> ************************
> Widely Deployed Software
> ************************
>
> (1) HIGH: Winamp Playlist File Computer Name Handling Overflow
> Affected:
> Winamp all 5.x versions
>
> Description: Winamp, a popular Windows media player, contains a buffer
> overflow. The overflow can be triggered by a malformed playlist file (a
> file with a ".pls" extension) that contains an overlong "computer
> name". In order to exploit the flaw, an attacker can post the malicious
> playlist file on a webpage, shared folder or send it in an email. In a
> web attack scenario, Winamp may automatically open the crafted playlist
> file. The flaw can be leveraged to execute arbitrary code on the user's
> system. Exploit code has been publicly posted.
>
> Status: No patch yet available from Winamp. A workaround is to disable
> Winamp as the default media player.
>
> References:
> Posting by AtmaCA
> http://milw0rm.com/id.php?id=1458
> PlayList FileFormat
> http://developer.apple.com/documentation/QuickTime/QT6WhatsNew/Chap1/chapter_1_section_58.html
> Winamp Homepage
> http://www.winamp.com
> SecurityFocus BID
> http://www.securityfocus.com/bid/16410
>
> ********************************************************************
>
> (2) HIGH: Oracle PL/SQL Gateway Security Bypass
> Affected:
> Oracle PL/SQL Gateway present in Oracle Application Server, Oracle HTTP
> Server and Oracle Internet Application Server
>
> Description: NGSSoftware has reported that the Oracle PL/SQL gateway
> contains a flaw in processing user input that can be exploited to gain
> access to restricted packages and procedures. This can result in the
> compromise of the backend database server via HTTP (a common
> configuration). The flaw can be triggered by a specially crafted query
> with an unmatched right parenthesis ")".
>
> Status: Oracle has been informed of this high-rated flaw but has still
> not announced patches. NGSSoftware has published workarounds using the
> "mod_rewrite" Apache module that is a part of the Oracle HTTP Server.
>
> References:
> NGSSoftware Advisory
> http://archives.neohapsis.com/archives/bugtraq/2006-01/0397.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16384
>
> ********************************************************************
>
> (3) HIGH: CA iTechnology iGateway Buffer Overflow
> Affected:
> iGateway component prior to version 4.0.051230
>
> Description: Computer Associates' iGateway, an HTTP/HTTPS server that
> runs on port 5250/tcp, is a component present in a number of CA products
> including the BrightStor, eTrust and UniCenter product lines. This server
> contains an overflow that can be triggered by declaring a negative value
> for "content length" in an HTTP request. On Windows platforms, the flaw
> can be exploited to execute arbitrary code with SYSTEM privileges.
>
> Status: CA has posted a fix for the iGateway component. Vulnerable
> products can be located by checking the version number in the
> "iGateway.conf" file.
>
> References:
> CA Advisory
> http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_notice.asp
> iDefense Advisory
> http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0035.html
> SecurityFocus BID
> http://www.securityfocus.com/bid/16354
>
> **********************************************************************
>
> **************
> Other Software
> **************
>
> (6) CRITICAL: Mercury Mail Transport System Buffer Overflow
> Affected:
> Mercury Mail Transport System version 4.01b and prior
>
> Description: Mercury Mail Transport System is a mail server for Windows
> and Novell platforms. Mercury's Query Server for Directory services,
> which runs on port 105/tcp, contains a buffer overflow that can be
> exploited to execute arbitrary code with SYSTEM privileges. Exploit code
> has been publicly posted.
>
> Status: The vendor has released hotfixes for the product.
>
> References:
> Pegasus Advisory
> http://www.pmail.com/newsflash.htm#whfix
> http://www.pmail.com/patches.htm
> Exploit Code
> http://www.milw0rm.com/id.php?id=1375
> SecurityFocus BID
> http://www.securityfocus.com/bid/16396
>
> ****************************************************************
>
> 06.4.2 CVE: CVE-2006-0336
> Platform: Third Party Windows Apps
> Title: WinRoute Firewall Web Browsing Unspecified Denial of Service
> Description: Kerio WinRoute Firewall is an enterprise level firewall.
> It is vulnerable to a remote denial of service issue by unknown
> vectors involving "browsing the web". Kerio WinRoute Firewall versions
> 6.1.4 Patch 1 and earlier are vulnerable.
> Ref: http://www.kerio.com/kwf_history.html
> ______________________________________________________________________
>
>
> 06.4.7 CVE: CVE-2005-4411
> Platform: Third Party Windows Apps
> Title: Mercury Mail Remote Mailbox Name Service Buffer Overflow
> Description: Mercury Mail is a Mail Transfer Agent (MTA) server for
> Microsoft Windows operating systems. It is prone to a remote buffer
> overflow vulnerability in its mailbox name service due to improper
> bounds checking on user-supplied input. Mercury Mail version 4.01b is
> reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/16396/exploit
> ______________________________________________________________________
>
> 06.4.9 CVE: Not Available
> Platform: Linux
> Title: Red Hat Server Management Console Buffer Overflow
> Description: Red Hat Directory Server and Certificate Server are prone
> to buffer overflow issues because the application fails to perform
> boundary checks prior to copying user-supplied data into sensitive
> process buffers.
> Ref: http://www.securityfocus.com/archive/1/422934
> ______________________________________________________________________
>
> 06.4.11 CVE: CVE-2006-0379, CVE-2006-0380
> Platform: BSD
> Title: FreeBSD Multiple Local Kernel Memory Disclosure
> Description: FreeBSD is vulnerable to multiple local kernel memory
> disclosure issues. This is due to the failure of the kernel to
> initialize previously used memory buffers and incorrect calculation of
> memory buffer lengths. FreeBSD kernel versions 6.0 and 5.4-STABLE are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/16373
> ______________________________________________________________________
>
> 06.4.12 CVE: CVE-2006-0381
> Platform: BSD
> Title: OpenBSD PF IP Fragment Remote Denial Of Service
> Description: PF is a packet filtering package that is integrated into
> the operating system's kernel. OpenBSD's PF is susceptible to a remote
> denial of service vulnerability. This issue is due to a flaw in
> affected kernels that results in a kernel crash when attempting to
> normalize IP fragments. For a list of vulnerable versions, see the
> reference below.
> Ref: http://www.securityfocus.com/bid/16375
> ______________________________________________________________________
>
> 06.4.16 CVE: CVE-2005-3653
> Platform: Cross Platform
> Title: iTechnology iGateway Service Content-Length Heap Overflow
> Description: Computer Associates iTechnology iGateway is a component
> of various Computer Associates products. It allows remote attackers to
> execute arbitrary code by exploiting a heap overflow vulnerability.
> This issue arises because the application fails to perform boundary
> checks prior to copying user-supplied data into sensitive process
> buffers. Products containing iGateway version 4.0.051230 are
> vulnerable to this issue.
> Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376
> ______________________________________________________________________
>
>
> 06.4.18 CVE: Not Available
> Platform: Cross Platform
> Title: Oracle PL/SQL Gateway PLSQLExclusion Access Control List Bypass
> Description: The Oracle PL/SQL gateway is a component of Internet
> Application Server, Oracle Application Server and Oracle HTTP Server.
> It is prone to a vulnerability that permits the bypassing of the
> "PLSQLExclusion" list due to improper sanitization of user-supplied
> input. Successful exploitation may facilitate a compromise of the
> database server and enable an attacker to gain full DBA access. Please
> refer to the following link for a list of vulnerable versions.
> Ref: http://www.securityfocus.com/bid/16384/info
> ______________________________________________________________________
>
> 06.4.19 CVE: CVE-2006-0225
> Platform: Cross Platform
> Title: OpenSSH Local SCP Shell Command Execution
> Description: OpenSSH is an open source implementation of the Secure
> Shell protocol. It is susceptible to a local SCP shell command
> execution issue due to a failure of the application to properly
> sanitize user-supplied input prior to utilizing it in a "system()"
> function call. OpenSSH version 4.2 is affected.
> Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167
> ______________________________________________________________________
>
> 06.4.20 CVE: CVE-2006-0321
> Platform: Cross Platform
> Title: Fetchmail Bounced Message Denial of Service
> Description: Fetchmail is a freely available, open source mail
> retrieval utility. It is prone to a denial of service vulnerability
> due to improper handling of bounced messages. Specifically, the
> problem occurs when fetchmail tries to clear the array of failed
> message addresses by issuing a "free()" call to an invalid pointer.
> Fetchmail versions 6.3.1-rc1 and earlier are affected by this issue.
> Ref: http://www.securityfocus.com/bid/16365/discuss
> ______________________________________________________________________
>
> 06.4.21 CVE: CVE-2006-0019
> Platform: Cross Platform
> Title: KDE KJS Encodeuri / Decodeuri Remote Heap Overflow
> Description: KJS is the JavaScript interpreter engine used by
> Konqueror and KDE. It is prone to a remote heap overflow
> vulnerability. The issue presents itself when the application decodes
> specially-crafted UTF-8 encoded URI sequences. KDE versions 3.2.0 up
> to and including KDE 3.5.0 are vulnerable to this issue.
> Ref: http://www.securityfocus.com/bid/16325
> ______________________________________________________________________
>
>
> 06.4.51 CVE: Not Available
> Platform: Network Device
> Title: Cisco IOS TCLSH AAA Command Authorization Bypass
> Description: Cisco IOS has support for the TCL (Tool Command Language)
> scripting language. It is susceptible to a remote AAA (Authentication,
> Authorization, and Accounting) command authorization bypass issue due to
> a failure of the software to properly enforce command authorization
> restrictions in an "IOS EXEC" TCL command.
> Ref: http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
> ______________________________________________________________________
>
> 06.4.52 CVE: Not Available
> Platform: Network Device
> Title: Cisco VPN 3000 Concentrator Remote Denial of Service
> Description: Cisco VPN 3000 Concentrator products provide Virtual
> Private Network services. They are vulnerable to a remote denial of
> service issue when handling an unspecified specially crafted HTTP
> packet. Cisco VPN 3000 series concentrators running software versions
> 4.7.0 through 4.7.2.A are vulnerable.
> Ref: http://www.securityfocus.com/bid/16394
> ___________________________________________________________________
>
> (c) 2006. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>
> ==end==
>
> Subscriptions: @RISK is distributed free of charge to people responsible
> for managing and securing information systems and networks. You may
> forward this newsletter to others with such responsibility inside or
> outside your organization.
>
>