19990726)
Votes:
ACCEPT(2) Baker, Northcutt
NOOP(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> Waiting for CIEL.
Christey> This is a design flaw, along with the other reported IDS
problems; at least reference Ptacek/Newsham's paper.
Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
Name: CVE-1999-0603
Description:
In Windows NT, an inappropriate user is a member of a
group, e.g. Administrator, Backup Operators, Domain
Admins, Domain Guests, Power Users, Print Operators,
Replicators, System Operators, etc.
Status: Candidate
Phase: Proposed (19990728)
Votes:
MODIFY(1) Frech
NOOP(1) Baker
REJECT(2) Wall, Northcutt
Voter Comments:
Frech> XF:nt-system-operator
XF:nt-admin-group
XF:nt-replicator
XF:nt-print-operator
XF:nt-power-user
XF:nt-guest-in-group
XF:nt-backup-operator
XF:nt-domain-admin
XF:nt-domain-guest
XF:win2k-acct-oper-grp
XF:win2k-admin-grp
XF:win2k-backup-oper-grp
XF:win2k-certpublishers-grp
XF:win2k-dhcp-admin-grp
XF:win2k-dnsadm-grp
XF:win2k-domainadm-grp
XF:win2k-entadm-grp
XF:win2k-printoper-grp
XF:win2k-replicator-grp
XF:win2k-schemaadm-grp
XF:win2k-serveroper-grp
You asked for it... :-) Use or reject at your discretion. If rejected,
please let us know so we can remove CAN references from database.
Name: CVE-1999-0604
Description:
An incorrect configuration of the WebStore 1.0 shopping
cart CGI program "web_store.cgi" could disclose private
information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts
exposing CC data
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Northcutt
Voter Comments:
Frech> XF:webstore-misconfig(3861)
Name: CVE-1999-0605
Description:
An incorrect configuration of the Order Form 1.0
shopping cart CGI program could disclose private
information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts
exposing CC data
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Christey, Northcutt
Voter Comments:
Frech> XF:orderform-misconfig(3860)
Christey> BID:2021
Christey> Mention affected files: order_log_v12.dat and order_log.dat
fix version number (1.2)
Name: CVE-1999-0606
Description:
An incorrect configuration of the EZMall 2000 shopping
cart CGI program "mall2000.cgi" could disclose private
information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts
exposing CC data
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Christey, Northcutt
Voter Comments:
Frech> XF:ezmall2000-misconfig(3859)
Christey> Add mall_log_files/order.log to desc
Name: CVE-1999-0607
Description:
quikstore.cgi in QuikStore shopping cart stores
quikstore.cfg under the web document root with
insufficient access control, which allows remote
attackers to obtain the cleartext administrator password
and gain privileges.
Status: Candidate
Phase: Modified (20060608)
Reference: BUGTRAQ:19990420 Shopping Carts
exposing CC data
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Christey, Northcutt
Voter Comments:
Frech> XF:quikstore-misconfig(3858)
Christey> http://www.quikstore.com/help/pages/Security/security.htm says:
"It is IMPORTANT that during the setup of the QuikStore program, you
check to make sure that the cgi-bin or executable program directory
of your web site not be viewable from the outside world. You don't
want the users to have access to your programs or log files that could
be stored there!
...
If you can view or download these files from the browser, someone
else can too"
So is this a configuration problem? See the configuration file at
http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
The [DIRECTORY_PATHS] section identifies pathnames and describes how
pathnames are constructed. It clearly uses relative pathnames,
so all data is underneath the base directory!!
If we call this a configuration problem, then maybe this (and
all other "CGI-data-in-web-tree" configuration problems) should
be combined.
Christey> Consider adding BID:1983
Name: CVE-1999-0609
Description:
An incorrect configuration of the SoftCart CGI program
"SoftCart.exe" could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts
exposing CC data
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(3) Wall, Christey, Northcutt
Voter Comments:
Frech> XF:softcart-misconfig(3856)
Christey> Consider adding BID:2055
Name: CVE-1999-0610
Description:
An incorrect configuration of the Webcart CGI program
could disclose private information.
Status: Candidate
Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts
exposing CC data
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(2) Wall, Northcutt
Voter Comments:
Frech> Cite reference as:
BUGTRAQ:19990424 Re: Shopping Carts exposing CC data
URL:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:webcart-data-exposure(8374)
Name: CVE-1999-0611
Description:
A system-critical Windows NT registry key has an
inappropriate value.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate; take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> too vague
Name: CVE-1999-0613
Description:
The rpc.sprayd service is running.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
Voter Comments:
Frech> XF:sprayd
Name: CVE-1999-0614
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The FTP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0615
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SNMP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(3) Wall, Baker, Prosser
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Baker> Although newer versions of snmp are not as vulnerable as prior versions,
this can still be a significant risk of exploitation, as seen in recent
attacks on snmp services via automated worms
Christey> XF:snmp(132) ?
Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP. This is more of a policy/best practice issue for administrators. If you need SNMP, lock it down as tight as you can; if you don't need it, don't run it.
Name: CVE-1999-0616
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The TFTP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0617
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SMTP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0618
Description:
The rexec service is running.
Status: Candidate
Phase: Modified (19990921-01)
Reference: XF:rexec
Votes:
ACCEPT(4) Wall, Baker, Ozancin, Northcutt
MODIFY(1) Frech
Voter Comments:
Frech> XF:decod-rexec
XF:rexec
Name: CVE-1999-0619
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The Telnet service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0620
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service
related to NIS is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:ypserv(261)
Name: CVE-1999-0621
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service
related to NETBIOS is running."
Status: Candidate
Phase: Modified (20080731)
Reference: OVAL:oval:org.mitre.oval:def:1024
Reference:
URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1024
Votes:
ACCEPT(2) Wall, Baker
MODIFY(1) Frech
REJECT(2) LeBlanc, Northcutt
Voter Comments:
LeBlanc> There is insufficient description to even know what this is.
Lots of component services related to NetBIOS run, and usually do not
constitute a problem.
Frech> associated to:
XF:nt-alerter(29)
XF:nt-messenger(69)
XF:reg-ras-gateway-enabled(2567)
Name: CVE-1999-0622
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A component service
related to DNS service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0623
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The X Windows service
is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> Add "X11" to facilitate search.
Name: CVE-1999-0624
Description:
The rstat/rstatd service is running.
Status: Candidate
Phase: Interim (19990925)
Reference: XF:rstat-out
Reference: XF:rstatd
Votes:
ACCEPT(3) Baker, Ozancin, Northcutt
MODIFY(1) Frech
NOOP(2) Wall, Meunier
Voter Comments:
Frech> XF:rstat-out
XF:rstatd
Name: CVE-1999-0625
Description:
The rpc.rquotad service is running.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(3) Baker, Ozancin, Northcutt
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:rquotad
Name: CVE-1999-0629
Description:
The ident/identd service is running.
Status: Candidate
Phase: Proposed (19990721)
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(2) Wall, Christey
REJECT(1) Northcutt
Voter Comments:
Frech> possibly XF:identd?
Christey> XF:ident-users(318) ?
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:identd-vuln(61)
XF:ident-users(318)
Name: CVE-1999-0630
Description:
The NT Alerter and Messenger services are running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp
Name: CVE-1999-0631
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The NFS service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:nfs-nfsd(76) ?
Christey> Add rpc.mountd/mountd to facilitate search.
Name: CVE-1999-0632
Description:
The RPC portmapper service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0633
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The HTTP/WWW service
is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0634
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The SSH service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0635
Description:
The echo service is running.
Status: Candidate
Phase: Modified (20060122)
Reference: FULLDISC:20060116 ACT P202S VoIP
wireless phone multiple undocumented ports/services
Reference:
URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html
Reference: SECUNIA:18514
Reference:
URL:http://secunia.com/advisories/18514
Votes:
ACCEPT(3) Wall, Baker, Northcutt
REVIEWING(1) Christey
Voter Comments:
Northcutt> The method to my madness is echo is the common denom in the dos attack
Christey> How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)? If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.
Name: CVE-1999-0636
Description:
The discard service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0637
Description:
The systat service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0638
Description:
The daytime service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0639
Description:
The chargen service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
REVIEWING(1) Christey
Voter Comments:
Christey> How much of this is an overlap with the echo/chargen flood
problem (CVE-1999-0103)? If this is only an exposure because
of CVE-1999-0103, then maybe this should be REJECTed.
Name: CVE-1999-0640
Description:
The Gopher service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0641
Description:
The UUCP service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0642
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A POP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0643
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The IMAP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0644
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The NNTP news service
is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:nntp-post(88) ?
Name: CVE-1999-0645
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The IRC service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> XF:irc-server(767) ?
Name: CVE-1999-0646
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The LDAP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0647
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The bootparam
(bootparamd) service is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Baker, Ozancin
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
Voter Comments:
Frech> XF:bootp
Name: CVE-1999-0648
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The X25 service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0649
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "The FSP service is
running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0650
Description:
The netstat service is running, which provides sensitive
information to remote attackers.
Status: Candidate
Phase: Modified (20060608)
Reference: XF:netstat(72)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0651
Description:
The rsh/rlogin service is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
MODIFY(1) Frech
NOOP(1) Christey
REJECT(1) Northcutt
Voter Comments:
Christey> aka "shell" on UNIX systems (at least Solaris) in the
/etc/inetd.conf file.
Frech> associated to:
XF:nt-rlogin(92)
XF:rsh-svc(114)
XF:rshd(2995)
Name: CVE-1999-0652
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A database service is
running, e.g. a SQL server, Oracle, or mySQL."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Northcutt
Voter Comments:
Frech> XF:nt-sql-server(1289)
XF:msql-detect(2211)
XF:oracle-detect(2388)
XF:sybase-detect-namedpipes(1461)
Name: CVE-1999-0653
Description:
A component service related to NIS+ is running.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0654
Description:
The OS/2 or POSIX subsystem in NT is enabled.
Status: Candidate
Phase: Proposed (19990728)
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Northcutt
Voter Comments:
Wall> These subsystems could still allow a process to persist across logins.
Frech> XF:nt-posix(217)
XF:nt-posix-sub-c2(2397)
XF:nt-posix-sub-onceonly(2478)
XF:nt-os2-sub(218)
XF:nt-os2-sub-c2(2396)
XF:nt-os2-sub-onceonly(2477)
XF:nt-os2-registry(2550)
Christey> s2-file-os2(1865)
Name: CVE-1999-0655
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is not about
any specific product, protocol, or design, so it is out
of scope of CVE. Notes: the former description is: "A
service may include useful information in its banner or
help function (such as the name and version), making it
useful for information gathering activities."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(5) Wall, Baker, Frech, Ozancin, Northcutt
Voter Comments:
CHANGE> [Frech changed vote from REVIEWING to ACCEPT]
Name: CVE-1999-0656
Description:
The ugidd RPC interface, by design, allows remote
attackers to enumerate valid usernames by specifying
arbitrary UIDs that ugidd maps to local user and group
names.
Status: Candidate
Phase: Modified (20080731)
Reference:
MISC:http://ca.com/au/securityadvisor/vulninfo/Vuln.aspx?ID=1638
Reference: XF:linux-ugidd(348)
Reference:
URL:http://xforce.iss.net/xforce/xfdb/348
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0657
Description:
WinGate is being used.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(1) Baker
NOOP(1) Wall
REJECT(1) Northcutt
Name: CVE-1999-0658
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "DCOM is running."
Status: Candidate
Phase: Modified (20080731)
Votes:
ACCEPT(2) Wall, Baker
REJECT(1) Northcutt
Name: CVE-1999-0659
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is solely about
a configuration that does not directly introduce
security vulnerabilities, so it is more appropriate to
cover under the Common Configuration Enumeration (CCE).
Notes: the former description is: "A Windows NT Primary
Domain Controller (PDC) or Backup Domain Controller
(BDC) is present."
Status: Candidate
Phase: Modified (20080731)
Votes:
REJECT(3) Wall, Baker, Northcutt
Voter Comments:
Wall> Don't consider this a service or a problem.
Baker> concur with wall on this
Name: CVE-1999-0660
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: None. Reason: this candidate is not about
any specific product, protocol, or design, so it is out
of scope of CVE. It might be more appropriate to cover
under the Common Configuration Enumeration (CCE). Notes:
the former description is: "A hacker utility, back door,
or Trojan Horse is installed on a system, e.g. NetBus,
Back Orifice, Rootkit, etc."
Status: Candidate
Phase: Modified (20080730)
Votes:
ACCEPT(4) Wall, Baker, Hill, Northcutt
NOOP(1) Christey
Voter Comments:
Christey> Add "back door" to description.
Name: CVE-1999-0661
Description:
A system is running a version of software that was
replaced with a Trojan Horse at one of its distribution
points, such as (1) TCP Wrappers 7.6, (2) util-linux
2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC
client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6)
Sendmail 8.12.6.
Status: Candidate
Phase: Modified (20050529)
Reference: CERT:CA-1994-07
Reference:
URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference:
URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference:
URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference:
URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: CERT:CA-2002-28
Reference:
URL:http://www.cert.org/advisories/CA-2002-28.html
Reference: BUGTRAQ:20020801 trojan horse in
recent openssh (version 3.4 portable 1)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20020801 OpenSSH Security
Advisory: Trojaned Distribution Files
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2
Reference: BUGTRAQ:20021009 Re: CERT Advisory
CA-2002-28 Trojan Horse Sendmail
Reference:
URL:http://online.securityfocus.com/archive/1/294539
Reference: BID:5921
Reference:
URL:http://www.securityfocus.com/bid/5921
Reference: XF:sendmail-backdoor(10313)
Reference:
URL:http://www.iss.net/security_center/static/10313.php
Votes:
ACCEPT(4) Wall, Baker, Hill, Northcutt
REVIEWING(1) Christey
Voter Comments:
Christey> Should add the specific CERT advisory references for
well-known Trojaned software.
TCP Wrappers -> CERT:CA-1999-01
CERT:CA-1999-02 includes util-linux
wuarchive - CERT:CA-94.07
IRC client - CERT:CA-1994-14
Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Modify description to use dot notation.
Christey> CERT:CA-2002-24
URL:http://www.cert.org/advisories/CA-2002-24.html
XF:openssh-backdoor(9763)
URL:http://www.iss.net/security_center/static/9763.php
BID:5374
URL:http://www.securityfocus.com/bid/5374
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Add libpcap and tcpdump:
BUGTRAQ:20021113 Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=103722456708471&w=2
CERT:CA-2002-30
URL:http://www.cert.org/advisories/CA-2002-30.html
This CAN has been active for over 4 years. At this moment, my
thinking is that we should SPLIT this CAN into each separate
trojaned product, then create some criteria that restrict
creation of new CANs to "widespread" or "important" products only.
Name: CVE-1999-0662
Description:
A system-critical program or library does not have the
appropriate patch, hotfix, or service pack installed, or
is outdated or obsolete.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(4) Wall, Baker, Hill, Northcutt
Name: CVE-1999-0663
Description:
A system-critical program, library, or file has a
checksum or other integrity measurement that indicates
that it has been modified.
Status: Candidate
Phase: Proposed (19990804)
Votes:
ACCEPT(3) Wall, Baker, Hill
RECAST(1) Northcutt
Voter Comments:
Northcutt> This needs to be worded carefully.
1. Rootkits evade checksum detection.
2. The modification could be positive (a patch)
Name: CVE-1999-0664
Description:
An application-critical Windows NT registry key has
inappropriate permissions.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(2) Christey, Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Christey> Upon further reflection, this is too high-level for CVE.
Specific registry keys with bad permissions is roughly
equivalent to Unix configuration files that have bad
permissions; those permission problems can be created by
any vendor, not just a specific one. Therefore this
candidate should be RECAST into each separate registry
key that has this problem.
Name: CVE-1999-0665
Description:
An application-critical Windows NT registry key has an
inappropriate value.
Status: Candidate
Phase: Proposed (19990803)
Votes:
ACCEPT(1) Wall
NOOP(1) Baker
RECAST(1) Northcutt
Voter Comments:
Northcutt> I think we can define appropriate, take a look at the nt security .pdf
and see if you can't see a way to phrase specific keys in a way that
defines inappropriate.
Baker> very vague
Name: CVE-1999-0667
Description:
The ARP protocol allows any host to spoof ARP replies
and poison the ARP cache to conduct IP address spoofing
or a denial of service.
Status: Candidate
Phase: Proposed (19991222)
Votes:
ACCEPT(2) Cole, Blake
MODIFY(1) Stracener
NOOP(2) Baker, Christey
REJECT(1) Frech
Voter Comments:
Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
CVE-1999-0763: NetBSD on a multi-homed host allows ARP packets on one
network to modify ARP entries on another connected network.
CVE-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
Will reconsider if reference provides enough information to render a
distinction.
Christey> This particular vulnerability was exploited by an attacker
during the ID'Net IDS test network exercise at the SANS
Network Security '99 conference. The attacker adapted a
publicly available program that was able to spoof another
machine on the same physical network.
See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2
for the Bugtraq reference that Tom Stracener suggested.
This generated a long thread on Bugtraq in 1997.
Blake> I'll second Tom's request to add the reference, it's a very
good posting and the vulnerability is clearly derivative of
the work.
(I do recall talking to the guy and drafting a description.)
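The candidate above describes the mechanism (any host may answer an ARP request, and the victim's cache keeps whatever it hears last) but not the check a defender runs. The following is an added example, not code from the page or from any of the tools mentioned in the thread: a minimal monitor that learns each IP-to-MAC binding from the first reply it sees and flags a later reply that claims a different MAC for the same IP, which is the approach arpwatch takes. The capture it replays is constructed inline; addresses and MACs are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sender fields of an ARP reply as a monitor would see them. The captures
   below are constructed for this example. */
struct arp_reply {
    uint32_t sender_ip;        /* host byte order */
    uint8_t  sender_mac[6];
};

#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

#define MAX_BINDINGS 64
static struct arp_reply learned[MAX_BINDINGS];
static int nlearned;

/* Learn IP->MAC on first sight; return 1 when a later reply claims a
   different MAC for an IP already known (the signature of a poisoned cache). */
int observe_reply(const struct arp_reply *r)
{
    for (int i = 0; i < nlearned; i++) {
        if (learned[i].sender_ip == r->sender_ip)
            return memcmp(learned[i].sender_mac, r->sender_mac, 6) != 0;
    }
    if (nlearned < MAX_BINDINGS)
        learned[nlearned++] = *r;
    return 0;
}

/* Reset state and replay a capture; returns how many replies conflicted. */
int count_conflicts(const struct arp_reply *replies, int n)
{
    int conflicts = 0;
    nlearned = 0;
    for (int i = 0; i < n; i++)
        conflicts += observe_reply(&replies[i]);
    return conflicts;
}

/* Constructed capture: the gateway 192.168.1.1 answers from its real NIC
   twice, then a third host starts answering for the same address. */
int sample_conflicts(void)
{
    static const struct arp_reply capture[] = {
        { IP4(192,168,1,1),  {0x00,0x11,0x22,0x33,0x44,0x55} },
        { IP4(192,168,1,10), {0x00,0xaa,0xbb,0xcc,0xdd,0xee} },
        { IP4(192,168,1,1),  {0x00,0x11,0x22,0x33,0x44,0x55} },
        { IP4(192,168,1,1),  {0xde,0xad,0xbe,0xef,0x00,0x01} },  /* spoofed reply */
    };
    return count_conflicts(capture, (int)(sizeof capture / sizeof capture[0]));
}

int main(void)
{
    printf("conflicting ARP replies in sample capture: %d\n", sample_conflicts());
    return 0;
}
```

Two caveats a practitioner would want: a legitimate MAC change (replaced NIC, VRRP failover) trips the same check, so this is an alert rather than a verdict; and a real monitor must also watch ARP requests and gratuitous ARP, since the sender fields of those update caches just as a reply does.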
Name: CVE-1999-0669
Description:
The Eyedog ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote
attacker to execute arbitrary commands as demonstrated
by Bubbleboy.
Status: Candidate
Phase: Interim (19991229)
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
Votes:
ACCEPT(5) Wall, Baker, Cole, Ozancin, Prosser
MODIFY(2) Frech, Stracener
REVIEWING(1) Christey
Voter Comments:
Frech> XF:ms-scriptlet-eyedog-unsafe
Stracener> Add Ref: MSKB Q240308
Christey> Should CVE-1999-0669 and 668 be merged? If not, then this is
a reason for not merging CVE-1999-0988 and CVE-1999-0828.
Name: CVE-1999-0670
Description:
Buffer overflow in the Eyedog ActiveX control allows a
remote attacker to execute arbitrary commands.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-032
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Reference: CIAC:J-064
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Votes:
ACCEPT(3) Wall, Ozancin, Prosser
MODIFY(2) Frech, Stracener
REJECT(2) Baker, Cole
Voter Comments:
Frech> XF:ie-eyedog-bo
Cole> Based on the references and information listed this is the same as
CVE-1999-0669
Stracener> Add Ref: MSKB Q240308
Baker> Duplicate
Name: CVE-1999-0673
Description:
Buffer overflow in ALMail32 POP3 client via From: or To:
headers.
Status: Candidate
Phase: Proposed (19991222)
Reference: BID:574
Reference:
URL:http://www.securityfocus.com/bid/574
Votes:
ACCEPT(6) Wall, Baker, Cole, Collins, Levy, Blake
MODIFY(2) Frech, Stracener
NOOP(3) Landfield, Armstrong, Oliver
REVIEWING(1) Ozancin
Voter Comments:
Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
Frech> XF:almail-bo
CHANGE> [Cole changed vote from NOOP to ACCEPT]
Name: CVE-1999-0677
Description:
The WebRamp web administration utility has a default
password.
Status: Candidate
Phase: Modified (19991228-01)
Reference: BUGTRAQ:19990802 [LoWNOISE] Password
hunting with webramp
Reference: BID:577
Reference:
URL:http://www.securityfocus.com/bid/577
Votes:
ACCEPT(3) Baker, Stracener, Blake
MODIFY(2) Cole, Frech
NOOP(2) Armstrong, Christey
Voter Comments:
Cole> I would add that it is not forced to be changed.
Frech> XF:webramp-default-password
Christey> This problem may have been detected in January 1999:
BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2
Name: CVE-1999-0684
Description:
Denial of service in Sendmail 8.8.6 in HPUX.
Status: Candidate
Phase: Proposed (19991214)
Reference: HP:HPSBUX9904-097
Votes:
ACCEPT(2) Cole, Blake
MODIFY(3) Frech, Stracener, Prosser
NOOP(1) Baker
REJECT(1) Christey
Voter Comments:
Stracener> Add Ref: CIAC: J-040
Prosser> Might change description to indicate DoS caused by multiple connections
Christey> Andre's right. This is a duplicate of CVE-1999-0684.
Frech> Without further information and/or references, this issue looks like an
ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
8.8.6 related to accepting connections.
(was REJECT)
XF:hp-sendmail-connect-dos
Name: CVE-1999-0698
Description:
Denial of service in IP protocol logger (ippl) on Red
Hat and Debian Linux.
Status: Candidate
Phase: Proposed (19991222)
Votes:
ACCEPT(6) Baker, Cole, Armstrong, Collins, Ozancin, Blake
MODIFY(1) Frech
NOOP(4) Wall, Landfield, Stracener, Levy
REJECT(1) Christey
Voter Comments:
Stracener> Is the candidate referring to the denial of service problem mentioned in
the changelogs for versions previous to 1.4.3-1 or does it pertain to some
problem with 1.4.8-1?
Frech> Depending on the version, this could be any number of DoSes
related to ippl.
From http://www.larve.net/ippl/:
9 April 1999: version 1.4.3 released, correctly fixing a
potential denial of service attack.
7 April 1999: version 1.4.2 released, fixing a potential
denial of service attack.
XF:linux-ippl-dos
Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
See comments for version 1.4.2 and 1.4.3
Another source: http://freshmeat.net/news/1999/04/08/923586598.html
CHANGE> [Stracener changed vote from REVIEWING to NOOP]
CHANGE> [Christey changed vote from NOOP to REJECT]
Christey> As mentioned by others, this could apply to several different
versions. Since the description is too vague, this CAN should
be REJECTED and recast into other candidates.
Name: CVE-1999-0712
Description:
A vulnerability in Caldera Open Administration System
(COAS) allows the /etc/shadow password file to be made
world-readable.
Status: Candidate
Phase: Proposed (19991214)
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas
Votes:
ACCEPT(4) Baker, Cole, Frech, Stracener
MODIFY(1) Blake
NOOP(1) Armstrong
REVIEWING(1) Christey
Voter Comments:
Blake> This obscurely-written advisory seems to state that COAS will make the
file world-readable, not that it allows the user to make it so. I hardly
think that allowing the user to turn off security is a vulnerability.
Christey> It's difficult to write the description based on what's in
the advisory. If COAS inadvertently changes permissions
without user confirmation, then it should be ACCEPTed with
appropriate modification to the description.
Christey> ADDREF BID:137
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Name: CVE-1999-0736
Description:
The showcode.asp sample file in IIS and Site Server
allows remote attackers to read arbitrary files.
Status: Candidate
Phase: Modified (20061101)
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Reference: OVAL:oval:org.mitre.oval:def:932
Reference:
URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:932
Votes:
ACCEPT(4) Prosser, Wall, Ozancin, Stracener
MODIFY(2) Cole, Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:iis-samples-showcode
Cole> There are several sample files that allow this. I would quote
showcode.asp but make it more generic.
Prosser> (Modify)
Have a question on this and on the following three candidates as well. All
of these are part of the file viewer utilities that allow unauthorized
file reading, but MSKB Q231368 also mentioned the diagnostics
program, Winmsdp.exe, as another vulnerable viewer in this same set of
viewers. If we are going to split out the separate viewer tools then
shouldn't there be a separate CAN for Winmsdp.exe also.
Christey> Mike's question basically touches on the CD:SF-EXEC
content decision - what do you do when you have the same bug
in multiple executables? CD:SF-EXEC needs to be reviewed
and approved by the Editorial Board before we can decide
what to do with this candidate.
Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
MSKB:Q231368 may be an error, and that winmsdp.exe is a
Microsoft Diagnostics Report Generator which may not even
be installed as part of IIS.
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey> ADDREF BID:167
URL:http://www.securityfocus.com/vdb/bottom.html?vid=167
Christey> MISC:http://p.ulh.as/xploitsdb/NT/iis38.html covers a showcode.asp
directory traversal vulnerability and refers to the L0pht advisory.
Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0737
Description:
The viewcode.asp sample file in IIS and Site Server
allows remote attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q231656
Votes:
ACCEPT(4) Prosser, Wall, Ozancin, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
Voter Comments:
Frech> XF:iis-samples-viewcode
Cole> I would combine this with the previous.
Prosser> (modify)
See comments in 0736 above
Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.
Christey> Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0738
Description:
The code.asp sample file in IIS and Site Server allows
remote attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Votes:
ACCEPT(4) Prosser, Wall, Ozancin, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
Voter Comments:
Frech> XF:iis-samples-code
Cole> Same as above
Prosser> (modify)
See comments in 0736 above
Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
for additional details.
Christey> Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0739
Description:
The codebrws.asp sample file in IIS and Site Server
allows remote attackers to read arbitrary files.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368
Votes:
ACCEPT(4) Prosser, Wall, Ozancin, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
Voter Comments:
Frech> XF:iis-samples-codebrws
Cole> Same as above.
Prosser> (modify)
See comments in 0736 above
Christey> codebrw2.asp and Codebrw1.asp also need to be included
somewhere.
Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
Christey> Mark Burnett's article is at:
MISC:http://www.securityfocus.com/infocus/1317
Name: CVE-1999-0741
Description:
QMS CrownNet Unix Utilities for 2060 allows root to log
on without a password.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990818 QMS 2060 printer
security hole
Reference: BID:593
Reference:
URL:http://www.securityfocus.com/bid/593
Reference: XF:qms-2060-no-root-password
Votes:
ACCEPT(4) Baker, Frech, Stracener, Levy
NOOP(2) Christey, Oliver
Voter Comments:
Christey> change description - anyone can log on *as* root
Frech> (Note: this XF also cataloged under CVE-1999-0508.)
Name: CVE-1999-0748
Description:
Buffer overflows in Red Hat net-tools package.
Status: Candidate
Phase: Proposed (19991214)
Reference: REDHAT:RHSA-1999:017-01
Votes:
ACCEPT(4) Baker, Cole, Armstrong, Stracener
MODIFY(1) Frech
REJECT(1) Blake
Voter Comments:
Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the
absence of knowing whether or not the problems actually existed, I don't
think we have an entry here.
Frech> XF:redhat-net-tool-bo
Name: CVE-1999-0750
Description:
Hotmail allows Javascript to be executed via the HTML
STYLE tag, allowing remote attackers to execute commands
on the user's Hotmail account.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990913 Hotmail security
vulnerability - injecting JavaScript using 'STYLE' tag
Reference: BID:630
Reference:
URL:http://www.securityfocus.com/bid/630
Votes:
ACCEPT(1) Levy
MODIFY(2) Frech, Stracener
NOOP(1) Baker
Voter Comments:
Stracener> Many sites are vulnerable to this problem. I recommend removing the
explicit references to Hotmail and making the description more generic.
Suggest: Javascript can be injected using the STYLE tag in an HTML
formatted e-mail, allowing remote attackers to execute commands on user
accounts.
Frech> XF:hotmail-html-style-embed
Name: CVE-1999-0757
Description:
The ColdFusion CFCRYPT program for encrypting CFML
templates has weak encryption, allowing attackers to
decrypt the templates.
Status: Candidate
Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-08
Reference:
URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full
Reference: XF:coldfusion-encryption
Reference:
URL:http://xforce.iss.net/static/2208.php
Votes:
ACCEPT(3) Baker, Cole, Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:coldfusion-encryption
Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles
URL:http://www.securityfocus.com/archive/1/19471
Christey> ADDREF BID:275
URL:http://www.securityfocus.com/bid/275
Name: CVE-1999-0767
Description:
Buffer overflow in Solaris libc, ufsrestore, and rcp via
LC_MESSAGES environmental variable.
Status: Candidate
Phase: Proposed (19991214)
Reference: SUN:00189
Votes:
ACCEPT(4) Baker, Cole, Dik, Blake
MODIFY(2) Frech, Stracener
REVIEWING(2) Prosser, Christey
Voter Comments:
Stracener> Add Ref: CIAC: J-069
Frech> XF:sun-libc-lcmessages
Prosser> BID 268 is an additional reference for this one as it has info on the Sun
vulnerability. However, BID 268 also includes AIX in this vulnerability and
refs APARS issued to fix a vulnerability in various 'nixs with the Natural
Language Service environmental variables NSLPATH and PATH_LOCALE depending
on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski
reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
BO in LC_MESSAGES. This should probably be considered under a different
CAN. Any ideas?
Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
and PATH_LOCALE, I'd say that's good evidence that this is not
the same problem. But a buffer overflow in libc in
LC_MESSAGES... We must ask if these are basically the same
codebase.
ADDREF CIAC:J-069
Christey> While the description indicates multiple programs, CD:SF-EXEC
does not apply because the vulnerability was in libc, and
rcp and ufsrestore were both statically linked against libc.
Thus CD:SF-LOC applies, and a single candidate is maintained
because the problem occurred in a library.
Dik> Sun bug 4240566
Christey> I'm consulting with Casper Dik and Troy Bollinger to see if
this should be combined with the AIX buffer overflows for
LC_MESSAGES; current indications are that they should be
split.
Christey> For further consultation, consider this post, though it's
associated with CVE-1999-0041:
BUGTRAQ:19970213 Linux NLSPATH buffer overflow
http://www.securityfocus.com/archive/1/6296
Also add "NLSPATH" and "PATH_LOCALE" to the description to
facilitate search.
Name: CVE-1999-0776
Description:
Alibaba HTTP server allows remote attackers to read
files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (19991214)
Reference: NTBUGTRAQ:19990506 ".."-hole in
Alibaba 2.0
Reference:
URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot
Votes:
ACCEPT(4) Frech, Ozancin, Stracener, Levy
MODIFY(1) Baker
NOOP(6) Wall, Landfield, Cole, Armstrong, Blake, LeBlanc
REVIEWING(1) Christey
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Posted by Arne Vidstrom.
Blake> I'd like to change my vote on this from ACCEPT to NOOP. I did some
digging and the vendor seems to have discontinued the product, so no
information is available beyond Arne's post. Unless Andre has a copy
in his archive and can test it, I think we have to leave it out.
Wall> I agree with Blake. We have not seen the product and it has been discontinued.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> If this is (or was) tested by some tool, we should ACCEPT it.
Baker> http://www.securityfocus.com/bid/270
Christey> BID:270
URL:http://www.securityfocus.com/bid/270
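CVE-1999-0736 through CVE-1999-0739 (the IIS sample viewers) and CVE-1999-0776 (Alibaba) are the same bug class: a file name taken from the request is joined to the document root without checking that the result still lies under that root. The code below is an added example, not the vendors' code or a reconstruction of their fixes; it assumes the traversal arrives as a client-supplied relative path (for the sample viewers, the parameter naming the file to display) and resolves it segment by segment, refusing any ".." that would climb above the root. The document root and the sample requests are made up for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 32
#define OUT_LEN  256

/*
 * Resolve a client-supplied relative path against a document root by
 * walking its segments: "." is dropped, ".." pops the previous segment and
 * is refused when there is nothing left to pop. Returns 0 and writes the
 * resolved path into out, or -1 when the request would escape root or is
 * malformed. Percent-decoding must happen before this is called, or an
 * encoded "%2e%2e" walks straight past the check.
 */
int resolve_under_root(const char *root, const char *req, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int n = 0;
    const char *p = req;

    if (strchr(req, '\\') != NULL)      /* refuse the alternate separator outright */
        return -1;

    while (*p != '\0') {
        while (*p == '/') p++;           /* collapse separators; a leading '/' is ignored */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return -1;       /* climbing above the root */
            n--;
            continue;
        }
        if (n == MAX_SEGS) return -1;
        seg[n] = start;
        seglen[n] = len;
        n++;
    }

    size_t used = strlen(root);
    if (used >= outsz) return -1;
    memcpy(out, root, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + seglen[i] >= outsz) return -1;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}

/* Helpers over a fixed (made-up) document root so results can be checked. */
static const char *DOC_ROOT = "/var/www/htdocs";

int request_escapes(const char *req)
{
    char buf[OUT_LEN];
    return resolve_under_root(DOC_ROOT, req, buf, sizeof buf) != 0;
}

const char *resolved_path(const char *req)
{
    static char buf[OUT_LEN];
    if (resolve_under_root(DOC_ROOT, req, buf, sizeof buf) != 0)
        return NULL;
    return buf;
}

int main(void)
{
    const char *samples[] = {
        "samples/showcode.asp",
        "samples/../../../boot.ini",
        "a/./b/../c.txt",
        "../etc/passwd",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = resolved_path(samples[i]);
        printf("%-28s -> %s\n", samples[i], r ? r : "REJECTED");
    }
    return 0;
}
```

The check is deliberately lexical: it never touches the filesystem, so it is safe to run before any open() and does not follow symlinks. For sample applications like the ones in these candidates the simpler fix is not to ship them on production servers at all.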
Name: CVE-1999-0784
Description:
Denial of service in Oracle TNSLSNR SQL*Net Listener via
a malformed string to the listener port, aka NERP.
Status: Candidate
Phase: Proposed (20010214)
Reference: NTBUGTRAQ:19980827 NERP DoS attack
possible in Oracle
Reference:
URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS
attack possible in Oracle
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(1) Cole
Voter Comments:
Frech> XF:oracle-tnslsnr-dos(1551)
Name: CVE-1999-0792
Description:
ROUTERmate has a default SNMP community name which
allows remote attackers to modify its configuration.
Status: Candidate
Phase: Modified (20000827)
Reference:
MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html
Votes:
ACCEPT(1) Baker
MODIFY(2) Frech, Stracener
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate
Security Advisory
Frech> XF:routermate-snmp-community
Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2
Name: CVE-1999-0795
Description:
The NIS+ rpc.nisd server allows remote attackers to
execute certain RPC calls without authentication to
obtain system information, disable logging, or modify
caches.
Status: Candidate
Phase: Proposed (19991222)
Reference: NAI:NAI-27
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(1) Ozancin
Voter Comments:
Frech> XF:sun-nisplus
Name: CVE-1999-0798
Description:
Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux
systems via a malformed header type.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19981204 bootpd remote
vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
Votes:
ACCEPT(3) Baker, Ozancin, Stracener
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798? CVE-1999-0389
has January 1999 dates associated with it, while CVE-1999-0798
was reported in late December.
http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
SCO appears to have acknowledged this as well:
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
The poster also claims that OpenBSD fixed this as well.
Frech> XF:bootp-remote-bo
Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
CHANGE> [Christey changed vote from REJECT to NOOP]
Christey> What was I thinking? Brian Caswell pointed out that this is
*not* the same bug as CVE-1999-0799. As reported in the
1998 Bugtraq post, the bug is in bootpd.c, and is related
to providing an htype value that is used as an index
into an array, and exceeds the intended boundaries of that
array.
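The last comment above pins down the bug class: a one-byte hardware type (htype) from the BOOTP header is used directly as an index into a fixed-size table. The following is an added example, not bootpd's source: the table's size and contents are assumptions chosen to show the pattern, with the unchecked lookup beside a hardened parser that validates htype (and the hlen that must agree with it) before any indexing. The request packets are constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not bootpd's own code. The table size and its contents
 * are assumptions: what matters is the pattern, a one-byte hardware type
 * taken from the wire and used as an array index.
 */
#define BOOTP_HDR_LEN 44   /* op, htype, hlen, hops, xid, secs, flags, 4 addresses, chaddr */
#define CHADDR_LEN    16
#define HTYPE_MAX      8   /* assumed number of table slots */

static const unsigned char haddr_len_tbl[HTYPE_MAX] = {
    0,  /* 0: not a hardware type */
    6,  /* 1: Ethernet */
    1,  /* 2: experimental Ethernet */
    0, 0, 0,
    6,  /* 6: IEEE 802 */
    1,  /* 7: ARCNET */
};

/* The vulnerable pattern: the wire value selects the slot directly, so any
   htype >= HTYPE_MAX reads past the end of the array. Kept only to show
   the shape of the bug; never call it with an unvalidated value. */
int haddr_len_unchecked(unsigned char htype)
{
    return haddr_len_tbl[htype];
}

/* Hardened lookup: -1 for anything outside the table or not assigned. */
int haddr_len_checked(unsigned char htype)
{
    if (htype >= HTYPE_MAX || haddr_len_tbl[htype] == 0)
        return -1;
    return haddr_len_tbl[htype];
}

/* Validate the fixed part of a BOOTP request: returns the hardware address
   length, or -1 if the packet is short, not a request, carries an unknown
   htype, or an hlen that disagrees with the htype. */
int parse_bootp_request(const unsigned char *pkt, size_t len)
{
    if (len < BOOTP_HDR_LEN || pkt[0] != 1)       /* op 1 = BOOTREQUEST */
        return -1;
    int hlen = haddr_len_checked(pkt[1]);
    if (hlen < 0 || pkt[2] != hlen || hlen > CHADDR_LEN)
        return -1;
    return hlen;
}

/* Constructed request: all-zero fields except op/htype/hlen and a MAC. */
static void build_request(unsigned char *buf, unsigned char htype, unsigned char hlen)
{
    static const unsigned char mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    memset(buf, 0, BOOTP_HDR_LEN);
    buf[0] = 1;
    buf[1] = htype;
    buf[2] = hlen;
    memcpy(buf + 28, mac, sizeof mac);             /* chaddr starts at offset 28 */
}

int check_ethernet_request(void)
{
    unsigned char b[BOOTP_HDR_LEN];
    build_request(b, 1, 6);
    return parse_bootp_request(b, sizeof b);       /* 6 */
}

int check_bogus_htype(void)
{
    unsigned char b[BOOTP_HDR_LEN];
    build_request(b, 200, 6);                      /* htype far past the table */
    return parse_bootp_request(b, sizeof b);       /* -1 */
}

int main(void)
{
    printf("Ethernet request  -> hlen %d\n", check_ethernet_request());
    printf("htype 200 request -> %d (rejected)\n", check_bogus_htype());
    return 0;
}
```

The same review question applies to every table lookup keyed by a header byte: hlen is checked here against both the table and the 16-byte chaddr field, because a server that later copies hlen bytes of hardware address has a second unchecked length to worry about.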
Name: CVE-1999-0805
Description:
Novell NetWare Transaction Tracking System (TTS) in
Novell 4.11 and earlier allows remote attackers to cause
a denial of service via a large number of requests.
Status: Candidate
Phase: Proposed (20010214)
Reference: BUGTRAQ:19990512 DoS with Netware
4.x's TTS
Reference:
URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos
Reference:
URL:http://xforce.iss.net/static/2184.php
Votes:
ACCEPT(2) Baker, Frech
NOOP(2) Cole, Christey
Voter Comments:
Christey> BID:276
URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
Frech> XF:novell-tts-dos
Name: CVE-1999-0808
Description:
Multiple buffer overflows in ISC DHCP Distribution
server (dhcpd) 1.0 and 2.0 allow a remote attacker to
cause a denial of service (crash) and possibly execute
arbitrary commands via long options.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0
SECURITY ALERT! (fwd)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference:
MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz
Votes:
ACCEPT(4) Foat, Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:dhcp-remote-dos(7248)
Name: CVE-1999-0816
Description:
The Motorola CableRouter allows any remote user to
connect to and configure the router on port 1024.
Status: Candidate
Phase: Modified (20000313-01)
Reference: BUGTRAQ:19980510 Security
Vulnerability in Motorola CableRouters
Reference:
URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-default-pass
Votes:
ACCEPT(3) Baker, Cole, Stracener
MODIFY(1) Frech
NOOP(2) LeBlanc, Christey
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Frech> XF:motorola-cable-default-pass
Name: CVE-1999-0818
Description:
Buffer overflow in Solaris kcms_configure via a long
NETPATH environmental variable.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net
Reference: BID:831
Reference: URL:http://www.securityfocus.com/bid/831
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(4) Prosser, Cole, Frech, Dik
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Cole> This can cause code to be executed.
Frech> XF:sol-kcms-conf-netpath-bo
Dik> the bug has nothing to do with kcms_configure; it's a bug
in libnsl.so. All set-uid executables that trigger this code path are
vulnerable. Sun bug 4295834; fixed in Solaris 8.
Prosser> Okay, I am confused. Based on Casper's comments and checking
on the Sun patch site, I found the 4295834 bug (4295834 NETPATH security
problem in libnsl) fixed in SunOS 5.4, Patch 101974-37 (x86) 101973 (sparc).
Multiple libnsl vulnerabilities were first reported in a '98 Sun Bulletin
#00172 for 5.4 up through 2.6. Was this NETPATH a problem that resurfaced
in 7 (looks like in 5.4 as well) and was fixed in 8?
Christey> Need to dig up my offline email on this.
Christey> May be a duplicate of CVE-1999-0321, whose sole reference
(XF:sun-kcms-configure-bo) no longer exists. Also examine
BID:452 and
BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code
Modules Updated)
which are the same as XF:sol-kcms-conf-p-bo(3652), which could
be the new name for XF:sun-kcms-configure-bo.
Name: CVE-1999-0821
Description:
FreeBSD seyon allows local users to gain privileges by
providing a malicious program in the -emulator argument.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Christey
REJECT(1) Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> I would combine this with the previous. To me the general
vulnerabilities are similar; it is just the end result that changes.
Frech> XF:freebsd-seyon-setgid
Christey> ADDREF? CALDERA:CSSA-1999-037.0
Name: CVE-1999-0822
Description:
Buffer overflow in Qpopper (qpop) 3.0 allows remote root
access via AUTH command.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830
Votes:
ACCEPT(4) Baker, Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:qpopper-auth-bo
Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
ADDREF XF:qpopper-auth-bo
Name: CVE-1999-0825
Description:
The default permissions for UnixWare /var/mail allow
local users to read and modify other users' mail.
Status: Candidate
Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849
Votes:
ACCEPT(4) Baker, Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:sco-mail-permissions
Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a
Name: CVE-1999-0827
Description:
By default, Internet Explorer 5.0 and other versions
enables the "Navigate sub-frames across different
domains" option, which allows frame spoofing.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing
Votes:
ACCEPT(4) LeBlanc, Baker, Armstrong, Stracener
MODIFY(2) Cole, Frech
REVIEWING(1) Prosser
Voter Comments:
Cole> The BID is 855. If I have the right vulnerability, this allows an
attacker to access URLs of their choosing, which could lead to a compromise
of private information.
Frech> XF:http-frame-spoof
Question: Similar vulnerability to MS98-020 / CVE-1999-0869?
LeBlanc> MSRC tells me this is patched in MS00-009
Name: CVE-1999-0828
Description:
UnixWare pkg commands such as pkginfo, pkgcat, and
pkgparam allow local users to read arbitrary files via
the dacread permission.
Status: Candidate
Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853
Votes:
ACCEPT(3) Baker, Armstrong, Stracener
MODIFY(2) Cole, Frech
REVIEWING(2) Prosser, Christey
Voter Comments:
Cole> This is BID 850.
Christey> See comments on CVE-1999-0988. Perhaps these two should be
merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a
loosely alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech> XF:sco-pkg-dacread-fileread
Name: CVE-1999-0829
Description:
HP Secure Web Console uses weak encryption.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991201 HP Secure Web Console
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> I could not find details on this using the above references.
Frech> XF:hp-secure-console
Name: CVE-1999-0830
Description:
Buffer overflow in SCO UnixWare Xsco command via a long
argument.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco
Votes:
ACCEPT(3) Baker, Armstrong, Stracener
MODIFY(3) Prosser, Cole, Frech
REVIEWING(1) Christey
Voter Comments:
Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
Frech> XF:sco-unixware-xsco
Christey> Confirmed by vendor, albeit vaguely:
http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
Prosser> agree with Steve on vendor confirmation, however not sure the
fix ref'd in BID 824 (SSE041) is right. It lists fixes for libnsl and
tcpip.so, nothing about xsco. SSE050b
(ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow
in xsco on OpenServer (the vendor message Steve refers to) but not the
UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more
familiar with SCO shed some light on this? Are they the same codebase so fix
would be same? From the SCO site it seems the UnixWare and OpenServer
products are similar but have differences.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> BID:824
http://www.securityfocus.com/bid/824
Name: CVE-1999-0840
Description:
Buffer overflow in CDE dtmail and dtmailpr programs
allows local users to gain privileges via a long -f
option.
Status: Candidate
Phase: Modified (20071022)
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: XF:solaris-dtmail-overflow(3579)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3579
Reference: XF:solaris-dtmailpr-overflow(3580)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3580
Votes:
ACCEPT(4) Baker, Armstrong, Dik, Stracener
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> I went to 1129 and it looks like a reference for a different
vulnerability.
Frech> In the description, should dtmailptr be dtmailpr?
XF:solaris-dtmailpr-overflow
XF:solaris-dtmail-overflow
Dik> sun bug: 4166321
Name: CVE-1999-0841
Description:
Buffer overflow in CDE mailtool allows local users to
gain root privileges via a long MIME Content-Type.
Status: Candidate
Phase: Modified (20071022)
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow
Reference: URL:http://www.security-express.com/archives/bugtraq/1999-q4/0122.html
Reference: MISC:http://www.securiteam.com/exploits/3J5QQPPQ0O.html
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: XF:cde-mailtool-bo(3732)
Reference: URL:http://xforce.iss.net/xforce/xfdb/3732
Votes:
ACCEPT(5) Baker, Cole, Armstrong, Dik, Stracener
MODIFY(1) Frech
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:cde-mailtool-bo
Dik> bug 4163471
(Root access is only possible when mail is sent to root and he
uses dtmail to read it)
Name: CVE-1999-0843
Description:
Denial of service in Cisco routers running NAT via a
PORT command from an FTP client to a Telnet port.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)
Votes:
ACCEPT(3) Cole, Stracener, Balinsky
MODIFY(1) Frech
NOOP(2) Baker, Armstrong
REVIEWING(3) Prosser, Ziese, Christey
Voter Comments:
Frech> XF:cisco-nat-dos
Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
Ziese> After reviewing
http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml
I can not confirm this exists unless it's restructured to
describe a problem against IOS per se; not NAT per se. I am
reviewing this and it may take some time.
CHANGE> [Christey changed vote from NOOP to REVIEWING]
Christey> Not sure if Kevin's suggested reference really describes this
one. However, a followup email by Jim Duncan of Cisco does
acknowledge the problem as discussed in the Bugtraq post:
http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
The original post is:
http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
It could be that the researcher believed that the problem was
NAT, but in fact it wasn't.
I need to follow up with Ziese/Balinsky on this one.
Name: CVE-1999-0844
Description:
Denial of service in MDaemon WorldClient and WebConfig
services via a long URL.
Status: Candidate
Phase: Proposed (19991208)
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(2) Cole, Frech
NOOP(1) Armstrong
RECAST(1) Christey
REVIEWING(1) Prosser
Voter Comments:
Cole> 823 and 820 are two different vulnerabilities and should be
separated out. They are both buffer overflows but accomplish it in a
different fashion and the end exploit is different.
Frech> (RECAST?)
XF:mdaemon-worldclient-dos
XF:mdaemon-webconfig-dos
Recast request: This is really two services exhibiting the same problem.
Christey> as suggested by others.
Also see confirmation at:
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm
Name: CVE-1999-0845
Description:
Buffer overflow in SCO su program allows local users to
gain root access via a long username.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches
Votes:
ACCEPT(4) Prosser, Cole, Armstrong, Stracener
MODIFY(1) Frech
RECAST(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> DUPE CVE-1999-0317?
Frech> XF:sco-su-username-bo
Christey> ADDREF BID:826
CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z
Name: CVE-1999-0846
Description:
Denial of service in MDaemon 2.7 via a large number of
connection attempts.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Votes:
ACCEPT(5) Prosser, Baker, Cole, Armstrong, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:mdaemon-dos
Christey> CVE-1999-0844 is confirmed by MDaemon at
http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there
is no apparent confirmation for this problem, even
though it was posted the same day.
Prosser> Looks like from a follow-on message on Bugtraq from Nobuo
<http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the
DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS
that Nobuo initially reported. Can't find the original message, so may have
been limited distro. Looks like an upgrade to the latest release might be
the final solution here.
Name: CVE-1999-0850
Description:
The default permissions for Endymion MailMan allow local
users to read email or modify files.
Status: Candidate
Phase: Proposed (19991208)
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18
Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Armstrong
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:endymion-mailman-perms
Name: CVE-1999-0852
Description:
IBM WebSphere sets permissions that allow a local user
to modify a deinstallation script or its data files
stored in /usr/bin.
Status: Candidate
Phase: Proposed (19991208)
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation
Votes:
ACCEPT(3) Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:websphere-protect
Name: CVE-1999-0855
Description:
Buffer overflow in FreeBSD gdc program.
Status: Candidate
Phase: Proposed (19991208)
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Votes:
ACCEPT(3) Prosser, Armstrong, Stracener
MODIFY(2) Cole, Frech
NOOP(2) Baker, Christey
Voter Comments:
Cole> The BID is 834 and the reference is 19991201 not 1130.
Frech> XF:freebsd-gdc-bo
Christey> ADDREF BID:780 ?
Name: CVE-1999-0857
Description:
FreeBSD gdc program allows local users to modify files
via a symlink attack.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835
Votes:
ACCEPT(3) Prosser, Armstrong, Stracener
MODIFY(2) Cole, Frech
NOOP(1) Baker
Voter Comments:
Cole> This is via debug output.
Frech> XF:freebsd-gdc
Name: CVE-1999-0860
Description:
Solaris chkperm allows local users to read files owned
by bin via the VMSYS environmental variable and a
symlink attack.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837
Votes:
ACCEPT(2) Armstrong, Stracener
MODIFY(2) Frech, Dik
NOOP(2) Baker, Christey
REJECT(1) Cole
REVIEWING(1) Prosser
Voter Comments:
Cole> This is the same as the previous.
Frech> XF:sol-chkperm-vmsys
Dik> include reference to Sun bug 4296167
Christey> Remove BID:837, which is for arp, not chkperm
Name: CVE-1999-0862
Description:
Insecure directory permissions in RPM distribution for
PostgreSQL allows local users to gain privileges by
reading a plaintext password file.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems
Votes:
ACCEPT(3) Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Prosser
Voter Comments:
Frech> XF:postgresql-insecure-perms
Name: CVE-1999-0863
Description:
Buffer overflow in FreeBSD seyon via HOME environmental
variable, -emulator argument, -modems argument, or the
GUI.
Status: Candidate
Phase: Proposed (19991208)
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Votes:
ACCEPT(4) Prosser, Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Frech> XF:freebsd-seyon-bo
Christey> ADDREF? CALDERA:CSSA-1999-037.0
Christey> May be multiple bugs here, or a single library problem.
CD:SF-LOC needs to be resolved before determining if this
candidate should be SPLIT. Also see CVE-1999-0821.
Name: CVE-1999-0872
Description:
Buffer overflow in Vixie cron allows local users to gain
root access via a long MAILTO environment variable in a
crontab file.
Status: Candidate
Phase: Proposed (19991214)
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: REDHAT:RHSA-1999:030-02
Votes:
MODIFY(2) Cole, Frech
NOOP(1) Baker
REJECT(3) Stracener, Christey, Blake
Voter Comments:
Cole> 611 is the mail to listed above but 759 is for the mail from and
should be listed as a separate vulnerability.
Blake> This does not appear materially different from CVE-1999-0768
Christey> This is an apparent duplicate of CVE-1999-0768.
REDHAT:RHSA-1999:030-02 describes two issues, one of which is
CVE-1999-0768, and the other is CVE-1999-0769.
Stracener> This is a duplicate of candidate CVE-1999-0768.
Frech> XF:cron-sendmail-bo-root
Christey> BID:759 is improperly assigned to this candidate and doesn't
even describe it. It may have been inadvertently copied
from CVE-1999-0873.
Name: CVE-1999-0882
Description:
Falcon web server allows remote attackers to determine
the absolute path of the web root via long file names.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server
Votes:
ACCEPT(3) Baker, Stracener, Blake
MODIFY(1) Frech
NOOP(2) Cole, Armstrong
Voter Comments:
Frech> XF:falcon-server-long-filename
Name: CVE-1999-0885
Description:
Alibaba web server allows remote attackers to execute
commands via a pipe character in a malformed URL.
Status: Candidate
Phase: Modified (20000313-01)
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
Reference: BID:770
Reference: URL:http://www.securityfocus.com/bid/770
Reference: XF:alibaba-url-file-manipulation
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(5) LeBlanc, Cole, Armstrong, Christey, Blake
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Blake> Same as CVE-1999-0776.
Frech> XF:alibaba-url-file-manipulation
Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with
the problems described in:
BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
If so, then ADDREF BID:1485 as well.
Christey> Include the names of the affected CGI's, including tst.bat,
get32.exe, alibaba.pl, etc.
Name: CVE-1999-0910
Description:
Microsoft Site Server and Commercial Internet System
(MCIS) do not set an expiration for a cookie, which
could then be cached by a proxy and inadvertently used
by a different user.
Status: Candidate
Phase: Proposed (19991208)
Reference: MS:MS99-035
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-035.asp
Reference: BID:625
Reference: URL:http://www.securityfocus.com/bid/625
Votes:
ACCEPT(4) Prosser, Wall, Baker, Ozancin
MODIFY(2) Frech, Stracener
REJECT(1) Cole
Voter Comments:
Frech> XF:siteserver-cis-cookie-cache
Cole> Whether cookies are a vulnerability is a debate for another time; the
question here is whether the expiration feature is a vulnerability, and I do
not think it is, because the underlying concerns for this are present even
without this feature. The expiration feature does not add any new
vulnerabilities that are not already present with cookies.
Stracener> Add Ref: MSKB Q238647
Name: CVE-1999-0911
Description:
Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows
remote attackers to gain root access via a series of MKD
and CWD commands that create nested directories.
Status: Candidate
Phase: Modified (20050309)
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: DEBIAN:19990210
Reference: URL:http://www.debian.org/security/1999/19990210
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612
Reference: URL:http://www.securityfocus.com/bid/612
Votes:
ACCEPT(5) Blake, Prosser, Baker, Cole, Stracener
MODIFY(1) Frech
REVIEWING(1) Christey
Voter Comments:
Frech> XF:proftpd-long-dir-bo(3399)
Christey> Not absolutely sure if this isn't the same as Palmetto
(CVE-1999-0368), which describes a similar type of overflow.
NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
Christey> ADDREF CIAC:J-068
Include version numbers; too many wu-ftp/etc. problems
were published in summer/fall 1999
Name: CVE-1999-0913
Description:
dfire.cgi script in Dragon-Fire IDS allows remote users
to execute commands via shell metacharacters.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93383593909438&w=2
Reference: BID:564
Reference: URL:http://www.securityfocus.com/bid/564
Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Frech
NOOP(4) LeBlanc, Baker, Cole, Armstrong
REVIEWING(1) Christey
Voter Comments:
Christey> Some voters should use ABSTAIN.
Frech> XF:dragon-fire-ids-metachar(3834)
CHANGE> [Armstrong changed vote from REVIEWING to NOOP]
Name: CVE-1999-0919
Description:
A memory leak in a Motorola CableRouter allows remote
attackers to conduct a denial of service via a large
number of telnet connections.
Status: Candidate
Phase: Modified (20020226-02)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-crash(2004)
Reference: URL:http://xforce.iss.net/static/2004.php
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(7) LeBlanc, Wall, Landfield, Armstrong, Ozancin, Stracener, Christey
REVIEWING(1) Levy
Voter Comments:
Christey> This candidate is unconfirmed by the vendor.
Frech> XF:motorola-cable-crash
Christey> This has enough votes, but not the "confidence" yet (until we
resolve the question of the amount of verification needed
for CVE).
Name: CVE-1999-0923
Description:
Sample runnable code snippets in ColdFusion Server 4.0
allow remote attackers to read files, conduct a denial
of service, or use the server as a proxy for other HTTP
calls.
Status: Candidate
Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full
Votes:
ACCEPT(2) Baker, Cole
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:coldfusion-source-display(1741)
XF:coldfusion-syntax-checker(1742)
XF:coldfusion-file-existence(1743)
XF:coldfusion-sourcewindow(1744)
Christey> List all affected runnable code snippets to facilitate
search, which may include:
viewexample.cfm (though could that be part of CVE-1999-0922?)
Name: CVE-1999-0925
Description:
UnityMail allows remote attackers to conduct a denial of
service via a large number of MIME headers.
Status: Candidate
Phase: Modified (20020829-01)
Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90486243124867&w=2
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:unitymail-web-dos(1630)
Christey> BID:1760
URL:http://www.securityfocus.com/bid/1760
Christey> Affected version is 2.0
Change date of Bugtraq post - it was 1998.
Name: CVE-1999-0926
Description:
Apache allows remote attackers to conduct a denial of
service via a large number of MIME headers.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Wall, Foat, Christey
Voter Comments:
Christey> BID:1760
URL:http://www.securityfocus.com/bid/1760
Frech> XF:unitymail-web-dos(1630)
Name: CVE-1999-0929
Description:
Novell NetWare with Novell-HTTP-Server or YAWN web
servers allows remote attackers to conduct a denial of
service via a large number of HTTP GET requests.
Status: Candidate
Phase: Interim (19991229)
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS
Votes:
ACCEPT(4) Blake, Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(1) Baker
Voter Comments:
Frech> XF:novell-webserver-dos(2287)
Name: CVE-1999-0941
Description:
Mutt mail client allows a remote attacker to execute
commands via shell metacharacters.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2
Votes:
ACCEPT(1) Stracener
NOOP(2) Baker, Christey
REJECT(1) Frech
REVIEWING(1) Levy
Voter Comments:
Frech> References are vague, but seem to be identical to CVE-1999-0940
(XF:mutt-text-enriched-mime-bo). According to the references, the malformed
messages consist of metacharacters. In addition, -0941's reference and
-0940's SuSE reference both refer to fixes in 1.0pre3 release. Will
reconsider vote if other clearer references are forthcoming.
Christey> Modify to mention that the metachars are in the Content-Type header.
http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2
Name: CVE-1999-0944
Description:
IBM WebSphere ikeyman tool uses weak encryption to store
a password for a key database that is used for SSL
connections.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman
Votes:
ACCEPT(2) Baker, Stracener
MODIFY(1) Frech
NOOP(2) Bollinger, Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:websphere-database-pwd-accessible
Christey> ADDREF BID:1763
URL:http://www.securityfocus.com/bid/1763
Name: CVE-1999-0948
Description:
Buffer overflow in uum program for Canna input system
allows local users to gain root privileges.
Status: Candidate
Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Votes:
ACCEPT(2) Stracener, Levy
MODIFY(1) Frech
NOOP(2) Baker, Christey
Voter Comments:
Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949). If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC
says to split them. However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Frech> XF:canna-uum-bo
Name: CVE-1999-0949
Description:
Buffer overflow in canuum program for Canna input system
allows local users to gain root privileges.
Status: Candidate
Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares
Votes:
ACCEPT(2) Stracener, Levy
MODIFY(1) Frech
NOOP(2) Baker, Christey
Voter Comments:
Christey> CVE-1999-0948 and CVE-1999-0949 are extremely similar.
uum (0948) is exploitable through a different set of options
than canuum (0949). If it's the same generic option parsing
routine used by both programs, then CD:SF-CODEBASE says to
merge them. But if it's not, then CD:SF-LOC and CD:SF-EXEC
says to split them. However, this is a prime example of
how SF-EXEC might be modified - uum and canuum are clearly
part of the same package, so in the absence of clear
information, maybe we should merge them.
Also review BID:758 and BID:757 - may need to change the BID
here.
Frech> XF:canna-uum-bo
Christey> CHANGEREF BID:757 BID:758
Christey> The following page says that canuum is a "Japanese input tty
frontend for Canna using uum," which suggests that it is, at
the least, a different package, so perhaps this should stay SPLIT.
http://wuarchive.wustl.edu/mirrors/NetBSD/NetBSD-current/pkgsrc/inputmethod/canuum/README.html
Name: CVE-1999-0952
Description:
Buffer overflow in Solaris lpstat via class argument
allows local users to gain root access.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91759216618637&w=2
Votes:
ACCEPT(3) Baker, Ozancin, Stracener
MODIFY(2) Frech, Dik
REVIEWING(1) Christey
Voter Comments:
Frech> XF:solaris-lpstat-bo
Christey> It is unclear from Casper Dik's followup whether this is
exploitable or not.
Dik> Sunbug 4129917
(other reports in the same thread suggest that the then current patch did
fix the problem)
Christey> Confirm with Casper Dik that the overflow is in the -c option,
and if so, include it in the description to differentiate
it from the lpstat -n buffer overflow.
Name: CVE-1999-0970
Description:
The OmniHTTPD visadmin.exe program allows a remote
attacker to conduct a denial of service via a malformed
URL which causes a large number of temporary files to be
created.
Status: Candidate
Phase: Modified (20020226-01)
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:http://xforce.iss.net/static/2271.php
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808
Votes:
ACCEPT(3) Blake, Baker, Stracener
MODIFY(1) Frech
NOOP(1) Christey
REVIEWING(1) Levy
Voter Comments:
Frech> XF:omnihttpd-dos
Christey> Some sort of confirmation might be findable at:
http://www.omnicron.ab.ca/httpd/docs/release.html
Christey> See http://www.omnicron.ab.ca/index.html
The August 16, 2000 news item says "This release fixes some
security problems." It's for version 2.07, but the discloser
didn't say what version was available.
Other security fixes are in the release notes at
http://www.omnicron.ab.ca/httpd/docs/release.html Notes for
Professional Version 1.01 say "Patched up two security weaknesses."
Notes for version 2.07 say "Fixes dot-appending vulnerability."
Professional Alpha 7 says "Revamped CGI launching and security,"
Professional Alpha 4 says "Fixed SSI path mapping and security
problems," Alpha 5 says "Security fixup."
In other words, you can't tell whether they've fixed this bug
or not.
Christey> BID:1808
URL:http://www.securityfocus.com/bid/1808
Name: CVE-1999-0983
Description:
Whois Internic Lookup program whois.cgi allows remote
attackers to execute commands via shell metacharacters
in the domain entry.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Votes:
ACCEPT(3) Blake, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
REVIEWING(1) Christey
Voter Comments:
Christey> More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech> XF:whois-internic-shell-meta
Christey> ADDREF BID:2000
Christey> The XF appears to be gone. Perhaps it's this one:
XF:http-cgi-whois-meta(3798)
Name: CVE-1999-0984
Description:
Matt's Whois program whois.cgi allows remote attackers
to execute commands via shell metacharacters in the
domain entry.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REVIEWING(1) Christey
Voter Comments:
Cole> How is this different than the previous?
Christey> More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech> XF:matts-whois-meta
Christey> ADDREF BID:2000
Christey> XF reference is gone. Replace with http-cgi-matts-whois-meta(3799) ?
Name: CVE-1999-0985
Description:
CC Whois program whois.cgi allows remote attackers to
execute commands via shell metacharacters in the domain
entry.
Status: Candidate
Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.
Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REVIEWING(1) Christey
Voter Comments:
Cole> I would combine all of these.
Christey> More examination is required to determine if CVE-1999-0983,
CVE-1999-0984, or CVE-1999-0985 are the same codebase.
Frech> XF:cc-whois-meta
Christey> ADDREF BID:2000
Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
Christey> Replace XF reference with XF:cc-whois-meta(3800) ?
Name: CVE-1999-0988
Description:
UnixWare pkgtrans allows local users to read arbitrary
files via a symlink attack.
Status: Candidate
Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991204 UnixWare pkg* command
exploits
Reference: BUGTRAQ:19991215 Recent postings about
SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security
patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer
Security Status
Votes:
ACCEPT(3) Blake, Baker, Cole
MODIFY(1) Frech
RECAST(1) Stracener
REVIEWING(1) Christey
Voter Comments:
Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
can be used to mount etc/shadow printing attacks as a result of the
"dacread" permission (cf. /etc/security/tcb/privs). The procedural
differences between the individual exploits for each of these utilities
are therefore inconsequential. CVE-1999-0988 should be merged with
CVE-1999-0828. From the standpoint of maintaining consistency of the
level of abstraction used in CVE, the co-existence of CANs
1999-0988/1999-0828 presents two choices: either merge 0988 with 0828, or
split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
very small differences (in principle) between the exploits subsumed by
0828 and 0988 and the shared dacread permissions of the pkg* suite, I
suggest a merge. Below is a summary of the data upon which my decision
was based.
utility      exploit
----------   ----------------------------------
pkgtrans     --> symlink + dacread permission prob
pkginfo      --> truss (debugging utility) in conjunction with pkginfo -d
                 etc/shadow. In this case, it captures the interaction between
                 pkginfo and the shadow file. Once again: dacread.
pkgcat       --> buffer overflow + dacread permission prob
pkginstall   --> buffer overflow + dacread permission prob
pkgparam     --> -f etc/shadow (works because of dacread).
Christey> This is a tough one. While there are few procedural
differences, one could view "assignment of an improper
permission" as a "class" of problems along the lines of
buffer overflows and the like. Just like some programs
were fine until they got turned into CGI scripts, this
could be an emerging pattern which should be given
consideration. Consider the Eyedog and scriptlet.typelib
ActiveX utilities being marked as safe for scripting
(CVE-1999-0668 and 0669).
ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely
alludes to this problem; the README for patch SSE053
effectively confirms it.
Frech> XF:unixware-pkgtrans-symlink
Name: CVE-1999-0990
Description:
Error messages generated by gdm with the VerboseAuth
setting allows an attacker to identify valid users on a
system.
Status: Candidate
Phase: Interim (19991229)
Reference: BUGTRAQ:19991205 gdm thing
Votes:
ACCEPT(3) Blake, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Baker
Voter Comments:
Frech> XF:verbose-auth-identify-user(3804)
Name: CVE-1999-0993
Description:
Modifications to ACLs (Access Control Lists) in
Microsoft Exchange 5.5 do not take effect until the
directory store cache is refreshed.
Status: Candidate
Phase: Proposed (19991222)
Reference: NTBUGTRAQ:19991213 Changing ACL's in
Exchange Server
Votes:
ACCEPT(2) Wall, Stracener
MODIFY(1) Frech
NOOP(2) Baker, Cole
REJECT(1) LeBlanc
Voter Comments:
Frech> XF:exchange-acl-changes(3916)
LeBlanc> Not a vulnerability
Name: CVE-1999-1002
Description:
Netscape Navigator uses weak encryption for storing a
user's Netscape mail password.
Status: Candidate
Phase: Modified (20030619-01)
Reference:
MISC:http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel
(aka "Decoding Netscape Mail passwords")
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password
scrambling
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94570673523998&w=2
Votes:
ACCEPT(4) Baker, Cole, Stracener, Wall
MODIFY(1) Frech
NOOP(1) Christey
Voter Comments:
Frech> XF:netscape-mail-encryption(3921)
Christey> CHANGEREF make the RCA URL a "MISC" reference
Name: CVE-1999-1003
Description:
War FTP Daemon 1.70 allows remote attackers to cause a
denial of service by flooding it with connections.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991214 Local / Remote D.o.S
Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local /
Remote D.o.S Attack in War FTP Daemon 1.70
Votes:
ACCEPT(3) Baker, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:warftp-connection-flood
Name: CVE-1999-1006
Description:
Groupwise web server GWWEB.EXE allows remote attackers
to determine the real path of the web server via the
HELP parameter.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991219 Groupewise Web
Interface
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2
Votes:
ACCEPT(4) Baker, Cole, Stracener, Prosser
MODIFY(1) Frech
NOOP(2) Christey, Wall
Voter Comments:
Frech> XF:groupwise-web-path
Prosser> Pretty well confirmed by testing with responses to BugTraq list.
additional ref: BugTraq ID 879 http://www.securityfocus.com/bid/879
Christey> A later discovery almost 2 years later is at:
BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell
GroupWise Web Access Path Disclosure Vulnerability
http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
CD:SF-LOC might suggest merging these together.
Name: CVE-1999-1009
Description:
The Disney Go Express Search allows remote attackers to
access and modify search information for users by
connecting to an HTTP server on the user's system.
Status: Candidate
Phase: Proposed (19991222)
Reference: BUGTRAQ:19991213 Privacy hole in Go
Express Search
Votes:
ACCEPT(1) Baker
MODIFY(1) Frech
NOOP(4) Cole, Stracener, Balinsky, Wall
Voter Comments:
Frech> XF:disney-search-info(3955)
Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.
Name: CVE-1999-1012
Description:
SMTP component of Lotus Domino 4.6.1 on AS/400, and
possibly other operating systems, allows a remote
attacker to crash the mail server via a long string.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 AS/400
Reference:
URL:http://www.securityfocus.com/archive/1/13527
Reference: BID:173
Reference:
URL:http://www.securityfocus.com/bid/173
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> (Task 1770)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:lotus-domino-smtp-dos(8790)
Name: CVE-1999-1013
Description:
named-xfer in AIX 4.1.5 and 4.2.1 allows members of the
system group to overwrite system files to gain root
access via the -f parameter and a malformed zone file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BID:673
Reference:
URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on
AIX (fwd)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837026726954&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:aix-named-xfer-root-access(3308)
Name: CVE-1999-1015
Description:
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on
MacOS 8.1 and earlier allows a remote attacker to cause
a denial of service (crash) via a long HELO command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 AppleShare IP Mail
Server
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2
Reference: BID:61
Reference:
URL:http://www.securityfocus.com/bid/61
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:smtp-helo-bo(886)
Name: CVE-1999-1016
Description:
Microsoft HTML control as used in (1) Internet Explorer
5.0, (2) FrontPage Express, (3) Outlook Express 5, and
(4) Eudora, and possibly others, allows remote malicious
web site or HTML emails to cause a denial of service
(100% CPU consumption) via large HTML form fields such
as text inputs in a table cell.
Status: Candidate
Phase: Modified (20040811)
Reference: NTBUGTRAQ:19990827 HTML code to crash
IE5 and Outlook Express 5
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93578772920970&w=2
Reference: BID:606
Reference:
URL:http://www.securityfocus.com/bid/606
Votes:
ACCEPT(2) Cole, Wall
MODIFY(1) Frech
NOOP(2) Foat, Christey
Voter Comments:
Frech> XF:ms-html-table-form-dos(3246)
Christey> Add period to the end of the description.
Name: CVE-1999-1017
Description:
Seattle Labs Emurl 2.0, and possibly earlier versions,
stores e-mail attachments in a specific directory with
scripting enabled, which allows a malicious ASP file
attachment to execute when the recipient opens the
message.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL
Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93316253431588&w=2
Reference: BID:544
Reference:
URL:http://www.securityfocus.com/bid/544
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> (Task 2281)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:emurl-attachment-execution(8794)
Name: CVE-1999-1018
Description:
IPChains in Linux kernels 2.2.10 and earlier does not
reassemble IP fragments before checking the header
information, which allows a remote attacker to bypass
the filtering rules using several fragments with 0
offsets.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains
Advisory
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93312523904591&w=2
Reference: BID:543
Reference:
URL:http://www.securityfocus.com/bid/543
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:linux-ipchains-bypass-filter(6516)
Name: CVE-1999-1020
Description:
The installation of Novell Netware NDS 5.99 provides an
unauthenticated client with Read access for the tree,
which allows remote attackers to access sensitive
information such as users, groups, and readable objects
via CX.EXE and NLIST.EXE.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980918 NMRC Advisory -
Default NDS Rights
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90613355902262&w=2
Reference: BID:484
Reference:
URL:http://www.securityfocus.com/bid/484
Reference: XF:novell-nds(1364)
Reference:
URL:http://xforce.iss.net/static/1364.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1022
Description:
serial_ports administrative program in IRIX 4.x and 5.x
trusts the user's PATH environmental variable to find
and execute the ls program, which allows local users to
gain root privileges via a Trojan horse ls program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19941002
Reference:
URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference:
URL:http://xforce.iss.net/static/2111.php
Reference: BID:464
Reference:
URL:http://www.securityfocus.com/bid/464
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Christey
Voter Comments:
Christey> Note: CVE-1999-1310 is a duplicate of this candidate.
CVE-1999-1310 will be REJECTed; this is the proper CAN to use.
CIAC:F-01
URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
SGI:19941001-01-P
URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html
Name: CVE-1999-1023
Description:
useradd in Solaris 7.0 does not properly interpret
certain date formats as specified in the "-e"
(expiration date) argument, which could allow users to
login after their accounts have expired.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990610 Sun Useradd program
expiration date bug
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92904175406756&w=2
Reference: BID:426
Reference:
URL:http://www.securityfocus.com/bid/426
Votes:
ACCEPT(1) Dik
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Dik> sun bug: 4222400
Frech> XF:solaris-useradd-expired-accounts(8375)
CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01,
(7_x86) 110870-01
Name: CVE-1999-1024
Description:
ip_print procedure in Tcpdump 3.4a allows remote
attackers to cause a denial of service via a packet with
a zero length header, which causes an infinite loop and
core dump when tcpdump prints the packet.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug?
(final)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92989907627051&w=2
Reference: BID:313
Reference:
URL:http://www.securityfocus.com/bid/313
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:tcpdump-ipprint-dos(8373)
Name: CVE-1999-1025
Description:
CDE screen lock program (screenlock) on Solaris 2.6 does
not properly lock an unprivileged user's console session
when the host is an NIS+ client, which allows others
with physical access to login with any string.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981012 Annoying
Solaris/CDE/NIS+ bug
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference:
URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20
Reference: BID:294
Reference:
URL:http://www.securityfocus.com/bid/294
Votes:
ACCEPT(4) Foat, Cole, Dik, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:solaris-cde-nisplus-lock(7473)
Dik> sun bug: 4115685
Name: CVE-1999-1026
Description:
aspppd on Solaris 2.5 x86 allows local users to modify
arbitrary files and gain root privileges via a symlink
attack on the /tmp/.asppp.fifo file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961220 Solaris 2.5 x86
aspppd (semi-exploitable-hole)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420343&w=2
Reference: BID:292
Reference:
URL:http://www.securityfocus.com/bid/292
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> XF:sun-aspppd-tmp-symlink(7173)
Name: CVE-1999-1029
Description:
SSH server (sshd2) before 2.0.12 does not properly
record login attempts if the connection is closed before
the maximum number of tries, allowing a remote attacker
to guess the password without showing up in the audit
logs.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers
Team warns for SSHD 2.x brute force password hacking
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004280&w=2
Reference: BID:277
Reference:
URL:http://www.securityfocus.com/bid/277
Reference: XF:ssh2-bruteforce(2193)
Reference:
URL:http://xforce.iss.net/static/2193.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1030
Description:
counter.exe 2.70 allows a remote attacker to cause a
denial of service (hang) via an HTTP request that ends
in %0A (newline), which causes a malformed entry in the
counter log that produces an access violation.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in
Counter.exe version 2.70
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service
in Counter.exe version 2.70
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference:
URL:http://www.securityfocus.com/bid/267
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:http-cgi-counter-long(2196)
Name: CVE-1999-1031
Description:
counter.exe 2.70 allows a remote attacker to cause a
denial of service (hang) via a long argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in
Counter.exe version 2.70
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service
in Counter.exe version 2.70
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference:
URL:http://www.securityfocus.com/bid/267
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:http-cgi-counter-long(2196)
Name: CVE-1999-1033
Description:
Microsoft Outlook Express before 4.72.3612.1700 allows a
malicious user to send a message that contains a ..,
which can inadvertently cause Outlook to re-enter POP3
command mode and cause the POP3 session to hang.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990511 Outlook Express Win98
bug
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98
bug, addition.
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004275&w=2
Reference: BID:252
Reference:
URL:http://www.securityfocus.com/bid/252
Votes:
ACCEPT(2) Cole, Wall
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> (Task 2241)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:outlook-pop3-dot-dos(8926)
Name: CVE-1999-1036
Description:
COPS 1.04 allows local users to overwrite or create
arbitrary files via a symlink attack on temporary files
in (1) res_diff, (2) ca.src, and (3) mail.chk.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in
satan, cops & tiger
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2
Votes:
ACCEPT(1) Foat
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:cops-temp-file-symlink(7325)
Name: CVE-1999-1038
Description:
Tiger 2.2.3 allows local users to overwrite arbitrary
files via a symlink attack on various temporary files in
Tiger's default working directory, as defined by the
WORKDIR variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in
satan, cops & tiger
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2
Votes:
ACCEPT(1) Foat
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:tiger-workdir-symlink(7326)
Name: CVE-1999-1039
Description:
Vulnerability in (1) diskalign and (2) diskperf in IRIX
6.4 patches 2291 and 2848 allow a local user to create
root-owned files leading to a root compromise.
Status: Candidate
Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030
Votes:
ACCEPT(3) Foat, Cole, Stracener
REJECT(1) Frech
Name: CVE-1999-1040
Description:
Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare
Client 1.0 on IRIX 6.3 and 6.4 allows local users to
gain root access via a modified IFS environmental
variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security
issue
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: SGI:19980501-01-P
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869
Reference: CIAC:I-055
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml
Votes:
ACCEPT(3) Foat, Cole, Stracener
NOOP(1) Christey
REJECT(1) Frech
Voter Comments:
Christey> This candidate and CVE-1999-1501 are duplicates. However,
CVE-1999-1501 will be REJECTed in favor of this candidate.
Add the following references:
BID:70
URL:http://www.securityfocus.com/bid/70
BID:71
URL:http://www.securityfocus.com/bid/71
XF:irix-ipxchk-ipxlink-ifs-commands(7365)
URL:http://xforce.iss.net/static/7365.php
Name: CVE-1999-1041
Description:
Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO
UNIX 3.2v4 allows a local user to gain root access via
(1) a long TERM environmental variable and (2) a long
entry in the .mscreenrc file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference:
URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO
OpenServer.
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: SCO:SB-98.05a
Reference:
URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a
Reference: CERT:VB-98.10
Reference:
URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen
Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:sco-openserver-mscreen-bo(1379)
Christey> Possible dupe with CVE-1999-1185.
Name: CVE-1999-1042
Description:
Cisco Resource Manager (CRM) 1.0 and 1.1 creates
world-readable log files and temporary files, which may
expose sensitive information, to local users such as
user IDs, passwords and SNMP community strings.
Status: Candidate
Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File
Vulnerability
Reference:
URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REJECT(3) Armstrong, Balinsky, Christey
Voter Comments:
Frech> XF:cisco-crm-file-vuln(1575)
Armstrong> I think that this is the same as Can-1999-1126
Balinsky> This is the same as CVE-1999-1126. Merge them.
Christey> DUPE CVE-1999-1126, as noted by others.
This candidate will be rejected. CVE-1999-1126 will be
promoted.
Name: CVE-1999-1043
Description:
Microsoft Exchange Server 5.5 and 5.0 does not properly
handle (1) malformed NNTP data, or (2) malformed SMTP
data, which allows remote attackers to cause a denial of
service (application error).
Status: Candidate
Phase: Proposed (20010912)
Reference: MS:MS98-007
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Votes:
ACCEPT(3) Foat, Cole, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:exchange-dos(1223)
Name: CVE-1999-1046
Description:
Buffer overflow in IMonitor in IMail 5.0 allows remote
attackers to cause a denial of service, and possibly
execute arbitrary commands, via a long string to port
8181.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990302 Multiple IMail
Vulnerabilites
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:504
Reference:
URL:http://www.securityfocus.com/bid/504
Reference: XF:imail-imonitor-overflow(1897)
Reference:
URL:http://xforce.iss.net/static/1897.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1049
Description:
ARCserve NT agents use weak encryption (XOR) for
passwords, which allows remote attackers to sniff the
authentication request to port 6050 and decrypt the
password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990222 Severe Security Hole
in ARCserve NT agents (fwd)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91972006211238&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:arcserve-agent-passwords(1822)
Name: CVE-1999-1050
Description:
Directory traversal vulnerability in Matt Wright
FormHandler.cgi script allows remote attackers to read
arbitrary files via (1) a .. (dot dot) in the
reply_message_attach attachment parameter, or (2) by
specifying the filename as a template.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991112 FormHandler.cgi
Reference:
URL:http://www.securityfocus.com/archive/1/34600
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference:
URL:http://www.securityfocus.com/archive/1/34939
Reference: BID:798
Reference:
URL:http://www.securityfocus.com/bid/798
Reference: BID:799
Reference:
URL:http://www.securityfocus.com/bid/799
Reference: XF:formhandler-cgi-absolute-path(3550)
Reference:
URL:http://xforce.iss.net/static/3550.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> Abstraction and definition issue: CD:SF-LOC suggests combining
issues of the same type. Some people refer to "directory
traversal" and just mean .. problems; but there are other
issues (specifying an absolute pathname, using C: drive
letters, doing encodings) that, to my way of thinking, are
"different." Perhaps this should be split.
My brain hurts too much right now. There are a couple
problems with the references and descriptions of CVE-1999-1050
and CVE-1999-1051. I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.
Name: CVE-1999-1051
Description:
Default configuration in Matt Wright FormHandler.cgi
script allows arbitrary directories to be used for
attachments, and only restricts access to the /etc/
directory, which allows remote attackers to read
arbitrary files via the reply_message_attach attachment
parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference:
URL:http://www.securityfocus.com/archive/1/34939
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Frech> XF:formhandler-cgi-reply-message(7782)
Christey> I view one of these as a configuration issue: FormHandler.cgi
*could* be configured to limit hard-coded pathnames to a single
directory which, while being an information leak, would still be
"reasonably secure." But by default, it's just not configured that
way.
My brain hurts too much right now. There are a couple
problems with the references and descriptions of CVE-1999-1050
and CVE-1999-1051. I'm interpreting the underlying nature
of the problem(s) a little differently than others are.
Some of it may be due to differing definitions or thoughts
about what "directory traversal vulnerabilities" are.
Name: CVE-1999-1052
Description:
Microsoft FrontPage stores form results in a default
location in /_private/form_results.txt, which is
world-readable and accessible in the document root,
which allows remote attackers to read possibly sensitive
information submitted by other users.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990824 Front Page
form_results
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582550911564&w=2
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:frontpage-formresults-world-readable(8362)
Name: CVE-1999-1053
Description:
guestbook.pl cleanses user-inserted SSI commands by
removing text between "<!--" and "-->" separators, which
allows remote attackers to execute arbitrary commands
when guestbook.pl is run on Apache 1.3.9 and possibly
other versions, since Apache allows other closing
sequences besides "-->".
Status: Candidate
Phase: Proposed (20010912)
Reference: VULN-DEV:19990913 Guestbook perl
script (long)
Reference:
URL:http://www.securityfocus.com/archive/82/27296
Reference: VULN-DEV:19990916 Re: Guestbook perl
script (error fix)
Reference:
URL:http://www.securityfocus.com/archive/82/27560
Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy
SSI handling in Apache? (VD#2)
Reference:
URL:http://www.securityfocus.com/archive/1/33674
Reference: BID:776
Reference:
URL:http://www.securityfocus.com/bid/776
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:guestbook-cgi-command-execution(7783)
Name: CVE-1999-1054
Description:
The default configuration of FLEXlm license manager
6.0d, and possibly other versions, allows remote
attackers to shut down the server via the lmdown
command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980925 Globetrotter FlexLM
'lmdown' bogosity
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90675672323825&w=2
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1056
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-1999-1395. Reason: This candidate is a
duplicate of CVE-1999-1395. Notes: All CVE users should
reference CVE-1999-1395 instead of this candidate. All
references and descriptions in this candidate have been
removed to prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
NOOP(1) Wall
REJECT(1) Christey
Voter Comments:
Frech> XF:vms-monitor-gain-privileges(7136)
Christey> DUPE CVE-1999-1395
This CAN is being rejected in favor of CVE-1999-1395 because
CVE-1999-1395 has more references.
Name: CVE-1999-1058
Description:
Buffer overflow in Vermillion FTP Daemon VFTPD 1.23
allows remote attackers to cause a denial of service,
and possibly execute arbitrary commands, via several
long CWD commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991122 Remote DoS Attack
in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94337185023159&w=2
Reference: BUGTRAQ:19991122 Remote DoS Attack in
Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94329968617085&w=2
Reference: XF:vermillion-ftp-cwd-overflow(3543)
Reference:
URL:http://xforce.iss.net/static/3543.php
Reference: BID:818
Reference:
URL:http://www.securityfocus.com/bid/818
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1060
Description:
Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows
remote attackers to cause a denial of service and
possibly execute arbitrary commands by connecting to
port 31457 from a host with a long DNS hostname.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is
Vulnerable
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2
Reference: BID:340
Reference:
URL:http://www.securityfocus.com/bid/340
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:tetrinet-dns-hostname-bo(7500)
Name: CVE-1999-1061
Description:
HP Laserjet printers with JetDirect cards, when
configured with TCP/IP, can be configured without a
password, which allows remote attackers to connect to
the printer and change its IP address or disable
logging.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus
DirectJet Problem
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference:
URL:http://xforce.iss.net/static/1876.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Voter Comments:
Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl02914.html
Name: CVE-1999-1062
Description:
HP Laserjet printers with JetDirect cards, when
configured with TCP/IP, allow remote attackers to bypass
print filters by directly sending PostScript documents
to TCP ports 9099 and 9100.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus
DirectJet Problem
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference:
URL:http://xforce.iss.net/static/1876.php
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(1) Foat
Voter Comments:
Frech> DELREF:XF:laserjet-unpassworded(1876)
ADDREF:XF:hp-printer-flood(1818)
Name: CVE-1999-1063
Description:
CDomain whois_raw.cgi whois CGI script allows remote
attackers to execute arbitrary commands via shell
metacharacters in the fqdn parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990601 whois_raw.cgi problem
Reference:
URL:http://www.securityfocus.com/archive/1/14019
Reference: BID:304
Reference:
URL:http://www.securityfocus.com/bid/304
Reference: XF:http-cgi-cdomain(2251)
Reference:
URL:http://xforce.iss.net/static/2251.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1064
Description:
Multiple buffer overflows in WindowMaker 0.52 through
0.60.0 allow attackers to cause a denial of service and
possibly execute arbitrary commands by executing
WindowMaker with a long program name (argv[0]).
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990822
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93555317429630&w=2
Reference: BUGTRAQ:19990824 Re: WindowMaker bugs
(was sub:none )
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582070508957&w=2
Reference: BID:596
Reference:
URL:http://www.securityfocus.com/bid/596
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:windowmaker-bo(3249)
Name: CVE-1999-1065
Description:
Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows
remote attackers to cause a denial of service, and
possibly execute arbitrary commands, via a long string
to port 14238 while the manager is in network mode.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 Palm Hotsync
vulnerable to DoS attack
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94175465525422&w=2
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:palm-hotsync-bo(7785)
Name: CVE-1999-1066
Description:
Quake 1 server responds to an initial UDP game
connection request with a large amount of traffic, which
allows remote attackers to use the server as an
amplifier in a "Smurf" style attack on another host, by
spoofing the connection request.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991222 Quake "smurf" - Quake
War Utils
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94589559631535&w=2
Votes:
MODIFY(1) Frech
NOOP(4) Foat, Cole, Christey, Wall
Voter Comments:
Christey> This is apparently a problem with the connection protocol.
See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
Frech> XF:quake-udp-connection-dos(7862)
Name: CVE-1999-1067
Description:
SGI MachineInfo CGI program, installed by default on
some web servers, prints potentially sensitive system
status information, which could be used by remote
attackers for information gathering activities.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Re: SGI Security
Advisory 19970501-01-A - Vulnerability in webdist.cgi
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420919&w=2
Reference: XF:sgi-machineinfo
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> I'd be a lot more confident in this vote if there was a more
concrete reference strongly associating webdist.cgi and machineinfo.
Name: CVE-1999-1068
Description:
Oracle Webserver 2.1, when serving PL/SQL stored
procedures, allows remote attackers to cause a denial of
service via a long HTTP GET request.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970723 DoS against Oracle
Webserver 2.1 with PL/SQL stored procedures
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419366&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:oracle-webserver-dos(1812)
Name: CVE-1999-1069
Description:
Directory traversal vulnerability in carbo.dll in iCat
Carbo Server 3.0.0 allows remote attackers to read
arbitrary files via a .. (dot dot) in the icatcommand
parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971108 Security bug in iCat
Suite version 3.0
Reference:
URL:http://www.securityfocus.com/archive/1/7943
Reference: BID:2126
Reference:
URL:http://www.securityfocus.com/bid/2126
Reference: XF:icat-carbo-server-vuln(1620)
Reference:
URL:http://xforce.iss.net/static/1620.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Voter Comments:
Frech> iCat's site at http://www.icat.com/ is shut down, and no
further support seems to be available.
Name: CVE-1999-1070
Description:
Buffer overflow in ping CGI program in Xylogics Annex
terminal service allows remote attackers to cause a
denial of service via a long query parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980725 Annex DoS
Reference:
URL:http://www.securityfocus.com/archive/1/10021
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:annex-ping-crash(2090)
Name: CVE-1999-1071
Description:
Excite for Web Servers (EWS) 1.1 installs the
Architext.conf authentication file with world-writeable
permissions, which allows local users to gain access to
Excite accounts by modifying the file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in
Excite for Web Servers 1.1
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Reference: XF:excite-world-write(1417)
Reference:
URL:http://xforce.iss.net/static/1417.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1072
Description:
Excite for Web Servers (EWS) 1.1 allows local users to
gain privileges by obtaining the encrypted password from
the world-readable Architext.conf authentication file
and replaying the encrypted password in an HTTP request
to AT-generated.cgi or AT-admin.cgi.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in
Excite for Web Servers 1.1
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Votes:
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1073
Description:
Excite for Web Servers (EWS) 1.1 records the first two
characters of a plaintext password in the beginning of
the encrypted password, which makes it easier for an
attacker to guess passwords via a brute force or
dictionary attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in
Excite for Web Servers 1.1
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Votes:
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1075
Description:
inetd in AIX 4.1.5 dynamically assigns a port N when
starting ttdbserver (ToolTalk server), but also
inadvertently listens on port N-1 without passing
control to ttdbserver, which allows remote attackers to
cause a denial of service via a large number of
connections to port N-1, which are not properly closed
by inetd.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack
(aka "Port 1025 problem")
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89025820612530&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:aix-ttdbserver(813)
CONFIRM:APAR IX70400
Name: CVE-1999-1076
Description:
Idle locking function in MacOS 9 allows local users to
bypass the password protection of idled sessions by
selecting the "Log Out" option and selecting a "Cancel"
option in the dialog box for an application that
attempts to verify that the user wants to log out, which
returns the attacker into the locked session.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock
Bug
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94096348604173&w=2
Reference: BID:745
Reference:
URL:http://www.securityfocus.com/bid/745
Votes:
ACCEPT(2) Foat, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:macos-idle-screenlock-bypass(7794)
Name: CVE-1999-1077
Description:
Idle locking function in MacOS 9 allows local attackers
to bypass the password protection of idled sessions via
the programmer's switch or CMD-PWR keyboard sequence,
which brings up a debugger that the attacker can use to
disable the lock.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle
Lock Bug
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94149318124548&w=2
Reference: BID:756
Reference:
URL:http://www.securityfocus.com/bid/756
Votes:
ACCEPT(2) Foat, Cole
MODIFY(1) Frech
NOOP(1) Wall
Voter Comments:
Frech> XF:macos-debug-screenlock-access(3426)
Name: CVE-1999-1078
Description:
WS_FTP Pro 6.0 uses weak encryption for passwords in its
initialization files, which allows remote attackers to
easily decrypt the passwords and gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak
Password Encryption Vulnerability
Reference:
URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P
Reference: BID:547
Reference:
URL:http://www.securityfocus.com/bid/547
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:wsftp-weak-password-encryption(8349)
Name: CVE-1999-1079
Description:
Vulnerability in ptrace in AIX 4.3 allows local users to
gain privileges by attaching to a setgid program.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990506 AIX Security Fixes
Update
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2
Reference: AIXAPAR:IX80470
Reference:
URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference:
URL:http://www.securityfocus.com/bid/439
Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:aix-ptrace-setgid(7487)
Name: CVE-1999-1081
Description:
Vulnerability in files.pl script in Novell WebServer
Examples Toolkit 2 allows remote attackers to read
arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87
Reference:
MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
Reference: XF:http-nov-files(2054)
Reference:
URL:http://xforce.iss.net/static/2054.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(1) Foat
Name: CVE-1999-1082
Description:
Directory traversal vulnerability in Jana proxy web
server 1.40 allows remote attackers to read arbitrary
files via a "......" (modified dot dot) attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991008 Jana webserver
exploit
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941794201059&w=2
Reference: BID:699
Reference:
URL:http://www.securityfocus.com/bid/699
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:jana-server-directory-traversal(6513)
Name: CVE-1999-1083
Description:
Directory traversal vulnerability in Jana proxy web
server 1.45 allows remote attackers to read arbitrary
files via a .. (dot dot) attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:20000502 Security Bug in Jana
HTTP Server
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95730430727064&w=2
Reference: BID:699
Reference:
URL:http://www.securityfocus.com/bid/699
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(3) Foat, Christey, Wall
Voter Comments:
Frech> XF:jana-server-directory-traversal(6513)
Christey> MODIFY description - the attack is of the form "/./../"
(single dot followed by double-dot)
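Worked example (added here; not code from the advisories, from Jana or from iCat): the three traversal entries above, CVE-1999-1069 (".." in the icatcommand parameter), CVE-1999-1082 ("......") and CVE-1999-1083 ("/./../", per Christey's note), all defeat filters that look for one literal spelling of dot-dot. The Python below contrasts a hypothetical weak filter that inspects only the leading path component with a canonicalize-then-contain check. The document root, the request paths and the weak filter's logic are constructed for the example and are not the servers' actual code.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the example.
DOCROOT = "/srv/www/htdocs"


def naive_leading_component_check(url_path):
    """Hypothetical weak filter (not the real Jana or Carbo logic):
    accepts the request unless its FIRST path component is literally
    '..'.  '/./../x' and '%2e%2e/x' both slip past it."""
    first = url_path.lstrip("/").split("/", 1)[0]
    return first != ".."


def resolve_under_docroot(url_path, docroot=DOCROOT):
    """Hardened resolution: percent-decode, unify separators,
    canonicalize with posixpath.normpath, then require the result to
    remain inside docroot.  Returns the filesystem path, or None when
    the request would escape the document root."""
    root = posixpath.normpath(docroot)
    decoded = unquote(url_path).replace("\\", "/")   # Windows servers accept '\'
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed request paths (not taken from the advisories).
SAMPLES = [
    "/index.html",                 # ordinary request
    "/../../../etc/passwd",        # plain dot-dot, CVE-1999-1069 style
    "/./../../etc/passwd",         # single dot then dot-dot, CVE-1999-1083
    "/%2e%2e/%2e%2e/etc/passwd",   # percent-encoded dot-dot
    "/..\\..\\windows\\win.ini",   # backslash separators
    "/......//index.html",         # '......' is a literal name to a correct resolver
]


def audit(samples=SAMPLES, docroot=DOCROOT):
    """Map each request to (weak filter accepts?, hardened result)."""
    return {
        p: (naive_leading_component_check(p), resolve_under_docroot(p, docroot))
        for p in samples
    }


if __name__ == "__main__":
    for path, (weak_ok, resolved) in audit().items():
        print(f"{path:32} weak={'pass' if weak_ok else 'block':5} hardened={resolved}")
```

The weak filter blocks only the plain "/../" form; the other spellings reach the filesystem. The hardened resolver never needs to know which dot sequence a given server collapses: it decodes, normalizes and then checks containment, so "......" is simply a directory name below the document root and every variant that would climb out of it is refused.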
Name: CVE-1999-1084
Description:
The "AEDebug" registry key is installed with insecure
permissions, which allows local users to modify the key
to specify a Trojan Horse debugger which is
automatically executed on a system crash.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980622 Yet another "get
yourself admin rights exploit":
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2
Reference: MSKB:Q103861
Reference:
URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Reference: MS:MS00-008
Reference:
URL:http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Reference: CIAC:K-029
Reference:
URL:http://www.ciac.org/ciac/bulletins/k-029.shtml
Reference: BID:1044
Reference:
URL:http://www.securityfocus.com/bid/1044
Votes:
ACCEPT(3) Foat, Cole, Wall
MODIFY(1) Frech
Voter Comments:
Frech> XF:nt-registry-permissions(4111)
Name: CVE-1999-1086
Description:
Novell 5 and earlier, when running over IPX with a
packet signature level less than 3, allows remote
attackers to gain administrator privileges by spoofing
the MAC address in IPC fragmented packets that make
NetWare Core Protocol (NCP) calls.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990715 NMRC Advisory:
Netware 5 Client Hijacking
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93214475111651&w=2
Reference: BID:528
Reference:
URL:http://www.securityfocus.com/bid/528
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:netware-ipx-session-spoof(2350)
Name: CVE-1999-1088
Description:
Vulnerability in chsh command in HP-UX 9.X through 10.20
allows local users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9701-050
Reference: CIAC:H-21
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: XF:hp-chsh(2012)
Reference:
URL:http://xforce.iss.net/static/2012.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1089
Description:
Buffer overflow in chfn command in HP-UX 9.X through
10.20 allows local users to gain privileges via a long
command line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961209 the HP Bug of the
Week!
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420285&w=2
Reference: HP:HPSBUX9701-049
Reference: CIAC:H-21
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-16
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml
Reference: AUSCERT:AA-96.18
Reference: XF:hp-chfn(2008)
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1091
Description:
UNIX news readers tin and rtin create the /tmp/.tin_log
file with insecure permissions and follow symlinks,
which allows attackers to modify the permissions of
files writable by the user via a symlink attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960903 [BUG] Vulnerability
in TIN
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419835&w=2
Reference: BUGTRAQ:19960903 Re: BoS: [BUG]
Vulnerability in TIN
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419839&w=2
Reference: BUGTRAQ:19970329 symlink bug in
tin/rtin
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420726&w=2
Reference: XF:tin-tmpfile(431)
Reference:
URL:http://xforce.iss.net/static/431.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1092
Description:
tin 1.40 creates the .tin directory with insecure
permissions, which allows local users to read passwords
from the .inputhistory file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 default permissions
for tin
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286179032648&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:tin-insecure-permissions(7796)
Confirmed in changelog for 1.4.1
http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES
Name: CVE-1999-1095
Description:
sort creates temporary files and follows symbolic links,
which allows local users to modify arbitrary files that
are writable by the user running sort, as observed in
updatedb and other programs that use sort.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3:
updatedb / crontabs
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch
Reference: BUGTRAQ:19980302 overwrite any file
with updatedb
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88886870129518&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Christey
Voter Comments:
Frech> XF:sort-tmp-file-symlink(7182)
Christey> This issue clearly has a long history.
CALDERA:CSSA-2002-SCO.21
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
CALDERA:CSSA-2002-SCO.2
URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
(There are 2 Caldera advisories because one is for Open UNIX
and UnixWare, and the other is for OpenServer)
XF:openserver-sort-symlink(9218)
URL:http://www.iss.net/security_center/static/9218.php
Name: CVE-1999-1096
Description:
Buffer overflow in kscreensaver in KDE klock allows
local users to gain root privileges via a long HOME
environment variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980516 kde exploit
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit
fix
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference:
URL:http://xforce.iss.net/static/1644.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1097
Description:
Microsoft NetMeeting 2.1 allows one client to read the
contents of another client's clipboard via a CTRL-C in
the chat box when the box is empty.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 Microsoft Netmeeting
Hole
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference:
URL:http://xforce.iss.net/static/2187.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1101
Description:
Kabsoftware Lydia utility uses weak encryption to store
user passwords in the lydia.ini file, which allows local
users to easily decrypt the passwords and gain
privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Yet Another password
storing problem (was: Re: Possible Netscape Crypto
Security Flaw)
Reference:
URL:http://www.securityfocus.com/archive/1/12618
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:lydia-ini-passwords(7501)
ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version
History for Lydia, V3.3 - 11/24/00)
Name: CVE-1999-1106
Description:
Buffer overflow in kppp in KDE allows local users to
gain root access via a long -c (account_name) command
line argument.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference:
URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference:
URL:http://xforce.iss.net/static/1643.php
Reference: BID:92
Reference:
URL:http://www.securityfocus.com/bid/92
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1107
Description:
Buffer overflow in kppp in KDE allows local users to
gain root access via a long PATH environment variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security
vulnerabilities (root compromise)
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference:
URL:http://xforce.iss.net/static/1650.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1108
Description:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.
ConsultIDs: CVE-1999-1107. Reason: This candidate is a
duplicate of CVE-1999-1107. Notes: All CVE users should
reference CVE-1999-1107 instead of this candidate. All
references and descriptions in this candidate have been
removed to prevent accidental usage.
Status: Candidate
Phase: Modified (20050204)
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
REJECT(2) Frech, Christey
Voter Comments:
Frech> Has exactly the same attributes as CVE-1999-1107.
Christey> DUPE CVE-1999-1107.
Name: CVE-1999-1110
Description:
Windows Media Player ActiveX object as used in Internet
Explorer 5.0 returns a specific error code when a file
does not exist, which allows remote malicious web sites
to determine the existence of files on the client.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991114 IE 5.0 and Windows
Media Player ActiveX object allow checking the existence
of local files and directories
Reference:
URL:http://www.securityfocus.com/archive/1/34675
Reference: BID:793
Reference:
URL:http://www.securityfocus.com/bid/793
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:ie-mediaplayer-activex(7800)
Name: CVE-1999-1112
Description:
Buffer overflow in IrfanView32 3.07 and earlier allows
attackers to execute arbitrary commands via a long
string after the "8BPS" image type in a Photoshop image
header.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991109 Irfan view 3.07
buffer overflow
Reference:
URL:http://www.securityfocus.com/archive/1/34066
Reference:
MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference:
URL:http://xforce.iss.net/static/3549.php
Reference: BID:781
Reference:
URL:http://www.securityfocus.com/bid/781
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1113
Description:
Buffer overflow in Eudora Internet Mail Server (EIMS)
2.01 and earlier on MacOS systems allows remote
attackers to cause a denial of service via a long USER
command to port 106.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980414 MacOS based buffer
overflows...
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89258194718577&w=2
Reference: BID:75
Reference:
URL:http://www.securityfocus.com/bid/75
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:eudora-ims-user-dos(7300)
Name: CVE-1999-1123
Description:
The installation of Sun Source (sunsrc) tapes allows
local users to gain root privileges via setuid root
programs (1) makeinstall or (2) winstall.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-07
Reference:
URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference:
URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: BID:21
Reference:
URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference:
URL:http://www.securityfocus.com/bid/22
Reference: XF:sun-sourcetapes(582)
Reference:
URL:http://xforce.iss.net/static/582.php
Votes:
ACCEPT(5) Foat, Cole, Frech, Dik, Stracener
NOOP(1) Wall
Voter Comments:
Dik> sun bug: 1059621
Name: CVE-1999-1124
Description:
HTTP Client application in ColdFusion allows remote
attackers to bypass access restrictions for web pages on
other ports by providing the target page to the
mainframeset.cfm application, which requests the page
from the server, making it look like the request is
coming from the local host.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08
Votes:
ACCEPT(2) Cole, Wall
NOOP(1) Foat
Name: CVE-1999-1125
Description:
Oracle Webserver 2.1 and earlier runs setuid root, but
the configuration file is owned by the oracle account,
which allows any local or remote attacker who obtains
access to the oracle account to gain privileges or
modify arbitrary files by modifying the configuration
file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970919 Instresting practises
of Oracle [Oracle Webserver]
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019796&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:oracle-webserver-gain-root(7174)
Name: CVE-1999-1126
Description:
Cisco Resource Manager (CRM) 1.1 and earlier creates
certain files with insecure permissions that allow local
users to obtain sensitive configuration information
including usernames, passwords, and SNMP community
strings, from (1) swim_swd.log, (2) swim_debug.log, (3)
dbi_debug.log, and (4) temporary files whose names begin
with "DPR_".
Status: Candidate
Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File
Vulnerability
Reference:
URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: CIAC:I-086
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference:
URL:http://xforce.iss.net/static/1575.php
Votes:
ACCEPT(5) Foat, Cole, Armstrong, Frech, Stracener
NOOP(1) Wall
REJECT(1) Balinsky
Voter Comments:
Balinsky> Duplicate of CVE-1999-1042
Name: CVE-1999-1128
Description:
Internet Explorer 3.01 on Windows 95 allows remote
malicious web sites to execute arbitrary commands via a
.isp file, which is automatically downloaded and
executed without prompting the user.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
Reference:
MISC:http://members.tripod.com/~unibyte/iebug3.htm
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Christey
Voter Comments:
Frech> XF:http-ie-exec(462)
Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html
Name: CVE-1999-1129
Description:
Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow
remote attackers to inject 802.1q frames into another
VLAN by forging the VLAN identifier in the trunking tag.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990901 VLAN Security
Reference:
URL:http://www.securityfocus.com/archive/1/26008
Reference:
MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference:
URL:http://xforce.iss.net/static/3294.php
Reference: BID:615
Reference:
URL:http://www.securityfocus.com/bid/615
Votes:
ACCEPT(2) Foat, Frech
NOOP(2) Cole, Wall
Voter Comments:
CHANGE> [Foat changed vote from NOOP to ACCEPT]
Name: CVE-1999-1130
Description:
Default configuration of the search engine in Netscape
Enterprise Server 3.5.1, and possibly other versions,
allows remote attackers to read the source of JHTML
files by specifying a search command using the
HTML-tocrec-demo1.pat pattern file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990730 Netscape Enterprise
Server yeilds source of JHTML
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise
Server yeilds source of JHTML
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93337389603117&w=2
Reference: BID:559
Reference:
URL:http://www.securityfocus.com/bid/559
Votes:
ACCEPT(1) Cole
MODIFY(1) Frech
NOOP(2) Foat, Wall
Voter Comments:
Frech> XF:netscape-enterprise-view-jhtml(8352)
Name: CVE-1999-1133
Description:
HP-UX 9.x and 10.x running X windows may allow local
attackers to gain privileges via (1) vuefile, (2)
vuepad, (3) dtfile, or (4) dtpad, which do not
authenticate users.
Status: Candidate
Phase: Modified (20020217-01)
Reference: HP:HPSBUX9709-069
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference:
URL:http://xforce.iss.net/static/499.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
NOOP(1) Christey
Voter Comments:
Christey> CHANGEREF: change XF reference to XF:hp-vue-dt(499)
Name: CVE-1999-1134
Description:
Vulnerability in Vue 3.0 in HP 9.x allows local users to
gain root privileges, as fixed by PHSS_4038, PHSS_4055,
and PHSS_4066.
Status: Candidate
Phase: Modified (20020217-01)
Reference: HP:HPSBUX9404-008
Reference:
URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: CIAC:E-23
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: XF:hp-vue(2284)
Reference:
URL:http://www.iss.net/security_center/static/2284.php
Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:hp-vue(2284)
Packetstorm URL is dead. Try another archive.
Name: CVE-1999-1135
Description:
Vulnerability in VUE 3.0 in HP 9.x allows local users to
gain root privileges, as fixed by PHSS_4994 and
PHSS_5438.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9504-027
Reference:
URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference:
URL:http://xforce.iss.net/static/2284.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1141
Description:
Ascom Timeplex router allows remote attackers to obtain
sensitive information or conduct unauthorized activities
by entering debug mode through a sequence of CTRL-D
characters.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970515 MicroSolved finds
hole in Ascom Timeplex Router Security
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference:
URL:http://xforce.iss.net/static/1824.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1149
Description:
Buffer overflow in CSM Proxy 4.1 allows remote attackers
to cause a denial of service (crash) via a long string
to the FTP port.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security
Bulletin 980708.DOS.1.1
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference:
URL:http://xforce.iss.net/static/1422.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1150
Description:
Livingston Portmaster routers running ComOS use the same
initial sequence number (ISN) for TCP connections, which
allows remote attackers to conduct spoofing and hijack
TCP sessions.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Livingston Portmaster
- ISN generation is loosy!
Reference:
URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference:
URL:http://xforce.iss.net/static/1882.php
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
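Worked example (added here; not from the advisory or from ComOS): CVE-1999-1150 matters because a blind spoofer who can predict the ISN the Portmaster will put in its SYN-ACK can complete a forged handshake without ever seeing that SYN-ACK. The Python below takes ISNs recorded from a series of connections to one host and classifies the generator as constant, fixed-increment, or not trivially predictable, then predicts the next ISN where it can. The three sample sequences are constructed for the example and are not measurements of real hardware.

```python
MASK32 = 0xFFFFFFFF


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def classify_isn_generator(isns):
    """Crude generator test in the spirit of nmap's sequence check:
    'constant'  - every connection gets the same ISN (the Portmaster case)
    'increment' - ISN advances by a fixed amount per connection
    'other'     - not trivially predictable from this sample alone"""
    if len(isns) < 3:
        raise ValueError("need at least three observed ISNs")
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "increment"
    return "other"


def predict_next_isn(isns):
    """ISN a blind spoofer would use for the next connection, or None
    when the sample gives no trivial prediction."""
    kind = classify_isn_generator(isns)
    if kind == "constant":
        return isns[-1]
    if kind == "increment":
        return (isns[-1] + isn_deltas(isns)[0]) & MASK32
    return None


# Constructed observations (not measurements of real hardware).
CONSTANT_ISNS = [0x1234ABCD] * 6                                  # same ISN every time
INCREMENT_ISNS = [(1000 + 64000 * i) & MASK32 for i in range(6)]  # fixed step per connection
OTHER_ISNS = [0x9A2F1C10, 0x2B77E0D4, 0xF01D3A88,
              0x5C6E9B02, 0x8E21D7F3, 0x3D4A0C5E]

if __name__ == "__main__":
    for name, seq in [("constant", CONSTANT_ISNS),
                      ("increment", INCREMENT_ISNS),
                      ("other", OTHER_ISNS)]:
        print(f"{name:10} {classify_isn_generator(seq):10} next={predict_next_isn(seq)}")
```

A "constant" or "increment" verdict means the attacker needs one guess for the ACK that completes a spoofed handshake; "other" only says this crude test found no pattern, not that the generator is cryptographically sound, so a real assessment should collect many more samples and look at the delta distribution rather than just its set of values.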
Name: CVE-1999-1151
Description:
Compaq/Microcom 6000 Access Integrator does not cause a
session timeout after prompting for a username or
password, which allows remote attackers to cause a
denial of service by connecting to the integrator
without providing a username or password.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000
DoS + more
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2
Reference: XF:microcom-dos(2089)
Reference:
URL:http://xforce.iss.net/static/2089.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1152
Description:
Compaq/Microcom 6000 Access Integrator does not
disconnect a client after a certain number of failed
login attempts, which allows remote attackers to guess
usernames or passwords via a brute force attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980603 Compaq/Microcom 6000
DoS + more
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90296493106214&w=2
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:microcom-brute-force(7301)
Name: CVE-1999-1153
Description:
HAMcards Postcard CGI script 1.0 allows remote attackers
to execute arbitrary commands via shell metacharacters
in the recipient email address.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI
vulnerabilities
Reference:
URL:http://www.securityfocus.com/archive/1/11175
Reference: XF:cgi-perl-mail-programs(1400)
Reference:
URL:http://xforce.iss.net/static/1400.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
Name: CVE-1999-1154
Description:
LakeWeb Filemail CGI script allows remote attackers to
execute arbitrary commands via shell metacharacters in
the recipient email address.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI
vulnerabilities
Reference:
URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference:
URL:http://xforce.iss.net/static/1400.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(3) Foat, Christey, Wall
Voter Comments:
Christey> I confirmed this problem via visual inspection of the
source code in http://www.lakeweb.com/scripts/filemail.zip
Line 82 has an insufficient check for shell metacharacters
that doesn't exclude semicolons. Line 129 is the
call where the metacharacters are injected.
Need to add "filemail.pl" to the description.
Name: CVE-1999-1155
Description:
LakeWeb Mail List CGI script allows remote attackers to
execute arbitrary commands via shell metacharacters in
the recipient email address.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981109 Several new CGI
vulnerabilities
Reference:
URL:http://www.securityfocus.com/archive/1/11175
Reference: MISC:http://lakeweb.com/scripts/
Reference: XF:cgi-perl-mail-programs(1400)
Reference:
URL:http://xforce.iss.net/static/1400.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Foat, Wall
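The three LakeWeb/HAMcards entries above (CVE-1999-1153, -1154 and -1155) are one bug pattern: a CGI script interpolates a user-supplied recipient address into a command line that is handed to the shell, and the voter comment on CVE-1999-1154 notes that the script's metacharacter check did not exclude semicolons. The following Python is an added illustration, not code from any of those scripts or from this list: it reconstructs a hypothetical "forgets the semicolon" blocklist, shows the injectable call shape beside the hardened one, and uses `echo` as a stand-in for the mailer so it runs anywhere. The address strings and the blocklist contents are constructed for the example.

```python
import re
import subprocess

# Constructed sample inputs for this example (not taken from the advisory).
GOOD_ADDRESS = "alice.smith+news@example.org"
ATTACK_ADDRESS = "victim@example.com; echo INJECTED"

# A metacharacter blocklist of the kind the voter comment on CVE-1999-1154
# describes: it stops some shell syntax but forgets ';'. Hypothetical
# reconstruction, not the code of filemail.pl or the other scripts.
INSUFFICIENT_BLOCKLIST = set("|&`$<>")

def insufficient_check(addr: str) -> bool:
    """Blocklist check: True means the address is let through."""
    return not any(ch in INSUFFICIENT_BLOCKLIST for ch in addr)

# Allowlist: only the characters of a plain local@domain address are accepted,
# and a leading '-' is refused so the mailer cannot mistake it for an option.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def allowlist_check(addr: str) -> bool:
    return len(addr) <= 254 and ADDRESS_RE.fullmatch(addr) is not None

# 'echo' stands in for /usr/lib/sendmail so the example runs on any POSIX box.
MAILER = "echo"

def run_vulnerable(addr: str) -> str:
    """The injectable pattern: blocklist check, then one command string handed
    to /bin/sh. Perl's open(MAIL, "|$mailer $to") does exactly the same."""
    if not insufficient_check(addr):
        raise ValueError("rejected by blocklist")
    cmd = f"{MAILER} TO {addr}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout

def run_safe(addr: str) -> str:
    """Hardened pattern: allowlist validation, then argv as a list with no shell,
    so whatever survives validation reaches the mailer as one literal argument."""
    if not allowlist_check(addr):
        raise ValueError("recipient address rejected")
    proc = subprocess.run([MAILER, "TO", addr], capture_output=True, text=True, check=True)
    return proc.stdout

def safe_rejects(addr: str) -> bool:
    """True if run_safe() refuses the address."""
    try:
        run_safe(addr)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_vulnerable(ATTACK_ADDRESS))   # second line reads INJECTED
    print(run_safe(GOOD_ADDRESS))
    print(safe_rejects(ATTACK_ADDRESS))
```

Running `run_vulnerable(ATTACK_ADDRESS)` prints a second line, `INJECTED`, produced by the command after the semicolon; the blocklist never saw a character it knew about. The hardened version fails closed on the same input and, even for an address that passes, never gives the shell a chance to parse it. The same class recurs further down this list under Majordomo (CVE-1999-1220), where the injected field is the Reply-To header rather than the recipient.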
Name: CVE-1999-1158
Description:
Buffer overflow in (1) pluggable authentication module
(PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in
Solaris 2.4 and 2.3 allows local users to gain root
privileges via programs that use these modules such as
passwd, yppasswd, and nispasswd.
Status: Candidate
Phase: Proposed (20010912)
Reference: AUSCERT:AA-97.09
Reference:
URL:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
Reference: SUN:00139
Reference:
URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba
Votes:
ACCEPT(4) Foat, Cole, Dik, Stracener
MODIFY(1) Frech
RECAST(1) Christey
Voter Comments:
Frech> XF:solaris-pam-bo(7432)
Dik> sun bug: 4018347
Christey> These issues should be SPLIT per CD:SF-EXEC because the PAM
problem appears in different Solaris versions than
unix_scheme.
Name: CVE-1999-1164
Description:
Microsoft Outlook client allows remote attackers to
cause a denial of service by sending multiple email
messages with the same X-UIDL headers, which causes
Outlook to hang.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990625 Outlook denial of
service
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93041631215856&w=2
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:outlook-xuidl-dos(8356)
Name: CVE-1999-1165
Description:
GNU fingerd 1.37 does not properly drop privileges
before accessing user information, which could allow
local users to (1) gain root privileges via a malicious
program in the .fingerrc file, or (2) read arbitrary
files via symbolic links from .plan, .forward, or
.project files.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990721 old gnu finger bugs
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93268249021561&w=2
Reference: BUGTRAQ:19950317 GNU finger 1.37
executes ~/.fingerrc with gid root
Reference:
URL:http://www.securityfocus.com/archive/1/2478
Reference: BID:535
Reference:
URL:http://www.securityfocus.com/bid/535
Votes:
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:gnu-finger-privilege-dropping(7175)
Name: CVE-1999-1166
Description:
Linux 2.0.37 does not properly encode the Custom segment
limit, which allows local users to gain root privileges
by accessing and modifying kernel memory.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990711 Linux 2.0.37 segment
limit bug
Reference:
URL:http://www.securityfocus.com/archive/1/18156
Reference: BID:523
Reference:
URL:http://www.securityfocus.com/bid/523
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> (Task 2253)
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:linux-segment-limit-privileges(11202)
Name: CVE-1999-1168
Description:
install.iss installation script for Internet Security
Scanner (ISS) for Linux, version 5.3, allows local users
to change the permissions of arbitrary files via a
symlink attack on a temporary file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990220 ISS install.iss
security hole
Reference:
URL:http://www.securityfocus.com/archive/1/12640
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:iss-temp-files(1793)
ADDREF:http://www.securityfocus.com/archive/1/12679
Name: CVE-1999-1169
Description:
nobo 1.2 allows remote attackers to cause a denial of
service (crash) via a series of large UDP packets.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990204 NOBO denial of
service
Reference:
URL:http://www.securityfocus.com/archive/1/12284
Votes:
ACCEPT(1) Foat
MODIFY(1) Frech
NOOP(2) Cole, Wall
Voter Comments:
Frech> XF:nobo-udp-packet-dos(7502)
ADDREF:http://www.securityfocus.com/archive/1/12378
ADDREF:http://web.cip.com.br/nobo/mudancas_en.html
Name: CVE-1999-1170
Description:
IPswitch IMail allows local users to gain additional
privileges and modify or add mail accounts by setting
the "flags" registry key to 1920.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990204 WS FTP Server
Remote DoS Attack
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference:
URL:http://www.securityfocus.com/bid/218
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:imail-registry(1725)
Name: CVE-1999-1171
Description:
IPswitch WS_FTP allows local users to gain additional
privileges and modify or add mail accounts by setting
the "flags" registry key to 1920.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990204 WS FTP Server
Remote DoS Attack
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91816507920544&w=2
Reference: BID:218
Reference:
URL:http://www.securityfocus.com/bid/218
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:wsftp-registry(1726)
Name: CVE-1999-1172
Description:
By design, Maximizer Enterprise 4 calendar and address
book program allows arbitrary users to modify the
calendar of other users when the calendar is being
shared.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990114 security hole in
Maximizer
Reference:
URL:http://www.securityfocus.com/archive/1/11947
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
REVIEWING(1) Christey
Voter Comments:
Christey> The discloser does not provide enough details to fully
understand what the problem is. This makes it difficult
because if Maximizer has a concept of "users" and it is
designed to allow any user to modify any other user's data,
then this would not be a vulnerability or exposure, unless
that "cross-user" capability could be used to violate system
integrity, data confidentiality, or the like. There are some
features of Maximizer 6.0 that, if abused, could allow someone
to do some bad things. For example, an attacker could modify
the email addresses for contacts to redirect sales to
locations besides the customer. There's also a capability of
assigning priorities and alarms, which could be susceptible to
an "inconvenience attack" at the very least, as well as
tie-ins to e-commerce capabilities.
The critical question becomes: "how is this data shared" in
the first place? If it's through a network share or other
distribution method besides transferring the complete database
between sites, then this may be accessible to any attacker who
can mimic a Maximizer client (if there is such a thing as a
client), and this could be a vulnerability or exposure
according to the CVE definition.
However, since the Maximizer functionality is unknown to me
and not readily apparent from product documentation, it's hard
to know what to do about this one.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:maximizer-enterprise-calendar-modification(7590)
Name: CVE-1999-1173
Description:
Corel Word Perfect 8 for Linux creates a temporary
working directory with world-writable permissions, which
allows local users to (1) modify Word Perfect behavior
by modifying files in the working directory, or (2)
modify files of other users via a symlink attack.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19981218 wordperfect 8 for
linux security
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91404045014047&w=2
Votes:
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1174
Description:
ZIP drive for Iomega ZIP-100 disks allows attackers with
physical access to the drive to bypass password
protection by inserting a known disk with a known
password, waiting for the ZIP drive to power down,
manually replacing the known disk with the target disk,
and using the known password to access the target disk.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://www.counterpane.com/crypto-gram-9812.html#doghouse
Votes:
ACCEPT(1) Cole
NOOP(2) Foat, Wall
Name: CVE-1999-1176
Description:
Buffer overflow in cidentd ident daemon allows local
users to gain root privileges via a long line in the
.authlie script.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980110 Cidentd
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88466930416716&w=2
Reference: BUGTRAQ:19980911 Re: security problems
with jidentd
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90554230925545&w=2
Reference:
MISC:http://spisa.act.uji.es/spi/progs/codigo/www.hack.co.za/exploits/daemon/ident/cidentd.c
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:cidentd-authlie-bo(7327)
Name: CVE-1999-1178
Description:
Sambar Server 4.1 beta allows remote attackers to obtain
sensitive information about the server via an HTTP
request for the dumpenv.pl script.
Status: Candidate
Phase: Proposed (20010912)
Reference: XF:sambar-dump-env(3223)
Reference:
URL:http://xforce.iss.net/static/3223.php
Reference: BUGTRAQ:19980610 Sambar Server Beta
BUG..
Reference:
URL:http://www.securityfocus.com/archive/1/9505
Votes:
ACCEPT(1) Frech
NOOP(3) Foat, Cole, Wall
Name: CVE-1999-1179
Description:
Vulnerability in man.sh CGI script, included in May 1998
issue of SysAdmin Magazine, allows remote attackers to
execute arbitrary commands.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980515 May SysAdmin man.sh
security hole
Reference:
URL:http://www.securityfocus.com/archive/1/9330
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:mansh-execute-commands(7328)
Name: CVE-1999-1180
Description:
O'Reilly WebSite 1.1e and Website Pro 2.0 allows remote
attackers to execute arbitrary commands via shell
metacharacters in an argument to (1) args.cmd or (2)
args.bat.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
Reference: BUGTRAQ:19990216 Website Pro v2.0 (NT)
Configuration Issues
Reference:
URL:http://www.tryc.on.ca/archives/bugtraq/1999_1/0612.html
Votes:
ACCEPT(1) Wall
MODIFY(1) Frech
NOOP(3) Foat, Cole, Christey
Voter Comments:
Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/buffer.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/buffer.html
Frech> XF:website-pro-args-commands(7529)
Name: CVE-1999-1182
Description:
Buffer overflow in run-time linkers (1) ld.so or (2)
ld-linux.so for Linux systems allows local users to gain
privileges by calling a setuid program with a long
program name (argv[0]) and forcing ld.so/ld-linux.so to
report an error.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970717 KSR[T] Advisory #2:
ld.so
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419318&w=2
Reference: BUGTRAQ:19970722 ld.so vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419351&w=2
Reference: BUGTRAQ:19980204 An old ld-linux.so
hole
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88661732807795&w=2
Votes:
NOOP(2) Foat, Cole
Name: CVE-1999-1183
Description:
System Manager sysmgr GUI in SGI IRIX 6.4 and 6.3 allows
remote attackers to execute commands by providing a
trojan horse (1) runtask or (2) runexec descriptor file,
which is used to execute a System Manager Task when the
user's Mailcap entry supports the x-sgi-task or
x-sgi-exec type.
Status: Candidate
Phase: Modified (20060705)
Reference: SGI:19980403-02-PX
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-02-PX
Reference: SGI:19980403-01-PX
Reference:
URL:ftp://patches.sgi.com/support/free/security/advisories/19980403-01-PX
Reference: OSVDB:8556
Reference: URL:http://www.osvdb.org/8556
Reference: XF:sgi-mailcap(809)
Reference:
URL:http://www.iss.net/security_center/static/809.php
Votes:
ACCEPT(3) Foat, Cole, Stracener
MODIFY(1) Frech
Voter Comments:
Frech> XF:sgi-mailcap(809)
Name: CVE-1999-1184
Description:
Buffer overflow in Elm 2.4 and earlier allows local
users to gain privileges via a long TERM environment
variable.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970513
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420967&w=2
Reference: BUGTRAQ:19970514 Re: ELM overflow
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420970&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:elm-term-bo(7183)
Name: CVE-1999-1185
Description:
Buffer overflow in SCO mscreen allows local users to
gain root privileges via a long terminal entry (TERM) in
the .mscreenrc file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: BUGTRAQ:19980926 Root exploit for SCO
OpenServer.
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: CERT:VB-98.10
Reference: SCO:98.05
Reference: XF:sco-openserver-mscreen-bo(1379)
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
NOOP(1) Wall
REVIEWING(1) Christey
Voter Comments:
Frech> Possible dupe on CVE-1999-1041.
Christey> Possible dupe with CVE-1999-1041.
Name: CVE-1999-1186
Description:
rxvt, when compiled with the PRINT_PIPE option in
various Linux operating systems including Linux
Slackware 3.0 and RedHat 2.1, allows local users to gain
root privileges by specifying a malicious program using
the -print-pipe command line parameter.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960102 rxvt security hole
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418966&w=2
Votes:
MODIFY(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> XF:rxvtpipe(425)
Name: CVE-1999-1187
Description:
Pine before version 3.94 allows local users to gain
privileges via a symlink attack on a lockfile that is
created when a user receives new mail.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19960826 [BUG] Vulnerability
in PINE
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419803&w=2
Reference: XF:pine-tmpfile(416)
Reference:
URL:http://xforce.iss.net/static/416.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Voter Comments:
Frech> CONFIRM:http://www.washington.edu/pine/changes.html
Name: CVE-1999-1190
Description:
Buffer overflow in POP3 server of Admiral Systems
EmailClub 1.05 allows remote attackers to execute
arbitrary commands via a long "From" header in an e-mail
message.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://www.securiteam.com/exploits/E-MailClub__FROM__remote_buffer_overflow.html
Reference: BID:801
Reference:
URL:http://www.securityfocus.com/bid/801
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:emailclub-pop3-from-bo(7873)
Name: CVE-1999-1195
Description:
NAI VirusScan NT 4.0.2 does not properly modify the
scan.dat virus definition file during an update via FTP,
but it reports that the update was successful, which
could cause a system administrator to believe that the
definitions have been updated correctly.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990505 NAI AntiVirus
Update Problem
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92587579032534&w=2
Reference: BUGTRAQ:19990505 NAI AntiVirus Update
Problem
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92588169005196&w=2
Reference: BID:169
Reference:
URL:http://www.securityfocus.com/bid/169
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:virusscan-ftp-update(8387)
Name: CVE-1999-1196
Description:
Hummingbird Exceed X version 5 allows remote attackers
to cause a denial of service via malformed data to port
6000.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990427 NT/Exceed D.O.S.
Reference:
URL:http://www.securityfocus.com/archive/1/13451
Reference: BID:158
Reference:
URL:http://www.securityfocus.com/bid/158
Votes:
MODIFY(1) Frech
NOOP(3) Foat, Cole, Wall
Voter Comments:
Frech> XF:exceed-xserver-dos(7530)
Name: CVE-1999-1200
Description:
Vintra SMTP MailServer allows remote attackers to cause
a denial of service via a malformed "EXPN *@" command.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980720 DOS in Vintra
systems Mailserver software.
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131610&w=2
Reference: XF:vintra-mail-dos(1617)
Reference:
URL:http://xforce.iss.net/static/1617.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Wall, Foat
Name: CVE-1999-1202
Description:
StarTech (1) POP3 proxy server and (2) telnet server
allows remote attackers to cause a denial of service via
a long USER command.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980703 Windows95 Proxy DoS
Vulnerabilites
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525873&w=2
Reference: XF:startech-pop3-overflow(2088)
Reference:
URL:http://xforce.iss.net/static/2088.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
Name: CVE-1999-1206
Description:
SystemSoft SystemWizard package in HP Pavilion PC with
Windows 98, and possibly other platforms and operating
systems, installs two ActiveX controls that are marked
as safe for scripting, which allows remote attackers to
execute arbitrary commands via a malicious web page that
references (1) the Launch control, or (2) the RegObj
control.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990729 New ActiveX security
problems in Windows 98 PCs
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93336970231857&w=2
Reference:
CONFIRM:http://www.systemsoft.com/l-2/l-3/support-systemwizard.htm
Reference: BID:555
Reference:
URL:http://www.securityfocus.com/bid/555
Votes:
ACCEPT(4) Foat, Cole, Armstrong, Stracener
MODIFY(1) Frech
NOOP(2) Wall, Christey
Voter Comments:
Frech> XF:systemwizard-modify-registry(7080)
Christey> CERT-VN:VU#22919
URL:http://www.kb.cert.org/vuls/id/22919
CERT-VN:VU#34453
URL:http://www.kb.cert.org/vuls/id/34453
Name: CVE-1999-1207
Description:
Buffer overflow in web-admin tool in NetXRay 2.6 allows
remote attackers to cause a denial of service, and
possibly execute arbitrary commands, via a long HTTP
request.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://www.efri.hr/~crv/security/bugs/NT/netxtray.html
Reference: XF:netxray-bo(907)
Reference:
URL:http://xforce.iss.net/static/907.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
Name: CVE-1999-1210
Description:
xterm in Digital UNIX 4.0B *with* patch kit 5 allows
local users to overwrite arbitrary files via a symlink
attack on a core dump file, which is created when xterm
is called with a DISPLAY environment variable set to a
display that xterm cannot access.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971112 Digital Unix Security
Problem
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87936891504885&w=2
Reference: XF:dec-xterm(613)
Reference:
URL:http://xforce.iss.net/static/613.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1211
Description:
Vulnerability in in.telnetd in SunOS 4.1.1 and earlier
allows local users to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference:
URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference:
URL:http://xforce.iss.net/static/574.php
Votes:
ACCEPT(5) Foat, Cole, Frech, Dik, Stracener
NOOP(1) Wall
Voter Comments:
Frech> CONFIRM:Sun Microsystems, Inc. Security Bulletin #00106 at
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/106&type=0&nav=sec.sba
Dik> sun bug: 1054669 1049886 1042370 1033809
Name: CVE-1999-1212
Description:
Vulnerability in in.rlogind in SunOS 4.0.3 and 4.0.3c
allows local users to gain root privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1991-02
Reference:
URL:http://www.cert.org/advisories/CA-1991-02.html
Reference: XF:sun-intelnetd(574)
Reference:
URL:http://xforce.iss.net/static/574.php
Votes:
ACCEPT(5) Foat, Cole, Frech, Dik, Stracener
NOOP(1) Wall
Voter Comments:
Dik> sun bug: 1054669 1049886 1042370 1033809
Name: CVE-1999-1213
Description:
Vulnerability in telnet service in HP-UX 10.30 allows
attackers to cause a denial of service.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9710-070
Reference:
URL:http://www2.dataguard.no/bugtraq/1997_4/0001.html
Reference: XF:hp-telnetdos(571)
Reference:
URL:http://xforce.iss.net/static/571.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1216
Description:
Cisco routers 9.17 and earlier allow remote attackers to
bypass security restrictions via certain IP source
routed packets that should normally be denied using the
"no ip source-route" command.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1993-07
Reference:
URL:http://www.cert.org/advisories/CA-1993-07.html
Reference: CIAC:D-15
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/d-15.shtml
Reference: XF:cisco-sourceroute(541)
Reference:
URL:http://xforce.iss.net/static/541.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
NOOP(1) Wall
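The CVE-1999-1216 entry above turns on what `no ip source-route` is supposed to do: drop any packet carrying a loose (LSRR, option type 131) or strict (SSRR, option type 137) source-route option, regardless of the addresses listed in it. The Python below is an added example, not Cisco code and not taken from the CERT or CIAC advisory; it parses the IPv4 option area, flags source-route options, and applies that policy, with a small header builder so the demonstration packets are constructed inline. The header checksum is left at zero because the option parser never consults it.

```python
import socket
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # copied flag set, class 0, numbers 3 and 9
SOURCE_ROUTE_TYPES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}

def parse_ipv4_options(header: bytes) -> list:
    """Walk the option area of an IPv4 header (bytes 20..IHL*4) and return
    (type, data) pairs. Malformed lengths raise instead of being skipped: a
    parser that silently resynchronises is how filters get bypassed."""
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        raise ValueError("bad IHL")
    opts = header[20:ihl * 4]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def source_route(header: bytes):
    """Return (kind, pointer, route) if the header carries LSRR or SSRR, else None."""
    for kind, data in parse_ipv4_options(header):
        if kind in SOURCE_ROUTE_TYPES:
            pointer = data[0]
            route = [socket.inet_ntoa(data[k:k + 4]) for k in range(1, len(data) - 3, 4)]
            return SOURCE_ROUTE_TYPES[kind], pointer, route
    return None

def should_drop(header: bytes, no_ip_source_route: bool = True) -> bool:
    """The policy `no ip source-route` is meant to enforce: any packet carrying
    a source-route option is dropped, whatever the addresses inside it."""
    return no_ip_source_route and source_route(header) is not None

# Constructed packets for the demonstration (header checksum left at 0).
def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    if len(options) % 4:
        options += bytes(4 - len(options) % 4)  # pad with EOL bytes
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options

def lsrr_option(route) -> bytes:
    body = b"".join(socket.inet_aton(h) for h in route)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body  # pointer starts at 4

if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.0.5", "192.0.2.10",
                            lsrr_option(["203.0.113.1", "198.51.100.7"]))
    print(source_route(pkt), should_drop(pkt))
```

The check is deliberately keyed on the option type alone. A filter that instead inspects the hop list, or only fires when the pointer still points inside the list, leaves exactly the kind of gap the advisory describes: "certain" source-routed packets getting through a rule that should reject all of them.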
Name: CVE-1999-1218
Description:
Vulnerability in finger in Commodore Amiga UNIX 2.1p2a
and earlier allows local users to read arbitrary files.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1993-04
Reference:
URL:http://www.cert.org/advisories/CA-1993-04.html
Reference: XF:amiga-finger(522)
Reference:
URL:http://xforce.iss.net/static/522.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1219
Description:
Vulnerability in sgihelp in the SGI help system and
print manager in IRIX 5.2 and earlier allows local users
to gain root privileges, possibly through the clogin
command.
Status: Candidate
Phase: Proposed (20010912)
Reference: CERT:CA-1994-13
Reference:
URL:http://www.cert.org/advisories/CA-1994-13.html
Reference: AUSCERT:AA-94.04a
Reference: CIAC:E-33
Reference:
URL:http://ciac.llnl.gov/ciac/bulletins/e-33.shtml
Reference: XF:sgi-prn-mgr(511)
Reference:
URL:http://xforce.iss.net/static/511.php
Reference: BID:468
Reference:
URL:http://www.securityfocus.com/bid/468
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
NOOP(1) Wall
Name: CVE-1999-1220
Description:
Majordomo 1.94.3 and earlier allows remote attackers to
execute arbitrary commands when the advertise or
noadvertise directive is used in a configuration file,
via shell metacharacters in the Reply-To header.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Vulnerability in
Majordomo
Reference:
URL:http://www.securityfocus.com/archive/1/7527
Reference: XF:majordomo-advertise(502)
Reference:
URL:http://xforce.iss.net/static/502.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1221
Description:
dxchpwd in Digital Unix (OSF/1) 3.x allows local users
to modify arbitrary files via a symlink attack on the
dxchpwd.log file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961117 Digital Unix v3.x
(v4.x?) security vulnerability
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420141&w=2
Reference: XF:dgux-chpwd(399)
Reference:
URL:http://xforce.iss.net/static/399.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1224
Description:
IMAP 4.1 BETA, and possibly other versions, does not
properly handle the SIGABRT (abort) signal, which allows
local users to crash the server (imapd) via certain
sequences of commands, which causes a core dump that may
contain sensitive password information.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971008 L0pht Advisory:
IMAP4rev1 imapd server
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87635124302928&w=2
Reference: XF:imapd-core(349)
Reference:
URL:http://xforce.iss.net/static/349.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1225
Description:
rpc.mountd on Linux, Ultrix, and possibly other
operating systems, allows remote attackers to determine
the existence of a file on the server by attempting to
mount that file, which generates different error
messages depending on whether the file exists or not.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19970824 Serious security flaw
in rpc.mountd on several operating systems.
Reference:
URL:http://www.securityfocus.com/archive/1/7526
Reference: XF:mountd-file-exists(347)
Reference:
URL:http://xforce.iss.net/static/347.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1227
Description:
Ethereal allows local users to overwrite arbitrary files
via a symlink attack on the packet capture file.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00126.html
Reference:
MISC:http://www.ethereal.com/lists/ethereal-dev/199907/msg00130.html
Reference: XF:ethereal-dev-capturec-root(3334)
Reference:
URL:http://xforce.iss.net/static/3334.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Wall, Foat
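Several entries above (CVE-1999-1168, -1173, -1187, -1210, -1221 and the Ethereal capture file in CVE-1999-1227) are the same temp-file symlink attack: a program running with more privilege than the attacker writes to a predictable name, and the attacker has already placed a symlink there so the write lands on a file of their choosing. The Python below is an added example, not code from any of those products: it runs the attack inside a throwaway directory against the naive `open(path, "w")` pattern and against an `O_CREAT|O_EXCL|O_NOFOLLOW` create, so the difference is observable rather than asserted. File names and contents are constructed for the demonstration.

```python
import os
import tempfile

# O_NOFOLLOW is a POSIX extension; where it is missing, O_EXCL alone still
# refuses a pre-planted symlink (open() fails with EEXIST on a symlink name).
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)

def naive_write(path: str, data: bytes) -> None:
    """The vulnerable pattern: open a predictable name for writing. open()
    follows a symlink planted at that name and truncates whatever it points to."""
    with open(path, "wb") as f:
        f.write(data)

def safe_create(path: str, data: bytes) -> None:
    """Hardened pattern: create the file atomically, refuse an existing name,
    refuse to follow a symlink, and set a private mode at creation time."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def simulate_symlink_attack(writer) -> dict:
    """Plant a symlink at the predictable path (the attacker's move, made
    before the privileged program runs), then let `writer` act as that program
    would. Reports whether the victim file was clobbered and which error, if
    any, the writer raised. Everything happens inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original contents\n")
        predictable = os.path.join(workdir, "capture.out")
        os.symlink(victim, predictable)
        error = None
        try:
            writer(predictable, b"attacker-chosen data\n")
        except OSError as exc:
            error = type(exc).__name__
        with open(victim, "rb") as f:
            clobbered = f.read() != b"original contents\n"
        return {"victim_clobbered": clobbered, "error": error}

if __name__ == "__main__":
    print("naive:", simulate_symlink_attack(naive_write))
    print("safe: ", simulate_symlink_attack(safe_create))
```

The naive writer reports the victim overwritten with no error at all, which is why these bugs went unnoticed: nothing fails from the program's point of view. The safe variant fails closed. In practice the name should also be unpredictable (`tempfile.mkstemp` does the `O_EXCL` dance for you) and live in a directory only the program can write; and where the path is chosen by the user, as with a capture file, a privileged program should open it with the user's privileges rather than its own.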
Name: CVE-1999-1228
Description:
Various modems that do not implement a guard time, or
are configured with a guard time of 0, can allow remote
attackers to execute arbitrary modem commands such as
ATH, ATH0, etc., via a "+++" sequence that appears in
ICMP packets, the subject of an e-mail message, IRC
commands, and others.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980927 1+2=3, +++ATH0=Old
school DoS
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90695973308453&w=2
Reference:
MISC:http://www.macintouch.com/modemsecurity.html
Reference: XF:global-village-modem-dos(3320)
Reference:
URL:http://xforce.iss.net/static/3320.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
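The modem entry above (CVE-1999-1228) hinges on two facts: an ICMP echo reply carries back whatever payload the request held, so the victim's own host writes the attacker's bytes onto the serial line, and a modem with no guard time accepts "+++" even when it arrives in the middle of a data burst. The Python below is an added example, not from the Bugtraq post: it builds an echo request with a chosen payload (without sending it), gives a detector for "+++" followed by an AT command that an IDS or mail filter could use, and models the guard-time decision so the "guard time of 0" failure mode is visible. All packet contents are constructed here.

```python
import struct

HAYES_ESCAPE = b"+++"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) carrying an arbitrary payload. The host
    that answers copies the payload into its echo reply, so the reply is what
    writes '+++ATH0' onto the victim's serial line."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def icmp_checksum_ok(packet: bytes) -> bool:
    """A correct packet sums to zero when the checksum field is included."""
    return inet_checksum(packet) == 0

def find_modem_commands(payload: bytes) -> list:
    """Detection rule for a packet or mail filter: every '+++' followed by an
    AT command, as (offset, command) pairs. Case-insensitive, CR-terminated."""
    hits, start, upper = [], 0, payload.upper()
    while True:
        i = upper.find(HAYES_ESCAPE, start)
        if i < 0:
            return hits
        j = upper.find(b"AT", i + len(HAYES_ESCAPE))
        if j < 0:
            return hits
        end = upper.find(b"\r", j)
        cmd = upper[j:end] if end >= 0 else upper[j:]
        hits.append((i, cmd.decode("ascii", "replace")))
        start = j

def as_stream(data: bytes, byte_time: float = 0.001) -> list:
    """Turn bytes into (arrival_time, byte) events at a fixed rate, as they
    would appear on the serial line inside a burst of ordinary traffic."""
    return [(k * byte_time, b) for k, b in enumerate(data)]

def escape_recognized(events, guard_time: float) -> bool:
    """Model of the modem's escape detector: '+++' switches the modem to
    command mode only if at least guard_time seconds of silence surround it.
    With a guard time of 0 (or none at all) any inline '+++' succeeds."""
    for i in range(len(events) - 2):
        if tuple(b for _, b in events[i:i + 3]) != (0x2B, 0x2B, 0x2B):
            continue
        before = events[i][0] - events[i - 1][0] if i > 0 else float("inf")
        after = events[i + 3][0] - events[i + 2][0] if i + 3 < len(events) else float("inf")
        if before >= guard_time and after >= guard_time:
            return True
    return False

if __name__ == "__main__":
    pkt = build_icmp_echo(0x1234, 1, b"+++ATH0\r")
    print(pkt.hex(), icmp_checksum_ok(pkt), find_modem_commands(pkt[8:]))
    print(escape_recognized(as_stream(b"abc+++ATH0\r"), 1.0),
          escape_recognized(as_stream(b"abc+++ATH0\r"), 0.0))
```

With a one-second guard time the inline sequence is ignored because bytes arrive a millisecond apart on either side of it; with a guard time of 0 the same stream hangs up the line. The detector is intentionally generous (any "+++" then "AT...") because the payload can arrive in a ping, a mail subject or an IRC message alike, and the cost of a false positive in a filter is far lower than a dropped connection.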
Name: CVE-1999-1229
Description:
Quake 2 server 3.13 on Linux does not properly check
file permissions for the config.cfg configuration file,
which allows local users to read arbitrary files via a
symlink from config.cfg to the target file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19980225 Quake 2 Linux 3.13
(and lower) allow users to read arbitrary files
Reference:
URL:http://www.securityfocus.com/archive/1/8590
Reference: XF:linux-quake2(733)
Reference:
URL:http://xforce.iss.net/static/733.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
Name: CVE-1999-1230
Description:
Quake 2 server allows remote attackers to cause a denial
of service via a spoofed UDP packet with a source
address of 127.0.0.1, which causes the server to attempt
to connect to itself.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19971224 Quake II Remote
Denial of Service
Reference:
URL:http://www.securityfocus.com/archive/1/8282
Reference: XF:quake2-dos(698)
Reference:
URL:http://xforce.iss.net/static/698.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1231
Description:
ssh 2.0.12, and possibly other versions, allows valid
user names to attempt to enter the correct password
multiple times, but only prompts an invalid user name
for a password once, which allows remote attackers to
determine user account names on the server.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990609 ssh advirsory
Reference:
URL:http://www.securityfocus.com/archive/1/14758
Reference: XF:ssh-leak(2276)
Reference:
URL:http://xforce.iss.net/static/2276.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
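The ssh entry above (CVE-1999-1231) and the rpc.mountd entry before it (CVE-1999-1225) are the same class of flaw, a response that differs with the existence of something the client is not supposed to learn about: for ssh the number of password prompts, for mountd the error text. The Python below is an added example and not code from either daemon: it simulates the leaky and the uniform prompt behaviour, runs an enumeration loop against both, and applies the same "does the response differ" test to hypothetical mount replies. The account table, paths and reply strings are constructed for the simulation.

```python
MAX_PROMPTS = 3
# Constructed account table for the simulation.
USERS = {"alice": "correct horse", "bob": "hunter2"}

class FakeSshServer:
    """Minimal model of the password exchange. leaky=True reproduces the
    behaviour described above: a known user gets MAX_PROMPTS tries, an unknown
    name is cut off after one. leaky=False is the fixed behaviour: the same
    prompt budget for every name, so the exchange no longer depends on existence."""

    def __init__(self, users: dict, leaky: bool):
        self.users = users
        self.leaky = leaky

    def prompt_budget(self, username: str) -> int:
        if self.leaky and username not in self.users:
            return 1
        return MAX_PROMPTS

    def check(self, username: str, password: str) -> bool:
        return self.users.get(username) == password

def attempt_login(server: FakeSshServer, username: str, passwords) -> tuple:
    """Client side: answer each prompt with the next password.
    Returns (prompts_seen, authenticated)."""
    prompts = 0
    for pw in passwords:
        if prompts >= server.prompt_budget(username):
            break
        prompts += 1
        if server.check(username, pw):
            return prompts, True
    return prompts, False

def enumerate_users(server: FakeSshServer, candidates) -> list:
    """Attacker: feed wrong passwords and keep every name that was prompted
    more than once. Against the leaky server this is exactly the user list;
    against the fixed one every candidate looks the same."""
    wrong = ["not-it-1", "not-it-2", "not-it-3"]
    return [u for u in candidates if attempt_login(server, u, wrong)[0] > 1]

# The mountd variant: the reply text differs with the existence of the path,
# so an unauthorised client learns which files exist. Hypothetical replies,
# not the daemon's real strings.
EXPORTED = {"/export/home"}
EXISTING_PATHS = {"/export/home", "/etc/passwd"}

def leaky_mount_reply(path: str) -> str:
    if path in EXPORTED:
        return "mounted"
    if path in EXISTING_PATHS:
        return "permission denied"
    return "no such file or directory"

def uniform_mount_reply(path: str) -> str:
    return "mounted" if path in EXPORTED else "permission denied"

def is_oracle(responder, present: str, absent: str) -> bool:
    """Generic check: does the observable response differ between a probe for
    something that exists and a probe for something that does not?"""
    return responder(present) != responder(absent)

if __name__ == "__main__":
    names = ["alice", "mallory", "bob", "root"]
    print(enumerate_users(FakeSshServer(USERS, leaky=True), names))
    print(enumerate_users(FakeSshServer(USERS, leaky=False), names))
    print(is_oracle(leaky_mount_reply, "/etc/passwd", "/nonexistent"),
          is_oracle(uniform_mount_reply, "/etc/passwd", "/nonexistent"))
```

The fix in both cases is the same: decide on one response before looking anything up, and make the lookup's result change only whether access is granted, never the shape, text, count or (ideally) timing of the reply. Prompt counts are the observable here; in a real assessment the same loop is run against response latency as well, since a server that skips the password hash for unknown users answers measurably faster.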
Name: CVE-1999-1232
Description:
Untrusted search path vulnerability in day5datacopier in
SGI IRIX 6.2 allows local users to execute arbitrary
commands via a modified PATH environment variable that
points to a malicious cp program.
Status: Candidate
Phase: Modified (20060503)
Reference: BUGTRAQ:19970516 Irix and WWW
Reference:
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420994&w=2
Reference: OSVDB:8559
Reference: URL:http://www.osvdb.org/8559
Reference: XF:sgi-day5datacopier(3316)
Reference:
URL:http://xforce.iss.net/static/3316.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1234
Description:
LSA (LSASS.EXE) in Windows NT 4.0 allows remote
attackers to cause a denial of service via a NULL policy
handle in a call to (1) SamrOpenDomain, (2)
SamrEnumDomainUsers, and (3) SamrQueryDomainInfo.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Re: LSA vulnerability
on NT40 SP5
Reference:
URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94096671308565&w=2
Reference: XF:msrpc-samr-open-dos(3293)
Reference:
URL:http://xforce.iss.net/static/3293.php
Votes:
ACCEPT(3) Wall, Cole, Frech
NOOP(1) Foat
Name: CVE-1999-1235
Description:
Internet Explorer 5.0 records the username and password
for FTP servers in the URL history, which could allow
(1) local users to read the information from another
user's index.dat, or (2) people who are physically
observing ("shoulder surfing") another user to read the
information from the status bar when the user moves the
mouse over a link.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990331 Minor Bug in IE5.0
Reference:
URL:http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=NTBUGTRAQ&P=R179
Reference: NTBUGTRAQ:19990825 IE5 FTP password
exposure & index.dat null ACL problem
Reference:
URL:http://packetderm.cotse.com/mailing-lists/ntbugtraq/1999/0364.html
Reference: XF:nt-ie5-user-ftp-password(3289)
Reference:
URL:http://xforce.iss.net/static/3289.php
Votes:
ACCEPT(4) Wall, Foat, Cole, Frech
Voter Comments:
CHANGE> [Foat changed vote from NOOP to ACCEPT]
Name: CVE-1999-1236
Description:
Internet Anywhere Mail Server 2.3.1 stores passwords in
plaintext in the msgboxes.dbf file, which could allow
local users to gain privileges by extracting the
passwords from msgboxes.dbf.
Status: Candidate
Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991001 Vulnerabilities in
the Internet Anywhere Mail Server
Reference:
URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662
Reference: BID:731
Reference:
URL:http://www.securityfocus.com/bid/731
Reference: XF:iams-passwords-plaintext(3285)
Reference:
URL:http://xforce.iss.net/static/3285.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Wall, Foat
Name: CVE-1999-1237
Description:
Multiple buffer overflows in smbvalid/smbval SMB
authentication library, as used in Apache::AuthenSmb and
possibly other modules, allows remote attackers to
execute arbitrary commands via (1) a long username, (2)
a long password, and (3) other unspecified methods.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990606 Buffer overflows in
smbval library
Reference:
URL:http://www.securityfocus.com/archive/1/14384
Reference: XF:smbvalid-bo(2272)
Reference:
URL:http://xforce.iss.net/static/2272.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
Name: CVE-1999-1238
Description:
Vulnerability in CORE-DIAG fileset in HP message catalog
in HP-UX 9.05 and earlier allows local users to gain
privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9409-017
Reference:
URL:http://www.securityfocus.com/advisories/1531
Reference: XF:hp-core-diag-fileset(2262)
Reference:
URL:http://xforce.iss.net/static/2262.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1239
Description:
HP-UX 9.x does not properly enable the Xauthority
mechanism in certain conditions, which could allow local
users to access the X display even when they have not
explicitly been authorized to do so.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9407-015
Reference:
URL:http://www.securityfocus.com/advisories/1559
Reference: XF:hp-xauthority(2261)
Reference:
URL:http://xforce.iss.net/static/2261.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1240
Description:
Buffer overflow in cddbd CD database server allows
remote attackers to execute arbitrary commands via a
long log message.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19961126 Major Security
Vulnerabilities in Remote CD Databases
Reference:
URL:http://www.securityfocus.com/archive/1/5784
Reference: XF:cddbd-bo(2203)
Reference:
URL:http://xforce.iss.net/static/2203.php
Votes:
ACCEPT(1) Frech
NOOP(2) Foat, Cole
Name: CVE-1999-1241
Description:
Internet Explorer, with a security setting below Medium,
allows remote attackers to execute arbitrary commands
via a malicious web page that uses the FileSystemObject
ActiveX object.
Status: Candidate
Phase: Proposed (20010912)
Reference:
MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
Reference: XF:ie-filesystemobject(2173)
Reference:
URL:http://xforce.iss.net/static/2173.php
Votes:
ACCEPT(3) Wall, Cole, Frech
NOOP(2) Foat, Christey
Voter Comments:
Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/activex4.html
ADDREF MISC:http://focus.silversand.net/vulner/allbug/activex4.html
Frech> Change MISC to http://www.securitybugware.org/NT/1018.html
Name: CVE-1999-1242
Description:
Vulnerability in subnetconfig in HP-UX 9.01 and 9.0
allows local users to gain privileges.
Status: Candidate
Phase: Proposed (20010912)
Reference: HP:HPSBUX9402-003
Reference:
URL:http://packetstormsecurity.org/advisories/hpalert/003
Reference: XF:hp-subnet-config(2162)
Reference:
URL:http://xforce.iss.net/static/2162.php
Votes:
ACCEPT(4) Foat, Cole, Frech, Stracener
Name: CVE-1999-1244
Description:
IPFilter 3.2.3 through 3.2.10 allows local users to
modify arbitrary files via a symlink attack on the saved
output file.
Status: Candidate
Phase: Proposed (20010912)
Reference: BUGTRAQ:19990415
FSA-99.04-IPFILTER-v3.2.10
Reference:
URL:http://www.securityfocus.com/archive/1/13303
Reference: XF:ipfilter-temp-file(2087)
Reference:
URL:http://xforce.iss.net/static/2087.php
Votes:
ACCEPT(2) Cole, Frech
NOOP(2) Wall, Foat
Name: CVE-1999-1245
Description:
vacm ucd-snmp SNMP server, version 3.52, does not
properly disable access to the public community string,
which could allow remote attackers to obtain sensitive
information.
Status: Candidate
Phase: Proposed (20010912)
Reference: XF:ucd-snmpd-community(2086)
Reference:
URL:http://xforce.iss.net/static/2086.php
Votes:
ACCEPT(1) Frech
NOOP(3) Wall, Foat, Cole
Voter Comments:
Frech> http://www.securityfocus.com/archive/1/13130