All articles

January 03, 2002 08:46 Debian: mutt buffer overflow

Joost Pol found a buffer overflow in the address handling code of mutt (a popular mail user agent). Even though this is a one byte overflow this is exploitable. Fixed packages are available from

No avatar December 29, 2001 00:00 ICQ Development with the ickle Library

In recent years, the popularity of instant messaging solutions has grown dramatically. It's now difficult to say who was the first to invent something more rapid than email, but there is no doubt that among the wide variety of existing IM solutions, ICQ is the most popular one.

December 28, 2001 01:57 Debian: gpm (gpm-root) format string vulnerabilities

The package 'gpm' contains the 'gpm-root' program, which can be used to create mouse-activated menus on the console. Among other problems, the gpm-root program contains a format string vulnerability, which allows an attacker to gain root privileges. Fixed packages are available from

December 24, 2001 17:16 SuSE: remote privilege escalation in glibc/shlibs, in.ftpd

The file globbing (matching filenames against patterns such as "*.bak") routines in the glibc exhibits an error that results in a heap corruption and that may allow a remote attacker to execute arbitrary commands from processes that take globbing strings from user input. Fixed packages are available from

December 22, 2001 05:56 Red Hat: Updated Mailman packages available

A server running Mailmain versions prior to 2.0.8 will send certain user-modifiable data to clients without escaping embedded tags. This data may contain scripts which will then be executed by an unwary client, possibly transmitting private information to a third party. Fixed packages are available from

No avatar December 22, 2001 00:00 Lights-Out Administration

Current network and systems administration tools offer engineers a wide range of capabilities for remote administration. One capability that is limited is the capability to remotely power cycle a server or network device and perform remote diagnostics on any machine that will not boot. This paper will outline the requirements for a set of industry standard devices capable of performing remote functions on servers and network devices, targeted toward a common situation faced by network and systems administrators.

December 16, 2001 03:29 Debian: mailman cross-site scripting problem

Barry A. Warsaw reported several cross-site scripting security holes in Mailman, due to non-existent escaping of CGI variables. Fixed packages are available from

December 15, 2001 03:55 RedHat: Updated glibc packages are available

An overflowable buffer exists in earlier versions of glibc glob(3) implementation. It may be possible to exploit programs that pass user modifiable input to the glibc glob function. Fixed packages are available from

No avatar December 15, 2001 00:00 Sound and Music Software

freshmeat's Sound/Audio software category lists more than 200 varied applications dealing with audio and MIDI. The newcomer to this collection may find himself (forgivably) a bit bewildered, but I hope to dispel some of that confusion with this review. freshmeat has already defined the application subcategories (many of which are self-explanatory), so I will focus on how to access the particular software to suit a specific purpose.

December 13, 2001 00:50 Debian: postfix memory exhaustion

Wietse Venema reported he found a denial of service vulnerability in postfix. The SMTP session log that postfix keeps for debugging purposes could grow to an unreasonable size. Fixed packages are available from

December 07, 2001 00:34 SuSE: local privilege escalation in OpenSSH

This re-release of SuSE Security Announcement SuSE-SA:2001:044 adds another patch to the openssh-2.9.9p2 packages: A bug allows a local attacker on the server to specify environment variables that can influence the login process if the "UseLogin" configuration option on the server side is set to "yes". If exploited, the local attacker on the secure shell server can execute arbitrary commands as root. In the default configuration of the package, the UseLogin option is set to "no", which means that the administrator of the server must have set the option to "yes" manually before the bug can be exploited. Fixed packages are available from

December 06, 2001 01:58 Debian: local root in wmtv

Nicolas Boullis found a nasty security problem in the wmtv (a dockable video4linux tv player for windowmaker) package as distributed in Debian GNU/Linux 2.2. wmtv can optionally run a command if you double-click on the tv window. This command can be specified using the -e command-line option. However since wmtv is installed suid root this command was also run as root, which gives local users a very simple way to get root access. Fixed packages are available from

December 05, 2001 09:58 Debian: OpenSSH UseLogin vulnerability

If the UseLogin feature is enabled in for ssh local users could pass environment variables (including variables like LD_PRELOAD) to the login process. This has been fixed by not copying the environment if UseLogin is enabled. Please note that the default configuration for Debian does not have the UseLogin enabled. Fixed packages are available from

December 05, 2001 08:26 Debian: xtel symlink vulnerabilities

The xtel (a X emulator for minitel) package as distributed with Debian GNU/Linux 2.2 has two possible symlink attacks: xteld creates a temporary file /tmp/.xtel- without checking for symlinks and when printing a hardcope xtel would create a temporary file without protecting itself against symlink attacks. Fixed packages are available from

December 05, 2001 07:07 Debian: several problems in icecast-server

The icecast-server (a streaming music server) package as distributed in Debian GNU/Linux 2.2 has several security problems, including: if a client added a / after the filename of a file to be downloaded the server would crash, by escaping dots as %2E it was possible to circumvent security measures and download arbitrary files, and there were several buffer overflows that could be exploited to gain root access. Fixed packages are available from

December 05, 2001 07:06 Debian: improper character escaping in fml

The fml (a mailing list package) as distributed in Debian GNU/Linux 2.2 suffers from a cross-site scripting problem. When generating index pages for list archives the `<' and `>' characters were not properly escaped for subjects. Fixed packages are available from

December 05, 2001 00:37 Red Hat: Updated apache packages available

By using a carefully constructed HTTP request, a server with mod_negotiation and either mod_dir or mod_autoindex loaded could be tricked into displaying a listing of the contents of a directory, despite the presence of an index file. Updated packages are available from

December 05, 2001 00:35 Red Hat: Updated OpenSSH packages available

When the "UseLogin" option is enabled in OpenSSH, a malicious user who authenticates using key-based authentication methods can influence the environment variables passed to the login process. This could allow the user to execute arbitrary code with superuser privileges. In Red Hat Linux the OpenSSH server has the "UseLogin" option disabled by default. Therefore, it is not vulnerable unless the system administrator has changed this setting. Updated packages are available from

December 03, 2001 09:29 SuSE: various bugs in OpenSSH

The OpenSSH daemon shipped with SuSE distributions contains various minor bugs which allows bypassing of IP-access control in some circumstances or the deletion of files named "cookies" if X11 forwarding is enabled. It has also been verified that the recent remotely exploitable crc32 bug as well as the logging-bug has been fixed in SuSE's latest ssh packages. Packages fixing the latest bugs can be obtained from

December 03, 2001 03:37 Debian: wu-ftpd buffer overflow in glob code

CORE ST reports that an exploit has been found for a bug in the wu-ftpd glob code (this is the code that handles filename wildcard expansion). Any logged in user (including anonymous ftp users) can exploit the bug to gain root privilege on the server. Fixed packages can be obtained from

No avatar December 01, 2001 00:00 The Practice of System and Network Administration

Thomas A. Limoncelli and Christine Hogan's recent book "The Practice of System and Network Administration" breaks new ground in its coverage of Systems Administration.

November 30, 2001 12:36 Red Hat: Updated OpenSSH packages available

OpenSSH versions prior to 2.9.9, when configured to provide sftp access using the subsystem feature, allows remote authenticated users to bypass authorized_keys2 "command=" restrictions by using sftp commands. OpenSSH 2.9 also contained a subtle bug in the routines which attempt to confound an attacker using passive analysis, which would cause it to send two confounding packets instead of one when a client finished sending it a password. Fixed packages are available from

November 30, 2001 02:08 Red Hat: Updated wu-ftpd packages available

An overflowable buffer exists in earlier versions of wu-ftpd. An attacker could gain access to the machine by sending malicious commands. Updated packages are available from

November 30, 2001 02:06 Red Hat: Updated Cyrus-SASL packages available

The default logging callback function supplied by the Cyrus SASL library suffers from a format-string vulnerability. This function is used when a server which uses Cyrus SASL attempts to set or change a user's secrets. Updated packages are available from

November 29, 2001 00:43 SuSE: remote root compromise in wuftpd

The CORE ST Team had found an exploitable bug in all versions of wuftpd's ftpglob() function. The glob function overwrites buffer bounds while matching open and closed brackets. Due to a missing \0 at the end of the buffer a later call to a function that frees allocated memory will feed free(3) with userdefined data. This bug could be exploited depending on the implementation of the dynamic allocateable memory API (malloc(3), free(3)) in the libc library. Linux and other system are exploitable. Updated packages are available from

No avatar November 24, 2001 00:00 When is a command line not a line?

This article discusses the way in which intuitive handling of "command lines" can lead to bugs and security problems, and suggests a solution.

November 23, 2001 09:28 SuSE: cyrus-sasl possible local/remote privilege escalation

The Cyrus SASL library provides an authentication API for mail clients and servers. A format bug was found in one of the logging functions, that could be used by an attacker to gain access to a machine or to acquire higher privileges. Fixed packages are available from

No avatar November 17, 2001 00:00 Python Projects

As I write this, there are almost 3,000 projects in freshmeat's C category and almost 1,500 in the Perl category, but there are only about 400 projects in the Python category. SourceForge has similar statistics. In this article, I hope to get more people to consider using Python in their next projects.

November 14, 2001 00:43 Debian: New versions of ssh-nonfree & ssh-socks fix buffe...

Debian has received reports that the "SSH CRC-32 compensation attack detector vulnerability" is being actively exploited. This is the same integer type error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were not. Fixed packages are available from

November 06, 2001 08:48 SuSE: remote privilege escalation in webalizer

The webalizer is a widely used tool for analyzing web server logs and produce statistics in HTML format. An exploitable bug was found in webalizer which allows a remote attacker to execute commands on other client machines or revealing sensitive information by placing HTML tags in the right place. This is possible due to missing sanity checks on untrusted data - hostnames and search keywords in this case - that are received by webalizer. This kind of attack is also known as "Cross-Site Scripting Vulnerability". Additionally the untrusted data will be written to files on the server running webalizer; this may lead to further problems when using this data as input for third-party software/scripts. Fixed packages are available from

Project Spotlight


A JMX remoting alternative to JSR-160 connectors.


Project Spotlight

MSS Code Factory

A rule-based expert system for manufacturing source code.