CVE Candidates as of 20030718

Phase: Modified (20000106-01)
Reference: CERT:CA-98-13-tcp-denial-of-service
Reference: BUGTRAQ:19981223 Re: CERT Advisory CA-98.13 - TCP/IP Denial of Service

Description:
Denial of service in BSD-derived TCP/IP implementations, as described in CERT CA-98-13.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Northcutt
   REVIEWING(1) Christey

 Christey> A Bugtraq posting indicates that the bug has to do with
   "short packets with certain options set," so the description
   should be modified accordingly.
   
   But is this the same as CVE-1999-0052?  That one is related
   to nestea (CAN-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750.
   The patches for CAN-1999-0001 are in lines 388&446.  So, 
   CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
   The FreeBSD patch for CVE-1999-0052 is in line 750.
   So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
   CVE-1999-0052 should be RECAST since this bug affects Linux
   and other OSes besides FreeBSD.
 Frech> XF:teardrop(338)
   This assignment was based solely on references to the CERT advisory.

Phase: Modified (19990621-01)
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175
Reference: MS:MS98-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-008.asp

Description:
MIME buffer overflow in email clients, e.g. Solaris mailtool and Outlook.

Votes:

   ACCEPT(8) Baker, Magdych, Wall, Landfield, Cole, Dik, Collins, Northcutt
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Shostack

 Frech> Extremely minor, but I believe e-mail is the correct term. (If you reject
   this suggestion, I will not be devastated.) :-)
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
 Christey> 
   CAN-2000-0415 may be a later rediscovery of this problem
   for Outlook.
 Dik> Sun bug 4163471,
 Christey> ADDREF BID:125
 Christey> BUGTRAQ:19980730 Long Filenames & Lotus Products
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526201&w=2

Phase: Proposed (19990726)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop

Description:
Teardrop IP denial of service.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF: teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q154174
   MSKB:Q154174 (CAN-1999-0015) and MSKB:Q179129 (CAN-1999-0104)
   indicate that CAN-1999-0015 was fixed in NT SP3, but
   CAN-1999-0104 was not.  Thus CD:SF-LOC suggests that the
   problems keep separate candidates because one problem appears
   in a different version than the other.
 Christey> BID:124
   http://www.securityfocus.com/bid/124
   Consider MSKB:Q154174
   http://support.microsoft.com/support/kb/articles/q154/1/74.asp
   Consider BUGTRAQ:19971113 Linux IP fragment overlap bug
   http://www.securityfocus.com/archive/1/8014

Phase: Modified (20000106-01)

Description:
** REJECT ** Duplicate of CVE-1999-0032 ** REJECT ** Buffer overflow in Linux lpr command gives root access.

Votes:

   MODIFY(1) Frech
   NOOP(4) Shostack, Levy, Wall, Northcutt
   REJECT(2) Baker, Christey

 Frech> XF:lpr-bo
 Christey> DUPE CVE-1999-0032, which includes XF:lpr-bo

Phase: Proposed (19990623)
Reference: CERT:CA-97.21.sgi_buffer_overflow
Reference: AUSCERT:AA-97.24.IRIX.xlock.buffer.overflow.vul
Reference: XF:sgi-xlockbo
Reference: SGI:19970508-02-PX

Description:
root privileges via buffer overflow in xlock command on SGI IRIX systems.

Votes:

   ACCEPT(3) Ozancin, Levy, Prosser
   RECAST(1) Frech
   REJECT(1) Christey

 Frech> XF:xlock-bo (also add)
   As per xlock-bo, also appears on AIX, BSDI, DG/UX, FreeBSD, Solaris, and
   several Linii.
   Also, don't you mean to cite SGI:19970502-02-PX? The one you list is
   login/scheme.
 Levy> Notice that this xlock overflow is the same as in
   CA-97.13. CA-97.21 simply is a reminder.
 Christey> As pointed out by Elias, CA-97.21 states: "For more
   information about vulnerabilities in xlock... see CA-97.13"
   CA-97.13 = CVE-1999-0038.
   This may also be a duplicate with CAN-1999-0306.
   
   See exploits at:
   
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418394&w=2
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418404&w=2
   
   Sun also has this problem, at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/150&type=0&nav=sec.sba

Phase: Proposed (19990607)
Reference: CERT:CA-97.18.at
Reference: SUN:00160
Reference: XF:sun-atbo

Description:
Command execution in Sun systems via buffer overflow in the at program

Votes:

   ACCEPT(8) Baker, Shostack, Wall, Cole, Dik, Collins, Hill, Northcutt
   NOOP(1) Christey
   RECAST(1) Frech

 Frech> This vulnerability also manifests itself for the following 
   platforms: AIX, HPUX, IRIX, Solaris, SCO, NCR MP-RAS. In this light,
   please add the following:
   Reference: XF:at-bo
 Dik> Sun bug 1265200, 4063161
 Christey> ADDREF SGI:19971102-01-PX
   ftp://patches.sgi.com/support/free/security/advisories/19971102-01-PX
   SCO:SB.97:01
   ftp://ftp.sco.com/SSE/security_bulletins/SB.97:01a
 Christey> CIAC:F-15
   http://ciac.llnl.gov/ciac/bulletins/f-15.shtml
   HP:HPSBUX9502-023
 Christey> Add period to the end of the description.

Phase: Proposed (19990630)
Reference: NAI:NAI-20
Reference: XF:bsd-lpd

Description:
File creation and deletion, and remote execution, in the BSD line printer daemon (lpd).

Votes:

   ACCEPT(3) Frech, Hill, Northcutt
   RECAST(1) Baker
   REVIEWING(1) Christey

 Christey> This should be split into three separate problems based on
   the SNI advisory.  But there's newer information to further
   complicate things.
   
   What do we do about this one?  in 1997 or so, SNI did an
   advisory on this problem.  In early 2000, it was still
   discovered to be present in some Linux systems.  So an 
   SF-DISCOVERY content decision might say that this is a
   long enough time between the two, so this should be recorded
   separately.  But they're the same codebase... so if we keep
   them in the same entry, how do we make sure that this entry
   reflects that some new information has been discovered?
   
   The use of dot notation may help in this regard, to use one
   dot for the original problem as discovered in 1997, and
   another dot for the resurgence of the problem in 2000.
 Baker> We should merge these.

Phase: Modified (19990925-01)
Reference: XF:ftp-args

Description:
Buffer overflow in wu-ftp from PASV command causes a core dump.

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Balinsky
   REVIEWING(1) Christey

 Balinsky> Don't know what this is.  Is this the LIST Core dump vulnerability?
 Christey> Need to add more references and details.

Phase: Modified (19990621-01)
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

Description:
pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call.

Votes:

   ACCEPT(5) Frech, Shostack, Landfield, Collins, Northcutt
   RECAST(1) Christey

 Christey> This candidate should be SPLIT, since there are two separate
   software flaws.  One is a symlink race and the other is a
   shell metacharacter problem.
 Christey> The permissions part of this vulnerability appears to
   overlap with CVE-1999-0353
 Christey> SGI:20020802-01-I

Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1998:001.1
Reference: XF:ibm-routed

Description:
AIX routed allows remote users to modify sensitive files.

Votes:

   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REJECT(1) Christey

 Frech> Reference: XF:ibm-routed
 Prosser> This vulnerability allows debug mode to be turned on which is
   the problem.  Should this be more specific in the description? This
   one also affects SGI OSes, ref SGI Security Advisory 19981004-PX which
   is in the SGI cluster, shouldn't these be cross-referenced as the same
   vuln affects multiple OSes.
 Christey> This appears to be subsumed by CVE-1999-0215

Phase: Proposed (19990617)
Reference: ERS:ERS-SVA-E01-1998:004.1
Reference: URL:http://www-1.ibm.com/services/brs/brspwhub.nsf/advisories/852567CC004F9038852566BF007B6393/$file/ERS-SVA-E01-1998_004_1.txt

Description:
IRIX and AIX automountd services (autofsd) allow remote users to execute root commands.

Votes:

   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

 Frech> ERS (and other references, BTW) explicitly stipulate 'local and
   remote'.
   Reference: XF:irix-autofsd
 Prosser> Include the SGI Alert as well since it is mentioned in the
   description.
   SGI Security Advisory 19981005-01-PX
 Christey> DUPE CAN-1999-0210?
 Christey> ADDREF CIAC:J-014
 Baker> It does look very similar to 1999-0210.  Perhaps they should be a single entry

Phase: Interim (19990630)
Reference: ERS:ERS-SVA-E01-1997:005.1
Reference: XF:ibm-libDtSvc

Description:
Buffer overflow in AIX libDtSvc library can allow local users to gain root access.

Votes:

   ACCEPT(2) Shostack, Northcutt
   MODIFY(2) Frech, Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

 Frech> Reference: XF:ibm-libDtSvc
 Prosser> The overflow is in the dtaction utility.  Also affects
   dtaction in the CDE on versions of SunOS (SUN 164). Probably should be
   specific.
 Christey> Same Codebase as CAN-1999-0121, so the two entries should be
   merged.

Phase: Proposed (19990623)
Reference: ERS:ERS-SVA-E01-1997:006.1

Description:
Various vulnerabilities in the AIX portmir command allows local users to obtain root access.

Votes:

   ACCEPT(1) Bollinger
   MODIFY(1) Frech
   NOOP(1) Ozancin

 Frech> XF:ibm-portmir

Phase: Proposed (19990726)
Reference: XF:smtp-helo-bo

Description:
Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.

Votes:

   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Frech> (Accept XF reference.)
   Our references do not mention hiding activities. This issue can crash the
   SMTP server or execute arbitrary byte-code. Is there another reference
   available?
 Christey> Should this be merged with CAN-1999-0284, which is Sendmail
   with SMTP HELO?
 Christey> BUGTRAQ:19980522 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925991&w=2
   BUGTRAQ:19980527 about sendmail 8.8.8 HELO hole
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101926003&w=2

Phase: Proposed (19990726)
Reference: CERT:CA-97.28.Teardrop_Land
Reference: XF:teardrop-mod

Description:
A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2

Votes:

   ACCEPT(2) Frech, Wall
   REVIEWING(1) Christey

 Wall> Another reference is Microsoft Knowledge Base Q179129.
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
 Christey> MSKB:Q179129
   http://support.microsoft.com/support/kb/articles/q179/1/29.asp
   Note that the hotfix name is teardrop2, but the keywords
   included in the KB article specifically name bonk
   (CAN-1999-0258) and boink.
   Since teardrop2 was fixed in a slightly different version
   (at least in a separate patch) than Teardrop, CD:SF-LOC
   suggests keeping them separate.
 Christey> Add period to the end of the description.

Phase: Proposed (19990726)

Description:
finger allows recursive searches by using a long string of @ symbols.

Votes:

   MODIFY(2) Frech, Shostack
   NOOP(1) Christey
   REJECT(1) Northcutt

 Shostack> fingerD
 Frech> XF:finger-bomb
 Christey> aka redirection or forwarding requests? (but then might
   overlap CAN-1999-0106)

Phase: Proposed (19990726)

Description:
Finger redirection allows finger bombs.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(2) Frech, Shostack
   REVIEWING(1) Christey

 Shostack> fingerd allows redirection
   This is a larger modification, since there are two applications of the 
   vulnerability, one that I can finger anonymously, and the other that I 
   can finger bomb anonymously.
 Frech> XF:finger-bomb
 Christey> need more refs

Phase: Modified (19991223-01)
Reference: XF:apache-dos
Reference: BUGTRAQ:19971230 Apache DoS attack?

Description:
Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Shostack, Wall, Northcutt
   REVIEWING(1) Levy
   REVOTE(1) Christey

 Wall> - Although this is probably the phf hack.
 Frech> XF:apache-dos
 Christey> This sounds like the incident reported in:
   NTBUGTRAQ:20000810 Apache Distributed Denial of Service
 Levy> I belive this is the problem where sending lot of HTTP headers to apache resulted on a denial of service.
   BUGTRAQ: http://www.securityfocus.com/archive/1/10228
   BUGTRAQ: http://www.securityfocus.com/archive/1/10516

Phase: Interim (19990810)

Description:
** REJECT ** Duplicate of CVE-1999-0315 (this has a typo) ** REJECT ** Buffer overflow in fbformat command in Solaris.

Votes:

   MODIFY(1) Frech
   NOOP(4) Shostack, Levy, Wall, Northcutt
   REJECT(3) Baker, Dik, Christey

 Frech> XF:fdformat-bo
 Christey> Duplicate of CAN-1999-0315
 Dik> dup

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990912 elm filter program
Reference: BUGTRAQ:19951226 filter (elm package) security hole
Reference: XF:elm-filter2

Description:
Local users can execute commands as other users, and read other users' files, through the filter command in the Elm elm-2.4 mail package using a symlink attack.

Votes:

   ACCEPT(7) Shostack, Bishop, Wall, Landfield, Cole, Armstrong, Blake
   MODIFY(2) Baker, Frech
   NOOP(3) Ozancin, Christey, Northcutt
   REVIEWING(1) Levy

 Frech> XF:elm-filter2
 CHANGE> [Wall changed vote from NOOP to ACCEPT]
 Landfield> with Frech modifications
 Baker> ADD REF http://www.cert.org/ftp/cert_bulletins/VB-95:10a.elm	Official Advisory
 Christey> The correct URL is http://www.cert.org/vendor_bulletins/VB-95:10a.elm
   Need to make sure that this CERT advisory describes the right
   problem, especially since the CERT advisory is dated December
   18, 1995 and the original Bugtraq post was December 26, 1995.
 Christey> BID:1802
   URL:http://www.securityfocus.com/bid/1802
   BID:1802 doesn't include the 1999 posting - does Security
   Focus think that the 1999 post describes a different
   vulnerability?
 Christey> XF:elm-filter2 isn't on the X-Force web site.  How about XF:elm-filter(402) ?
   Its references point to the December 26, 1995 BUgtraq post.
   
   Also consider CIAC:G-36 and CERT:VB-95:10
 Frech> DELREF:XF:elm-filter2(711)
   ADDREF:XF:elm-filter(402)

Phase: Proposed (19990728)

Description:
Windows NT 4.0 beta allows users to read and delete shares.

Votes:

   MODIFY(1) Frech
   NOOP(1) Northcutt
   REJECT(1) Wall

 Wall> Reject based on beta copy.
 Frech> XF:nt-beta(11)
   Reconsider reject, because this beta was in widespread use.

Phase: Proposed (19990617)
Reference: SUN:00164
Reference: ERS:ERS-SVA-E01-1997:005.1

Description:
Buffer overflow in dtaction command gives root access.

Votes:

   ACCEPT(2) Dik, Northcutt
   MODIFY(3) Baker, Frech, Prosser
   REVIEWING(1) Christey

 Frech> Reference: XF:dtaction-bo
   Reference: XF:sun-dtaction
 Prosser> Buffer overflow also affects /usr/dt/bin/dtaction in libDtSvc.a
   library in AIX 4.x, but reference for this Sun vulnerability should
   only reflect the Sun Bulletin or the CIAC I-032 version of the Sun
   Bulletin
 Christey> This is the Same Codebase as CAN-1999-0089, so the two entries
   should be merged.
 Frech> Replace sun-dtaction(732) with dtaction-bo(879)
 Baker> Merge with 1999-0089

Phase: Modified (20000105-01)
Reference: XF:linux-mailx
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole

Description:
Race condition in Linux mailx command allows local users to read user files.

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(1) Wall

Phase: Proposed (19990623)
Reference: CERT:CA-96.27.hp_sw_install
Reference: AUSCERT:AA-96.04
Reference: XF:hpux-swinstall

Description:
swinstall and swmodify commands in SD-UX package in HP-UX systems allow local users to create or overwrite arbitrary files to gain root access.

Votes:

   ACCEPT(1) Prosser
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> (keep current XF: reference, and add)
   XF:hpux-sqwmodify
 Christey> Perhaps this should be split, per SF-LOC.
 Christey> CIAC:H-81
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   HP:HPSBUX9707-064  references CERT:CA-96.27
   http://ciac.llnl.gov/ciac/bulletins/h-81.shtml
   
   The original AUSCERT advisory says that the programs "create
   files in an insecure manner" and "Exploit details involving
   this vulnerability have been made publicly available." which
   leads one to assume that the following original Bugtraq post
   provides the details for a standard symlink problem:
   
   BUGTRAQ:19961005 swinst,bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419941&w=2

Phase: Proposed (19990630)

Description:
Denial of service in RAS/PPTP on NT systems.

Votes:

   ACCEPT(1) Hill
   MODIFY(2) Frech, Meunier
   NOOP(1) Baker
   REJECT(1) Christey

 Meunier> Add "pptp invalid packet length in header" to distinguish from other
   vulnerabilities in RAS/PPTP on NT systems resulting in DOS, that might be
   discovered in the future.
 Frech> XF:nt-ras-bo
   ONLY IF reference is to MS:MS99-016
 Christey> According to my mappings, this is not the MS:MS99-016 problem
   referred to by Andre.  However, I have yet to dig up a
   source.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> This is too general to know which problem is being discussed.
   More precise candidates should be created.
 Christey> Consider adding BID:2111

Phase: Modified (20010301-02)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319029&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: BID:2237
Reference: URL:http://www.securityfocus.com/bid/2237
Reference: XF:qmail-rcpt
Reference: URL:http://xforce.iss.net/static/208.php

Description:
Denial of service in Qmail by specifying a large number of recipients with the RCPT command.

Votes:

   ACCEPT(4) Baker, Frech, Meunier, Hill
   REVIEWING(1) Christey

 Christey> DUPE CAN-1999-0418 and CAN-1999-0250?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> http://cr.yp.to/qmail/venema.html
   Berstein rejects this as a vulnerability, claiming this is a slander campaign by Wietse Venema.
   His page states this is not a qmail problem, rather it is a UNIX problem
   that many apps can consume all available memory, and that the administrator
   is responsible to set limits in the OS, rather than expect applications to
   individually prevent memory exhaustion.  CAN 1999-0250 does appear to
   be a duplicate of this entry, based on the research I have done so far.
   There were two different bugtraq postings, but the second one references
   the first, stating that the new exploit uses perl instead of shell scripting
   to accomplish the same attack/exploit.
 Baker> http://www.securityfocus.com/archive/1/6970
   http://www.securityfocus.com/archive/1/6969
   http://cr.yp.to/qmail/venema.html
   
   Should probably reject CAN-1999-0250, and add these references to this
   Candidate.
 Baker> http://www.securityfocus.com/bid/2237
 CHANGE> [Baker changed vote from REVIEWING to ACCEPT]
 Christey> qmail-dos-1.c, as published by Wietse Venema (CAN-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   qmail-dos-2.c, as published by Wietse Venema (CAN-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BID:2237
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   ADDREF BUGTRAQ:19970612 Re: Denial of service (qmail-smtpd)
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."

Phase: Proposed (20010912)
Reference: MSKB:Q163485
Reference: MSKB:Q164059
Reference: BUGTRAQ:19970220 ! [ADVISORY] Major Security Hole in MS ASP
Reference: XF:http-iis-aspdot
Reference: XF:http-iis-aspsource

Description:
IIS 2.0 and 3.0 allows remote attackers to read the source code for ASP pages by appending a . (dot) to the end of the URL.

Votes:

   ACCEPT(4) Frech, Wall, Foat, Stracener
   NOOP(2) Cole, Christey

 Christey> This is the precursor to the problem that is identified in
   CAN-1999-0253.  
 Christey> CIAC:H-48
   URL:http://ciac.llnl.gov/ciac/bulletins/h-48.shtml
 CHANGE> [Foat changed vote from NOOP to ACCEPT]

Phase: Proposed (19990714)
Reference: XF:ftp-pwless

Description:
wu-ftpd FTP daemon allows any user and password combination.

Votes:

   ACCEPT(2) Shostack, Northcutt
   NOOP(1) Baker
   RECAST(1) Frech
   REVIEWING(2) Christey, Prosser

 Prosser> but so far can find no reference to this one
 Frech> Our records indicate that this does not necessarly affect just wu-ftp (ie,
   also affects IIS FTP server).
 Christey> The references for XF:ftp-pwless are not specific enough,
   e.g. in terms of version numbers.  Perhaps this candidate
   should be rejected due to insufficient information.

Phase: Proposed (19990714)
Reference: XF:smtp-pipe

Description:
In older versions of Sendmail, an attacker could use a pipe character to execute root commands.

Votes:

   ACCEPT(2) Frech, Northcutt
   MODIFY(1) Prosser
   NOOP(2) Baker, Christey
   RECAST(1) Shostack

 Shostack> there was a 'To: |' and a 'From: |' attack, which I
   think are seperate.
 Prosser> older vulnerability, but one additional reference is-
   The Ultimate Sendmail Hole List by Markus Hübner @
   bau2.uibk.ac.at/matic/buglist.htm
   '|PROGRAM '
 Christey> Description needs to be more specific to distinguish between
   this and CAN-1999-0203, as alluded to by Adam Shostack

Phase: Proposed (19990714)
Reference: XF:nfs-cache

Description:
NFS cache poisoning

Votes:

   ACCEPT(3) Baker, Frech, Northcutt
   MODIFY(1) Shostack
   NOOP(1) Prosser
   REVIEWING(1) Christey

 Shostack> need more data
 Christey> need more refs
 Christey> Add period to the end of the description.

Phase: Proposed (19990714)
Reference: XF:nfs-uid

Description:
NFS allows attackers to read and write any file on the system by specifying a false UID.

Votes:

   ACCEPT(2) Frech, Northcutt
   REJECT(1) Shostack

 Shostack> this is not a vulnerability but a design feature.

Phase: Proposed (19990714)
Reference: XF:syslog-flood

Description:
Denial of service in syslog by sending it a large number of superfluous messages.

Votes:

   ACCEPT(2) Frech, Northcutt
   NOOP(1) Baker
   REJECT(2) Shostack, Christey

 Shostack> design issue, not a vulnerability.  Alternately, add:
   DOS on server by opening a large number of telnet sessions..
 Christey> Duplicate of CVE-1999-0566

Phase: Proposed (19990726)
Reference: SUN:00178
Reference: XF:snmp-backdoor-access

Description:
In Solaris, an SNMP subagent has a default community string that allows remote attackers to execute arbitrary commands as root, or modify system parameters.

Votes:

   ACCEPT(2) Baker, Dik
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Frech> Change XF:snmp-backdoor-access to XF:sol-hidden-commstr
   Add ISS:Hidden Community String in SNMP Implementation
 Christey> What is the proper level of abstraction to use here?  Should
   we have a separate entry for each different default community
   string?  See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   
   Until the associated content decisions have been approved
   by the Editorial Board, this candidate cannot be accepted
   for inclusion in CVE.
 Christey> ADDREF BID:177
 Christey> ISS:19981102 Hidden community string in SNMP implementation
   http://xforce.iss.net/alerts/advise11.php
   
   Change description to include "hidden"
 Christey> XF:snmp-backdoor-access is missing.

Phase: Modified (19990805)
Reference: SUN:00179

Description:
** REJECT ** Duplicate of CAN-1999-0022 (SUN:00179 is referenced in CERT:CA-97.23.rdist) The rdist program in Solaris has some buffer overflows that allow attackers to gain root access.

Votes:

   ACCEPT(2) Hill, Northcutt
   RECAST(3) Baker, Frech, Prosser
   REJECT(1) Dik
   REVIEWING(1) Christey

 Prosser> The Sun Patches in Ref roll-up fixes for an earlier BO in
   rdist lookup( )(ref CERT 96.14)as well as the BO in rdist function expstr()
   (ref CERT 97-23) and various vendor bulletins.  However both of these rdist
   BO's affect many more OSs than just Sun, i.e., BSD/OS 2.1, DEC OSF's, AIX,
   FreeBSD, SCO, SGI, etc.  Believe this falls into the SF-codebase content
   decision
 Frech> XF:rdist-bo (error msg formation)
   XF:rdist-bo2 (execute code)
   XF:rdist-bo3 (execute user-created code)
   XF:rdist-sept97 (root from local)
 Christey> Duplicate of CAN-1999-0022 (SUN:00179 is referenced in
   CERT:CA-97.23.rdist), but as Mike and Andre noted, there
   are multiple flaws here, so a RECAST may be necessary.
 Dik> As currently phrasedm thissa duplicate of CVE-1999-0022
 Baker> Based on our new philosophy, this should be recast/merged or re-described.

Phase: Proposed (19990714)

Description:
Denial of service in Ascend and 3com routers, which can be rebooted by sending a zero length TCP option.

Votes:

   ACCEPT(5) Shostack, Bishop, Ozancin, Cole, Northcutt
   MODIFY(2) Baker, Blake
   NOOP(4) Frech, Wall, Landfield, Armstrong
   REVIEWING(2) Levy, Christey

 Frech> possibly XF:ascend-kill
   I can't find a reference that lists both routers in the same reference.
 Wall> Comment:  There is a reference about the zero length TCP option in BugTraq on
   Feb 5, 1999
   and it mentions Cisco, but not directly Ascend or 3Com.  CIAC Advisory I-038
   mentions
   vulnerabilities in Ascend, but does not mention TCP.  CIAC Advisory I-052
   mentions
   3Com vulnerabilities, but not TCP.  Too confusing withour better references.
 Landfield> What are the references for this ? I cannot find a means to check it out.
 CHANGE> [Frech changed vote from REVIEWING to NOOP]
 Frech> Cannot reconcile to our database without further references.
 Blake> I'm with Andre.  I only remember and can find reference to the Ascend
   issue.  Do we have a refernce to the 3Coms?  If not, that should be
   removed from the description.
 Baker> http://xforce.iss.net/static/614.php	Misc Defensive Info
   http://www.securityfocus.com/archive/1/5682	Misc Offensive Info
   http://www.securityfocus.com/archive/1/5647	Misc Defensive Info
   http://www.securityfocus.com/archive/1/5640	Misc Defensive Info
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Phase: Modified (19991130-01)
Reference: BUGTRAQ:19990128 rpcbind: deceive, enveigle and obfuscate

Description:
Denial of service in RPC portmapper allows attackers to register or unregister RPC services or spoof RPC services using a spoofed source IP address such as 127.0.0.1.

Votes:

   ACCEPT(2) Shostack, Balinsky
   MODIFY(1) Frech
   NOOP(3) Baker, Wall, Northcutt
   REVIEWING(2) Levy, Christey

 Frech> XF:rpcbind-spoof
 Christey> CAN-1999-0195 = CAN-1999-0461 ?
   If this is approved over CAN-1999-0461, make sure it gets
   XF:pmap-sset

Phase: Proposed (19990726)

Description:
finger 0@host on some systems may print information on some user accounts.

Votes:

   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

 Shostack> fingerd may respond to 'finger 0@host' with account info
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track
   competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1002
   Finger 0@host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger 0@host check)
   http://cgi.nessus.org/plugins/dump.php3?id=10069 (Finger zero at host
   feature)

Phase: Proposed (19990726)

Description:
finger .@host on some systems may print information on some user accounts.

Votes:

   MODIFY(2) Frech, Shostack
   REJECT(1) Northcutt

 Shostack> as above
 Frech> Need more reference to establish this 'exposure'.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:finger-unused-accounts(8378)
   We're entering it into our database solely to track
   competition. The only references seem to be product listings:
   http://hq.mcafeeasap.com/vulnerabilities/vuln_data/1000.asp (1004
   Finger .@target-host check)
   http://www.ipnsa.com/ipnsa_vuln.htm?step=1000 (Finger .@target-host
   check )
   http://cgi.nessus.org/plugins/dump.php3?id=10072 (Finger dot at host
   feature)

Phase: Modified (19991130-01)
Reference: MSKB:Q137853

Description:
Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Shostack
   NOOP(2) Wall, Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy

 Shostack> WFTP is not sufficient; is this wu-, ws-, war-, or another?
 Frech> Other have mentioned this before, but it may be WU-FTP.
   POSSIBLY XF:ftp-exec; does this have to do with the Site Exec allowing root
   access without anon FTP or a regular account?
   POSSIBLY XF:wu-ftpd-exec;same as above conditions, but instead from a
   non-anon FTP account and gain root privs.
 Christey> added MSKB reference
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> The MSKB article may have confused things even more.  There
   were reports of problems in a Windows-based FTP server called
   WFTP (http://www.wftpd.com/) that is not a Microsft FTP
   server.  It's best to just kill this candidate where it
   stands and start fresh.

Phase: Modified (19990925-01)
Reference: BUGTRAQ:19990708 SM 8.6.12

Description:
Denial of service in Sendmail 8.6.11 and 8.6.12.

Votes:

   ACCEPT(2) Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(2) Ozancin, Christey

 Frech> XF:sendmail-alias-dos
 Prosser> additional source
   Bugtraq
   "Re:  SM 8.6.12"
   http://www.securityfocus.com
 Christey> The Bugtraq thread does not provide any proof, including a
   comment by Eric Allman that he hadn't been provided any
   details either.
   
   See http://www.securityfocus.com/templates/archive.pike?list=1&date=1995-07-8&thread=199507131402.KAA02492@bedbugs.net.ohio-state.edu
   for the thread.
 Christey> Change Bugtraq reference date to 19950708.

Phase: Modified (20001009-01)
Reference: XF:sun-libnsl
Reference: SUNBUG:4305859

Description:
libnsl in Solaris allowed an attacker to perform a denial of service of rpcbind.

Votes:

   ACCEPT(6) Ozancin, Landfield, Cole, Dik, Hill, Blake
   MODIFY(3) Baker, Frech, Levy
   NOOP(4) Bishop, Wall, Armstrong, Meunier
   REVIEWING(1) Christey

 Frech> XF:sun-libnsl
 Dik> Sun bug #4305859
 Baker> http://xforce.iss.net/static/1204.php	Misc Defensive Info
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/172&type=0&nav=sec.sba	Vendor Info
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories/A1050E354364BF498525680F0077E414/$file/ERS-OAR-E01-1998_074_1.txt	Vendor Info
   http://www.securityfocus.com/archive/1/9749	Misc Defensive Info
 Christey> I don't think this is the bug that everyone thinks it is.
   This candidate came from CyberCop Scanner 2.4/2.5, which
   only reports this as a DoS problem.  If SUN:00172 is an
   advisory for this, then it may be a duplicate of
   CVE-1999-0055.  There appears to be overlap with other
   references as well.  HOWEVER, this particular one deals with a
   DoS in rpcbind - which isn't mentioned in the sources for
   CVE-1999-0055.
 Levy> BID 148

Phase: Modified (19991203-01)
Reference: BUGTRAQ:19971130 Linux inetd..
Reference: XF:linux-inetd-dos
Reference: HP:HPSBUX9803-077
Reference: XF:hp-inetd

Description:
Denial of service of inetd on Linux through SYN and RST packets.

Votes:

   ACCEPT(1) Hill
   MODIFY(2) Baker, Frech
   RECAST(1) Meunier

 Meunier> The location of the vulnerability, whether in the Linux kernel or the
   application, is debatable.  Any program making the same (reasonnable)
   assumption is vulnerable, i.e., implements the same vulnerability:
   "Assumption that TCP-three-way handshake is complete after calling Linux
   kernel function accept(), which returns socket after getting SYN.   Result
   is process death by SIGPIPE"
   Moreover, whether it results in DOS (to third parties) depends on the
   process that made the assumption.
   I think that the present entry should be split, one entry for every
   application that implements the vulnerability (really describing threat
   instances, which is what other people think about when we talk about
   vulnerabilities), and one entry for the Linux kernel that allows the
   vulnerability to happen.
 Frech> XF:hp-inetd
   XF:linux-inetd-dos
 Baker> Since we have an hpux bulletin, the description should not specifically say Linux, should it?  It applies to mulitple OS and should be likely either modified, or in extreme case, recast

Phase: Proposed (19990728)

Description:
Attackers can do a denial of service of IRC by crashing the server.

Votes:

   NOOP(1) Northcutt
   REJECT(2) Frech, Christey

 Frech> Would reconsider if any references were available.
 Christey> No references available, combined with extremely vague
   description, equals REJECT.

Phase: Proposed (19990714)

Description:
Denial of service in Cisco IOS web server allows attackers to reboot the router using a long URL.

Votes:

   ACCEPT(1) Baker
   MODIFY(3) Frech, Shostack, Levy
   NOOP(3) Balinsky, Wall, Northcutt
   RECAST(1) Ziese
   REJECT(1) Christey

 Shostack> I follow cisco announcements and problems pretty closely, and haven't
   seen this.  Source?
 Frech> XF:cisco-web-crash
 Christey> XF:cisco-web-crash has no additional references.  I can't find
   any references in Bugtraq or Cisco either.  This bug is
   supposedly tested by at least one security product, but that
   product's database doesn't have any references either.  So
   a question becomes, how did it make it into at least two
   security companies' databases?
 Levy> BUGTGRAQ: http://www.securityfocus.com/archive/1/60159
   BID 1154
 Ziese> The vulnerability is addressed by a vendor acknowledgement.  This one, if
   recast to reflect that "...after using a long url..." should be replaced
   with
   "...A defect in multiple releases of Cisco IOS software will cause a Cisco
   router or switch to halt and reload if the IOS HTTP service is enabled,
   browsing to "http://router-ip/anytext?/" is attempted, and the enable
   password is supplied when requested. This defect can be exploited to produce
   a denial of service (DoS) attack."
   Then I can accept this and mark it as "Verfied by my Company".  If it can't
   be recast because this (long uri) is diffferent then our release (special
   url construction).
 CHANGE> [Christey changed vote from REVIEWING to REJECT]
 Christey> Elias Levy's suggested reference is CVE-2000-0380.
   I don't think that Kevin's description is really addressing
   this either.  The lack of references and a specific
   description make this candidate unusable, so it should be
   rejected.

Phase: Proposed (19990728)

Description:
Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Christey

 Christey> Too general, and no references.
 Frech> XF:nt-frag(528)
   See reference from BugTraq Mailing List, "A New Fragmentation Attack" at
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&ms
   g=Pine.SUN.3.94.970710054440.11707A-100000@dfw.dfw.net

Phase: Modified (19991228-02)
Reference: MSKB:Q115052

Description:
Denial of service in Windows NT IIS server using ..\..

Votes:

   ACCEPT(2) Baker, Shostack
   MODIFY(2) Frech, Wall
   NOOP(1) Northcutt
   REJECT(1) Christey
   REVIEWING(1) Levy

 Wall> Denial of service in Windows NT IIS Server 1.0 using ..\...
   Source: Microsoft Knowledge Base Article Q115052 - IIS Server.
 Frech> XF:http-dotdot (not necessarily IIS?)
 Christey> DELREF XF:http-dotdot - it deals with a read/access dot dot
   problem.
 Christey> This actually looks like XF:iis-dot-dot-crash(1638)
   http://xforce.iss.net/static/1638.php
   If so, include the version number (2.0)
   
 CHANGE> [Christey changed vote from REVOTE to REJECT]
 Christey> Bill Wall intended to suggest Q155052, but the affected
   IIS version there is 1.0; the effect is to read files,
   so this sounds like a directory traversal problem,
   instead of an inability to process certain strings.
   
   As a result, this candidate is too general, since it could
   apply to 2 different problems, so it should be REJECTed.
 Christey> Consider adding BID:2218

Phase: Modified (19991207-01)
Reference: BUGTRAQ:19990317 Re: SLMail 2.6 DoS - Imail also

Description:
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Votes:

   ACCEPT(1) Levy
   NOOP(3) Landfield, Christey, Northcutt
   RECAST(1) Frech
   REVIEWING(1) Ozancin

 Frech> XF:slmail-vrfyexpn-overflow (for Slmail v3.2 and below)
   XF:smtp-vrfy-bo (many mail packages)
 Northcutt> (There is no way I will have access to these systems)
 Christey> Some sources report that VRFY and EXPN are both affected.

Phase: Modified (19991220-01)

Description:
Buffer overflow in NCSA WebServer (version 1.5c) gives remote access.

Votes:

   ACCEPT(2) Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Baker
   REVIEWING(1) Christey

 Frech> Unable to provide a match due to vague/insufficient description/references.
   Possible matches are:
   XF:ftp-ncsa (probably not, considering you've mentioned the webserver.)
   XF:http-ncsa-longurl (highest probability)
 Christey> CAN-1999-0235 is the one associated with XF:http-ncsa-longurl
   More research is necessary for this one.
 Baker> Since this has no references at all, and is vague and we have a
   CAN for the most likely issue, we should kill this one

Phase: Modified (19991220-01)
Reference: CERT:CA-95:04
Reference: CIAC:F-11

Description:
Buffer overflow in NCSA WebServer (1.4.1 and below) gives remote access.

Votes:

   ACCEPT(3) Hill, Prosser, Northcutt
   MODIFY(1) Frech
   REJECT(2) Baker, Christey

 Frech> XF:http-ncsa-longurl
 Christey> CAN-1999-0235 has the same ref's as CVE-1999-0267
 Baker> Not to mention, the X-force listings of http-ncsa-longurl and http-port both
   refer to the same problem.  This should be rejected as 1999-0267 is the same problem.

Phase: Proposed (19990623)
Reference: XF:http-cgi-phpfileread

Description:
php.cgi allows attackers to read any file on the system.

Votes:

   ACCEPT(5) Baker, Frech, Collins, Prosser, Northcutt
   NOOP(1) Christey

 Prosser> additional source
   AUSCERT External Security Bulletin ESB-97.047
   http://www.auscert.org.au
 Christey> ADDREF BUGTRAQ:19970416 Update on PHP/FI hole
   URL:http://www.dataguard.no/bugtraq/1997_2/0069.html
   The attacker specifies the filename as an argument to the
   program.
   Add "PHP/FI" to description to facilitate search.
   AUSCERT URL is ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
 Christey> Consider adding BID:2250

Phase: Proposed (19990728)

Description:
Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.

Votes:

   ACCEPT(1) Northcutt
   REJECT(1) Frech

 Frech> Would reconsider if any references were available.

Phase: Modified (19990925-01)
Reference: XF:http-xguess-cookie

Description:
Guessable magic cookies in X Windows allows remote attackers to execute commands, e.g. through xterm.

Votes:

   ACCEPT(3) Proctor, Hill, Northcutt
   MODIFY(2) Frech, Prosser
   NOOP(1) Baker
   REVIEWING(1) Christey

 Frech> Also add to references:
   XF:sol-mkcookie
 Prosser> additional source
   Bugtraq
   "X11 cookie hijacker"
   http://www.securityfocus.com
 Christey> The cookie hijacker thread has to do with stealing cookies
   through a file with bad permissions.  I'm not sure the
   X-Force reference identifies this problem either.
 Christey> CIAC:G-04
   URL:http://ciac.llnl.gov/ciac/bulletins/g-04.shtml
   SGI:19960601-01-I
   URL:ftp://patches.sgi.com/support/free/security/advisories/19960601-01-I
   CERT:VB-95:08

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19951222 mailx-5.5 (slackware /bin/mail) security hole
Reference: XF:linux-pop3d

Description:
Remote attackers can access mail files via POP3 in some Linux systems that are using shadow passwords.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Shostack, Wall, Christey, Northcutt
   REVIEWING(1) Levy

 Frech> Ambiguous description: need more detail. Possibly:
   XF:linux-pop3d (mktemp() leads to reading e-mail)
 Christey> At first glance this might look like CAN-1999-0123 or
   CVE-1999-0125, however this particular candidate arises out
   of a brief mention of the problem in a larger posting which
   discusses CAN-1999-0123 (which may be the same bug as
   CVE-1999-0125).  See the following phrase in the Bugtraq
   post: "one such example of this is in.pop3d"
   
   However, the original source of this candidate's description
   explicitly mentions shadowed passwords, though it has no
   references to help out here.

Phase: Proposed (19990714)

Description:
Linux cfingerd could be exploited to gain root access.

Votes:

   ACCEPT(1) Shostack
   NOOP(4) Baker, Levy, Wall, Northcutt
   REJECT(2) Frech, Christey

 Christey> This has no sources; neither does the original database that
   this entry came from.  It's a likely duplicate of 
   CAN-1999-0813.
 Frech> I disagree on the dupe; see Linux-Security Mailing List,
   "[linux-security] Cfinger (Yet more :)" at
   http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
   if v1.2.3 is vulnerable, perhaps 1.3.0 also. CAN-1999-0813 pertains
   to 1.4.x and below and shows up two years later.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> If the reference I previously supplied is correct, then
   it appears as if the poster modified the source using authorized 
   access to make it vulnerable. Modifying the source in this manner 
   does not qualify as being listed a vulnerability.
   I disagree on the dupe; see Linux-Security Mailing List,
   "[linux-security] Cfinger (Yet more :)" at
   http://www.geocrawler.com/archives/3/92/1996/9/0/2217716/. Seems as
   if v1.2.3 is vulnerable, perhaps 1.3.0 also. CAN-1999-0813 pertains
   to 1.4.x and below and shows up two years later.

Phase: Proposed (19990630)
Reference: XF:hp-remote

Description:
HP Remote Watch allows a remote user to gain root access.

Votes:

   ACCEPT(4) Frech, Hill, Prosser, Northcutt
   NOOP(1) Baker
   RECAST(1) Christey

 Frech> Comment: Determine if it's RemoteWatch or Remote Watch.
 Christey> HP:HPSBUX9610-039 alludes to multiple vulnerabilities in
   Remote Watch (the advisory uses two words, not one, for the
   "Remote Watch" name)
   
   ADDREF BUGTRAQ:19961015 HP/UX Remote Watch (was Re: BoS: SOD remote exploit)
   URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=199610151351.JAA18241@grymoire.crd.ge.com
 Prosser> agree that the advisory mentions two vulnerabilities in Remote
   Watch, one being a socket connection and other with the showdisk utility
   which seems to be a suid vulnerability.  Never get much details on this
   anywhere since the recommendation is to remove the program since it is
   obsolete and superceded by later tools. Believe the biggest concern here is
   to just not run the tool at all.
 Christey> CIAC:H-16
   Also, http://www.cert.org/vendor_bulletins/VB-96.20.hp
   And possibly AUSCERT:AA-96.07 at
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.07.HP-UX.Remote.Watch.vul
 Christey> Also BUGTRAQ:19961013 BoS: SOD remote exploit
   http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419969&w=2
   Include "remwatch" in the description to facilitate search.

Phase: Proposed (19990714)

Description:
Windows NT RSHSVC program allows remote users to execute arbitrary commands.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Wall
   NOOP(2) Shostack, Northcutt
   RECAST(1) Christey
   REVIEWING(1) Levy

 Wall> Windows NT Rshsvc.exe from the Windows NT Resource Kit allows
   remote
   users to execute arbitrary commands.
   Source: rshsvc.txt from the Windows NT Resource Kit.
 Frech> XF:rsh-svc
 Christey> MSKB:Q158320, last reviewed in January 1999, refers to a case
   where remote users coming from authorized machines are
   allowed access regardless of what .rhosts says.  XF:rsh-svc
   refers to a bug circa 1997 where any remote entity could
   execute commands as system.

Phase: Modified (20010301-01)
Reference: BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602558319024&w=2
Reference: MISC:http://cr.yp.to/qmail/venema.html
Reference: MISC:http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
Reference: XF:qmail-leng

Description:
Denial of service in Qmail through long SMTP commands.

Votes:

   ACCEPT(2) Meunier, Hill
   MODIFY(1) Frech
   REJECT(1) Baker
   REVIEWING(1) Christey

 Frech> XF:qmail-rcpt
 Christey> DUPE CAN-1999-0418 and CAN-1999-0144?
 Christey> Dan Bernstein, author of Qmail, says that this is not a
   vulnerability in qmail because Unix has built-in resource
   limits that can restrict the size of a qmail process; other
   limits can be specified by the administrator.  See
   http://cr.yp.to/qmail/venema.html
   
   Significant discussion of this issue took place on the qmail
   list.  The fundamental question appears to be whether 
   application software should set its own limits, or rely
   on limits set by the parent operating system (in this case,
   UNIX).  Also, some people said that the only problem was that
   the suggested configuration was not well documented, but this
   was refuted by others.
   
   See the following threads at
   http://www.ornl.gov/its/archives/mailing-lists/qmail/1997/06/threads.html
   "Denial of service (qmail-smtpd)"
   "qmail-dos-2.c, another denial of service"
   "[PATCH] denial of service"
   "just another qmail denial-of-service"
   "the UNIX way"
   "Time for a reality check"
   
   Also see Bugtraq threads on a different vulnerability that
   is related to this topic:
   BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
   http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html
 Baker> This appears to be the same vulnerability listed in CAN 1999-0144.  In reading
   through both bugtraq postings, the one that is referenced by 0144 is
   based on a shell code exploit to cause memory exhaustion. The bugtraq
   posting referenced by this entry refers explicitly to the prior
   posting for 0144, and states that the same effect could be
   accomplished by a perl exploit, which was then attached.
 Baker> http://www.securityfocus.com/archive/1/6969    CAN-1999-0144
   http://www.securityfocus.com/archive/1/6970    CAN-1999-0250
   
   Both references should be added to CAN-1999-0144, and CAN-1999-0250
   should likely be rejected.
 CHANGE> [Baker changed vote from REVIEWING to REJECT]
 Christey> XF:qmail-leng no longer exists; check with Andre to see if they
   regarded it as a duplicate as well.
   
   qmail-dos-1.c, as published by Wietse Venema (CAN-1999-0250)
   in "BUGTRAQ:19970612 Denial of service (qmail-smtpd)", does not
   use any RCPT commands.  Instead, it sends long strings
   of "X" characters.  A followup by "super@UFO.ORG" includes
   an exploit that claims to do the same thing; however, that
   exploit does not send long strings of X characters - it sends
   a large number of RCPT commands.  It appears that super@ufo.org
   followed up to the wrong message.
   
   qmail-dos-2.c, as published by Wietse Venema (CAN-1999-0144)
   in "BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack"
   sends a large number of RCPT commands.
   
   ADDREF BUGTRAQ:19970612 Denial of service (qmail-smtpd)
   ADDREF BUGTRAQ:19970612 qmail-dos-2.c, another denial of service attack
   
   Also see a related thread:
   BUGTRAQ:19990308 SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2
   
   This also describes a problem with mail servers not being able
   to handle too many "RCPT TO" requests.  A followup message
   notes that application-level protection is used in Sendmail
   to prevent this:
   BUGTRAQ:19990309 Re: SMTP server account probing
   http://marc.theaimsgroup.com/?l=bugtraq&m=92101584629263&w=2
   The person further says, "This attack can easily be
   prevented with configuration methods."

Phase: Modified (2000106-01)
Reference: XF:http-iis-2e
Reference: L0PHT:19970319

Description:
IIS 3.0 with the iis-fix hotfix installed allows remote intruders to read source code for ASP programs by using a %2e instead of a . (dot) in the URL.

Votes:

   ACCEPT(9) Baker, Frech, Bishop, Landfield, Cole, Armstrong, Collins, Blake, Northcutt
   MODIFY(1) LeBlanc
   NOOP(3) Ozancin, Wall, Prosser
   REVIEWING(1) Christey

 Christey> This is a problem that was introduced after patching a
   previous dot bug with the iis-fix hotfix (see CAN-1999-0154).
   Since the hotfix introduced the problem, this should be
   treated as a seaprate issue.
 Wall> Agree with the comment.
 LeBlanc> - this one is so old, I don't remember it at all and can't verify or
   deny the issue. If you can find some documentation that says we fixed it (KB
   article, hotfix, something), then I would change this to ACCEPT
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:1814
   URL:http://www.securityfocus.com/bid/1814

Phase: Proposed (19990726)
Reference: ISS:Hidden SNMP community in HP OpenView
Reference: XF:hpov-hidden-snmp-comm

Description:
A hidden SNMP community string in HP OpenView allows remote attackers to modify MIB tables and obtain sensitive information.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Christey> What is the proper level of abstraction to use here?  Should
   we have a separate entry for each different default community
   string?  See:
   http://cve.mitre.org/Board_Sponsors/archives/msg00242.html and
   http://cve.mitre.org/Board_Sponsors/archives/msg00250.html
   http://cve.mitre.org/Board_Sponsors/archives/msg00251.html
   
   Until the associated content decisions have been approved
   by the Editorial Board, this candidate cannot be accepted
   for inclusion in CVE.

Phase: Proposed (19990623)

Description:
Buffer overflow in ircd allows arbitrary command execution.

Votes:

   ACCEPT(3) Baker, Hill, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REJECT(1) Christey

 Frech> XF:irc-bo
 Christey> This is too general and doesn't have any references.  The
   XF reference doesn't appear toe xist any more.
   
   Perhaps this reference would help:
   BUGTRAQ:19970701 ircd buffer overflow
 Baker> It appears that the XForce entry has been corrected, and there is a patch posted in the original bugtraq post.

Phase: Proposed (19990726)

Description:
Nestea variation of teardrop IP fragmentation denial of service.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:nestea-linux-dos
 Christey> Not sure how many separate "instances" of Teardrop
   and its ilk.  Also see comments on CAN-1999-0001.
   
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
   
   Is CAN-1999-0001 the same as CVE-1999-0052?  That one is related
   to nestea (CAN-1999-0257) and probably the one described in
   BUGTRAQ:19981023 nestea v2 against freebsd 3.0-Release
   The patch for nestea is in ip_input.c around line 750.
   The patches for CAN-1999-0001 are in lines 388&446.  So, 
   CAN-1999-0001 is different from CAN-1999-0257 and CVE-1999-0052.
   The FreeBSD patch for CVE-1999-0052 is in line 750.
   So, CAN-1999-0257 and CVE-1999-0052 may be the same, though
   CVE-1999-0052 should be RECAST since this bug affects Linux
   and other OSes besides FreeBSD.
   
   Also see BUGTRAQ:19990909 CISCO and nestea.
   
   Finally, note that there is no fundamental difference between
   nestea and nestea2/nestea-v2; they are different ports that
   exploit the same problem.
   
   The original nestea advisory is at
   http://www.technotronic.com/rhino9/advisories/06.htm
   but notice that the suggested fix is in line 375 of
   ip_fragment.c, not ip_input.c.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980501 nestea does other things
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925819&w=2
   BUGTRAQ:19980508 nestea2 and HP Jet Direct cards.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925870&w=2
   BUGTRAQ:19981027 nestea v2 against freebsd 3.0-Release
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90951521507669&w=2
   
   Nestea source code is in
   MISC:http://oliver.efri.hr/~crv/security/bugs/Linux/ipfrag6.html

Phase: Proposed (19990726)

Description:
Bonk variation of teardrop IP fragmentation denial of service.

Votes:

   MODIFY(2) Frech, Wall
   REVIEWING(1) Christey

 Wall> Reference Q179129
 Frech> XF:teardrop-mod
 Christey> Not sure how many separate "instances" of Teardrop there are.
   See: CAN-1999-0015, CAN-1999-0104, CAN-1999-0257, CAN-1999-0258
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 Christey> BUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88429524325956&w=2
   NTBUGTRAQ:19980108 bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88433857200304&w=2
   NTBUGTRAQ:19980109 Re: Bonk.c
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88441302913269&w=2
   NTBUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=88901842000424&w=2
   BUGTRAQ:19980304 Update on wide-spread NewTear Denial of Service attacks
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88903296104349&w=2
   CIAC:I-031a
   http://ciac.llnl.gov/ciac/bulletins/i-031a.shtml
   
   CERT summary CS-98.02 implies that bonk, boink, and newtear
   all exploit the same vulnerability.

Phase: Modified (20000827-01)
Reference: BUGTRAQ:19980504 Netmanage Holes
Reference: MISC:http://www.insecure.org/sploits/netmanage.chameleon.overflows.html

Description:
Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Landfield
   NOOP(3) Ozancin, Christey, Northcutt

 Frech> XF:chamelion-smtp-dos
 Landfield> - Specify what "a crash" means.
 Christey> ADDREF XF:chameleon-smtp-dos ?  (but it's not on the web site)
 Christey> Consider adding BID:2387

Phase: Modified (19990925-01)
Reference: BUGTRAQ:19980115 pnserver exploit..
Reference: BUGTRAQ:19980817 Re: Real Audio Server Version 5 bug?

Description:
Progressive Networks Real Video server (pnserver) can be crashed remotely.

Votes:

   ACCEPT(3) Baker, Blake, Northcutt
   MODIFY(1) Frech
   NOOP(1) Prosser
   REVIEWING(1) Christey

 Christey> Problem confirmed by RealServer vendor (URL listed in Bugtraq
   posting), but may be multiple codebases since several
   Real Audio servers are affected.
   
   Also, this may be the same as BUGTRAQ:19991105 RealNetworks RealServer G2 buffer overflow.
   See CVE-1999-0896
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:realvideo-telnet-dos

Phase: Proposed (19990623)
Reference: CERT:CA-95.12.sun.loadmodule.vul

Description:
Vulnerabilities in loadmodule and modload programs in SunOS and OpenWindows

Votes:

   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(2) Ozancin, Christey
   RECAST(1) Prosser

 Frech> XF:sun-loadmodule
   XF:sun-modload (CERT CA-93.18 very old!)
 Prosser> Believe the reference given, 95-12,  is referencing a later
   loadmodule(8) setuid problem in the X11/NeWS windowing system.  There is an
   earlier, similar setuid vulnerability in the CA-93.18, CIAC G-02 advisories
   for the SunOS 4.1.x/Solbourne and OpenWindow 3.0.  In fact, there may be the
   same as the HP patches are 100448-02 for the 93 loadmodule/modload
   vulnerability and 100448-03 for the 95 loadmodule vulnerability which
   normally indicated a patch update.  Looks like the original patch either
   didn't completely fix the problem or it resurfaced in X11 NeWS.  Can't tell
   much beyond that and this is my opinion only as have no way to check it.  
   Which one is this CVE referencing?  I accept both.
 Dik> There are three similar Sun bug ids associated with the patches.
   1076118 loadmodule has a security vulnerability
   1148753 loadmodule has a security vulnerability
   1222192 loadmodule has a security vulnerability
   as well as:
   1137491
   Ancient stuff.
 Christey> Add period to the end of the description.

Phase: Modified (19991203-01)
Reference: BUGTRAQ:19970716 Viewable .jhtml source with JavaWebServer
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2

Description:
The Java Web Server would allow remote users to obtain the source code for CGI programs.

Votes:

   ACCEPT(7) Northcutt, Baker, Wall, Cole, Dik, Collins, Blake
   MODIFY(1) Frech
   NOOP(5) Bishop, Landfield, Armstrong, Christey, Prosser
   REVIEWING(1) Ozancin

 Wall> Acknowledged by vendor at
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/7260	Misc Defensive Info
   http://www.sun.com/software/jwebserver/techinfo/jws112info.html Vendor Info
 Christey> BID:1891
   URL:http://www.securityfocus.com/bid/1891
 Christey> Add version number (1.1 beta) and details of attack (appending
   a . or a \)
   
   The Sun URL referenced by Dave Baker no longer exists, so I
   wasn't able to verify that it addressed the problem described
   in the Bugtraq post.  This might not even be Sun's
   "Java Web Server," as CAN-2001-0186 describes some product
   called "Free Java Web Server"
 Dik> There appears to be some confusion.
   
   The particular bug seems to be on in JWS 1.1beta or 1.1 which was fixed
   in 1.1.2 (get foo.jthml source by appending "." of "\" to URL)
   
   There are other bugs that give access and that require a configuration
   change.
   
   http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
 Christey> Need to make sure to create CAN's for the other bugs,
   as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
   #2 is explicitly mentioned in the Sun advisory for
   CAN-1999-0283.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)

Phase: Proposed (19990623)
Reference: XF:smtp-helo-bo

Description:
Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.

Votes:

   ACCEPT(2) Northcutt, Blake
   MODIFY(3) Frech, Ozancin, Levy
   REVIEWING(1) Christey

 Frech> "Windows NT-based mail servers" (A trademark thing, and for clarification)
   XF:mdaemon-helo-bo
   XF:lotus-notes-helo-crash
   XF:slmail-helo-overflow
   XF:smtp-helo-bo (mentions several products)
   XF:smtp-exchangedos
 Levy> - Need one per software. Each one should be its own
   vulnerability.
 Ozancin> => Windows NT is correct
 Christey> These are probably multiple codebases, so we'll need to use
   dot notation.  Also need to see if this should be merged
   with CAN-1999-0098 (Sendmail SMTP HELO).

Phase: Proposed (19990630)

Description:
Denial of service in telnet from the Windows NT Resource Kit, by opening then immediately closing a connection.

Votes:

   ACCEPT(1) Hill
   NOOP(1) Wall
   REJECT(2) Frech, Christey

 Christey> No references, no information.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> No references; closest documented match is with
   CVE-2001-0346, but that's for Windows 2000.

Phase: Proposed (19990714)

Description:
In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.

Votes:

   ACCEPT(3) Shostack, Cole, Armstrong
   MODIFY(3) Levy, Wall, Blake
   NOOP(5) Northcutt, Baker, Bishop, Ozancin, Landfield
   REJECT(1) Frech
   REVIEWING(1) Christey

 Wall> In some NT web servers, appending a dot at the end of a URL may
   allows attackers to read source code for active pages.
   Source:  MS Knowledge Base Article Q163485 - "Active Server Pages Script Appears
   in Browser"
 Frech> In the meantime, reword description as 'Windows NT' (trademark issue)
 Christey> Q163485 does not refer to a space, it refers to a dot.
   However, I don't have other references.
   
   Reading source code with a dot appended is in CAN-1999-0154,
   which will be proposed.  A subsequent bug similar to the
   dot bug is CAN-1999-0253.
 Levy> NTBUGTRAQ: http://www.securityfocus.com/archive/2/22014
   NTBUGTRAQ: http://www.securityfocus.com/archive/2/22019
   BID 273
 Blake> Reference:  http://www.allaire.com/handlers/index.cfm?ID=10967
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> BID articles)

Phase: Proposed (19990714)

Description:
Vulnerability in the Wguest CGI program.

Votes:

   MODIFY(2) Frech, Shostack
   NOOP(4) Northcutt, Levy, Wall, Blake
   REJECT(2) Baker, Christey

 Shostack> allows file reading
 Frech> XF:http-cgi-webcom-guestbook
 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467.  In
   NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   Mnemonix says that he had previously reported on a similar
   problem.  Let's refer to the NTBugtraq posting as
   CAN-1999-0467.  We will refer to the "previous report" as
   CAN-1999-0287, which could be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   
   0287 describes an exploit via the "template" hidden variable.
   The exploit describes manually editing the HTML form to
   change the filename to read from the template variable.
   
   The exploit as described in 0467 encodes the template variable
   directly into the URL.  However, hidden variables are also
   encoded into the URL, which would have looked the same to
   the web server regardless of the exploit.  Therefore 0287
   and 0467 are the same.
 Christey> BID:2024

Phase: Modified (20000524-01)
Reference: NAI:19970205 Vulnerabilities in Ypbind when run with -ypset/-ypsetme
Reference: URL:http://www.nai.com/nai_labs/asp_set/advisory/06_ypbindsetme_adv.asp

Description:
ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

Votes:

   ACCEPT(4) Northcutt, Levy, Cole, Dik
   MODIFY(1) Frech
   NOOP(3) Baker, Shostack, Christey

 Christey> ADDREF BID:1441
   URL:http://www.securityfocus.com/bid/1441
 Dik> If you run with "-ypset", then you're always insecure.
   With ypsetme, only root on the local host
   can run ypset in Solaris 2.x+.
   Probably true for SunOS 4, hence my vote.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> ADDREF XF:ypbind-ypset-root
 CHANGE> [Dik changed vote from REVIEWING to ACCEPT]
 Dik> This vulnerability does exist in SunOS 4.x in non default configurations.
   In Solaris 2.x, the vulnerability only applies to files named "cache_binding"
   and not all files ending in .2
   Both releases are not vulnerable in the default configuration (both
   disabllow ypset by default which prevents this problem from occurring)

Phase: Proposed (19990714)
Reference: XF:hp-xlock

Description:
buffer overflow in HP xlock program.

Votes:

   ACCEPT(3) Northcutt, Baker, Frech
   MODIFY(1) Prosser
   NOOP(1) Shostack
   REJECT(1) Christey

 Prosser> This is another of those with multiple affected OSs.
   Refs:  CA-97.13, http://207.237.120.45/linux/xlock-exploit.txt,
   HPSBUX9711-073, SGI 19970502-02-PX, Sun Bulletin 000150
 Christey> XF:hp-xlock points to SGI:19970502-02-PX which says this is
   the same problem as in CERT:CA-97.13, which is CVE-1999-0038.

Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-cstm-bo

Description:
Buffer overflow in HP-UX cstm program allows local users to gain root privileges.

Votes:

   ACCEPT(2) Northcutt, Frech
   NOOP(3) Prosser, Baker, Shostack
   RECAST(1) Christey

 Prosser> only ref I can find is an old SOD exploit on
   www.outpost9.com
 Christey> MERGE CAN-1999-0336 (the exact exploit works with both
   cstm and mstm, which are clearly part of the same package,
   so CD:SF-EXEC says to merge them.)
   
   Also, there does not seem to be any recognition of this problem
   by HP.  The only other information besides the Bugtraq post
   is the SOD exploit.
   
   See the original post:
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1996-11-15&msg=Pine.LNX.3.91.961116112242.15276J-100000@underground.org

Phase: Modified (19991216-01)
Reference: BUGTRAQ:19990818 slackware-3.5 /bin/su buffer overflow
Reference: XF:su-bo

Description:
Buffer overflow in Linux su command gives root access to local users.

Votes:

   ACCEPT(3) Northcutt, Frech, Hill
   NOOP(1) Prosser
   RECAST(1) Baker
   REVIEWING(1) Christey

 Christey> DUPE CAN-1999-0845?
   Also, ADDREF XF:unixware-su-username-bo
   A report summary by Aleph One states that nobody was able to
   confirm this problem on any Linux distribution.
 Baker> If this is the same as the unixware, the n it is a dupe of 1999-0845.  There is about a two and half month difference in the bugtraq reporting of these.
   Sounds like the same bug however...
 Christey> XF:su-bo no longer seems to exist.
   How about XF:linux-subo(734) ?
   http://xforce.iss.net/static/734.php
   
   BID:475 also seems to describe the same problem
   (http://www.securityfocus.com/bid/475) in which case,
   vsyslog is blamed in:
   BUGTRAQ:19971220 Linux vsyslog() overflow
   http://www.securityfocus.com/archive/1/8274

Phase: Proposed (19990623)
Reference: XF:xmcd-tiflestr

Description:
Buffer overflow in xmcd 2.1 allows local users to gain access through a user resource setting.

Votes:

   ACCEPT(3) Northcutt, Frech, Hill
   NOOP(2) Prosser, Baker
   REVIEWING(1) Christey

 Christey> BUGTRAQ:19961126 Security Problems in XMCD 2.1
   A followup to this post says that xmcd is not suid here.

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19940101 (No Subject)
Reference: XF:bdash-bo

Description:
Linux bdash game has a buffer overflow that allows local users to gain root access.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Northcutt, Shostack, Wall
   REVIEWING(1) Levy

 Frech> XF:bdash-bo

Phase: Proposed (19990714)
Reference: XF:msie-bo

Description:
Buffer overflow in Internet Explorer 4.0(1)

Votes:

   ACCEPT(2) Northcutt, Baker
   MODIFY(2) Frech, Shostack
   RECAST(1) Prosser
   REJECT(2) LeBlanc, Christey

 Shostack> this is a high cardinality item
 Prosser> needs to be more specific.
 Frech> Replace reference with XF:iemk-bug (msie-bo is obsolete and a vague
   duplicate)
   Description (from xfdb): Some versions of Internet Explorer for Windows
   contain a vulnerability that may crash the broswer when a malicious web site
   contains a certain kind of URL (that begins with "mk://") with more
   characters than the browser supports. 
 Christey> The description is too vague.
 LeBlanc> too vague
 Christey> Add period to the end of the description.

Phase: Modified (19990925-01)
Reference: RSI:RSI.0009.09-08-98.HP-UX.OMNIBACK
Reference: HP:HPSBUX9810-085
Reference: XF:omniback-remote

Description:
HP OpenView Omniback allows remote execution of commands as root via spoofing, and local users can gain root access via a symlink attack.

Votes:

   ACCEPT(1) Frech
   MODIFY(1) Prosser
   RECAST(1) Christey

 Prosser> additional source
   HP Security Bulletin 85
   http://us-support.external.hp.com
   http://europe-support.external.hp.com
 Christey> Two separate bugs, so SF-LOC says this candidate should be
   split
 Christey> ADDREF CIAC:J-007
   URL:http://ciac.llnl.gov/ciac/bulletins/j-007.shtml

Phase: Modified (19991207-01)
Reference: BUGTRAQ:19961116 This week: turn me on, dead man
Reference: XF:hpux-mstm-bo

Description:
Buffer overflow in mstm in HP-UX allows local users to gain root access.

Votes:

   ACCEPT(2) Northcutt, Frech
   NOOP(3) Prosser, Baker, Shostack
   RECAST(1) Christey

 Prosser> same as CAN-1999-0307, only ref I can find is an old SOD
   exploit on www.outpost9.com
 Christey> MERGE CAN-1999-0307 (the exact exploit works with both
   cstm and mstm, which are clearly part of the same package,
   so CD:SF-EXEC says to merge them.)
   
   Also, there does not seem to be any recognition of this problem
   by HP.  The only other information besides the Bugtraq post
   is the SOD exploit.

Phase: Proposed (19990728)

Description:
Jolt ICMP attack causes a denial of service in Windows 95 and Windows NT systems.

Votes:

   ACCEPT(2) Cole, Blake
   MODIFY(2) Frech, Wall
   NOOP(4) Northcutt, Bishop, Ozancin, Landfield
   RECAST(1) Meunier
   REJECT(4) Baker, Levy, LeBlanc, Armstrong
   REVIEWING(1) Christey

 Wall> Invalid ICMP datagram fragments causes a denial of service in Windows 95 and
   Windows NT systems.
   Reference: Q154174.
   Jolt is also known as sPING, ICMP bug, Icenewk, and Ping of Death.
   It is a modified teardrop 2 attack.  
 Frech> XF:nt-ssping
   ADDREF XF:ping-death
   ADDREF XF:teardrop-mod
   ADDREF XF:mpeix-echo-request-dos
 Christey> I can't tell whether the Jolt exploit at:
   
   http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-06-28&msg=Pine.BSF.3.95q.970629163422.3264A-200000@apollo.tomco.net
   
   is exploiting any different flaw than teardrop does.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Baker> Jolt (original) is basically just a fragmented oversized ICMP that
   kills Win boxes ala Ping of Death.
   Teardrop is altering the offset in fragmented tcp packets so that the
   end of subsequent fragments is inside first packet...
   Teardrop 2 is UDP packets, if I remember right.
   Seems like Jolt (original, not jolt 2) is just exploit code that
   creates a ping of death (CVE 1999-0128)
 Levy> I tend to agree with Baker.
 CHANGE> [Armstrong changed vote from REVIEWING to REJECT]
 Armstrong> This code does not use fragment overlap.  It is simply a large ICMP echo request.
 Christey> See the SCO advisory at:
   http://www.securityfocus.com/templates/advisory.html?id=1411
   which may further clarify the issue.
 LeBlanc> This is a hodge-podge of DoS attacks. Jolt isn't the same
   thing as ping of death - POD was an oversized ICMP packet, Jolt froze
   Linux and Solaris (and I think not NT), IIRC Jolt2 did get NT boxes.
   Teardrop and teardrop2 were related attacks (usually ICMP frag attacks),
   but each of these is a distinct vulnerability, affected a discrete group
   of systems, and should have distinct CVE numbers. CVE entries should be
   precise as to what the problem is.
 Meunier> I agree with Leblanc in that Jolt is multi-faceted.  Jolt has
   characteristics of Ping of Death AND teardrop, but it doesn't do
   either exactly.  Moreover, it sends a truncated IP fragment.  I
   disagree with Armstrong; jolt uses overlapping fragments.  It's not a
   simple ping of death either.  It may be that the author's intent was
   to construct a "super attack" somehow combining elements of other
   vulnerabilities to try to make it more potent.  In any case it
   succeeded in confusing the CVE board :-).
   
   I notice that Jolt uses echo replies (type 0) instead of echo
   requests (to get past firewalls?).  Jolt is peculiar in that it also
   sends numerous overlapping fragments.  The "Pascal Simulator" :-) says
   it sends:
   
   - 172 fragments of length 400 with offset starting at 5120 and
   increasing by about 47 (odd arithmetic of 5120 OR ((n* 380) >> 3)),
   which eventually results in sending fragments inside an already
   covered area once ((n* 380) >> 3) is greater than 5120, which occurs
   when n is reaches 108.  This would look a bit like TearDrop if
   fragments were reassembled on-the-fly.
   
   - 1 fragment such that the total length of all the fragments
   is greater than 65535 (my calculation is 172*380 + 418 = 65778; the
   comment about 65538 must be wrong).  The last packet is size 418
   according to the IP header but the buffer is of size 400.  The sendto
   takes as argument the size of the buffer so a truncated packet is
   sent.
   
   So, I am not sure if the problem is because the last packet
   doesn't extend to the payload it says it has or because the total size
   of all fragments is greater than 65535.  The author says it may take
   more than one sending, so perhaps this has to do with an incorrect
   error handling and recovery.  One would need to experiment and isolate
   each of those characteristics and test them independently.  Inasmuch
   as each of those things is likely a different vulnerability, then I
   agree with Leblanc that this entry should be split.  I'll try that if
   I ever get bored.  Jolt 2 should also have a different entry (see
   below).
   
   Jolt 2 runs in an infinite loop, sending the same fragmented
   IP packet, which can pretend to be "ICMP" or "UDP" data; however this
   is meaningless, as it's just a late fragment of an IP packet.  The
   attack works only as long as packets are sent.  According to
   http://www.securityfocus.com/archive/1/62170 the packets are
   truncated, and would overflow over the 65535 byte limit, which is
   similar to Jolt.  Note that Jolt does send that much data whereas
   jolt2 doesn't.  Since jolt2 is simpler and narrower than jolt, and it
   has weaker consequences, I believe that it's a different
   vulnerability.
   
   "Jolt 2 vulnerability causes a temporary denial-of-service in
   Windows-type OSes" would be a title for it.

Phase: Proposed (19990623)
Reference: BUGTRAQ:Jan26,1999
Reference: NTBUGTRAQ:Jan28,1999

Description:
Javascript bug in Internet Explorer 4.01 by adding %01URL allows reading local files and spoofing of web pages from other sites.

Votes:

   ACCEPT(4) Northcutt, Baker, Levy, LeBlanc
   MODIFY(2) Prosser, Frech
   REVIEWING(1) Christey

 Prosser> this is a modified Cross-Frame vulnerability that circumvents
   the original Cross-Frame Patch.  Addressed in MS Bulletin MS99.012
   http://www.microsoft.com/security/bulletins/ms99-012.asp
 Christey> Duplicate of CAN-1999-0490?
 LeBlanc> If Prosser is correct that this is MS99-012, accept
 Christey> BUGTRAQ:19990126 Javascript ecurity bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91745430007021&w=2
   NTBUGTRAQ:19990128 Javascript %01 bug in Internet Explorer
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91756771207719&w=2
   BID:197
   URL:http://www.securityfocus.com/bid/197
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ie-window-spoof(2069)

Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-passwd-encrypt

Description:
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

 Ozancin> Can we combine this with CAN-1999-0356 - ControlIT(tm) 4.5 and earlier uses
   weak encryption.

Phase: Proposed (19990623)
Reference: NTBUGTRAQ:Jan27,1999
Reference: MS:MS99-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-002.asp

Description:
Internet Explorer 4.x or 5.x with Word 97 allows arbitrary execution of Visual Basic programs to the IE client through the Word 97 template, which doesn't warn the user that the template contains executable content. Also applies to Outlook when the client views a malicious email message.

Votes:

   ACCEPT(2) Ozancin, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:word97-template-macro
 Christey> CHANGEREF NTBUGTRAQ:19990127 IE 4/5/Outlook + Word 97 security hole
   URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=91747570922757&w=2
   BID:196
   http://www.securityfocus.com/bid/196
 Christey> MSKB:Q214652
   http://support.microsoft.com/support/kb/articles/q214/6/52.asp

Phase: Proposed (19990721)
Reference: ISS:Multiple vulnerabilities in ControlIT(tm) (formerly Remotely Possible/32) enterprise management software
Reference: XF:controlit-bookfile-access

Description:
ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Northcutt, Wall
   RECAST(1) Ozancin

Phase: Proposed (20010214)
Reference: BUGTRAQ:19990127 UNIX shell modem access vulnerabilities
Reference: XF:ptylogin-dos

Description:
ptylogin in Unix systems allows users to perform a denial of service by locking out modems, dial out with that modem, or obtain passwords.

Votes:

   ACCEPT(2) Frech, Cole

 Frech> XF:ptylogin-dos 

Phase: Modified (20000530-01)
Reference: BUGTRAQ:19990130 Security Advisory for Internet Information Server 4 with Site
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91763097004101&w=2
Reference: NTBUGTRAQ:Jan29,1999

Description:
MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotely.

Votes:

   ACCEPT(6) Northcutt, Wall, Landfield, Cole, Collins, Blake
   MODIFY(3) Baker, Frech, LeBlanc
   NOOP(4) Prosser, Ozancin, Armstrong, Christey

 Christey> I can't find the original Bugtraq posting (it appears that
   mnemonix discovered the problem).
 LeBlanc> - if there was a fix or a KB article, I'd ACCEPT. A vuln based on a
   BUGTRAQ posting we can't find could be anything. 
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/12218	Misc Defensive InfoVulnerability Reference (HTML)	Reference Type
   THis is the URL for the Bugtraq posting.  It was cross posted to
   NT Bugtraq as well, but identical text.  It was Mnemonix...
 Christey> BID:1811
   URL:http://www.securityfocus.com/bid/1811
 Christey> CHANGEREF BUGTRAQ add "Server 2." to the subject.
   Also standardize NTBUGTRAQ reference title.
 Christey> Add "uploadn.asp" to the description.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:siteserver-user-dir-permissions(5384)

Phase: Proposed (19990728)
Reference: BUGTRAQ:Jan29,1999

Description:
NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

 Frech> XF:compulink-pw-laserfiche(1679)
   Normalize BUGTRAQ reference to:
   BUGTRAQ:19990129 Compulink LaserFiche Client/Server - unencrypted passwords

Phase: Modified (20000426-01)
Reference: BUGTRAQ:19990204 Microsoft Access 97 Stores Database Password as Plaintext
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91816470220259&w=2

Description:
Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

Votes:

   ACCEPT(2) Baker, LeBlanc
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:access-weak-passwords(1774)
   An older published reference (from our own Adam) would be
   better:
   ailab.coderpunks Newsgroup, 1998/06/23 "Re: MS Access 2.0"
   http://x15.dejanews.com/[ST_rn=ps]/getdoc.xp?AN=365308578&CONTEXT=9192
   07028.1462108427&hitnum=1

Phase: Modified (19991210-01)
Reference: SUN:00184
Reference: BID:165
Reference: URL:http://www.securityfocus.com/bid/165

Description:
In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Votes:

   ACCEPT(4) Prosser, Northcutt, Baker, Dik
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> Reference: XF:sun-man
 Christey> ADDREF CIAC:J-028
   
   Is the Linux man symlink problem the same as the one for Sun?
   See BUGTRAQ:19990602 /tmp symlink problems in SuSE Linux 6.1
   Also see BID:305
 Dik> sun bug 4154565

Phase: Proposed (19990726)
Reference: BUGTRAQ:19990225 SUPER buffer overflow
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
Reference: XF:linux-super-logging-bo
Reference: BID:342
Reference: URL:http://www.securityfocus.com/bid/342

Description:
super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.

Votes:

   ACCEPT(7) Baker, Frech, Ozancin, Levy, Landfield, Cole, Blake
   MODIFY(1) Bishop
   NOOP(2) Wall, Armstrong
   REVIEWING(1) Christey

 Christey> Is this the same as CVE-1999-0373?  They both have the same
   X-Force reference.
   
   BID:342 suggests that there are two.
   
   http://www.debian.org/security/1999/19990215a suggests
   that there are two.  However, CVE-1999-0373 is written up in
   a fashion that is too general; and both XF:linux-super-bo and
   XF:linux-super-logging-bo refer to CVE-1999-0373.
   CVE-1999-0373 may need to be split.
   
 Frech> From what I can surmise, ISS released the original advisory (attached to
   linux-super-bo), and Sekure SDI expanded on it by releasing another related
   overflow in syslog (which is linux-super-logging-bo).
   
   When I was originally assigning these issues, I placed both XF references
   and the ISS advisory on the -0373 candidate, since there was nothing else
   available. Based on the information above, I'd request that
   XF:linux-super-logging-bo be removed from CVE-1999-0373.
 Christey> Given Andre's feedback, these are different issues.
   CVE-1999-0373 does not need to be split because the ISS
   reference is sufficient to distinguish that CVE from this
   candidate; however, the CVE-1999-0373 description should
   probably be modified slightly.
 Bishop> (as indicated by Christey)
 CHANGE> [Cole changed vote from NOOP to ACCEPT]
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> There are 2 bugs, as confirmed by the super author at:
   BUGTRAQ:19990226 Buffer Overflow in Super (new)
   http://www.securityfocus.com/archive/1/12713
   BID:397 also seems to cover this one, and it may cover
   CVE-1999-0373 as well.

Phase: Modified (19991207-01)
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324
Reference: URL:http://www.securityfocus.com/bid/324

Description:
Buffer overflow in the bootp server in the Debian Linux netstd package.

Votes:

   ACCEPT(2) Ozancin, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Christey> Is CAN-1999-0389 a duplicate of CAN-1999-0798?  CAN-1999-0389
   has January 1999 dates associated with it, while CAN-1999-0798
   was reported in late December.
   
   Also, is this the same line of code as CVE-1999-0914?  Both are in
   the netstd package, it could look like a library problem.
   
   However, deep in the changelog in the
   netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
   the following entry:
   
   +netstd (3.07-7slink.1) frozen; urgency=high
   +
   +  * bootpd:     Applied patch from Redhat as well as a fix for the overflow in
   +                report() (fixes #30675).
   +  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
   +                bugs.
   +
   + -- Herbert Xu <herbert@debian.org>  Sat, 19 Dec 1998 14:36:48 +1100
   
   This tells me that two separate bugs are involved.
   
   Note that Red Hat posted *some* fix for *some* bootp problem
   in June 1998.  See:
   http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two
   overflows, one of which is in handle_request (bootpd.c) and is
   likely related to a file name; but there is another issue in
   report (report.c) which also looks like a straightforward
   overflow, which would suggest that this is not a duplicate of
   CAN-1999-0798 or CVE-1999-0799.
   
   Note: see comments for CAN-1999-0798 which explain how that
   candidate is not related to CAN-1999-0799.

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990115 DPEC Online Courseware

Description:
DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

Votes:

   NOOP(1) Christey
   REJECT(1) Frech

 Frech> If I understand the issue, this HIGHCARD involves insecure web programming. 
   If I don't understand, mark this as my first NOOP.
 Christey> CONFIRM:http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D19990803132618.16407.qmail%40securityfocus.com
   ADDREF BID:565
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=565

Phase: Proposed (19990728)
Reference: L0PHT:Jan21,1999
Reference: BUGTRAQ:Jan21,1999

Description:
The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Wall

 Wall> Reject based on beta copy.
 Frech> XF:quakenbush-pw-appraiser(1652)

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990123 SSH 1.x and 2.x Daemon
Reference: BUGTRAQ:19990124 SSH Daemon
Reference: XF:ssh-exp-account-access

Description:
In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to login.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> Followups to the bugtraq message (1/24/99) indicate that 1.2.27 was not yet
   released. v1.2.26 should be substituted in the description for '27.
   XF:ssh-exp-account-access

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990124 Mirc 5.5 'DCC Server' hole
Reference: XF:mirc-dcc-metachar-filename

Description:
The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file in a different location, possibly allowing the attacker to execute commands.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> XF:mirc-dcc-metachar-filename

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990127 2.2.0 SECURITY (fwd)
Reference: XF:linux-kernel-ldd-dos
Reference: BID:344
Reference: URL:http://www.securityfocus.com/bid/344

Description:
Denial of service in Linux 2.2.0 running the ldd command on a core file.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> BUGTRAQ:Jan27,1999
   (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-01-22&
   msg=Pine.LNX.4.05.9901270538380.539-100000@vitelus.com)
   XF:linux-kernel-ldd-dos

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990202 [patch] /proc race fixes for 2.2.1 (fwd)
Reference: XF:linux-race-condition-proc

Description:
A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> XF:linux-race-condition-proc

Phase: Proposed (19990728)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:digital-networker-bo

Description:
Digital Unix Networker program nsralist has a buffer overflow which allows local users to obtain root privilege.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> In description, change 'which' to 'that'.

Phase: Proposed (19990726)
Reference: BUGTRAQ:Feb19,1999
Reference: XF:sco-startup-scripts

Description:
Several startup scripts in SCO OpenServer Enterprise System v 5.0.4p, including S84rpcinit, S95nis, S85tcp, and S89nfs, are vulnerable to a symlink attack, allowing a local user to gain root access.

Votes:

   MODIFY(2) Baker, Frech
   NOOP(2) Wall, Christey

 Frech> Neither XFDB nor the BugTraq article (incidentally, shows up as 7 March, not
   19 February) does not mention gaining root access... it says a local user
   could
   "delete or overwrite arbitrary files on the system."
 Baker> By overwriting arbitrary files, one could then gain root access.  I agree with a minor description change to reflect this.
 Christey> Normalize Bugtraq reference to:
   BUGTRAQ:19990307 Little exploit for startup scripts (SCO 5.0.4p).
   http://marc.theaimsgroup.com/?l=bugtraq&m=92087765014242&w=2
   Also, SCO:SB-99.17
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.17c

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990308 SMTP server account probing
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92100018214316&w=2

Description:
Denial of service in SMTP applications such as Sendmail, when a remote attacker (e.g. spammer) uses many "RCPT TO" commands in the same connection.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat
   REVIEWING(1) Christey

 Christey> DUPE CAN-1999-0144 and CAN-1999-0250?
 Frech> XF:smtp-rctpto-dos(7499)

Phase: Modified (20000105-01)
Reference: BUGTRAQ:19990319 Microsoft's SMTP service broken/stupid
Reference: XF:smtp-4xx-error-dos

Description:
When the Microsoft SMTP service attempts to send a message to a server and receives a 4xx error code, it quickly and repeatedly attempts to redeliver the message, causing a denial of service.

Votes:

   MODIFY(2) Frech, LeBlanc
   REVIEWING(1) Christey

 Frech> XF:smtp-4xx-error-dos
 LeBlanc> - if we can find a KB or something that shows that this wasn't just
   user error, I'd vote ACCEPT.
 Christey> David Lemson, Microsoft SMTP Service Program Manager,
   posted a followup that said "We have confirmed this as a
   problem..."
   http://marc.theaimsgroup.com/?l=bugtraq&m=92171608127206&w=2

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990319 The default permissions on /dev/kmem is insecure.

Description:
The default permissions of /dev/kmem in Linux versions before 2.0.36 allows IP spoofing.

Votes:

   MODIFY(1) Frech
   REJECT(1) Christey

 Frech> XF:linux-dev-kmem-spoof
 Christey> DUPE CVE-1999-0414
   XF:linux-dev-kmem-spoof does not exist.
 Christey> *Now* XF:linux-dev-kmem-spoof(3500) exists...

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
Reference: XF:eudora-long-attachments

Description:
Eudora 4.1 allows remote attackers to perform a denial of service by sending attachments with long file names.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> Change version number to 4.2beta. Second to last paragraph in bugtraq
   reference states: "Both the Win 95 and Win NT versions, along with the 4.2
   beta of Eudora are affected."
 Christey> This issue seems to have been rediscovered in
   BUGTRAQ:20000515 Eudora Pro & Outlook Overflow - too long filenames again
   http://marc.theaimsgroup.com/?l=bugtraq&m=95842482413076&w=2
   
   Also see
   BUGTRAQ:19990320 Eudora Attachment Buffer Overflow
   http://marc.theaimsgroup.com/?l=bugtraq&m=92195396912110&w=2
   
   Is this a duplicate/subsumed by CAN-1999-0004?

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990324 DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug
Reference: XF:linux-zerolength-fragment

Description:
Linux 2.2.3 and earlier allow a remote attacker to perform an IP fragmentation attack, causing a denial of service.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:linux-zerolength-fragment  
 Christey> Consider adding BID:2247

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990331 Bug in xfs
Reference: BID:359
Reference: URL:http://www.securityfocus.com/bid/359

Description:
XFree86 xfs command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:xfree86-xfs-symlink-dos
 Christey> Is this the same problem as CVE-1999-0433?  CVE-1999-0433
   deals with a symlink attack on one file (/tmp/.X11-unix),
   while xfs (this candidate) deals with /tmp/.font-unix
   XF:xfree86-xfs-symlink-dos doesn't exist.
 Christey> ADDREF DEBIAN:19990331 symbolic link can be used to make any file world readable
   Note: Debian's advisory says that this is not a problem for Debian.

Phase: Proposed (19990623)
Reference: HP:HPSBUX9903-096

Description:
MC/ServiceGuard and MC/LockManager in HP-UX allows local users to gain privileges through SAM.

Votes:

   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:hp-servicegaurd
 Christey> ADDREF CIAC:J-039

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 Patrol security bugs
Reference: URL:http://www.securityfocus.com/archive/1/13204
Reference: XF:bmc-patrol-replay

Description:
Patrol management software allows a remote attacker to conduct a replay attack to steal the administrator password.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> Change "Patrol management software" to "The PATROL management product from
   BMC Software".

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990412 ARP problem in Windows9X/NT
Reference: XF:windows-arp-dos

Description:
Remote attackers can perform a denial of service in Windows machines using malicious ARP packets, forcing a message box display for each packet or filling up log files.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech

 Frech> ADDREF: XF:windows-arp-dos  

Phase: Proposed (19990726)
Reference: BUGTRAQ:19990122 Perl.exe and IIS security advisory
Reference: BID:194
Reference: URL:http://www.securityfocus.com/bid/194

Description:
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe) .

Votes:

   ACCEPT(2) Ozancin, Wall
   NOOP(1) Christey
   REJECT(2) Frech, LeBlanc

 Frech> Can't find in database.
 Christey> This looks like another discovery of CAN-2000-0071 
 LeBlanc> - I just tried to repro this based on the BUGTRAQ vuln information,
   and it does not repro - 
   GET /bogus.pl HTTP/1.0
   HTTP/1.1 404 Object Not Found
   Server: Microsoft-IIS/5.0
   Date: Thu, 05 Oct 2000 21:04:20 GMT
   Content-Length: 3243
   Content-Type: text/html
   No path is returned whatsoever. This may have been a problem on some version
   of IIS in the past, but the BUGTRAQ ID says all versions are vulnerable.
   Let's try and figure out what version had the problem, whether it is
   intrinsic to IIS or the result of adding a 3rd party implementation of perl,
   and when it got fixed, then we can try again.
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Christey> Add "no-such-file.pl" as an example to the desc, to facilitate
   search (it's used by CGI scanners and in the original example)

Phase: Proposed (19990726)
Reference: BUGTRAQ:Jan19,1999
Reference: BID:343
Reference: URL:http://www.securityfocus.com/bid/343

Description:
Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-ports-dos(8364)

Phase: Proposed (19990726)

Description:
A service or application has a backdoor password that was placed there by the developer.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Frech

 Frech> Much too broad. Also may be HIGHCARD (or will be in the future).
 Baker> I think we want to address this using the dot notation idea.  We do need to address this, just not a separate entry for every single occurance.

Phase: Modified (20010425-01)
Reference: BUGTRAQ:19990118 Remote Cisco Identification

Description:
An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Dicsovery Protocol (CDP).

Votes:

   ACCEPT(2) Baker, Balinsky
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall
   REVIEWING(1) Christey

 Frech> XF:cisco-ident(2289)
   ADDREF BUGTRAQ:19990118 Remote Cisco Identification
   In description, probably better to use "Cisco" as product/company name.
 Balinsky> CiscoSecure IDS has a signature for this...ID 3602 Cisco IOS Identity.
 Christey> There may be a slight abstraction problem here, e.g. look
   at the candidate for queso/nmap; also see followup Bugtraq post
   from "Basement Research" on 19990120 which says that there are
   many other features in Cisco products that allow remote
   identification.

Phase: Proposed (19990728)

Description:
A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

Votes:

   MODIFY(1) Frech
   NOOP(2) Wall, Christey
   REJECT(1) Northcutt

 Northcutt> Nmap and queso are the tip of the iceberg and not the most advanced
   ways to accomplish this.  To pursue making the world signature free
   is as much a vulnerability as having signatures, nay more.
 Frech> XF:decod-nmap(2053)
   XF:decod-queso(2048)
 Christey> Add "fingerprinting" to facilitate search.
   Some references:
   MISC:http://www.insecure.org/nmap/nmap-fingerprinting-article.html
   BUGTRAQ:19981228 A few more fingerprinting techniques - time and netmask
   http://marc.theaimsgroup.com/?l=bugtraq&m=91489155019895&w=2
   BUGTRAQ:19990222 Preventing remote OS detection
   http://marc.theaimsgroup.com/?l=bugtraq&m=91971553006937&w=2
   BUGTRAQ:20000901 ICMP Usage In Scanning v2.0 - Research Paper
   http://marc.theaimsgroup.com/?l=bugtraq&m=96791499611849&w=2
   BUGTRAQ:20000912 Using the Unused (Identifying OpenBSD,
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879267724690&w=2
   BUGTRAQ:20000912 The DF Bit Playground (Identifying Sun Solaris & OpenBSD OSs)
   http://marc.theaimsgroup.com/?l=bugtraq&m=96879481129637&w=2
   BUGTRAQ:20000816 TOSing OSs out of the window / Fingerprinting Windows 2000 with
   http://marc.theaimsgroup.com/?l=bugtraq&m=96644121403569&w=2
   BUGTRAQ:20000609 p0f - passive os fingerprinting tool
   http://marc.theaimsgroup.com/?l=bugtraq&m=96062535628242&w=2

Phase: Modified (19991210-01)
Reference: ALLAIRE:ASB-001
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115

Description:
The Expression Evaluator sample application in ColdFusion allows remote attackers to read or delete files on the server via exprcalc.cfm, which does not restrict access to the server properly.

Votes:

   ACCEPT(3) Frech, Ozancin, Balinsky
   MODIFY(1) Wall
   REVIEWING(1) Christey

 Wall> The reference should be ASB99-01 (Expression Evaluator Security Issues)
   make application plural since there are three sample applications
   (openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm).
 Christey> The CD:SF-EXEC and CD:SF-LOC content decisions apply here.
   Since there are 3 separate "executables" with the same
   (or similar) problem, we need to make sure that CD:SF-EXEC
   determines what to do here.  There is evidence that some
   of these .cfm scripts have an "include" file, and if so, 
   then CD:SF-LOC says that we shouldn't make separate entries
   for each of these scripts.  On the other hand, the initial
   L0pht discovery didn't include all 3 of these scripts, and
   as far as I can tell, Allaire had patched the first problem
   before the others were discovered.  So, CD:DISCOVERY-DATE
   may argue that we should split these because the problems
   were discovered and patched at different times.
   
   In any case, this candidate can not be accepted until the
   Editorial Board has accepted the CD:SF-EXEC, CD:SF-LOC,
   and CD:DISCOVERY-DATE content decisions.

Phase: Proposed (19990728)
Reference: XF:linux-milo-halt

Description:
Local users can perform a denial of service in Alpha Linux, using MILO to force a reboot.

Votes:

   ACCEPT(1) Frech
   NOOP(1) Northcutt
   REJECT(1) Wall

 Wall> Reject based on beta copy.

Phase: Proposed (19990726)
Reference: BUGTRAQ:19990218 Linux autofs overflow in 2.0.36+
Reference: BID:312
Reference: URL:http://www.securityfocus.com/bid/312

Description:
Buffer overflow in Linux autofs module through long directory names allows local users to perform a denial of service.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:linux-autofs-bo(8365)

Phase: Proposed (19990728)

Description:
Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source address.

Votes:

   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> ADDREF XF:pmap-sset
 Christey> CAN-1999-0195 = CAN-1999-0461 ?
   If this is approved over CAN-1999-0195, make sure it gets
   XF:pmap-sset

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990114 Secuity hole with perl (suidperl) and nosuid mounts on Linux
Reference: BID:339
Reference: URL:http://www.securityfocus.com/bid/339

Description:
suidperl in Linux Perl does not check the nosuid mount option on file systems, allowing local users to gain root access by placing a setuid script in a mountable file system, e.g. a CD-ROM or floppy disk.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:perl-suidperl-bo
 Christey> XF:perl-suidperl-bo doesn't exist.

Phase: Proposed (19990728)
Reference: XF:http-img-overflow

Description:
Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

Votes:

   ACCEPT(2) Northcutt, Frech
   REJECT(2) LeBlanc, Wall

 Wall> Reject based on client-side DoS
 LeBlanc> Client side DOS

Phase: Modified (20000106-01)
Reference: NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
Reference: XF:http-cgi-webcom-guestbook

Description:
The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.

Votes:

   ACCEPT(4) Blake, Frech, Ozancin, Landfield
   NOOP(2) Northcutt, Christey

 Christey> CAN-1999-0287 is probably a duplicate of CAN-1999-0467.  In
   NTBUGTRAQ:19990409 Webcom's CGI Guestbook for Win32 web servers
   Mnemonix says that he had previously reported on a similar
   problem.  Let's refer to the NTBugtraq posting as
   CAN-1999-0467.  We will refer to the "previous report" as
   CAN-1999-0287, which can be found at:
   http://oliver.efri.hr/~crv/security/bugs/NT/httpd41.html
   
   0287 describes an exploit via the "template" hidden variable.
   The exploit describes manually editing the HTML form to
   change the filename to read from the template variable.
   
   The exploit as described in 0467 encodes the template variable
   directly into the URL.  However, hidden variables are also
   encoded into the URL, which would have looked the same to
   the web server regardless of the exploit.  Therefore 0287
   and 0467 are the same.
 Christey> 
   The CD:SF-EXEC content decision also applies here.  We have 2
   programs, wguest.exe and rguest.exe, which appear to have the
   same problem.  CD:SF-EXEC needs to be accepted by the Editorial
   Board before this candidate can be converted into a CVE
   entry.  When finalized, CD:SF-EXEC will decide whether
   this candidate should be split or not.
 Christey> BID:2024

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990409 IE 5.0 security vulnerabilities - %01 bug again
Reference: XF:ie-window-spoof

Description:
Internet Explorer 5.0 allows window spoofing, allowing a remote attacker to spoof a legitimate web site and capture information from the client.

Votes:

   ACCEPT(1) Wall
   NOOP(1) Northcutt
   REJECT(3) Frech, LeBlanc, Christey

 Wall> Reference: Microsoft Security Bulletin MS99-012
 Christey> DUPE CAN-1999-0488
 Frech> Defer to Christey's vote.
   However, XF:ie-mshtml-crossframe(2216) assigned to CAN-1999-0488.
 LeBlanc> Duplicate

Phase: Proposed (19990721)
Reference: BUGTRAQ:19990331 Potential vulnerability in SCO TermVision Windows 95 client
Reference: XF:sco-termvision-password

Description:
A weak encryption algorithm is used for passwords in SCO TermVision, allowing them to be easily decrypted by a local user.

Votes:

   ACCEPT(3) Baker, Frech, Ozancin
   NOOP(3) Northcutt, LeBlanc, Wall

Phase: Modified (19991210-01)
Reference: L0PHT:Cold Fusion App Server
Reference: XF:coldfusion-expression-evaluator
Reference: BID:115
Reference: URL:http://www.securityfocus.com/bid/115

Description:
The Expression Evaluator in the ColdFusion Application Server allows a remote attacker to upload files to the server via openfile.cfm, which does not restrict access to the server properly.

Votes:

   ACCEPT(3) Frech, Ozancin, Christey
   REJECT(1) Wall

 Wall> Duplicate of 0455
 Christey> CAN-1999-0477 and CAN-1999-0455 were discovered at different
   times.  Also, the attack was different.  So "Same Attack" and
   "Same Time of Discovery" dictate that these should remain
   separate.

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19980315 Midnight Commander /tmp race

Description:
Local attackers can conduct a denial of service in Midnight Commander 4.x with a symlink attack.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:midnight-commander-symlink-dos
 Christey> XF:midnight-commander-symlink-dos(3505)

Phase: Modified (20000106-01)
Reference: BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Description:
Denial of service in AOL Instant Messenger when a remote attacker sends a malicious hyperlink to the receiving client, potentially causing a system crash.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:aol-im.
 Christey> XF:aol-im appears to be related to the problem discussed in
   BUGTRAQ:19980224 AOL Instant Messanger Bug
   
   This one is related to BUGTRAQ:19990420 AOL Instant Messenger URL Crash

Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp

Description:
Internet Explorer 4.0 and 5.0 allows a remote attacker to execute security scripts in a different security context using malicious URLs, a variant of the "cross frame" vulnerability.

Votes:

   ACCEPT(1) Landfield
   MODIFY(2) Frech, Wall
   NOOP(2) Ozancin, Christey

 Frech> XF:ie-mshtml-crossframe
 Wall> (source: MSKB:Q168485)
 Christey> CAN-1999-0469 appears to be a duplicate; prefer this one over
   that one, since this one has an MS advisory.  Confirm with
   Microsoft that these are really duplicates.
   
   Also review CVE-1999-0487, which appears to be a similar
   bug.

Phase: Modified (19991205-01)
Reference: MS:MS99-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-015.asp

Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.

Votes:

   ACCEPT(1) Levy
   MODIFY(1) Wall
   NOOP(1) Ozancin
   RECAST(1) Prosser
   REJECT(1) Christey
   REVIEWING(1) Frech

 Frech> Wasn't Untrusted scripted paste MS98-015? I can find no mention of a
   clipboard in either.
   I cannot proceed on this one without further clarification.
 Wall> (source: MS:MS99-012)
 Prosser> agree with Andre here.  The Untrusted Scripted paste
   vulnerability was originally addressed in MS98-015 and it is in the file
   upload intrinsic control in which an attacker can paste the name of a file
   on the target's drive in the control and a form submission would then send
   that file from the attacked machine to the remote web site.  This one has
   nothing to do with the clipboard.  What the advisory mentioned here,
   MS99-012, does is replace the MSHTML parsing engine which is supposed to fix
   the original Untrusted Scripted Paste issue and a variant, as well as the
   two Cross-Frame variants and a privacy issue in IMG SRC.  
   The vulnerability that allowed reading of a user's clipboard is the Forms
   2.0 Active X control vulnerability discussed in MS99-01
 Christey> The advisory should have been listed as MS99-012.  
   CVE-1999-0468 describes the untrusted scripted paste problem
   in MS99-012.
 Frech> Pending response to guidance request. 12/6/01.

Phase: Modified (19991205-01)
Reference: MS:MS99-012
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-012.asp

Description:
MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to learn information about a local user's files via an IMG SRC tag.

Votes:

   ACCEPT(2) Wall, Landfield
   MODIFY(1) Frech
   NOOP(1) Ozancin
   REVIEWING(1) Christey

 Frech> XF:ie-scriplet-fileread
 Christey> Duplicate of CAN-1999-0347?

Phase: Proposed (19990726)
Reference: BUGTRAQ:Apr23,1999

Description:
The ffingerd 1.19 allows remote attackers to identify users on the target system based on its responses.

Votes:

   ACCEPT(3) Northcutt, Armstrong, Collins
   MODIFY(4) Blake, Baker, Frech, Shostack
   NOOP(4) Wall, Landfield, Cole, Christey
   REVIEWING(1) Ozancin

 Shostack> isn't that what finger is supposed to do?
 Landfield> Maybe we need a new category of "unsafe system utilities and protocols"
 Blake> Ffingerd 1.19 allows remote attackers to differentiate valid and invalid
   usernames on the target system based on its responses to finger queries.
 Christey> CHANGEREF BUGTRAQ [canonicalize]
   BUGTRAQ:19990423 Ffingerd privacy issues
   http://marc.theaimsgroup.com/?l=bugtraq&m=92488772121313&w=2
   
   Here's the nature of the problem.
   (1) FFingerd allows users to decide not to be fingered,
   printing a message "That user does not want to be fingered"
   (2) If the fingered user does not exist, then FFingerd's
   intended default is to print that the user does not
   want to be fingered; however, the error message has a
   period at the end.
   Thus, ffingerd can allow someone to determine who valid users
   on the server are, *in spite of* the intended functionality of
   ffingerd itself.  Thus this exposure should be viewed in light
   of the intended functionality of the application, as opposed
   to the common usage of the finger protocol in general.
   
   Also, the vendor posted a followup and said that a patch was
   available.  See:
   http://marc.theaimsgroup.com/?l=bugtraq&m=92489375428016&w=2
 Baker> Vulnerability Reference (HTML)	Reference Type
   http://www.securityfocus.com/archive/1/13422	Misc Defensive Info
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ffinger-user-info(5393)

Phase: Proposed (19990728)

Description:
A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.

Votes:

   ACCEPT(6) Blake, Northcutt, Baker, Ozancin, Cole, Collins
   MODIFY(1) Frech
   NOOP(4) Bishop, Wall, Landfield, Armstrong
   REVIEWING(2) Levy, Christey

 Frech> XF:nb-dotdotknown(837)
   References would be appreciated. We've got no reference for this issue;
   confidence rating is consequently low. 
 Levy> Some refernces:
   http://www.securityfocus.com/archive/1/3894
   http://www.securityfocus.com/archive/1/3533
   http://www.securityfocus.com/archive/1/3535

Phase: Proposed (19990728)

Description:
Anonymous FTP is enabled

Votes:

   ACCEPT(1) Shostack
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

 Frech> ftp-anon(52) at http://xforce.iss.net/static/52.php
   ftp-anon2(543) at http://xforce.iss.net/static/543.php
 Christey> Add period to the end of the description.

Phase: Modified (19990925-01)
Reference: CERT:CA-91.18.Active.Internet.tftp.Attacks

Description:
TFTP is not running in a restricted directory, allowing a remote attacker to access sensitive information such as password files.

Votes:

   ACCEPT(3) Blake, Northcutt, Hill
   MODIFY(1) Frech
   NOOP(1) Baker
   REVIEWING(1) Christey

 Frech> XF:linux-tftp
 Christey> XF:linux-tftp refers to CAN-1999-0183

Phase: Proposed (19990721)

Description:
NETBIOS share information may be published through SNMP registry keys in NT.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   REJECT(1) LeBlanc

 Frech> Change wording to 'Windows NT.'
   XF:snmp-netbios
 LeBlanc> Share info can be obtained via SNMP queries, but I question
   whether this is a vulnerability. The system can be configured not to do
   this, and one may argue that SNMP itself is an insecure configuration.
   Furthermore, the share information isn't published via registry keys -
   the description could refer to more than one actual issue. SNMP is meant
   to allow people to obtain information about systems. I'm willing to
   discuss this with the rest of the board.

Phase: Proposed (19990714)

Description:
A Unix account has a guessable password.

Votes:

   ACCEPT(3) Northcutt, Baker, Shostack
   RECAST(2) Frech, Meunier
   REVIEWING(1) Christey

 Frech> Guessable falls into the class of CAN-1999-0502, since I can guess a
   default, null, etc. password.
   Suggest changing to something like "has an existing non-default password
   that can be guessed."
   I'm also including default passwords in this entry. 
   In that vein, we show the following references:
   XF:user-password
   XF:passwd-username
   XF:default-unix-sync
   XF:default-unix-4dgifts
   XF:default-unix-bin
   XF:default-unix-daemon
   XF:default-unix-lp
   XF:default-unix-me
   XF:default-unix-nuucp
   XF:default-unix-root
   XF:default-unix-toor
   XF:default-unix-tour
   XF:default-unix-tty
   XF:default-unix-uucp
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.
 CHANGE> [Meunier changed vote from ACCEPT to RECAST]
 Meunier> This relates only to account password technology, so this candidate is
   independent of the operating system, application, web site or other
   application of this technology.  The appropriate (natural) level of
   abstraction is therefore without specifying that it is for UNIX.
   Change the description to "An account has a guessable password other
   than default, null, blank."  This should satisfy Andre's objection.
   
   This Candidate should be merged with any candidate relating to
   account password technology where "Unix" in the original description
   can be replaced by something else.

Phase: Proposed (19990714)

Description:
A Unix account has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:passwd-blank
   XF:no-pass
   XF:dict
   XF:sgi-accounts
   XF:linux-caldera-lisa
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.

Phase: Proposed (19990714)

Description:
A Windows NT local user or administrator account has a guessable password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> Note: I am assuming that this entry includes Windows 2000 accounts and
   machine/service accounts listed in User Manager.
   XF:nt-guess-admin
   XF:nt-guess-user
   XF:nt-guess-guest
   XF:nt-guessed-operpwd
   XF:nt-guessed-powerwd
   XF:nt-guessed-disabled
   XF:nt-guessed-backup
   XF:nt-guessed-acctoper-pwd
   XF:nt-adminuserpw
   XF:nt-guestuserpw
   XF:nt-accountuserpw
   XF:nt-operator-userpw
   XF:nt-service-user-pwd
   XF:nt-server-oper-user-pwd
   XF:nt-power-user-pwd
   XF:nt-backup-operator-userpwd
   XF:nt-disabled-account-userpwd
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.

Phase: Proposed (19990714)

Description:
A Windows NT local user or administrator account has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:nt-guestblankpw
   XF:nt-adminblankpw
   XF:nt-adminnopw
   XF:nt-usernopw
   XF:nt-guestnopw
   XF:nt-accountblankpw
   XF:nt-nopw
   XF:nt-operator-blankpwd
   XF:nt-server-oper-blank-pwd
   XF:nt-power-user-blankpwd
   XF:nt-backup-operator-blankpwd
   XF:nt-disabled-account-blankpwd
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.

Phase: Proposed (19990714)

Description:
A Windows NT domain user or administrator account has a guessable password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech

 Frech> XF:nt-guessed-domain-userpwd
   XF:nt-guessed-domain-guestpwd
   XF:nt-guessed-domain-adminpwd
   XF:nt-domain-userpwd
   XF:nt-domain-admin-userpwd
   XF:nt-domain-guest-userpwd
   XF:win2k-certpub-usrpwd
   XF:win2k-dhcpadm-usrpwd
   XF:win2k-dnsadm-usrpwd
   XF:win2k-entadm-usrpwd
   XF:win2k-schema-usrpwd
   XF:win2k-guessed-certpub
   XF:win2k-guessed-dhcpadm
   XF:win2k-guessed-dnsadm
   XF:win2k-guessed-entadm
   XF:win2k-guessed-schema

Phase: Proposed (19990714)

Description:
A Windows NT domain user or administrator account has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech

 Frech> XF:nt-domain-admin-blankpwd
   XF:nt-domain-admin-nopwd
   XF:nt-domain-guest-blankpwd
   XF:nt-domain-guest-nopwd
   XF:nt-domain-user-blankpwd
   XF:nt-domain-user-nopwd
   XF:win2k-certpub-blnkpwd
   XF:win2k-dhcpadm-blnkpwd
   XF:win2k-dnsadm-blnkpwd
   XF:win2k-entadm-blnkpwd
   XF:win2k-schema-blnkpwd

Phase: Proposed (19990714)

Description:
An account on a router, firewall, or other network device has a guessable password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech

 Frech> XF:firewall-tisopen
   XF:firewall-raptoropen
   XF:firewall-msopen
   XF:firewall-checkpointopen
   XF:firewall-ciscoopen

Phase: Proposed (19990714)

Description:
An account on a router, firewall, or other network device has a default, null, blank, or missing password.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> Note: Because the distinction between network hardware and software is not
   distinct, 
   the term 'network device' was liberally interpreted. Feel free to reject any
   of the
   below terms.
   XF:default-netranger
   XF:cayman-gatorbox
   XF:breezecom-default-passwords
   XF:default-portmaster
   XF:wingate-unpassworded
   XF:netopia-unpassworded
   XF:default-bay-switches
   XF:motorola-cable-default-pass
   XF:default-flowpoint
   XF:qms-2060-no-root-password
   XF:avirt-ras-password
   XF:webtrends-rtp-serv-install-password
   XF:cisco-bruteforce
   XF:cisco-bruteadmin
   XF:sambar-server-defaults
   XF:management-pfcuser
   XF:http-cgi-wwwboard-default
 Christey> DELREF XF:avirt-ras-password - does not fit CAN-1999-0508.

Phase: Modified (20000114-01)
Reference: CERT:CA-96.11

Description:
Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

Votes:

   ACCEPT(2) Northcutt, Wall
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Christey> What is the right level of abstraction to use here?  Should
   we combine all possible interpreters into a single entry,
   or have a different entry for each one?  I've often seen
   Perl separated from other interpreters - is it included
   by default in some Windows web server configurations?
 Christey> Add tcsh, zsh, bash, rksh, ksh, ash, to support search.
 Frech> XF:http-cgi-vuln(146)

Phase: Proposed (19990726)

Description:
A router or firewall allows source routed packets from arbitrary hosts.

Votes:

   ACCEPT(2) Northcutt, Baker
   MODIFY(1) Frech

 Frech> XF:source-routing

Phase: Proposed (19990726)

Description:
IP forwarding is enabled on a machine which is not a router or firewall.

Votes:

   ACCEPT(2) Northcutt, Baker
   MODIFY(1) Frech

 Frech> XF:ip-forwarding

Phase: Modified (20020427-01)

Description:
A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.

Votes:

   ACCEPT(3) Northcutt, Baker, Shostack
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:smtp-sendmail-relay(210)
   XF:ntmail-relay(2257)
   XF:exchange-relay(3107) (also assigned to CVE-1999-0682)
   XF:smtp-relay-uucp(3470)
   XF:sco-sendmail-spam(4342)
   XF:sco-openserver-mmdf-spam(4343)
   XF:lotus-domino-smtp-mail-relay(6591)
   XF:win2k-smtp-mail-relay(6803)
   XF:cobalt-poprelayd-mail-relay(6806)
   
   Candidate implicitly may refer to relaying settings enabled by default, or
   the bypass/circumvention of relaying. Both interpretations were used in
   assigning this candidate.
 Christey> The intention of this candidate is to cover configurations in
   which the admin has explicitly enabled relaying.  Other cases
   in which the application *intends* to prvent relaying, but
   there is some specific input that bypasses/tricks it, count
   as vulnerabilities (or exposures?) and as such would be
   assigned different numbers.
   
   http://www.sendmail.org/~ca/email/spam.html seems like a good
   general resource, as does ftp://ftp.isi.edu/in-notes/rfc2505.txt
 Christey> I changed the description to make it more clear that the issue
   is that of explicit configuration, as opposed to being the
   result of a vulnerability.

Phase: Proposed (19990728)

Description:
An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Shostack

 Shostack> Overly broad
 Frech> XF:rsh-equiv(111)

Phase: Proposed (19990714)

Description:
An SNMP community name is guessable.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:snmp-get-guess
   XF:snmp-set-guess
   XF:sol-hidden-commstr
   XF:hpov-hidden-snmp-comm
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.

Phase: Proposed (19990714)

Description:
An SNMP community name is the default (e.g. public), null, or missing.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:nt-snmp
   XF:snmp-comm
   XF:snmp-set-any
   XF:snmp-get-public
   XF:snmp-set-public
   XF:snmp-get-any
 Christey> This candidate is affected by the CD:CF-PASS content decision,
   which determines the appropriate level of abstraction to
   use for password problems.  CD:CF-PASS needs to be accepted
   by the Editorial Board before this candidate can be
   converted into a CVE entry; the final version of CD:CF-PASS
   may require using a different LOA than this candidate is
   currently using.
 Christey> Consider adding BID:2112

Phase: Proposed (19990714)

Description:
A NETBIOS/SMB share password is guessable.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, LeBlanc, Meunier
   MODIFY(1) Frech

 Frech> Change description term to NetBIOS.
   XF:nt-netbios-perm
   XF:sharepass
   XF:win95-smb-password
   XF:nt-netbios-dict

Phase: Proposed (19990714)

Description:
A NETBIOS/SMB share password is the default, null, or missing.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, LeBlanc, Meunier
   MODIFY(1) Frech

 Frech> Change description term to NetBIOS.
   XF:decod-smb-password-empty
   XF:nt-netbios-everyoneaccess
   XF:nt-netbios-guestaccess
   XF:nt-netbios-allaccess
   XF:nt-netbios-open
   XF:nt-netbios-write
   XF:nt-netbios-shareguest
   XF:nt-writable-netbios
   XF:nt-netbios-everyoneaccess-printer
   XF:nt-netbios-share-print-guest

Phase: Proposed (19990803)

Description:
A system-critical NETBIOS/SMB share has inappropriate access control.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt
   REJECT(1) LeBlanc
   REVIEWING(1) Christey

 Northcutt> I think we need to enumerate the shares and or the access control
 Christey> One question is, what is "inappropriate"?  It's probably
   very dependent on the policy of the enterprise on which
   this is found.  And should writable shares be different
   from readable shares?  (Or file systems, mail spools, etc.)
   Yes, the impact may be different, but we could have a
   large number of entries for each possible type of access.
   A content decision (CD:CF-DATA) needs to be reviewed
   and accepted by the Editorial Board in order to resolve
   this question.
 LeBlanc> Unacceptably vague - agree with Christey's comments.
 Frech> associated to:
   XF:nt-netbios-everyoneaccess(1)
   XF:nt-netbios-guestaccess(2)
   XF:nt-netbios-allaccess(3)
   XF:nt-netbios-open(15)
   XF:nt-netbios-write(19)
   XF:nt-netbios-shareguest(20)
   XF:nt-writable-netbios(26)
   XF:nb-rootshare(393)
   XF:decod-smb-password-empty(2358)

Phase: Proposed (19990714)

Description:
An NIS domain name is easily guessable.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:nis-dom
 Christey> Consider http://www.cert.org/advisories/CA-1992-13.html
   as well as ftp://ciac.llnl.gov/pub/ciac/bulletin/c-fy92/c-25.ciac-sunos-nis-patch

Phase: Proposed (19990803)
Reference: CERT:CA-96.10

Description:
The permissions for a system-critical NIS+ table (e.g. passwd) are inappropriate.

Votes:

   ACCEPT(1) Wall
   NOOP(1) Christey
   RECAST(1) Northcutt

 Northcutt> Why not say world readable, this is what you do further down in the
   file (world exportable in CAN-1999-0554)
 Christey> ADDREF AUSCERT:AA-96.02

Phase: Proposed (19990726)

Description:
ICMP echo (ping) is allowed from arbitrary hosts.

Votes:

   MODIFY(1) Meunier
   REJECT(2) Northcutt, Frech

 Northcutt> (Though I sympathize with this one :)
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> Ping is a utility that can be run on demand; ICMP echo is a
   message 
   type. As currently worded, this candidate seems as if an arbitrary
   host 
   is vulnerable because it is capable of running an arbitrary program
   or
   function (in this case, ping/ICMP echo). There are many
   programs/functions that 
   'shouldn't' be on a computer, from a security admin's perspective.
   Even if this
   were a vulnerability, it would be impacted by CD-HIGHCARD.
 Meunier> Every ICMP message type presents a vulnerability or an
   exposure, if access is not controlled.  By that I mean not only those
   in RFC 792, but also those in RFC 1256, 950, and more.  I think that
   the description should be changed to "ICMP messages are acted upon
   without any access control".  ICMP is an error and debugging protocol.
   We complain about vendors leaving testing backdoors in their programs.
   ICMP is the equivalent for TCP/IP.  ICMP should be in the dog house,
   unless you are trying to troubleshoot something.  MTU discovery is
   just a performance tweak -- it's not necessary.  I don't know of any
   ICMP message type that is necessary if the network is functional.
   Limited logging of ICMP messages could be useful, but acting upon them
   and allowing the modification of routing tables, the behavior of the
   TCP/IP stack, etc... without any form of authentication is just crazy.

Phase: Proposed (19990726)

Description:
ICMP information such as netmask and timestamp is allowed from arbitrary hosts.

Votes:

   MODIFY(2) Frech, Meunier
   REJECT(1) Northcutt

 Frech> XF:icmp-timestamp
   XF:icmp-netmask
 Meunier> If this is not merged with 1999-0523 as I commented for that
   CVE, then the description should be changed to "ICMP messages of types
   13 and 14 (timestamp request and reply) and 17 and 18 (netmask request
   and reply) are acted upon without any access control".  It's a more
   precise and correct language.  I believe that this is a valid CVE
   entry (it's a common source of vulnerabilities or exposures) even
   though I see that the inferred action was "reject".  Knowing the time
   of a host also allows attacks against random number generators that
   are seeded with the current time.  I want to push to have it accepted.

Phase: Proposed (19990726)

Description:
IP traceroute is allowed from arbitrary hosts.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt

 Frech> XF:traceroute

Phase: Proposed (19990803)

Description:
The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

Votes:

   ACCEPT(3) Northcutt, Baker, Wall
   MODIFY(1) Frech

 Northcutt> That that starts to get specific :)
 Frech> ftp-writable-directory(6253)
   ftp-write(53)
   "writeable" in the description should be "writable." 

Phase: Proposed (19990726)

Description:
A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.

Votes:

   ACCEPT(3) Northcutt, Baker, Meunier
   MODIFY(1) Frech

 Frech> possibly XF:nisd-dns-fwd-check
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:firewall-external-packet-forwarding(8372)

Phase: Proposed (19990726)

Description:
A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

Votes:

   ACCEPT(1) Frech
   MODIFY(1) Meunier
   REJECT(1) Northcutt

 Northcutt> I have seen ISPs "assign" private addresses within their domain
 Meunier> A border router or firewall forwards packets that claim to come from IANA
   reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x,
   etc, outside of their area of validity.
 CHANGE> [Frech changed vote from REVIEWING to ACCEPT]

Phase: Proposed (19990728)

Description:
A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Shostack

 Frech> XF:etherstatd(264)
   XF:sniffer-attack(778) 
   XF:decod-packet-capture-remote(1072)
   XF:netmon-running(1448)
   XF:netxray3-probe(1450)
   XF:sol-snoop-getquota-bo(3670) (also assigned to CVE-1999-0974)

Phase: Proposed (19990728)

Description:
An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
   RECAST(1) Shostack
   REJECT(1) Northcutt

 Shostack> I think expn != vrfy, help, esmtp.
 Frech> XF:lotus-domino-esmtp-bo(4499) (also assigned to CVE-2000-0452 and
   CAN-2000-1046)
   XF:smtp-expn(128)
   XF:smtp-vrfy(130)
   XF:smtp-helo-bo(886)
   XF:smtp-vrfy-bo(887)
   XF:smtp-expn-bo(888)
   XF:slmail-vrfyexpn-overflow(1721)
   XF:smtp-ehlo(323)
   
   Perhaps add RCPT? If so, add XF:smtp-rcpt(1928)
 Christey> XF:smtp-vrfy(130) ?

Phase: Proposed (19990726)

Description:
A DNS server allows zone transfers.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt

 Northcutt> (With split DNS implementations this is quite appropriate)
 Frech> XF:dns-zonexfer

Phase: Proposed (19990726)

Description:
A DNS server allows inverse queries.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt

 Northcutt> (rule of thumb)
 Frech> XF:dns-iquery

Phase: Proposed (19990721)

Description:
A Windows NT user has inappropriate rights or privileges, e.g. Act as System, Add Workstation, Backup, Change System Time, Create Pagefile, Create Permanent Object, Create Token Name, Debug, Generate Security Audit, Increase Priority, Increase Quota, Load Driver, Lock Memory, Profile Single Process, Remote Shutdown, Replace Process Token, Restore, System Environment, Take Ownership, or Unsolicited Input.

Votes:

   ACCEPT(5) Christey, Baker, Shostack, Ozancin, Wall
   MODIFY(2) Northcutt, Frech

 Northcutt> If we are going to write a laundry list put access to the scheduler in it.
 Christey> The list of privileges is very useful for lookup.
 Frech> XF:nt-create-token
   XF:nt-replace-token
   XF:nt-lock-memory
   XF:nt-increase-quota
   XF:nt-unsol-input
   XF:nt-act-system
   XF:nt-create-object
   XF:nt-sec-audit
   XF:nt-add-workstation
   XF:nt-manage-log
   XF:nt-take-owner
   XF:nt-load-driver
   XF:nt-profile-system
   XF:nt-system-time
   XF:nt-single-process
   XF:nt-increase-priority
   XF:nt-create-pagefile
   XF:nt-backup
   XF:nt-restore
   XF:nt-debug
   XF:nt-system-env
   XF:nt-remote-shutdown

Phase: Proposed (19990721)

Description:
A Windows NT account policy for passwords has inappropriate, security-critical settings, e.g. for password length, password age, or uniqueness.

Votes:

   ACCEPT(2) Shostack, Wall
   MODIFY(2) Baker, Frech
   RECAST(2) Northcutt, Ozancin

 Northcutt> inappropriate implies there is appropriate.  As a guy who has been
   monitoring
   networks for years I have deep reservations about justiying the existance
   of any fixed cleartext password. For appropriate to exist, some "we" would 
   have to establish some criteria for appropriate passwords.
 Baker> Perhaps this could be re-worded a bit.  The CVE CAN-1999-00582
   specifies "...settings for lockouts".  To remain consistent with the
   other, maybe it should specify "...settings for passwords" I think
   most people would agree that passwords should be at least 8
   characters; contain letters (upper and lowercase), numbers and at
   least one non-alphanumeric; should only be good a limited time 30-90
   days; and should not contain character combinations from user's prior
   2 or 3 passwords.
   Suggested rewrite - 
   A Windows NT account policy does not enforce reasonable minimum
   security-critical settings for passwords, e.g. passwords of sufficient
   length, periodic required password changes, or new password uniqueness
 Ozancin> What is appropriate?
 Frech> XF:nt-autologonpwd
   XF:nt-pwlen
   XF:nt-maxage
   XF:nt-minage
   XF:nt-pw-history
   XF:nt-user-pwnoexpire
   XF:nt-unknown-pwdfilter
   XF:nt-pwd-never-expire
   XF:nt-pwd-nochange
   XF:nt-pwdcache-enable
   XF:nt-guest-change-passwords

Phase: Proposed (19990726)

Description:
A configuration in a web browser such as Internet Explorer or Netscape Navigator allows execution of active content such as ActiveX, Java, Javascript, etc.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Frech
   REJECT(1) LeBlanc

 Frech> Good candidate for dot notation.
   XF:nav-java-enabled
   XF:nav-javascript-enabled
   XF:ie-active-content
   XF:ie-active-download
   XF:ie-active-scripting
   XF:ie-activex-execution
   XF:ie-java-enabled
   XF:netscape-javascript
   XF:netscape-java
   XF:zone-active-scripting
   XF:zone-activex-execution
   XF:zone-desktop-install
   XF:zone-low-channel
   XF:zone-file-download
   XF:zone-file-launch
   XF:zone-java-scripting
   XF:zone-low-java
   XF:zone-safe-scripting
   XF:zone-unsafe-scripting
 LeBlanc> Not a vulnerability. These are just checks for configuration
   settings that a user might have changed. I understand need to increase
   number of checks in a scanning product, but don't feel like these belong
   in CVE. Scanner vendors could argue that these entries are needed to
   keep a common language.

Phase: Proposed (19990728)

Description:
A trust relationship exists between two Unix hosts.

Votes:

   MODIFY(1) Frech
   REJECT(2) Northcutt, Shostack

 Northcutt> Too non specific
 Frech> XF:trusted-host(341)
   XF:trust-remote-same(717)
   XF:trust-remote-root(718)
   XF:trust-remote-nonroot(719)
   XF:trust-remote-any(720)
   XF:trust-other-host(723)
   XF:trust-all-nonroot(726)
   XF:trust-any-remote(727)
   XF:trust-local-acct(728)
   XF:trust-local-any(729)
   XF:trust-local-nonroot(730)
   XF:trust-all-hosts(731)
   XF:nt-trusted-domain(1284)
   XF:rsagent-trusted-domainadded(1588)
   XF:trust-remote-user(2955)
   XF:user-trust-hosts(3074)
   XF:user-trust-other-host(3077)
   XF:user-trust-remote-account(3079)

Phase: Proposed (19990714)

Description:
A password for accessing a WWW URL is guessable.

Votes:

   ACCEPT(4) Northcutt, Baker, Shostack, Meunier
   MODIFY(1) Frech

 Frech> XF:http-password

Phase: Proposed (19990721)

Description:
The Windows NT guest account is enabled.

Votes:

   ACCEPT(5) Northcutt, Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech

 Frech> XF:nt-guest-account

Phase: Proposed (19990728)

Description:
An SSH server allows authentication through the .rhosts file.

Votes:

   ACCEPT(2) Baker, Shostack
   MODIFY(1) Frech
   NOOP(1) Northcutt

 Frech> XF:sshd-rhosts(315)

Phase: Proposed (19990728)

Description:
A superfluous NFS server is running, but it is not importing or exporting any file systems.

Votes:

   ACCEPT(1) Shostack
   REJECT(1) Northcutt

Phase: Proposed (19990630)

Description:
Windows NT automatically logs in an administrator upon rebooting.

Votes:

   ACCEPT(1) Hill
   MODIFY(3) Blake, Frech, Ozancin
   NOOP(1) Wall
   REJECT(1) Baker

 Wall> Don't know what this is.  Don't think it is a vulnerability and would
   initially reject.  This is different than just renaming the
   administrator account.
 Frech> Would appreciate more information on this one, as in a reference.
 Blake> Reference: XF:nt-autologin
 Ozancin> Needs more detail
 Baker> I tried to find the XF:nt-autologin reference, and got no matching records from their search engine.
   No refs, no details, should reject
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-autologon(5)

Phase: Proposed (19990726)

Description:
A router's routing tables can be obtained from arbitrary hosts.

Votes:

   MODIFY(1) Frech
   RECAST(1) Northcutt

 Northcutt> Don't you mean obtained by arbitrary hosts
 Frech> XF:routed
   XF:decod-rip-entry
   XF:rip

Phase: Proposed (19990803)

Description:
NFS exports system-critical data to the world, e.g. / or a password file.

Votes:

   ACCEPT(2) Northcutt, Wall
   REVIEWING(1) Christey

 Christey> A content decision (CD:CF-DATA) needs to be reviewed
   and accepted by the Editorial Board in order to resolve
   this question.

Phase: Proposed (19990728)

Description:
A Unix account with a name other than "root" has UID 0, i.e. root privileges.

Votes:

   REJECT(2) Northcutt, Shostack

 Northcutt> This is very bogus

Phase: Proposed (19990728)

Description:
Two or more Unix accounts have the same UID.

Votes:

   NOOP(1) Christey
   REJECT(2) Northcutt, Shostack

 Christey> XF:duplicate-uid(876)
 Christey> Add terms "duplicate" and "user ID" to facilitate search.
   ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist

Phase: Proposed (19990803)

Description:
A system-critical Unix file or directory has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> Writable other than by root/bin/wheelgroup?

Phase: Proposed (19990803)

Description:
A system-critical Windows NT file or directory has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> I think we should specify these

Phase: Proposed (19990728)

Description:
IIS has the #exec function enabled for Server Side Include (SSI) files.

Votes:

   NOOP(1) Northcutt
   RECAST(1) Shostack
   REJECT(1) LeBlanc

 LeBlanc> Does not meet definition of a vulnerability. This function is
   just enabled. You can turn it off if you want. if you trust the people
   putting up your web pages, this isn't a problem. If you don't, this is
   just one of many things you need to change.

Phase: Proposed (19990721)

Description:
The registry in Windows NT can be accessed remotely by users who are not administrators.

Votes:

   ACCEPT(4) Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   RECAST(1) Northcutt

 Northcutt> This isn't all or nothing, users may be allowed to access part of the
   registry.
 Frech> XF:nt-winreg-all
   XF:nt-winreg-net

Phase: Proposed (19990728)

Description:
An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

Votes:

   ACCEPT(2) Baker, Shostack
   NOOP(1) Northcutt

Phase: Proposed (19990728)

Description:
A Sendmail alias allows input to be piped to a program.

Votes:

   ACCEPT(1) Northcutt
   RECAST(1) Shostack

 Shostack> Is this a default alias?  Is my .procmailrc an instance of this?

Phase: Proposed (19990728)

Description:
rpc.admind in Solaris is not running in a secure mode.

Votes:

   ACCEPT(1) Northcutt
   NOOP(1) Christey
   RECAST(2) Shostack, Dik

 Shostack> are there secure modes?
 Dik> Several:
   1) there is no "rpc.admind" daemon.
   there used to be a "admind" RPC daemon (100087/10)
   and there's now an "sadmind" daemon (100232/10)
   The switch over was somewhere around Solaris 2.4.
   2) Neither defaults to "secure mode"
   3) secure mode is "using secure RPC" which does
   proper over the wire authentication by specifying
   the "-S 2" option in inetd.conf
   (security level 2)
 Christey> XF:rpc-admind(626)
   http://xforce.iss.net/static/626.php
   MISC:http://pulhas.org/xploitsdb/mUNIXes/admind.html

Phase: Modified (19991130-01)

Description:
A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.

Votes:

   ACCEPT(1) Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Northcutt> I do this intentionally somethings in high content directories
 Christey> XF:http-noindex(90) ?

Phase: Proposed (19990728)

Description:
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Wall

 Northcutt> Here we are crossing into the best practices arena again.  However since
   passfilt does establish a measurable standard and since we aren't the
   ones defining the stanard, simply saying it should be employed I will
   vote for this.  
 Frech> XF:nt-passfilt-not-inst(1308)
   XF:nt-passfilt-not-found(1309)
 Christey> Consider MSKB:Q161990 and MSKB:Q151082

Phase: Modified (20020312-01)
Reference: BUGTRAQ:Feb5,1999

Description:
A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Northcutt

 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:ascend-config-kill(889)
   XF:cisco-ios-crash(1238)
   XF:webramp-remote-access(1670)
   XF:ascom-timeplex-debug(1824)
   XF:netopia-unpassworded(1850)
   XF:cisco-web-crash(1886)
   XF:cisco-router-commands(1951)
   XF:motorola-cable-default-pass(2002)
   XF:default-flowpoint(2091)
   XF:netgear-router-idle-dos(4003)
   XF:cisco-cbos-telnet(4251)
   XF:routermate-snmp-community(4290)
   XF:cayman-router-dos(4479)
   XF:wavelink-authentication(5185)
   XF:ciscosecure-ldap-bypass-authentication(5274)
   XF:foundry-firmware-telnet-dos(5514)
   XF:netopia-view-system-log(5536)
   XF:cisco-webadmin-remote-dos(5595)
   XF:cisco-cbos-web-access(5626)
   XF:netopia-telnet-dos(6001)
   XF:cisco-sn-gain-access(6827)
   XF:cayman-dsl-insecure-permissions(6841)
   XF:linksys-etherfast-reveal-passwords(6949)
   XF:zyxel-router-default-password(6968)
   XF:cisco-cbos-web-config(7027)
   XF:prestige-wan-bypass-filter(7146)
 Christey> I changed the description to make it more explicit that this
   candidate is about router configuration, as opposed to
   vulnerabilities that accidentally make a configuration
   service accessible to anyone.

Phase: Proposed (19990721)

Description:
.reg files are associated with the Windows NT registry editor, making the registry susceptible to Trojan Horse attacks.

Votes:

   ACCEPT(4) Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   NOOP(2) Christey, Northcutt

 Northcutt> I don't quite get what this means, sorry
 Frech> XF:nt-regfile(178)
 Christey> MISC:http://security-archive.merton.ox.ac.uk/nt-security-199902/0087.html

Phase: Proposed (19990721)

Description:
A Windows NT system's user audit policy does not log an event success or failure, e.g. for Logon and Logoff, File and Object Access, Use of User Rights, User and Group Management, Security Policy Changes, Restart, Shutdown, and System, and Process Tracking.

Votes:

   ACCEPT(4) Christey, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   RECAST(2) Northcutt, Baker

 Northcutt> It isn't a great truth that you should enable all or the above, if you
   do you potentially introduce a vulnerbility of filling up the file
   system with stuff you will never look at.
 Ozancin> It is far less interesting what a user does successfully that what they
   attempt and fail at.
 Christey> The list of event types is very useful for lookup.
 Frech> XF:nt-system-audit
   XF:nt-logon-audit
   XF:nt-object-audit
   XF:nt-privil-audit
   XF:nt-process-audit
   XF:nt-policy-audit
   XF:nt-account-audit
 CHANGE> [Baker changed vote from REVIEWING to RECAST]

Phase: Proposed (19990721)

Description:
A Windows NT system's file audit policy does not log an event success or failure for security-critical files or directories.

Votes:

   ACCEPT(3) Baker, Shostack, Wall
   MODIFY(2) Frech, Ozancin
   REJECT(1) Northcutt

 Northcutt> 1.) Too general are we ready to state what the security-critical files
   and directories are
   2.) Does Ataris, Windows CE, PalmOS, Linux have such a capability
 Ozancin> Some files and directories are clearly understood to be critical. Others are
   unclear. We need to clarify that critical is.
 Frech> XF:nt-object-audit

Phase: Proposed (19990721)

Description:
A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

Votes:

   ACCEPT(2) Shostack, Wall
   MODIFY(3) Baker, Frech, Ozancin
   REJECT(1) Northcutt

 Ozancin> It is far less interesting what a user does successfully that what they
   attempt and fail at.
   Perhaps only failure should be logged.
 Frech> XF:nt-object-audit
 CHANGE> [Baker changed vote from REVIEWING to MODIFY]
 Baker> Failure on non-critical files is what should be monitored.

Phase: Proposed (19990721)

Description:
A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.

Votes:

   ACCEPT(4) Baker, Shostack, Ozancin, Wall
   MODIFY(1) Frech
   REJECT(1) Northcutt

 Ozancin> with reservation
   Again what is defined as critical
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-object-audit(228)

Phase: Proposed (19990721)

Description:
A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

Votes:

   ACCEPT(3) Baker, Shostack, Wall
   MODIFY(2) Frech, Ozancin
   REJECT(1) Northcutt

 Ozancin> Again only failure may be of interest. It would be impractical to wad
   through the incredibly large amount of logging that this would generate. It
   could overwhelm log entries that you might find interesting.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:nt-object-audit(228)

Phase: Proposed (19990803)

Description:
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.

Phase: Proposed (19990803)

Description:
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.

Phase: Proposed (19990721)

Description:
A Windows NT account policy has inappropriate, security-critical settings for lockout, e.g. lockout duration, lockout after bad logon attempts, etc.

Votes:

   ACCEPT(3) Shostack, Ozancin, Wall
   MODIFY(2) Baker, Frech
   REJECT(1) Northcutt

 Northcutt> The definition is?
 Baker> Maybe a rewording of this one too.  I think most people would agree on
   some "minimum" policies like 3-5 bad attempts lockout for an hour or
   until the administrator unlocks the account.
   Suggested rewrite -
   A Windows NT account policy does not enforce reasonable minimum
   security-critical settings for lockouts, e.g. lockout duration,
   lockout after bad logon attempts, etc.
 Ozancin> with reservations
   What is appropriate?
 Frech> XF:nt-thres-lockout
   XF:nt-lock-duration
   XF:nt-lock-window
   XF:nt-perm-lockout
   XF:lockout-disabled

Phase: Proposed (19990728)

Description:
There is a one-way or two-way trust relationship between Windows NT domains.

Votes:

   NOOP(1) Christey
   REJECT(2) Northcutt, Shostack

 Christey> XF:nt-trusted-domain(1284)

Phase: Proposed (19990728)

Description:
A Windows NT file system is not NTFS.

Votes:

   ACCEPT(2) Northcutt, Wall
   MODIFY(1) Frech
   NOOP(1) Christey

 Wall> NTFS partition provides the security.  This could be re-worded
   to "A Windows NT file system is FAT" since it is either NTFS or FAT
   and FAT is less secure.
 Frech> XF:nt-filesys(195)
 Christey> MSKB:Q214579
   MSKB:Q214579
   http://support.microsoft.com/support/kb/articles/Q100/1/08.ASP

Phase: Proposed (19990721)

Description:
A Windows NT administrator account has the default name of Administrator.

Votes:

   ACCEPT(1) Ozancin
   MODIFY(1) Frech
   REJECT(3) Northcutt, Baker, Shostack
   REVIEWING(1) Wall

 Wall> Some sources say this is not a vulnerability, but a warning.  It just
   slows down the search for the admin account (SID = 500) which can
   always be found.
 Northcutt> I change this on all NT systems I am responsible for, but is
   root a vulnerability?
 Baker> There are ways to identify the administrator account anyway, so this
   is only a minor delay to someone that is knowledgeable.  This, in and
   of itself, doesn't really strike me as a vulnerability, anymore than
   the root account on a Unix box.
 Shostack> (there is no way to hide the account name today)
 Frech> XF:nt-adminexists

Phase: Proposed (19990728)

Description:
A network service is running on a nonstandard port.

Votes:

   RECAST(1) Shostack
   REJECT(1) Northcutt

 Shostack> Might be acceptable if clearer; is that a standard service on a
   non-standard port, or any service on an unassigned port?

Phase: Proposed (19990803)

Description:
A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> While I would accept this for Unix, I am not sure this applies to NT,
   VMS, palm pilots, or commodore 64

Phase: Proposed (19990726)

Description:
A filter in a router or firewall allows unusual fragmented packets.

Votes:

   MODIFY(1) Frech
   REJECT(1) Northcutt

 Northcutt> I want to vote to accept this one, but unusual is a shade broad.
 Frech> XF:nt-rras
   XF:cisco-fragmented-attacks
   XF:ip-frag

Phase: Proposed (19990803)

Description:
A system-critical Windows NT registry key has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(2) Christey, Northcutt

 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE.
   Specific registry keys with bad permissions is roughly
   equivalent to Unix configuration files that have bad
   permissions; those permission problems can be created by
   any vendor, not just a specific one.  Therefore this
   candidate should be RECAST into each separate registry
   key that has this problem.

Phase: Proposed (19990728)

Description:
A system does not present an appropriate legal message or warning to a user who is accessing it.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Christey
   RECAST(1) Shostack

 Christey> ADDREF CIAC:J-043
   URL:http://ciac.llnl.gov/ciac/bulletins/j-043.shtml
   Also add "banner" to the description to facilitate search.

Phase: Proposed (19990803)

Description:
An event log in Windows NT has inappropriate access permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> splain Lucy, splain

Phase: Proposed (19990728)

Description:
The Logon box of a Windows NT system displays the name of the last user who logged in.

Votes:

   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(2) Northcutt, Wall

 Wall> Information gathering, not vulnerability
 Northcutt> Ah a C2 weenie must have snuck this in, this can be a good thing 
   not just vulnerability
 Frech> XF:nt-display-last-username(1353)
   Use it if you will. :-) If not, let us know so I can remove the CAN
   reference from our database.
 Christey> MSKB:Q114463
   http://support.microsoft.com/support/kb/articles/q114/4/63.asp

Phase: Proposed (19990728)

Description:
A user is allowed to shut down a Windows NT system without logging in.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   REJECT(1) Northcutt

 Wall> Still a denial of service.
 Northcutt> May well be appropriate
 Frech> XF:nt-shutdown-without-logon(1291)

Phase: Proposed (19990728)

Description:
A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

 Wall> Perhaps it can be re-worded to "removable media drives
   such as a floppy disk drive or CDROM drive can be accessed (shared) in a
   Windows NT system."
 Northcutt> - what good is my NT w/o its floppy
 Frech> XF:nt-allocate-cdroms(1294)
   XF:nt-allocate-floppy(1318)
 Christey> MSKB:Q172520
   URL:http://support.microsoft.com/support/kb/articles/q172/5/20.asp

Phase: Proposed (19990728)
Reference: MSKB:Q182086

Description:
A Windows NT system does not clear the system page file during shutdown, which might allow sensitive information to be recorded.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Northcutt

 Frech> XF:nt-clearpage(216)
   XF:reg-pagefile-clearing(2551)

Phase: Proposed (19990728)

Description:
A Windows NT log file has an inappropriate maximum size or retention period.

Votes:

   MODIFY(1) Frech
   REJECT(2) Northcutt, Wall

 Northcutt> define appropriate
 Frech> XF:reg-app-log-small(2521)
   XF:reg-sec-log-maxsize(2577)
   XF:reg-sys-log-small(2586)

Phase: Proposed (19990728)

Description:
A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

Votes:

   ACCEPT(1) Northcutt
   MODIFY(1) Frech
   REJECT(1) Wall

 Frech> XF:nt-forced-logoff(1343)

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.

Votes:

   ACCEPT(3) Northcutt, Baker, Armstrong
   NOOP(1) Frech
   REVIEWING(1) Christey

 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey

 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not verify the checksum on a packet.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey

 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey

 Frech> Waiting for Godot, er, CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

Phase: Proposed (19990726)

Description:
A network intrusion detection system (IDS) does not properly reassemble fragmented packets.

Votes:

   ACCEPT(2) Northcutt, Baker
   NOOP(1) Frech
   REVIEWING(1) Christey

 Frech> Waiting for CIEL.
 Christey> This is a design flaw, along with the other reported IDS
   problems; at least reference Ptacek/Newsham's paper.
 Christey> URL:http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html

Phase: Proposed (19990728)

Description:
In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

Votes:

   MODIFY(1) Frech
   REJECT(2) Northcutt, Wall

 Frech> XF:nt-system-operator
   XF:nt-admin-group
   XF:nt-replicator
   XF:nt-print-operator
   XF:nt-power-user
   XF:nt-guest-in-group
   XF:nt-backup-operator
   XF:nt-domain-admin
   XF:nt-domain-guest
   XF:win2k-acct-oper-grp
   XF:win2k-admin-grp
   XF:win2k-backup-oper-grp
   XF:win2k-certpublishers-grp
   XF:win2k-dhcp-admin-grp
   XF:win2k-dnsadm-grp
   XF:win2k-domainadm-grp
   XF:win2k-entadm-grp
   XF:win2k-printoper-grp
   XF:win2k-replicator-grp
   XF:win2k-schemaadm-grp
   XF:win2k-serveroper-grp
   You asked for it... :-) Use or reject at your discretion. If rejected,
   please let us know so we can remove CAN references from database.

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the WebStore 1.0 shopping cart CGI program "web_store.cgi" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

 Frech> XF:webstore-misconfig(3861)

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the Order Form 1.0 shopping cart CGI program could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

 Frech> XF:orderform-misconfig(3860)
 Christey> BID:2021
 Christey> Mention affected files: order_log_v12.dat and order_log.dat
   fix version number (1.2)

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the EZMall 2000 shopping cart CGI program "mall2000.cgi" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

 Frech> XF:ezmall2000-misconfig(3859)
 Christey> Add mall_log_files/order.log to desc

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the QuikStore shopping cart CGI program "quikstore.cgi" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

 Frech> XF:quikstore-misconfig(3858)
 Christey> http://www.quikstore.com/help/pages/Security/security.htm says:
   
   "It is IMPORTANT that during the setup of the QuikStore program, you
   check to make sure that the cgi-bin or executable program directory
   of your web site not be viewable from the outside world. You don't
   want the users to have access to your programs or log files that could
   be stored there!
   
   ...
   
   If you can view or download these files from the browser, someone
   else can too"
   
   So is this a configuration problem?  See the configuration file at
   http://www.quikstore.com/help/pages/Configuration/configparametersfull.htm
   The [DIRECTORY_PATHS] section identifies pathnames and describes how
   pathnames are constructed.  It clearly uses relative pathnames,
   so all data is underneath the base directory!!
   
   If we call this a configuration problem, then maybe this (and
   all other "CGI-data-in-web-tree" configuration problems) should
   be combined.
 Christey> Consider adding BID:1983

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the SoftCart CGI program "SoftCart.exe" could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(3) Christey, Northcutt, Wall

 Frech> XF:softcart-misconfig(3856)
 Christey> Consider adding BID:2055

Phase: Proposed (19990728)
Reference: BUGTRAQ:19990420 Shopping Carts exposing CC data
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92462991805485&w=2

Description:
An incorrect configuration of the Webcart CGI program could disclose private information.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(2) Northcutt, Wall

 Frech> Cite reference as:
   BUGTRAQ:19990424  Re: Shopping Carts exposing CC data 
   URL:
   http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
   3D1%26date%3D2000-08-22%26msg%3D3720E2B6.6031A2E7@datashopper.dk
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:webcart-data-exposure(8374)

Phase: Proposed (19990803)

Description:
A system-critical Windows NT registry key has an inappropriate value.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.

Phase: Proposed (19990721)

Description:
The rpc.sprayd service is running.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

 Frech> XF:sprayd

Phase: Proposed (19990804)

Description:
The FTP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The SNMP service is running.

Votes:

   ACCEPT(3) Prosser, Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Baker> Although newer versions on snmp are not as vulnerable as prior versions,
   this can still be a significant risk of exploitation, as seen in recent
   attacks on snmp services via automated worms
 Christey> XF:snmp(132) ?
 Prosser> This fits the "exposure" description although we also know there are many vulnerabilities in SNMP.  This is more of a policy/best practice issue for administrators.  If you need SNMP lock it down as tight as you can, if you don't need it, don't run it.

Phase: Proposed (19990804)

Description:
The TFTP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The SMTP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Modified (19990921-01)
Reference: XF:rexec

Description:
The rexec service is running.

Votes:

   ACCEPT(4) Northcutt, Baker, Ozancin, Wall
   MODIFY(1) Frech

 Frech> XF:decod-rexec
   XF:rexec

Phase: Proposed (19990804)

Description:
The Telnet service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
A component service related to NIS is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> XF:ypserv(261)

Phase: Proposed (19990804)

Description:
A component service related to NETBIOS is running.

Votes:

   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   REJECT(2) Northcutt, LeBlanc

 LeBlanc> There is insufficient description to even know what this is.
   Lots of component services related to NetBIOS run, and usually do not
   constitute a problem.
 Frech> associated to:
   XF:nt-alerter(29)
   XF:nt-messenger(69)
   XF:reg-ras-gateway-enabled(2567)

Phase: Proposed (19990804)

Description:
A component service related to DNS service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The X Windows service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> Add "X11" to facilitate search.

Phase: Interim (19990925)
Reference: XF:rstat-out
Reference: XF:rstatd

Description:
The rstat/rstatd service is running.

Votes:

   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Wall, Meunier

 Frech> XF:rstat-out
   XF:rstatd

Phase: Proposed (19990721)

Description:
The rpc.rquotad service is running.

Votes:

   ACCEPT(3) Northcutt, Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall

 Frech> XF:rquotad

Phase: Proposed (19990721)

Description:
The ident/identd service is running.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(2) Christey, Wall
   REJECT(1) Northcutt

 Frech> possibly XF:identd?
 Christey> XF:ident-users(318) ?
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:identd-vuln(61)
   XF:ident-users(318)

Phase: Proposed (19990804)

Description:
The NT Alerter and Messenger services are running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> http://support.microsoft.com/support/kb/articles/q189/2/71.asp

Phase: Proposed (19990804)

Description:
The NFS service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> XF:nfs-nfsd(76) ?
 Christey> Add rpc.mountd/mountd to facilitate search.

Phase: Proposed (19990804)

Description:
The RPC portmapper service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The HTTP/WWW service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The SSH service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The echo service is running.

Votes:

   ACCEPT(3) Northcutt, Baker, Wall
   REVIEWING(1) Christey

 Northcutt> The method to my madness is echo is the common denom in the dos attack
 Christey> How much of this is an overlap with the echo/chargen flood
   problem (CVE-1999-0103)?  If this is only an exposure because
   of CVE-1999-0103, then maybe this should be REJECTed.

Phase: Proposed (19990804)

Description:
The discard service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The systat service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The daytime service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The chargen service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt
   REVIEWING(1) Christey

 Christey> How much of this is an overlap with the echo/chargen flood
   problem (CVE-1999-0103)?  If this is only an exposure because
   of CVE-1999-0103, then maybe this should be REJECTed.

Phase: Proposed (19990804)

Description:
The Gopher service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The UUCP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
A POP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The IMAP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The NNTP news service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> XF:nntp-post(88) ?

Phase: Proposed (19990804)

Description:
The IRC service is running.

Votes:

   ACCEPT(2) Baker, Wall
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> XF:irc-server(767) ?

Phase: Proposed (19990804)

Description:
The LDAP service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990721)

Description:
The bootparam (bootparamd) service is running.

Votes:

   ACCEPT(2) Baker, Ozancin
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

 Frech> XF:bootp

Phase: Proposed (19990804)

Description:
The X25 service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The FSP service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The netstat service is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
The rsh/rlogin service is running.

Votes:

   ACCEPT(2) Baker, Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

 Christey> aka "shell" on UNIX systems (at least Solaris) in the
   /etc/inetd.conf file.
 Frech> associated to:
   XF:nt-rlogin(92) 
   XF:rsh-svc(114)
   XF:rshd(2995)

Phase: Proposed (19990804)

Description:
A database service is running, e.g. a SQL server, Oracle, or mySQL.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Northcutt

 Frech> XF:nt-sql-server(1289)
   XF:msql-detect(2211)
   XF:oracle-detect(2388)
   XF:sybase-detect-namedpipes(1461)

Phase: Proposed (19990804)

Description:
A component service related to NIS+ is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990728)

Description:
The OS/2 or POSIX subsystem in NT is enabled.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Northcutt

 Wall> These subsystems could still allow a process to persist across logins.
 Frech> XF:nt-posix(217)
   XF:nt-posix-sub-c2(2397)
   XF:nt-posix-sub-onceonly(2478)
   XF:nt-os2-sub(218)
   XF:nt-os2-sub-c2(2396)
   XF:nt-os2-sub-onceonly(2477)
   XF:nt-os2-registry(2550)
 Christey> s2-file-os2(1865)

Phase: Proposed (19990721)

Description:
A service may include useful information in its banner or help function (such as the name and version), making it useful for information gathering activities.

Votes:

   ACCEPT(5) Northcutt, Baker, Frech, Ozancin, Wall

 CHANGE> [Frech changed vote from REVIEWING to ACCEPT]

Phase: Proposed (19990804)

Description:
The ugidd service is running.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
WinGate is being used.

Votes:

   ACCEPT(1) Baker
   NOOP(1) Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
DCOM is running.

Votes:

   ACCEPT(2) Baker, Wall
   REJECT(1) Northcutt

Phase: Proposed (19990804)

Description:
A Windows NT Primary Domain Controller (PDC) or Backup Domain Controller (BDC) is present.

Votes:

   REJECT(3) Northcutt, Baker, Wall

 Wall> Don't consider this a service or a problem.
 Baker> concur with wall on this

Phase: Proposed (19990804)

Description:
A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.

Votes:

   ACCEPT(4) Northcutt, Baker, Wall, Hill
   NOOP(1) Christey

 Christey> Add "back door" to description.

Phase: Modified (20020801-01)
Reference: CERT:CA-1994-07
Reference: URL:http://www.cert.org/advisories/CA-1994-07.html
Reference: CERT:CA-1994-14
Reference: URL:http://www.cert.org/advisories/CA-1994-14.html
Reference: CERT:CA-1999-01
Reference: URL:http://www.cert.org/advisories/CA-1999-01.html
Reference: CERT:CA-1999-02
Reference: URL:http://www.cert.org/advisories/CA-1999-02.html
Reference: BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102820843403741&w=2
Reference: BUGTRAQ:20020801 OpenSSH Security Advisory: Trojaned Distribution Files
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102821663814127&w=2

Description:
A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, or (5) OpenSSH 3.4p1.

Votes:

   ACCEPT(4) Northcutt, Baker, Wall, Hill
   NOOP(1) Christey

 Christey> Should add the specific CERT advisory references for
   well-known Trojaned software.
   TCP Wrappers -> CERT:CA-1999-01
   CERT:CA-1999-02 includes util-linux
   wuarchive - CERT:CA-94.07
   IRC client - CERT:CA-1994-14
 Christey> BUGTRAQ:20020801 trojan horse in recent openssh (version 3.4 portable 1)
   Modify description to use dot notation.
 Christey> CERT:CA-2002-24
   URL:http://www.cert.org/advisories/CA-2002-24.html
   XF:openssh-backdoor(9763)
   URL:http://www.iss.net/security_center/static/9763.php
   BID:5374
   URL:http://www.securityfocus.com/bid/5374

Phase: Proposed (19990804)

Description:
A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.

Votes:

   ACCEPT(4) Northcutt, Baker, Wall, Hill

Phase: Proposed (19990804)

Description:
A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.

Votes:

   ACCEPT(3) Baker, Wall, Hill
   RECAST(1) Northcutt

 Northcutt> This needs to be worded carefully.  
   1. Rootkits evade checksum detection.
   2. The modification could be positive (a patch)

Phase: Proposed (19990803)

Description:
An application-critical Windows NT registry key has inappropriate permissions.

Votes:

   ACCEPT(1) Wall
   RECAST(2) Christey, Northcutt

 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.
 Christey> Upon further reflection, this is too high-level for CVE.
   Specific registry keys with bad permissions is roughly
   equivalent to Unix configuration files that have bad
   permissions; those permission problems can be created by
   any vendor, not just a specific one.  Therefore this
   candidate should be RECAST into each separate registry
   key that has this problem.

Phase: Proposed (19990803)

Description:
An application-critical Windows NT registry key has an inappropriate value.

Votes:

   ACCEPT(1) Wall
   RECAST(1) Northcutt

 Northcutt> I think we can define appropriate, take a look at the nt security .pdf
   and see if you can't see a way to phrase specific keys in a way that
   defines inappropriate.

Phase: Proposed (19991222)

Description:
The ARP protocol allows any host to spoof ARP replies and poison the ARP cache to conduct IP address spoofing or a denial of service.

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(1) Stracener
   NOOP(1) Christey
   REJECT(1) Frech

 Stracener> Add Ref: BUGTRAQ:19970919 Playing redir games with ARP and ICMP
 Frech> Cannot proceed without a reference. Too vague, and resembles XF:netbsd-arp:
   CAN-1999-0763: NetBSD on a multi-homed host allows ARP packets on one
   network to modify ARP entries on another connected network.
   CAN-1999-0764: NetBSD allows ARP packets to overwrite static ARP entries.
   Will reconsider if reference provides enough information to render a
   distinction.
 Christey> This particular vulnerability was exploited by an attacker
   during the ID'Net IDS test network exercise at the SANS
   Network Security '99 conference.  The attacker adapted a
   publicly available program that was able to spoof another
   machine on the same physical network.
   
   See http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019797&w=2
   for the Bugtraq reference that Tom Stracener suggested.
   This generated a long thread on Bugtraq in 1997.
 Blake> I'll second Tom's request to add the reference, it's a very
   posting good and the vulnerability is clearly derivative of
   the work.
   
   (I do recall talking to the guy and drafting a description.)

Phase: Interim (19991229)
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308

Description:
The Eyedog ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.

Votes:

   ACCEPT(5) Prosser, Baker, Ozancin, Wall, Cole
   MODIFY(2) Frech, Stracener
   REVIEWING(1) Christey

 Frech> XF:ms-scriptlet-eyedog-unsafe
 Stracener> Add Ref: MSKB Q240308
 Christey> Should CAN-1999-0669 and 668 be merged?  If not, then this is
   a reason for not merging CAN-1999-0988 and CAN-1999-0828.

Phase: Proposed (19991208)
Reference: MS:MS99-032
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
Reference: CIAC:J-064
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml

Description:
Buffer overflow in the Eyedog ActiveX control allows a remote attacker to execute arbitrary commands.

Votes:

   ACCEPT(3) Prosser, Ozancin, Wall
   MODIFY(2) Frech, Stracener
   REJECT(2) Baker, Cole

 Frech> XF:ie-eyedog-bo
 Cole> Based on the references and information listed this is the same as
   CAN-1999-0669
 Stracener> Add Ref: MSKB Q240308
 Baker> Duplicate

Phase: Proposed (19991222)
Reference: BID:574
Reference: URL:http://www.securityfocus.com/bid/574

Description:
Buffer overflow in ALMail32 POP3 client via From: or To: headers.

Votes:

   ACCEPT(6) Blake, Baker, Levy, Wall, Cole, Collins
   MODIFY(2) Frech, Stracener
   NOOP(3) Oliver, Landfield, Armstrong
   REVIEWING(1) Ozancin

 Stracener> AddRef: ShadowPenguinSecurity:PenguinToolbox,No.037
 Frech> XF:almail-bo
 CHANGE> [Cole changed vote from NOOP to ACCEPT]

Phase: Modified (19991228-01)
Reference: BUGTRAQ:19990802 [LoWNOISE] Password hunting with webramp
Reference: BID:577
Reference: URL:http://www.securityfocus.com/bid/577

Description:
The WebRamp web administration utility has a default password.

Votes:

   ACCEPT(3) Blake, Baker, Stracener
   MODIFY(2) Frech, Cole
   NOOP(2) Christey, Armstrong

 Cole> I would add that is is not forced to be changed.
 Frech> XF:webramp-default-password
 Christey> This problem may have been detected in January 1999:
   BUGTRAQ:19990121 Re: WebRamp M3 remote network access bug
   http://marc.theaimsgroup.com/?l=bugtraq&m=91702375402055&w=2

Phase: Proposed (19991214)
Reference: HP:HPSBUX9904-097

Description:
Denial of service in Sendmail 8.8.6 in HPUX.

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(3) Prosser, Frech, Stracener
   REJECT(1) Christey

 Stracener> Add Ref: CIAC: J-040
 Prosser> Might change description to indicate DoS caused by multiple connections
 Christey> Andre's right.  This is a duplicate of CAN-1999-0684.
 Frech> Without further information and/or references, this issue looks like an
   ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
   8.8.6 related to accepting connections.
   
   (was REJECT)
   XF:hp-sendmail-connect-dos

Phase: Proposed (19991222)

Description:
Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.

Votes:

   ACCEPT(6) Blake, Baker, Ozancin, Cole, Armstrong, Collins
   MODIFY(1) Frech
   NOOP(4) Levy, Wall, Landfield, Stracener
   REJECT(1) Christey

 Stracener> Is the candidate referring to the denial of service problem mentioned in
   the
   changelogs for versions previous to 1.4.3-1 or does it pertain to some
   problem with or
   1.4.8-1?
 Frech> Depending on the version, this could be any number of DoSes 
   related to ippl.
   From http://www.larve.net/ippl/:
   9 April 1999: version 1.4.3 released, correctly fixing a 
   potential denial of service attack.
   7 April 1999: version 1.4.2 released, fixing a potential 
   denial of service attack. 
   XF:linux-ippl-dos
 Christey> Changelog: http://pltplp.net/ippl/docs/HISTORY
   
   See comments for version 1.4.2 and 1.4.3
   Another source: http://freshmeat.net/news/1999/04/08/923586598.html
 CHANGE> [Stracener changed vote from REVIEWING to NOOP]
 CHANGE> [Christey changed vote from NOOP to REJECT]
 Christey> As mentioned by others, this could apply to several different
   versions.  Since the description is too vague, this CAN should
   be REJECTED and recast into other candidates.

Phase: Proposed (19991214)
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas

Description:
A vulnerability in Caldera Open Administration System (COAS) allows the /etc/shadow password file to be made world-readable.

Votes:

   ACCEPT(4) Baker, Frech, Cole, Stracener
   MODIFY(1) Blake
   NOOP(1) Armstrong
   REVIEWING(1) Christey

 Blake> This obscurely-written advisory seems to state that COAS will make the
   file world-readable, not that it allows the user to make it so.  I hardly
   think that allowing the user to turn off security is a vulnerability.
 Christey> It's difficult to write the description based on what's in
   the advisory.  If COAS inadvertently changes permissions
   without user confirmation, then it should be ACCEPTed with
   appropriate modification to the description.
 Christey> ADDREF BID:137
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Phase: Proposed (20010214)
Reference: NTBUGTRAQ:19990823 IBM Gina security warning
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534
Reference: BID:608
Reference: URL:http://www.securityfocus.com/bid/608
Reference: XF:ibm-gina-group-add
Reference: URL:http://xforce.iss.net/static/3166.php

Description:
IBM GINA, when used for OS/2 domain authentication of Windows NT users, allows local users to gain administrator privileges by changing the GroupMapping registry key.

Votes:

   ACCEPT(3) Baker, Frech, Cole

 Frech> XF:ibm-gina-group-add 

Phase: Proposed (19991208)
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

Description:
The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(2) Frech, Cole
   REVIEWING(1) Christey

 Frech> XF:iis-samples-showcode
 Cole> There are several sample files that allow this.  I would quote
   showcode.asp but make it more generic.
 Prosser> (Modify)
   Have a question on this and on the following three candidates as well.  All
   of these are part of the file viewers utilities that allow unauthorized
   files reading, but MSKB Q231368 also mentioned the diagnostics
   program,Winmsdp.exe, as another vulnerable viewer in this same set of
   viewers.  If we are going to split out the seperate viewer tools then
   shouldn't there should be a seperate CAN for Winmsdp.exe also.
 Christey> Mike's question basically touches on the CD:SF-EXEC
   content decision - what do you do when you have the same bug
   in multiple executables?  CD:SF-EXEC needs to be reviewed
   and approved by the Editorial Board before we can decide
   what to do with this candidate.
 Christey> Mark Burnett says that Microsoft's mention of winmsdp.exe in
   MSKB:Q231368 may be an error, and that winmsdp.exe is a
   Microsoft Diagnostics Report Generator which may not even
   be installed as part of IIS.
   
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html
 Christey> ADDREF BID:167
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=167

Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q231656

Description:
The viewcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole

 Frech> XF:iis-samples-viewcode
 Cole> I would combine this with the previous.
 Prosser> (modify)
   See comments in 0736 above
 Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
   for additional details.

Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

Description:
The code.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole

 Frech> XF:iis-samples-code
 Cole> Same as above
 Prosser> (modify)
   See comments in 0736 above
 Christey> See http://www.securityfocus.com/focus/microsoft/iis/showcode.html
   for additional details.

Phase: Proposed (19991208)
Reference: MS:MS99-013
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-013.asp
Reference: MSKB:Q232449
Reference: MSKB:Q231368

Description:
The codebrws.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(4) Prosser, Ozancin, Wall, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole

 Frech> XF:iis-samples-codebrws
 Cole> Same as above.
 Prosser> (modify)
   See comments in 0736 above
 Christey> codebrw2.asp and Codebrw1.asp also need to be included
   somewhere.
   
   Also see http://www.securityfocus.com/focus/microsoft/iis/showcode.html

Phase: Proposed (19991222)
Reference: BUGTRAQ:19990818 QMS 2060 printer security hole
Reference: BID:593
Reference: URL:http://www.securityfocus.com/bid/593
Reference: XF:qms-2060-no-root-password

Description:
QMS CrownNet Unix Utilities for 2060 allows root to log on without a password.

Votes:

   ACCEPT(4) Baker, Frech, Levy, Stracener
   NOOP(2) Christey, Oliver

 Christey> change description - anyone can log on *as* root
 Frech> (Note: this XF also cataloged under CAN-1999-0508.)

Phase: Proposed (19991214)
Reference: REDHAT:RHSA-1999:017-01

Description:
Buffer overflows in Red Hat net-tools package.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REJECT(1) Blake

 Blake> RHSA-1999:017-01 describes "potential security problem fixed" in the
   absence of knowing whether or not the problems actually existed, I don't
   think we have an entry here.
 Frech> XF:redhat-net-tool-bo

Phase: Proposed (19991222)
Reference: BUGTRAQ:19990913 Hotmail security vulnerability - injecting JavaScript using 'STYLE' tag
Reference: BID:630
Reference: URL:http://www.securityfocus.com/bid/630

Description:
Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.

Votes:

   ACCEPT(1) Levy
   MODIFY(2) Frech, Stracener

 Stracener> Many sites are vulnerable to this problem. I recommend removing the
   explicit references to Hotmail and making the description more generic.
   Suggest: Javascript can be injected using the STYLE tag in an HTML
   formatted e-mail, allowing remote attackers to execute commands on user
   accounts.
 Frech> XF:hotmail-html-style-embed

Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-08
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=10969&Method=Full
Reference: XF:coldfusion-encryption
Reference: URL:http://xforce.iss.net/static/2208.php

Description:
The ColdFusion CFCRYPT program for encrypting CFML templates has weak encryption, allowing attackers to decrypt the templates.

Votes:

   ACCEPT(3) Baker, Frech, Cole
   NOOP(1) Christey

 Frech> XF:coldfusion-encryption 
 Christey> BUGTRAQ:19990724 Re: New Allaire Security Zone Bulletins and KB Articles
   URL:http://www.securityfocus.com/archive/1/19471
 Christey> ADDREF BID:275
   URL:http://www.securityfocus.com/bid/275

Phase: Proposed (19991214)
Reference: SUN:00189

Description:
Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES environmental variable.

Votes:

   ACCEPT(4) Blake, Baker, Cole, Dik
   MODIFY(2) Frech, Stracener
   REVIEWING(2) Christey, Prosser

 Stracener> Add Ref: CIAC: J-069
 Frech> XF:sun-libc-lcmessages
 Prosser> BID 268 is an additional reference for this one as it has info on the Sun
   vulnerability.  However, BID 268 also includes AIX in this vulnerability and
   refs APARS issued to fix a vulnerability in various 'nixs with the Natural
   Language Service environmental variables NSLPATH and PATH_LOCALE depending
   on the 'nix, ref CERT CA-97.10, CVE-1999-0041.  However, Georgi Guninski
   reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
   is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
   BO in LC_MESSAGES.   This should probably be considered under a different
   CAN.  Any ideas? 
 Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
   and PATH_LOCALE, I'd say that's good evidence that this is not
   the same problem.  But a buffer overflow in libc in
   LC_MESSAGES... We must ask if these are basically the same
   codebase.
   
   ADDREF CIAC:J-069
 Christey> While the description indicates multiple programs, CD:SF-EXEC
   does not apply because the vulnerability was in libc, and
   rcp and ufsrestore were both statically linked against libc.
   Thus CD:SF-LOC applies, and a single candidate is maintained
   because the problem occurred in a library.
 Dik> Sun bug 4240566
 Christey> I'm consulting with Casper Dik and Troy Bollinger to see if
   this should be combined with the AIX buffer overflows for
   LC_MESSAGES; current indications are that they should be
   split.
 Christey> For further consultation, consider this post, though it's
   associated with CVE-1999-0041:
   BUGTRAQ:19970213 Linux NLSPATH buffer overflow
   http://www.securityfocus.com/archive/1/6296
   Also add "NLSPATH" and "PATH_LOCALE" to the description to
   facilitate search.

Phase: Proposed (19991214)
Reference: NTBUGTRAQ:19990506 ".."-hole in Alibaba 2.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=NTBUGTRAQ&P=R1533
Reference: XF:http-alibaba-dotdot

Description:
Alibaba HTTP server allows remote attackers to read files via a .. (dot dot) attack.

Votes:

   ACCEPT(4) Frech, Ozancin, Levy, Stracener
   MODIFY(1) Baker
   NOOP(6) Blake, LeBlanc, Wall, Landfield, Cole, Armstrong
   REVIEWING(1) Christey

 Christey> This candidate is unconfirmed by the vendor.
   
   Posted by Arne Vidstrom.
 Blake> I'd like to change my vote on this from ACCEPT to NOOP.  I did some
   digging and the vendor seems to have discontinued the product, so no
   information is available beyond Arne's post.  Unless Andre has a copy
   in his archive and can test it, I think we have to leave it out.
 Wall> I agree with Blake.  We have not seen the product and it has been discontinued.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> If this is (or was) tested by some tool, we should ACCEPT it.
 Baker> http://www.securityfocus.com/bid/270
 Christey> BID:270
   URL:http://www.securityfocus.com/bid/270

Phase: Proposed (20010214)
Reference: NTBUGTRAQ:19980827 NERP DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/ntbugtraq/1998/msg00536.html
Reference: BUGTRAQ:19990104 Re: Fw:"NERP" DoS attack possible in Oracle
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_1/0056.html
Reference: BUGTRAQ:19981228 Oracle8 TNSLSNR DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_4/0764.html

Description:
Denial of service in Oracle TNSLSNR SQL*Net Listener via a malformed string to the listener port, aka NERP.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(1) Cole

 Frech> XF:oracle-tnslsnr-dos(1551)

Phase: Modified (20000827)
Reference: MISC:http://www2.merton.ox.ac.uk/~security/rootshell/0022.html

Description:
ROUTERmate has a default SNMP community name which allows remote attackers to modify its configuration.

Votes:

   ACCEPT(1) Baker
   MODIFY(2) Frech, Stracener
   NOOP(1) Christey
   REVIEWING(1) Levy

 Stracener> Change the Ref to read: ROOTSHELL: Osicom Technologies ROUTERmate
   Security
   Advisory
 Frech> XF:routermate-snmp-community
 Christey> BUGTRAQ:19980914 [rootshell] Security Bulletin #23
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90581019105693&w=2

Phase: Proposed (19991222)
Reference: NAI:NAI-27

Description:
The NIS+ rpc.nisd server allows remote attackers to execute certain RPC calls without authentication to obtain system information, disable logging, or modify caches.

Votes:

   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Ozancin

 Frech> XF:sun-nisplus

Phase: Proposed (19991222)
Reference: BUGTRAQ:19981204 bootpd remote vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2

Description:
Buffer overflow in bootpd on OpenBSD, FreeBSD, and Linux systems via a malformed header type.

Votes:

   ACCEPT(2) Ozancin, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey

 Christey> Is CAN-1999-0389 a duplicate of CAN-1999-0798?  CAN-1999-0389
   has January 1999 dates associated with it, while CAN-1999-0798
   was reported in late December.
   
   http://marc.theaimsgroup.com/?l=bugtraq&m=91278867118128&w=2
   
   SCO appears to have acknowledged this as well:
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.01a
   
   The poster also claims that OpenBSD fixed this as well.
 Frech> XF:bootp-remote-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to NOOP]
 Christey> What was I thinking?  Brian Caswell pointed out that this is
   *not* the same bug as CVE-1999-0799.  As reported in the
   1998 Bugtraq post, the bug is in bootpd.c, and is related
   to providing an htype value that is used as an index
   into an array, and exceeds the intended boundaries of that
   array.

Phase: Proposed (20010214)
Reference: BUGTRAQ:19990512 DoS with Netware 4.x's TTS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1999_2/0439.html
Reference: XF:novell-tts-dos
Reference: URL:http://xforce.iss.net/static/2184.php

Description:
Novell NetWare Transaction Tracking System (TTS) in Novell 4.11 and earlier allows remote attackers to cause a denial of service via a large number of requests.

Votes:

   ACCEPT(2) Baker, Frech
   NOOP(2) Christey, Cole

 Christey> BID:276
   URL:http://www.securityfocus.com/vdb/bottom.html?vid=276
 Frech> XF:novell-tts-dos

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980518 DHCP 1.0 and 2.0 SECURITY ALERT! (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925960&w=2
Reference: CIAC:I-053
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-053.shtml
Reference: MISC:ftp://ftp.isc.org/isc/dhcp/dhcp-1.0-history/dhcp-1.0.0-1.0pl1.diff.gz

Description:
Multiple buffer overflows in ISC DHCP Distribution server (dhcpd) 1.0 and 2.0 allow a remote attacker to cause a denial of service (crash) and possibly execute arbitrary commands via long options.

Votes:

   ACCEPT(4) Foat, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

 Frech> XF:dhcp-remote-dos(7248)

Phase: Modified (20000313-01)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-default-pass

Description:
The Motorola CableRouter allows any remote user to connect to and configure the router on port 1024.

Votes:

   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Christey, LeBlanc

 Christey> This candidate is unconfirmed by the vendor.
 Frech> XF:motorola-cable-default-pass

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 another hole of Solaris7 kcms_configure
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net
Reference: BID:831
Reference: URL:http://www.securityfocus.com/bid/831

Description:
Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(4) Prosser, Frech, Cole, Dik
   REVIEWING(1) Christey

 Cole> This can cause code to be executed.
 Frech> XF:sol-kcms-conf-netpath-bo
 Dik> the bug has nothing to do with kcms_configure; it's a bug
   in libnsl.so.  All set-uid executables that trigger this code path are
   vulnerable.  Sun bug 4295834; fixed in Solaris 8.
 Prosser> Okay, I am confused.  Based on Casper's comments and checking
   on the Sun patch site, I found the 4295834 bug(4295834 NETPATH security
   problem in libnsl) fixed in  SunOS 5.4, Patch 101974-37(x86) 101973 (sparc).
   Multiple libnsl vulnerabilities was first reported in an 98 Sun Bulletin
   #00172 for 5.4 up through 2.6.   Was this NETPATH a problem that resurfaced
   in 7 (looks like in 5.4 as well) and was fixed in 8?
 Christey> Need to dig up my offline email on this.
 Christey> May be a duplicate of CVE-1999-0321, whose sole reference
   (XF:sun-kcms-configure-bo) no longer exists.  Also examine
   BID:452 and
   BUGTRAQ:19981223 Merry Christmas to Sun! (Was: L0pht NFR N-Code
   Modules Updated)
   
   which are the same as XF:sol-kcms-conf-p-bo(3652), which could
   be the new name for XF:sun-kcms-configure-bo.

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities
Reference: BID:838
Reference: URL:http://www.securityfocus.com/bid/838

Description:
FreeBSD seyon allows local users to gain privileges by providing a malicious program in the -emulator argument.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REJECT(1) Cole
   REVIEWING(1) Prosser

 Cole> I would combine this with the previous.  To me the general
   vulnerabilities are similar it is just the end result that changes.
 Frech> XF:freebsd-seyon-setgid
 Christey> ADDREF? CALDERA:CSSA-1999-037.0

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 serious Qpopper 3.0 vulnerability
Reference: BUGTRAQ:19991130 qpop3.0b20 and below - notes and exploit
Reference: BID:830
Reference: URL:http://www.securityfocus.com/bid/830

Description:
Buffer overflow in Qpopper (qpop) 3.0 allows remote root access via AUTH command.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Prosser

 Frech> XF:qpopper-auth-bo
 Christey> ADDREF? DEBIAN:19991215 buffer overflow in qpopper v3.0
   ADDREF XF:qpopper-auth-bo

Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare read/modify users' mail
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BID:849
Reference: URL:http://www.securityfocus.com/bid/849

Description:
The default permissions for UnixWare /var/mail allow local users to read and modify other users' mail.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Prosser

 Frech> XF:sco-mail-permissions
 Christey> ADDREF ftp://ftp.sco.com/SSE/security_bulletins/SB-99.25a

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Default IE 5.0 security settings allow frame spoofing

Description:
By default, Internet Explorer 5.0 and other versions enables the "Navigate sub-frames across different domains" option, which allows frame spoofing.

Votes:

   ACCEPT(3) LeBlanc, Armstrong, Stracener
   MODIFY(2) Frech, Cole
   REVIEWING(1) Prosser

 Cole> The BID is 855.  If I have the right vulnerability, this allows an
   attacker to access URL's of there choosing which could lead to a compromise
   of private information.
 Frech> XF:http-frame-spoof
   Question: Similar vulnerability to MS98-020 / CAN-1999-0869?
 LeBlanc> MSRC tells me this is patched in MS00-009

Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991203 UnixWare and the dacread permission
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status
Reference: BID:853
Reference: URL:http://www.securityfocus.com/bid/853

Description:
UnixWare pkg commands such as pkginfo, pkgcat, and pkgparam allow local users to read arbitrary files via the dacread permission.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Cole
   REVIEWING(2) Christey, Prosser

 Cole> This is BID 850.
 Christey> See comments on CAN-1999-0988.  Perhaps these two should be
   merged. ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a
   loosely alludes to this problem; the README for patch SSE053
   effectively confirms it.
 Frech> XF:sco-pkg-dacread-fileread

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991201 HP Secure Web Console

Description:
HP Secure Web Console uses weak encryption.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser

 Cole> I could not find details on this using the above references.
 Frech> XF:hp-secure-console

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #6]: UnixWare 7's Xsco

Description:
Buffer overflow in SCO UnixWare Xsco command via a long argument.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(3) Prosser, Frech, Cole
   REVIEWING(1) Christey

 Cole> This is BID 824 and the BUGTRAQ reference is 19991125.
 Frech> XF:sco-unixware-xsco
 Christey> Confirmed by vendor, albeit vaguely:
   http://marc.theaimsgroup.com/?l=bugtraq&m=94581379905584&w=2
   
 Prosser> agree with Steve on vendor confirmation, however not sure the
   fix ref'd in BID 824 (SSE041) is right.  It lists fixes for libnsl and
   tcpip.so, nothing about xsco.  SSE050b
   (ftp://ftp.sco.com/SSE/security_bulletins/SB-99.26b) fixes a buffer overflow
   in xsco on OpenServer (the vendor message Steve refers to) but not the
   UnixWare vulnerability reported on Bugtraq and in BID824. Anyone more
   familar with SCO shed some light on this? Are they the same codebase so fix
   would be same?  From the SCO site it seems the UnixWare and OpenSever
   products are similar but have differences.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> BID:824
   http://www.securityfocus.com/bid/824

Phase: Proposed (19991208)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Description:
Buffer overflow in CDE dtmail and dtmailpr programs via the -f option.

Votes:

   ACCEPT(3) Armstrong, Dik, Stracener
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Prosser

 Cole> I went to 1129 and it looks like a reference for a different
   vulnerability.
 Frech> In the description, should dtmailptr be dtmailpr?
   XF:solaris-dtmailpr-overflow
   XF:solaris-dtmail-overflow
 Dik> sun bug: 4166321

Phase: Proposed (19991208)
Reference: BID:832
Reference: URL:http://www.securityfocus.com/bid/832
Reference: BUGTRAQ:19991129 Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow

Description:
Buffer overflow in CDE mailtool allows local users to gain root privilege via a long MIME Content-Type.

Votes:

   ACCEPT(4) Cole, Armstrong, Dik, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

 Frech> XF:cde-mailtool-bo
 Dik> bug 4163471
   (Root access is only possible when mail is send to root and he
   uses dtmail to read it)

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991104 Cisco NAT DoS (VD#1)
Reference: BUGTRAQ:19991128 Re: Cisco NAT DoS (VD#1)

Description:
Denial of service in Cisco routers running NAT via a PORT command from an FTP client to a Telnet port.

Votes:

   ACCEPT(3) Balinsky, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(3) Christey, Prosser, Ziese

 Frech> XF:cisco-nat-dos
 Christey> Mike Prosser's REVIEWING vote expires July 17, 2000
 Ziese> After reviewing
   http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml 
   I can not confirm this exists unless it's restructred to
   describe a problem against IOS per se; not NAT per se.  I am
   reviewing this and it may take some time.
 CHANGE> [Christey changed vote from NOOP to REVIEWING]
 Christey> Not sure if Kevin's suggested reference really describes this
   one.  However, a followup email by Jim Duncan of Cisco does
   acknowledge the problem as discussed in the Bugtraq post:
   http://marc.theaimsgroup.com/?l=vuln-dev&m=94385601831585&w=2
   The original post is:
   http://marc.theaimsgroup.com/?l=bugtraq&m=94184947504814&w=2
   
   It could be that the researcher believed that the problem was
   NAT, but in fact it wasn't.
   
   I need to follow up with Ziese/Balinsky on this one.

Phase: Proposed (19991208)
Reference: NTBUGTRAQ:19991124 Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability
Reference: BID:823
Reference: URL:http://www.securityfocus.com/bid/823
Reference: BID:820
Reference: URL:http://www.securityfocus.com/bid/820

Description:
Denial of service in MDaemon WorldClient and WebConfig services via a long URL.

Votes:

   ACCEPT(1) Stracener
   MODIFY(2) Frech, Cole
   NOOP(1) Armstrong
   RECAST(1) Christey
   REVIEWING(1) Prosser

 Cole> 823 and 820 are two different vulnerabilities and should be
   separated out.  They are both buffer overflows but accomplish it in a
   different fashion and the end exploit is different.
 Frech> (RECAST?)
   XF:mdaemon-worldclient-dos
   XF:mdaemon-webconfig-dos
   Recast request: This is really two services exhibiting the same problem.
 Christey> as suggested by others.
   
   Also see confirmation at:
   http://mdaemon.deerfield.com/helpdesk/hotfix.cfm

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991126 [w00giving '99 #5 and w00news]: UnixWare 7's su
Reference: SCO:99.19
Reference: BUGTRAQ:19991128 SCO su patches

Description:
Buffer overflow in SCO su program allows local users to gain root access via a long username.

Votes:

   ACCEPT(4) Prosser, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Christey> DUPE CAN-1999-0317?
 Frech> XF:sco-su-username-bo
 Christey> ADDREF BID:826
   CONFIRM:ftp://ftp.sco.com/SSE/sse039.tar.Z

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991129 MDaemon 2.7 J DoS
Reference: BUGTRAQ:19991130 Fwd: RE: Multiples Remotes DoS Attacks in MDaemon Server v2.8.5.0 Vulnerability

Description:
Denial of service in MDaemon 2.7 via a large number of connection attempts.

Votes:

   ACCEPT(4) Prosser, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:mdaemon-dos
 Christey> CAN-1999-0844 is confirmed by MDaemon at
   http://mdaemon.deerfield.com/helpdesk/hotfix.cfm but there
   is no apparent confirmation for this problem, even
   though it was posted the same day.
 Prosser> Looks like from a follow-on message on Bugtraq from Nobuo
   <http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-28&msg=199912011604.HJI39569.BX-NOJ@lac.co.jp> Deerfield sent a reply about the
   DoS problems in MDaemon 2.8.5, that also talks about fixing the 2.7 J DoS
   that Nobuo initially reported. Can't find the original message, so may have
   been limited distro. Looks like an upgrade to the latest release might be
   the final solution here.

Phase: Proposed (19991208)
Reference: BID:845
Reference: URL:http://www.securityfocus.com/bid/845
Reference: BUGTRAQ:19991202 Insecure default permissions for MailMan Professional Edition, version 3.0.18

Description:
The default permissions for Endymion MailMan allow local users to read email or modify files.

Votes:

   ACCEPT(2) Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Armstrong
   REVIEWING(1) Prosser

 Frech> XF:endymion-mailman-perms

Phase: Proposed (19991208)
Reference: BID:844
Reference: URL:http://www.securityfocus.com/bid/844
Reference: BUGTRAQ:19991202 WebSphere protections from installation

Description:
IBM WebSphere sets permissions that allow a local user to modify a deinstallation script or its data files stored in /usr/bin.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

 Frech> XF:websphere-protect

Phase: Proposed (19991208)
Reference: BID:834
Reference: URL:http://www.securityfocus.com/bid/834
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit

Description:
Buffer overflow in FreeBSD gdc program.

Votes:

   ACCEPT(3) Prosser, Armstrong, Stracener
   MODIFY(2) Frech, Cole
   NOOP(1) Christey

 Cole> The BID is 834 and the reference is 19991201 not 1130.
 Frech> XF:freebsd-gdc-bo
 Christey> ADDREF BID:780 ?

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 FreeBSD 3.3 gated-3.1.5 local exploit
Reference: BID:835
Reference: URL:http://www.securityfocus.com/bid/835

Description:
FreeBSD gdc program allows local users to modify files via a symlink attack.

Votes:

   ACCEPT(3) Prosser, Armstrong, Stracener
   MODIFY(2) Frech, Cole

 Cole> This is via debug output.
 Frech> XF:freebsd-gdc

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991130 Solaris 2.x chkperm/arp vulnerabilities
Reference: BID:837
Reference: URL:http://www.securityfocus.com/bid/837

Description:
Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

Votes:

   ACCEPT(2) Armstrong, Stracener
   MODIFY(2) Frech, Dik
   NOOP(1) Christey
   REJECT(1) Cole
   REVIEWING(1) Prosser

 Cole> This is the same as the pervious.
 Frech> XF:sol-chkperm-vmsys
 Dik> include reference to Sun bug 4296167
 Christey> Remove BID:837, which is for arp, not chkperm

Phase: Proposed (19991208)
Reference: BUGTRAQ:19991202 PostgreSQL RPM's permission problems

Description:
Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.

Votes:

   ACCEPT(3) Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Prosser

 Frech> XF:postgresql-insecure-perms

Phase: Proposed (19991208)
Reference: BUGTRAQ:19970617 Seyon vulnerability - IRIX
Reference: BUGTRAQ:19991108 FreeBSD 3.3's seyon vulnerability
Reference: BUGTRAQ:19991130 Several FreeBSD-3.3 vulnerabilities

Description:
Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.

Votes:

   ACCEPT(4) Prosser, Cole, Armstrong, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:freebsd-seyon-bo
 Christey> ADDREF? CALDERA:CSSA-1999-037.0
 Christey> May be multiple bugs here, or a single library problem.
   CD:SF-LOC needs to be resolved before determining if this
   candidate should be SPLIT.  Also see CAN-1999-0821.

Phase: Proposed (19991214)
Reference: BID:759
Reference: URL:http://www.securityfocus.com/bid/759
Reference: BID:611
Reference: URL:http://www.securityfocus.com/bid/611
Reference: REDHAT:RHSA-1999:030-02

Description:
Buffer overflow in Vixie cron allows local users to gain root access via a long MAILTO environment variable in a crontab file.

Votes:

   MODIFY(2) Frech, Cole
   REJECT(3) Christey, Blake, Stracener

 Cole> 611 is the mail to listed above but 759 is for the mail from and
   should be listed as a separate vulenrability.
 Blake> This does not appear materially different from CAN-1999-0768
 Christey> This is an apparent duplicate of CAN-1999-0768.
   REDHAT:RHSA-1999:030-02 describes two issues, one of which is
   CAN-1999-0768, and the other is CVE-1999-0769.
 Stracener> This is a duplicate of candidate CAN-1999-0768.
 Frech> XF:cron-sendmail-bo-root
 Christey> BID:759 is improperly assigned to this candidate and doesn't
   even describe it.  It may have been inadvertently copied
   from CAN-1999-0873.

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991025 Falcon Web Server
Reference: BINDVIEW:Falcon Web Server

Description:
Falcon web server allows remote attackers to determine the absolute path of the web root via long file names.

Votes:

   ACCEPT(3) Blake, Baker, Stracener
   MODIFY(1) Frech
   NOOP(2) Cole, Armstrong

 Frech> XF:falcon-server-long-filename

Phase: Modified (20000313-01)
Reference: BUGTRAQ:19991103 More Alibaba Web Server problems...
Reference: URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-01&msg=01BF261F.928821E0.kerb@fnusa.com
Reference: BID:770
Reference: URL:http://www.securityfocus.com/bid/770
Reference: XF:alibaba-url-file-manipulation

Description:
Alibaba web server allows remote attackers to execute commands via a pipe character in a malformed URL.

Votes:

   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(5) Christey, Blake, LeBlanc, Cole, Armstrong

 Christey> This candidate is unconfirmed by the vendor.
 Blake> Same as CAN-1999-0776.
 Frech> XF:alibaba-url-file-manipulation
 Christey> CD:SF-LOC and CD:SF-EXEC may say to merge this candidate with
   the problems described in:
   BUGTRAQ:20000718 Multiple bugs in Alibaba 2.0
   URL:http://archives.neohapsis.com/archives/bugtraq/2000-07/0237.html
   
   If so, then ADDREF BID:1485 as well.
 Christey> Include the names of the affected CGI's, including tst.bat,
   get32.exe, alibaba.pl, etc.

Phase: Proposed (19991208)
Reference: MS:MS99-035
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms99-035.asp
Reference: BID:625
Reference: URL:http://www.securityfocus.com/bid/625

Description:
Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.

Votes:

   ACCEPT(3) Prosser, Ozancin, Wall
   MODIFY(2) Frech, Stracener
   REJECT(1) Cole

 Frech> XF:siteserver-cis-cookie-cache
 Cole> Whether cookies are a vulnerbality is a debate for another time, the
   question here is whether the
   expiration feature is a vulnerability and I do not think it is
   because the underlying concerns for this
   are present even without this feature.  The expiration feature does
   not add any new vulenrabilities
   that are not already present with cookies.
 Stracener> Add Ref: MSKB Q238647

Phase: Proposed (19991214)
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612
Reference: URL:http://www.securityfocus.com/bid/612

Description:
Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote attackers to gain root access via a series of MKD and CWD commands that create nested directories.

Votes:

   ACCEPT(5) Blake, Prosser, Baker, Cole, Stracener
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Frech> XF:proftpd-long-dir-bo(3399)
 Christey> Not absolutely sure if this isn't the same as Palmetto
   (CVE-1999-0368), which describes a similar type of overflow.
   
   NETBSD:NetBSD-SA1999-003 may refer to CVE-1999-0368:
   ADDREF URL:ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-003.txt.asc
 Christey> ADDREF CIAC:J-068
   Include version numbers; too many wu-ftp/etc. problems
   were published in summer/fall 1999

Phase: Proposed (19991214)
Reference: BUGTRAQ:19990804 NSW Dragon Fire gets drowned
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93383593909438&w=2
Reference: BID:564
Reference: URL:http://www.securityfocus.com/bid/564

Description:
dfire.cgi script in Dragon-Fire IDS allows remote users to execute commands via shell metacharacters.

Votes:

   ACCEPT(2) Blake, Stracener
   MODIFY(1) Frech
   NOOP(3) LeBlanc, Cole, Armstrong
   REVIEWING(1) Christey

 Christey> Some voters should use ABSTAIN.  
 Frech> XF:dragon-fire-ids-metachar(3834)
 CHANGE> [Armstrong changed vote from REVIEWING to NOOP]

Phase: Modified (20020226-02)
Reference: BUGTRAQ:19980510 Security Vulnerability in Motorola CableRouters
Reference: URL:http://www.netspace.org/cgi-bin/wa?A2=ind9805B&L=bugtraq&P=R1621
Reference: XF:motorola-cable-crash(2004)
Reference: URL:http://xforce.iss.net/static/2004.php

Description:
A memory leak in a Motorola CableRouter allows remote attackers to conduct a denial of service via a large number of telnet connections.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(7) Christey, Ozancin, LeBlanc, Wall, Landfield, Armstrong, Stracener
   REVIEWING(1) Levy

 Christey> This candidate is unconfirmed by the vendor.
 Frech> XF:motorola-cable-crash
 Christey> This has enough votes, but not the "confidence" yet (until we
   resolve the question of the amount of verification needed
   for CVE).

Phase: Proposed (20010214)
Reference: ALLAIRE:ASB99-02
Reference: URL:http://www.allaire.com/handlers/index.cfm?ID=8739&Method=Full

Description:
Sample runnable code snippets in ColdFusion Server 4.0 allow remote attackers to read files, conduct a denial of service, or use the server as a proxy for other HTTP calls.

Votes:

   ACCEPT(2) Baker, Cole
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:coldfusion-source-display(1741)
   XF:coldfusion-syntax-checker(1742)
   XF:coldfusion-file-existence(1743)
   XF:coldfusion-sourcewindow(1744)
 Christey> List all affected runnable code snippets to facilitate
   search, which may include:
   viewexample.cfm (though could that be part of CVE-1999-0922?)

Phase: Modified (20020829-01)
Reference: BUGTRAQ:19980903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90486243124867&w=2

Description:
UnityMail allows remote attackers to conduct a denial of service via a large number of MIME headers.

Votes:

   ACCEPT(2) Baker, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy

 Frech> XF:unitymail-web-dos(1630)
 Christey> BID:1760
   URL:http://www.securityfocus.com/bid/1760
 Christey> Affected version is 2.0
   Change date of Bugtraq post - it was 1998.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990903 Web servers / possible DOS Attack / mime header flooding
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/1998_3/0742.html

Description:
Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(3) Christey, Wall, Foat

 Christey> BID:1760
   URL:http://www.securityfocus.com/bid/1760
 Frech> XF:unitymail-web-dos(1630)

Phase: Interim (19991229)
Reference: BUGTRAQ:19990616 Novell NetWare webservers DoS

Description:
Novell NetWare with Novell-HTTP-Server or YAWN web servers allows remote attackers to conduct a denial of service via a large number of HTTP GET requests.

Votes:

   ACCEPT(4) Blake, Cole, Armstrong, Stracener
   MODIFY(1) Frech

 Frech> XF:novell-webserver-dos(2287)

Phase: Proposed (19991222)
Reference: BUGTRAQ:19980728 mutt x.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

Description:
Mutt mail client allows a remote attacker to execute commands via shell metacharacters.

Votes:

   ACCEPT(1) Stracener
   NOOP(1) Christey
   REJECT(1) Frech
   REVIEWING(1) Levy

 Frech> References are vague, but seem to be identical to CAN-1999-0940
   (XF:mutt-text-enriched-mime-bo). According to the references, the malformed
   messages consist of metacharacters. In addition, -0941's reference and
   -0940's SuSE reference both refer to fixes in 1.0pre3 release. Will
   reconsider vote if other clearer references are forthcoming.
 Christey> Modify to mention that the metachar's are in the Content-Type header.
   http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526154&w=2

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991024 password leak in IBM WebSphere / HTTP Server / ikeyman

Description:
IBM WebSphere ikeyman tool uses weak encryption to store a password for a key database that is used for SSL connections.

Votes:

   ACCEPT(2) Stracener, Baker
   MODIFY(1) Frech
   NOOP(2) Christey, Bollinger
   REVIEWING(1) Levy

 Frech> XF:websphere-database-pwd-accessible
 Christey> ADDREF BID:1763
   URL:http://www.securityfocus.com/bid/1763

Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Description:
Buffer overflow in uum program for Canna input system allows local users to gain root privileges.

Votes:

   ACCEPT(2) Stracener, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

 Christey> CAN-1999-0948 and CAN-1999-0949 are extremely similar.
   uum (0948) is exploitable through a different set of options
   than canuum (0949).  If it's the same generic option parsing
   routine used by both programs, then CD:SF-CODEBASE says to
   merge them.  But if it's not, then CD:SF-LOC and CD:SF-EXEC
   says to split them.  However, this is a prime example of
   how SF-EXEC might be modified - uum and canuum are clearly
   part of the same package, so in the absence of clear
   information, maybe we should merge them.
 Frech> XF:canna-uum-bo

Phase: Proposed (19991222)
Reference: BID:757
Reference: URL:http://www.securityfocus.com/bid/757
Reference: BUGTRAQ:19991102 Some holes for Win/UNIX softwares

Description:
Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.

Votes:

   ACCEPT(2) Stracener, Levy
   MODIFY(1) Frech
   NOOP(1) Christey

 Christey> CAN-1999-0948 and CAN-1999-0949 are extremely similar.
   uum (0948) is exploitable through a different set of options
   than canuum (0949).  If it's the same generic option parsing
   routine used by both programs, then CD:SF-CODEBASE says to
   merge them.  But if it's not, then CD:SF-LOC and CD:SF-EXEC
   says to split them.  However, this is a prime example of
   how SF-EXEC might be modified - uum and canuum are clearly
   part of the same package, so in the absence of clear
   information, maybe we should merge them.
   
   Also review BID:758 and BID:757 - may need to change the BID
   here.
 Frech> XF:canna-uum-bo
 Christey> CHANGEREF BID:757 BID:758

Phase: Proposed (19991222)
Reference: BUGTRAQ:19990126 Buffer overflow in Solaris 2.6/2.7 /usr/bin/lpstat
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91759216618637&w=2

Description:
Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.

Votes:

   ACCEPT(3) Stracener, Baker, Ozancin
   MODIFY(2) Frech, Dik
   REVIEWING(1) Christey

 Frech> XF:solaris-lpstat-bo
 Christey> It is unclear from Casper Dik's followup whether this is
   exploitable or not.
 Dik> Sunbug 4129917
   (other reports in the same thread suggest that the then current patchd id
   fix the problem)
 Christey> Confirm with Casper Dik that the overflow is in the -c option,
   and if so, include it in the description to differentiate
   it from the lpstat -n buffer overflow.

Phase: Modified (20020226-01)
Reference: BUGTRAQ:19990605 Remote Exploit (Bug) in OmniHTTPd Web Server
Reference: URL:http://www.securityfocus.com/archive/1/14311
Reference: XF:omnihttpd-dos(2271)
Reference: URL:http://xforce.iss.net/static/2271.php
Reference: BID:1808
Reference: URL:http://www.securityfocus.com/bid/1808

Description:
The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.

Votes:

   ACCEPT(3) Stracener, Blake, Baker
   MODIFY(1) Frech
   NOOP(1) Christey
   REVIEWING(1) Levy

 Frech> XF:omnihttpd-dos
 Christey> Some sort of confirmation might be findable at:
   http://www.omnicron.ab.ca/httpd/docs/release.html
 Christey> See http://www.omnicron.ab.ca/index.html
   The August 16, 2000 news item says "This release fixes some
   security problems."  It's for version 2.07, but the discloser
   didn't say what version was available.
   
   Other security fixes are in the release notes at
   http://www.omnicron.ab.ca/httpd/docs/release.html Notes for
   Professional Version 1.01 say "Patched up two security weaknesses."
   Notes for version 2.07 say "Fixes dot-appending vulnerability."
   Professional Alpha 7 says "Revamped CGI launching and security,"
   Professional Alpha 4 says "Fixed SSI path mapping and security
   problems," Alpha 5 says "Security fixup."
   
   In other words, you can't tell whether they've fixed this bug
   or not.
 Christey> BID:1808
   URL:http://www.securityfocus.com/bid/1808

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Description:
Whois Internic Lookup program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Votes:

   ACCEPT(3) Stracener, Blake, Cole
   MODIFY(1) Frech
   REVIEWING(1) Christey

 Christey> More examination is required to determine if CAN-1999-0983,
   CAN-1999-0984, or CAN-1999-0985 are the same codebase.
 Frech> XF:whois-internic-shell-meta
 Christey> ADDREF BID:2000
 Christey> The XF appears to be gone.  Perhaps it's this one:
   XF:http-cgi-whois-meta(3798)

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Description:
Matt's Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Votes:

   ACCEPT(2) Stracener, Blake
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey

 Cole> How is this different than the previous?
 Christey> More examination is required to determine if CAN-1999-0983,
   CAN-1999-0984, or CAN-1999-0985 are the same codebase.
 Frech> XF:matts-whois-meta
 Christey> ADDREF BID:2000
 Christey> XF reference is gone.  Replace with http-cgi-matts-whois-meta(3799) ?

Phase: Proposed (19991214)
Reference: BUGTRAQ:19991109 Whois.cgi - ADVISORY.

Description:
CC Whois program whois.cgi allows remote attackers to execute commands via shell metacharacters in the domain entry.

Votes:

   ACCEPT(2) Stracener, Blake
   MODIFY(1) Frech
   NOOP(1) Cole
   REVIEWING(1) Christey

 Cole> I would combine all of these.
 Christey> More examination is required to determine if CAN-1999-0983,
   CAN-1999-0984, or CAN-1999-0985 are the same codebase.
 Frech> XF:cc-whois-meta
 Christey> ADDREF BID:2000
 Frech> Change cc-whois-meta(3800) to http-cgi-ccwhois(3747)
 Christey> Replace XF reference with XF:cc-whois-meta(3800) ?

Phase: Modified (20000121-01)
Reference: BUGTRAQ:19991204 UnixWare pkg* command exploits
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BUGTRAQ:19991223 FYI, SCO Security patches available.
Reference: BUGTRAQ:19991220 SCO OpenServer Security Status

Description:
UnixWare pkgtrans allows local users to read arbitrary files via a symlink attack.

Votes:

   ACCEPT(2) Blake, Cole
   MODIFY(1) Frech
   RECAST(1) Stracener
   REVIEWING(1) Christey

 Stracener> The pkg* programs pkgtrans, pkginfo, pkgcat, pkginstall, and pkgparam
   can be used to mount etc/shadow printing attacks as a result of the
   "dacread" permission (cf. /etc/security/tcb/privs). The procedural
   differences between the individual exploits for each of these utilities
   are therefore inconsequential. CAN-1999-0988 should be merged with
   CAN-1999-0828. From the standpoint of maintaining consistency of the
   level of abstraction used in CVE, the co-existence of CANS
   1999-0988/1999-0828 present two choices: either merge 0988 with 0828, or
   split 0828 into 4 distinct candidates, keeping 0988 intact. Due to the
   very small differences (in principle) between the exploits subsumed by
   0828 and 0988 and the shared dacread permissions of the pkg* suite, I
   suggest a merge. Below is a summary of the data upon which my decision
   was based.
   utility         exploit
   --------      ---------------------------------- 
   pkgtrans  --> symlink + dacread permission prob
   pkginfo   --> truss (debugging utility) in conjunction with pkginfio -d
   etc/shadow. In this case, it captures the interaction between
   pkginfo                the shadow file. Once again: dacread.
   pkgcat    --> buffer overflow  + dacread permission prob
   pkginstall -> buffer overflow + dacread permission prob
   pkgparam --> -f etc/shadow (works because of dacread).
 Christey> This is a tough one.  While there are few procedural
   differences, one could view "assignment of an improper
   permission" as a "class" of problems along the lines of
   buffer overflows and the like.  Just like some programs
   were fine until they got turned into CGI scripts, this
   could be an emerging pattern which should be given
   consideration.  Consider the Eyedog and scriptlet.typelib
   ActiveX utilities being marked as safe for scripting
   (CAN-1999-0668 and 0669).
   
   ftp://ftp.sco.com/SSE/security_bulletins/SB-99.28a loosely
   alludes to this problem; the README for patch SSE053
   effectively confirms it.
 Frech> XF:unixware-pkgtrans-symlink

Phase: Interim (19991229)
Reference: BUGTRAQ:19991205 gdm thing

Description:
Error messages generated by gdm with the VerboseAuth setting allows an attacker to identify valid users on a system.

Votes:

   ACCEPT(3) Stracener, Blake, Cole
   MODIFY(1) Frech

 Frech> XF:verbose-auth-identify-user(3804)

Phase: Proposed (19991222)
Reference: NTBUGTRAQ:19991213 Changing ACL's in Exchange Server

Description:
Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed.

Votes:

   ACCEPT(2) Stracener, Wall
   MODIFY(1) Frech
   NOOP(1) Cole
   REJECT(1) LeBlanc

 Frech> XF:exchange-acl-changes(3916)
 LeBlanc> Not a vulnerability

Phase: Modified (20030619-01)
Reference: MISC:http://www.rstcorp.com/news/bad-crypto.html
Reference: BUGTRAQ:19991216 Reinventing the wheel (aka "Decoding Netscape Mail passwords")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94536309217214&w=2
Reference: BUGTRAQ:19991220 Netscape password scrambling
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94570673523998&w=2

Description:
Netscape Navigator uses weak encryption for storing a user's Netscape mail password.

Votes:

   ACCEPT(4) Baker, Wall, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Christey

 Frech> XF:netscape-mail-encryption(3921)
 Christey> CHANGEREF make the RCA URL a "MISC" reference

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991214 Local / Remote D.o.S Attack in War FTP Daemon 1.70 Vulnerability
Reference: BUGTRAQ:19991216 Statement: Local / Remote D.o.S Attack in War FTP Daemon 1.70

Description:
War FTP Daemon 1.70 allows remote attackers to cause a denial of service by flooding it with connections.

Votes:

   ACCEPT(3) Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall

 Frech> XF:warftp-connection-flood

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991219 Groupewise Web Interface
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94571433731824&w=2

Description:
Groupwise web server GWWEB.EXE allows remote attackers to determine the real path of the web server via the HELP parameter.

Votes:

   ACCEPT(4) Prosser, Baker, Cole, Stracener
   MODIFY(1) Frech
   NOOP(2) Wall, Christey

 Frech> XF:groupwise-web-path
 Prosser> Pretty well confirmed by testing with responses to BugTraq list.
   
   additional ref:  BugTraq ID 879  http://www.securityfocus.com/bid/879
 Christey> A later discovery almost 2 years later is at:
   BUGTRAQ:20020227 SecurityOffice Security Advisory:// Novell
   GroupWise Web Access Path Disclosure Vulnerability
   http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2
   CD:SF-LOC might suggest merging these together.

Phase: Proposed (19991222)
Reference: BUGTRAQ:19991213 Privacy hole in Go Express Search

Description:
The Disney Go Express Search allows remote attackers to access and modify search information for users by connecting to an HTTP server on the user's system.

Votes:

   ACCEPT(1) Baker
   MODIFY(1) Frech
   NOOP(4) Balinsky, Wall, Cole, Stracener

 Frech> XF:disney-search-info(3955)
 Balinsky> The go.express.com web site does not mention the existence of the Express web server mentioned in the advisory. There appears to be no way of verifying this.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 AS/400
Reference: URL:http://www.securityfocus.com/archive/1/13527
Reference: BID:173
Reference: URL:http://www.securityfocus.com/bid/173

Description:
SMTP component of Lotus Domino 4.6.1 on AS/400, and possibly other operating systems, allows a remote attacker to crash the mail server via a long string.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> (Task 1770)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:lotus-domino-smtp-dos(8790)

Phase: Proposed (20010912)
Reference: BID:673
Reference: URL:http://www.securityfocus.com/bid/673
Reference: BUGTRAQ:19990923 named-xfer hole on AIX (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93837026726954&w=2

Description:
named-xfer in AIX 4.1.5 and 4.2.1 allows members of the system group to overwrite system files to gain root access via the -f parameter and a malformed zone file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:aix-named-xfer-root-access(3308)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 AppleShare IP Mail Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2
Reference: BID:61
Reference: URL:http://www.securityfocus.com/bid/61

Description:
Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:smtp-helo-bo(886)

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990827 HTML code to crash IE5 and Outlook Express 5
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93578772920970&w=2
Reference: BID:606
Reference: URL:http://www.securityfocus.com/bid/606

Description:
Microsoft HTML control as used in (1) Internet Explorer 5.0, (2) FrontPage Express, (3) Outlook Express 5, and (4) Eudora, and possibly others, allows remote malicious web site or HTML emails to cause a denial of service (100% CPU consumption) via large HTML form fields such as text inputs in a table cell

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(2) Foat, Christey

 Frech> XF:ms-html-table-form-dos(3246)
 Frech> XF:ms-html-table-form-dos(3246)
 Christey> Add period to the end of the description.

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990728 Seattle Labs EMURL Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93316253431588&w=2
Reference: BID:544
Reference: URL:http://www.securityfocus.com/bid/544

Description:
Seattle Labs Emurl 2.0, and possibly earlier versions, stores e-mail attachments in a specific directory with scripting enabled, which allows a malicious ASP file attachment to execute when the recipient opens the message.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> (Task 2281)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:emurl-attachment-execution(8794)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990727 Linux 2.2.10 ipchains Advisory
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93312523904591&w=2
Reference: BID:543
Reference: URL:http://www.securityfocus.com/bid/543

Description:
IPChains in Linux kernels 2.2.10 and earlier does not reassemble IP fragments before checking the header information, which allows a remote attacker to bypass the filtering rules using several fragments with 0 offsets.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:linux-ipchains-bypass-filter(6516)
 Frech> XF:linux-ipchains-bypass-filter(6516)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980918 NMRC Advisory - Default NDS Rights
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90613355902262&w=2
Reference: BID:484
Reference: URL:http://www.securityfocus.com/bid/484
Reference: XF:novell-nds(1364)
Reference: URL:http://xforce.iss.net/static/1364.php

Description:
The installation of Novell Netware NDS 5.99 provides an unauthenticated client with Read access for the tree, which allows remote attackers to access sensitive information such as users, groups, and readable objects via CX.EXE and NLIST.EXE.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19941002
Reference: URL:http://www.securityfocus.com/archive/1/930
Reference: XF:sgi-serialports(2111)
Reference: URL:http://xforce.iss.net/static/2111.php
Reference: BID:464
Reference: URL:http://www.securityfocus.com/bid/464

Description:
serial_ports administrative program in IRIX 4.x and 5.x trusts the user's PATH environmental variable to find and execute the ls program, which allows local users to gain root privileges via a Trojan horse ls program.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Foat, Christey

 Christey> Note: CAN-1999-1310 is a duplicate of this candidate.
   CAN-1999-1310 will be REJECTed; this is the proper CAN to use.
   
   CIAC:F-01
   URL:http://ciac.llnl.gov/ciac/bulletins/f-01.shtml
   SGI:19941001-01-P
   URL:ftp://patches.sgi.com/support/free/security/advisories/19941001-01-P
   MISC:http://www.netsys.com/firewalls/firewalls-9410/0019.html

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990610 Sun Useradd program expiration date bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92904175406756&w=2
Reference: BID:426
Reference: URL:http://www.securityfocus.com/bid/426

Description:
useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired.

Votes:

   ACCEPT(1) Dik
   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Dik> sun bug: 4222400
 Frech> XF:solaris-useradd-expired-accounts(8375)
   CONFIRM:(2.6)110883-01, (2.6_x86) 110884-01, (7)110869-01,
   (7_x86) 110870-01

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990616 tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92955903802773&w=2
Reference: BUGTRAQ:19990617 Re: tcpdump 3.4 bug?
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92963447601748&w=2
Reference: BUGTRAQ:19990620 Re: tcpdump 3.4 bug? (final)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92989907627051&w=2
Reference: BID:313
Reference: URL:http://www.securityfocus.com/bid/313

Description:
ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:tcpdump-ipprint-dos(8373)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981012 Annoying Solaris/CDE/NIS+ bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90831127921062&w=2
Reference: SUNBUG:4115685
Reference: URL:http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F106027&zone_32=411568%2A%20
Reference: BID:294
Reference: URL:http://www.securityfocus.com/bid/294

Description:
CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.

Votes:

   ACCEPT(4) Foat, Cole, Dik, Stracener
   MODIFY(1) Frech

 Frech> XF:solaris-cde-nisplus-lock(7473)
 Dik> sun bug: 4115685

Phase: Proposed (20010912)
Reference: BUGTRAQ:19961220 Solaris 2.5 x86 aspppd (semi-exploitable-hole)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420343&w=2
Reference: BID:292
Reference: URL:http://www.securityfocus.com/bid/292

Description:
aspppd on Solaris 2.5 x86 allows local users to modify arbitrary files and gain root privileges via a symlink attack on the /tmp/.asppp.fifo file.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

 Frech> XF:sun-aspppd-tmp-symlink(7173)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990513 - J.J.F. / Hackers Team warns for SSHD 2.x brute force password hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004280&w=2
Reference: BID:277
Reference: URL:http://www.securityfocus.com/bid/277
Reference: XF:ssh2-bruteforce(2193)
Reference: URL:http://xforce.iss.net/static/2193.php

Description:
SSH server (sshd2) before 2.0.12 does not properly record login attempts if the connection is closed before the maximum number of tries, allowing a remote attacker to guess the password without showing up in the audit logs.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

Description:
counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:http-cgi-counter-long(2196)
 Frech> XF:http-cgi-counter-long(2196)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92713790426690&w=2
Reference: NTBUGTRAQ:19990519 Denial of Service in Counter.exe version 2.70
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=92707671717292&w=2
Reference: BID:267
Reference: URL:http://www.securityfocus.com/bid/267

Description:
counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via a long argument.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:http-cgi-counter-long(2196)
 Frech> XF:http-cgi-counter-long(2196)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990511 Outlook Express Win98 bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92647407427342&w=2
Reference: BUGTRAQ:19990512 Outlook Express Win98 bug, addition.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92663402004275&w=2
Reference: BID:252
Reference: URL:http://www.securityfocus.com/bid/252

Description:
Microsoft Outlook Express before 4.72.3612.1700 allows a malicious user to send a message that contains a .., which can inadvertently cause Outlook to re-enter POP3 command mode and cause the POP3 session to hang.

Votes:

   ACCEPT(2) Wall, Cole
   MODIFY(1) Frech
   NOOP(1) Foat

 Frech> (Task 2241)
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:outlook-pop3-dot-dos(8926)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2

Description:
COPS 1.04 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files in (1) res_diff, (2) ca.src, and (3) mail.chk.

Votes:

   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Wall, Cole

 Frech> XF:cops-temp-file-symlink(7325)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980626 vulnerability in satan, cops & tiger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221103125976&w=2

Description:
Tiger 2.2.3 allows local users to overwrite arbitrary files via a symlink attack on various temporary files in Tiger's default working directory, as defined by the WORKDIR variable.

Votes:

   ACCEPT(1) Foat
   MODIFY(1) Frech
   NOOP(2) Wall, Cole

 Frech> XF:tiger-workdir-symlink(7326)

Phase: Proposed (20010912)
Reference: SGI:19980502-01-P3030
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980502-01-P3030

Description:
Vulnerability in (1) diskalign and (2) diskperf in IRIX 6.4 patches 2291 and 2848 allow a local user to create root-owned files leading to a root compromise.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   REJECT(1) Frech

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980408 SGI O2 ipx security issue
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89217373930054&w=2
Reference: SGI:19980501-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19980501-01-P2869
Reference: CIAC:I-055
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-055.shtml

Description:
Vulnerabilities in (1) ipxchk and (2) ipxlink in NetWare Client 1.0 on IRIX 6.3 and 6.4 allows local users to gain root access via a modified IFS environmental variable.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   NOOP(1) Christey
   REJECT(1) Frech

 Christey> This candidate and CAN-1999-1501 are duplicates.  However,
   CAN-1999-1501 will be REJECTed in favor of this candidate.
   Add the following references:
   BID:70
   URL:http://www.securityfocus.com/bid/70
   BID:71
   URL:http://www.securityfocus.com/bid/71
   XF:irix-ipxchk-ipxlink-ifs-commands(7365)
   URL:http://xforce.iss.net/static/7365.php

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980827 SCO mscreen vul.
Reference: URL:http://www.securityfocus.com/archive/1/10420
Reference: BUGTRAQ:19980926 Root exploit for SCO OpenServer.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90686250717719&w=2
Reference: SCO:SB-98.05a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-98.05a
Reference: CERT:VB-98.10
Reference: URL:http://www.cert.org/vendor_bulletins/VB-98.10.sco.mscreen

Description:
Buffer overflow in mscreen on SCO OpenServer 5.0 and SCO UNIX 3.2v4 allows a local user to gain root access via (1) a long TERM environmental variable and (2) a long entry in the .mscreenrc file.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REVIEWING(1) Christey

 Frech> XF:sco-openserver-mscreen-bo(1379)
 Christey> Possible dupe with CAN-1999-1185.

Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml

Description:
Cisco Resource Manager (CRM) 1.0 and 1.1 creates world-readable log files and temporary files, which may expose sensitive information, to local users such as user IDs, passwords and SNMP community strings.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(3) Balinsky, Armstrong, Christey

 Frech> XF:cisco-crm-file-vuln(1575)
 Armstrong> I think that this is the same as Can-1999-1126
 Balinsky> This is the same as CAN-1999-1126. Merge them.
 Christey> DUPE CAN-1999-1126, as noted by others.
   This candidate will be rejected.  CAN-1999-1126 will be
   promoted.

Phase: Proposed (20010912)
Reference: MS:MS98-007
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms98-007.asp

Description:
Microsoft Exchange Server 5.5 and 5.0 does not properly handle (1) malformed NNTP data, or (2) malformed SMTP data, which allows remote attackers to cause a denial of service (application error).

Votes:

   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech

 Frech> XF:exchange-dos(1223)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990302 Multiple IMail Vulnerabilites
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92038879607336&w=2
Reference: BID:504
Reference: URL:http://www.securityfocus.com/bid/504
Reference: XF:imail-imonitor-overflow(1897)
Reference: URL:http://xforce.iss.net/static/1897.php

Description:
Buffer overflow in IMonitor in IMail 5.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 8181.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990222 Severe Security Hole in ARCserve NT agents (fwd)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91972006211238&w=2

Description:
ARCserve NT agents use weak encryption (XOR) for passwords, which allows remote attackers to sniff the authentication request to port 6050 and decrypt the password.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:arcserve-agent-passwords(1822)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991112 FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34600
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939
Reference: BID:798
Reference: URL:http://www.securityfocus.com/bid/798
Reference: BID:799
Reference: URL:http://www.securityfocus.com/bid/799
Reference: XF:formhandler-cgi-absolute-path(3550)
Reference: URL:http://xforce.iss.net/static/3550.php

Description:
Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Christey

 Christey> Abstraction and definition issue: CD:SF-LOC suggests combining
   issues of the same type.  Some people refer to "directory
   traversal" and just mean .. problems; but there are other
   issues (specifying an absolute pathname, using C: drive
   letters, doing encodings) that, to my way of thinking, are
   "different."  Perhaps this should be split.
   
   My brain hurts too much right now.  There are a couple
   problems with the references and descriptions of CAN-1999-1050
   and CAN-1999-1051.  I'm interpreting the underlying nature
   of the problem(s) a little differently than others are.
   Some of it may be due to differing definitions or thoughts
   about what "directory traversal vulnerabilities" are.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991116 Re: FormHandler.cgi
Reference: URL:http://www.securityfocus.com/archive/1/34939

Description:
Default configuration in Matt Wright FormHandler.cgi script allows arbitrary directories to be used for attachments, and only restricts access to the /etc/ directory, which allows remote attackers to read arbitrary files via the reply_message_attach attachment parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole
   REVIEWING(1) Christey

 Frech> XF:formhandler-cgi-reply-message(7782)
 Christey> I view one of these as a configuration issue: FormHandler.cgi
   *could* be configured to limit hard-coded pathnames to a single
   directory which, while being an information leak, would still be
   "reasonably secure."  But by default, it's just not configured that
   way.
   
   My brain hurts too much right now.  There are a couple
   problems with the references and descriptions of CAN-1999-1050
   and CAN-1999-1051.  I'm interpreting the underlying nature
   of the problem(s) a little differently than others are.
   Some of it may be due to differing definitions or thoughts
   about what "directory traversal vulnerabilities" are.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990824 Front Page form_results
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582550911564&w=2

Description:
Microsoft FrontPage stores form results in a default location in /_private/form_results.txt, which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive information submitted by other users.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole

 Frech> XF:frontpage-formresults-world-readable(8362)

Phase: Proposed (20010912)
Reference: VULN-DEV:19990913 Guestbook perl script (long)
Reference: URL:http://www.securityfocus.com/archive/82/27296
Reference: VULN-DEV:19990916 Re: Guestbook perl script (error fix)
Reference: URL:http://www.securityfocus.com/archive/82/27560
Reference: BUGTRAQ:19991105 Guestbook.pl, sloppy SSI handling in Apache? (VD#2)
Reference: URL:http://www.securityfocus.com/archive/1/33674
Reference: BID:776
Reference: URL:http://www.securityfocus.com/bid/776

Description:
guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:guestbook-cgi-command-execution(7783)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980925 Globetrotter FlexLM 'lmdown' bogosity
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90675672323825&w=2

Description:
The default configuration of FLEXlm license manager 6.0d, and possibly other versions, allows remote attackers to shut down the server via the lmdown command.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: CERT:CA-1992-18
Reference: URL:http://www.cert.org/advisories/CA-1992-18.html

Description:
Vulnerability in VMS 5.0 through 5.4-2 allows local users to gain privileges via the Monitor utility.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech
   NOOP(1) Wall
   REJECT(1) Christey

 Frech> XF:vms-monitor-gain-privileges(7136)
 Christey> DUPE CAN-1999-1395
   This CAN is being rejected in favor of CAN-1999-1395 because
   CAN-1999-1395 has more references.

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=94337185023159&w=2
Reference: BUGTRAQ:19991122 Remote DoS Attack in Vermillion FTP Daemon (VFTPD) v1.23 Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94329968617085&w=2
Reference: XF:vermillion-ftp-cwd-overflow(3543)
Reference: URL:http://xforce.iss.net/static/3543.php
Reference: BID:818
Reference: URL:http://www.securityfocus.com/bid/818

Description:
Buffer overflow in Vermillion FTP Daemon VFTPD 1.23 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via several long CWD commands.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990217 Tetrix 1.13.16 is Vulnerable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91937090211855&w=2
Reference: BID:340
Reference: URL:http://www.securityfocus.com/bid/340

Description:
Buffer overflow in Tetrix TetriNet daemon 1.13.16 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by connecting to port 31457 from a host with a long DNS hostname.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:tetrinet-dns-hostname-bo(7500)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php

Description:
HP Laserjet printers with JetDirect cards, when configured with TCP/IP, can be configured without a password, which allows remote attackers to connect to the printer and change its IP address or disable logging.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat

 Frech> CONFIRM:http://www.hp.com/cposupport/printers/support_doc/bpl
   02914.html

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971004 HP Laserjet 4M Plus DirectJet Problem
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602248518480&w=2
Reference: XF:laserjet-unpassworded(1876)
Reference: URL:http://xforce.iss.net/static/1876.php

Description:
HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(1) Foat

 Frech> DELREF:XF:laserjet-unpassworded(1876)
   ADDREF:XF:hp-printer-flood(1818)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990601 whois_raw.cgi problem
Reference: URL:http://www.securityfocus.com/archive/1/14019
Reference: BID:304
Reference: URL:http://www.securityfocus.com/bid/304
Reference: XF:http-cgi-cdomain(2251)
Reference: URL:http://xforce.iss.net/static/2251.php

Description:
CDomain whois_raw.cgi whois CGI script allows remote attackers to execute arbitrary commands via shell metacharacters in the fqdn parameter.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990822
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93555317429630&w=2
Reference: BUGTRAQ:19990824 Re: WindowMaker bugs (was sub:none )
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93582070508957&w=2
Reference: BID:596
Reference: URL:http://www.securityfocus.com/bid/596

Description:
Multiple buffer overflows in WindowMaker 0.52 through 0.60.0 allow attackers to cause a denial of service and possibly execute arbitrary commands by executing WindowMaker with a long program name (argv[0]).

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:windowmaker-bo(3249)
 Frech> XF:windowmaker-bo(3249)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991104 Palm Hotsync vulnerable to DoS attack
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94175465525422&w=2

Description:
Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:palm-hotsync-bo(7785)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991222 Quake "smurf" - Quake War Utils
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94589559631535&w=2

Description:
Quake 1 server responds to an initial UDP game connection request with a large amount of traffic, which allows remote attackers to use the server as an amplifier in a "Smurf" style attack on another host, by spoofing the connection request.

Votes:

   MODIFY(1) Frech
   NOOP(4) Wall, Foat, Cole, Christey

 Christey> This is apparently a problem with the connection protocol.
   See BUGTRAQ:19980522 NetQuake Protocol problem resulting in smurf like effect.
   URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925989&w=2
 Frech> XF:quake-udp-connection-dos(7862)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970507 Re: SGI Security Advisory 19970501-01-A - Vulnerability in webdist.cgi
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420919&w=2
Reference: XF:sgi-machineinfo

Description:
SGI MachineInfo CGI program, installed by default on some web servers, prints potentially sensitive system status information, which could be used by remote attackers for information gathering activities.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

 Frech> I'd be a lot more confident in this vote if there was a more
   concrete reference strongly associating webdist.cgi and machineinfo.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970723 DoS against Oracle Webserver 2.1 with PL/SQL stored procedures
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602661419366&w=2

Description:
Oracle Webserver 2.1, when serving PL/SQL stored procedures, allows remote attackers to cause a denial of service via a long HTTP GET request.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole

 Frech> XF:oracle-webserver-dos(1812)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971108 Security bug in iCat Suite version 3.0
Reference: URL:http://www.securityfocus.com/archive/1/7943
Reference: BID:2126
Reference: URL:http://www.securityfocus.com/bid/2126
Reference: XF:icat-carbo-server-vuln(1620)
Reference: URL:http://xforce.iss.net/static/1620.php

Description:
Directory traversal vulnerability in carbo.dll in iCat Carbo Server 3.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the icatcommand parameter.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat

 Frech> iCat's site at http://www.icat.com/ is shut down, and no
   further support seems to be available.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980725 Annex DoS
Reference: URL:http://www.securityfocus.com/archive/1/10021

Description:
Buffer overflow in ping CGI program in Xylogics Annex terminal service allows remote attackers to cause a denial of service via a long query parameter.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:annex-ping-crash(2090)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2
Reference: XF:excite-world-write(1417)
Reference: URL:http://xforce.iss.net/static/1417.php

Description:
Excite for Web Servers (EWS) 1.1 installs the Architext.conf authentication file with world-writeable permissions, which allows local users to gain access to Excite accounts by modifying the file.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2

Description:
Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.

Votes:

   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981130 Security bugs in Excite for Web Servers 1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91248445931140&w=2

Description:
Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.

Votes:

   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980318 AIX 4.1.5 DoS attack (aka "Port 1025 problem")
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89025820612530&w=2

Description:
inetd in AIX 4.1.5 dynamically assigns a port N when starting ttdbserver (ToolTalk server), but also inadvertently listens on port N-1 without passing control to ttdbserver, which allows remote attackers to cause a denial of service via a large number of connections to port N-1, which are not properly closed by inetd.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:aix-ttdbserver(813)
   CONFIRM:APAR IX70400

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991026 Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94096348604173&w=2
Reference: BID:745
Reference: URL:http://www.securityfocus.com/bid/745

Description:
Idle locking function in MacOS 9 allows local users to bypass the password protection of idled sessions by selecting the "Log Out" option and selecting a "Cancel" option in the dialog box for an application that attempts to verify that the user wants to log out, which returns the attacker into the locked session.

Votes:

   ACCEPT(2) Foat, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

 Frech> XF:macos-idle-screenlock-bypass(7794)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991101 Re: Mac OS 9 Idle Lock Bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94149318124548&w=2
Reference: BID:756
Reference: URL:http://www.securityfocus.com/bid/756

Description:
Idle locking function in MacOS 9 allows local attackers to bypass the password protection of idled sessions via the programmer's switch or CMD-PWR keyboard sequence, which brings up a debugger that the attacker can use to disable the lock.

Votes:

   ACCEPT(2) Foat, Cole
   MODIFY(1) Frech
   NOOP(1) Wall

 Frech> XF:macos-debug-screenlock-access(3426)

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19990729 WS_FTP Pro 6.0 Weak Password Encryption Vulnerability
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&D=0&P=10370&F=P
Reference: BID:547
Reference: URL:http://www.securityfocus.com/bid/547

Description:
WS_FTP Pro 6.0 uses weak encryption for passwords in its initialization files, which allows remote attackers to easily decrypt the passwords and gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:wsftp-weak-password-encryption(8349)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990506 AIX Security Fixes Update
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92601792420088&w=2
Reference: BUGTRAQ:19990825 AIX security summary
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93587956513233&w=2
Reference: AIXAPAR:IX80470
Reference: URL:http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=08E0B1A1B85472A1852567C90031BB36
Reference: BID:439
Reference: URL:http://www.securityfocus.com/bid/439

Description:
Vulnerability in ptrace in AIX 4.3 allows local users to gain privileges by attaching to a setgid program.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

 Frech> XF:aix-ptrace-setgid(7487)

Phase: Proposed (20010912)
Reference: MISC:http://www.w3.org/Security/Faq/wwwsf8.html#Q87
Reference: MISC:http://www.roxanne.org/faqs/www-secure/wwwsf4.html#Q35
Reference: XF:http-nov-files(2054)
Reference: URL:http://xforce.iss.net/static/2054.php

Description:
Vulnerability in files.pl script in Novell WebServer Examples Toolkit 2 allows remote attackers to read arbitrary files.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(1) Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991008 Jana webserver exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93941794201059&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699

Description:
Directory traversal vulnerability in Jana proxy web server 1.40 allows remote attackers to ready arbitrary files via a "......" (modified dot dot) attack.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:jana-server-directory-traversal(6513)

Phase: Proposed (20010912)
Reference: BUGTRAQ:20000502 Security Bug in Jana HTTP Server
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=95730430727064&w=2
Reference: BID:699
Reference: URL:http://www.securityfocus.com/bid/699

Description:
Directory traversal vulnerability in Jana proxy web server 1.45 allows remote attackers to ready arbitrary files via a .. (dot dot) attack.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:jana-server-directory-traversal(6513)

Phase: Proposed (20010912)
Reference: NTBUGTRAQ:19980622 Yet another "get yourself admin rights exploit":
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222453431604&w=2
Reference: MSKB:Q103861
Reference: URL:http://support.microsoft.com/support/kb/articles/q103/8/61.asp
Reference: MS:MS00-008
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
Reference: CIAC:K-029
Reference: URL:http://www.ciac.org/ciac/bulletins/k-029.shtml
Reference: BID:1044
Reference: URL:http://www.securityfocus.com/bid/1044

Description:
The "AEDebug" registry key is installed with insecure permissions, which allows local users to modify the key to specify a Trojan Horse debugger which is automatically executed on a system crash.

Votes:

   ACCEPT(3) Wall, Foat, Cole
   MODIFY(1) Frech

 Frech> XF:nt-registry-permissions(4111)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990715 NMRC Advisory: Netware 5 Client Hijacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93214475111651&w=2
Reference: BID:528
Reference: URL:http://www.securityfocus.com/bid/528

Description:
Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:netware-ipx-session-spoof(2350)

Phase: Proposed (20010912)
Reference: HP:HPSBUX9701-050
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: XF:hp-chsh(2012)
Reference: URL:http://xforce.iss.net/static/2012.php

Description:
Vulnerability in chsh command in HP-UX 9.X through 10.20 allows local users to gain privileges.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

Phase: Proposed (20010912)
Reference: BUGTRAQ:19961209 the HP Bug of the Week!
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420285&w=2
Reference: HP:HPSBUX9701-049
Reference: CIAC:H-21
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-21.shtml
Reference: CIAC:H-16
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/h-16.shtml
Reference: AUSCERT:AA-96.18
Reference: XF:hp-chfn(2008)

Description:
Buffer overflow in chfn command in HP-UX 9.X through 10.20 allows local users to gain privileges via a long command line argument.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

Phase: Proposed (20010912)
Reference: BUGTRAQ:19960903 [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419835&w=2
Reference: BUGTRAQ:19960903 Re: BoS: [BUG] Vulnerability in TIN
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167419839&w=2
Reference: BUGTRAQ:19970329 symlink bug in tin/rtin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420726&w=2
Reference: XF:tin-tmpfile(431)
Reference: URL:http://xforce.iss.net/static/431.php

Description:
UNIX news readers tin and rtin create the /tmp/.tin_log file with insecure permissions and follow symlinks, which allows attackers to modify the permissions of files writable by the user via a symlink attack.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991117 default permissions for tin
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=94286179032648&w=2

Description:
tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:tin-insecure-permissions(7796)
   Confirmed in changelog for 1.4.1
   http://ftp.kreonet.re.kr/pub/tools/news/tin/v1.4/CHANGES

Phase: Proposed (20010912)
Reference: BUGTRAQ:19971006 KSR[T] Advisory #3: updatedb / crontabs
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87619953510834&w=2
Reference: BUGTRAQ:19980303 updatedb stuff
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88890116304676&w=2
Reference: BUGTRAQ:19980303 updatedb: sort patch
Reference: BUGTRAQ:19980302 overwrite any file with updatedb
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88886870129518&w=2

Description:
sort creates temporary files and follows symbolic links, which allows local users to modify arbitrary files that are writable by the user running sort, as observed in updatedb and other programs that use sort.

Votes:

   MODIFY(1) Frech
   NOOP(3) Foat, Cole, Christey

 Frech> XF:sort-tmp-file-symlink(7182)
 Christey> This issue clearly has a long history.
   CALDERA:CSSA-2002-SCO.21
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0018.html
   CALDERA:CSSA-2002-SCO.2
   URL:http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
   (There are 2 Caldera advisories because one is for Open UNIX
   and UnixWare, and the other is for OpenServer)
   
   XF:openserver-sort-symlink(9218)
   URL:http://www.iss.net/security_center/static/9218.php

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980516 kde exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925954&w=2
Reference: BUGTRAQ:19980517 simple kde exploit fix
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221101925959&w=2
Reference: XF:kde-klock-home-bo(1644)
Reference: URL:http://xforce.iss.net/static/1644.php

Description:
Buffer overflow in kscreensaver in KDE klock allows local users to gain root privileges via a long HOME environmental variable.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990504 Microsoft Netmeeting Hole
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=92586457816446&w=2
Reference: XF:netmeeting-clipboard(2187)
Reference: URL:http://xforce.iss.net/static/2187.php

Description:
Microsoft NetMeeting 2.1 allows one client to read the contents of another client's clipboard via a CTRL-C in the chat box when the box is empty.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990219 Yet Another password storing problem (was: Re: Possible Netscape Crypto Security Flaw)
Reference: URL:http://www.securityfocus.com/archive/1/12618

Description:
Kabsoftware Lydia utility uses weak encryption to store user passwords in the lydia.ini file, which allows local users to easily decrypt the passwords and gain privileges.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:lydia-ini-passwords(7501)
   ADDREF:http://www.kabsoftware.com/lydia_history.txt (Version
   History for Lydia, V3.3 - 11/24/00)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980429 Security hole in kppp
Reference: URL:http://www.securityfocus.com/archive/1/9121
Reference: XF:kde-kppp-account-bo(1643)
Reference: URL:http://xforce.iss.net/static/1643.php
Reference: BID:92
Reference: URL:http://www.securityfocus.com/bid/92

Description:
Buffer overflow in kppp in KDE allows local users to gain root access via a long -c (account_name) command line argument.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:http://xforce.iss.net/static/1650.php

Description:
Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19981118 Multiple KDE security vulnerabilities (root compromise)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=91141486301691&w=2
Reference: XF:kde-kppp-path-bo(1650)
Reference: URL:http://xforce.iss.net/static/1650.php

Description:
Buffer overflow in kppp in KDE allows local users to gain root access via a long PATH environmental variable.

Votes:

   ACCEPT(1) Cole
   NOOP(2) Wall, Foat
   REJECT(1) Frech

 Frech> Has exactly the same attributes as CAN-1999-1107.

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991114 IE 5.0 and Windows Media Player ActiveX object allow checking the existence of local files and directories
Reference: URL:http://www.securityfocus.com/archive/1/34675
Reference: BID:793
Reference: URL:http://www.securityfocus.com/bid/793

Description:
Windows Media Player ActiveX object as used in Internet Explorer 5.0 returns a specific error code when a file does not exist, which allows remote malicious web sites to determine the existence of files on the client.

Votes:

   ACCEPT(1) Wall
   MODIFY(1) Frech
   NOOP(2) Foat, Cole

 Frech> XF:ie-mediaplayer-activex(7800)

Phase: Proposed (20010912)
Reference: BUGTRAQ:19991109 Irfan view 3.07 buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/34066
Reference: MISC:http://stud4.tuwien.ac.at/~e9227474/main2.html
Reference: XF:irfan-view32-bo(3549)
Reference: URL:http://xforce.iss.net/static/3549.php
Reference: BID:781
Reference: URL:http://www.securityfocus.com/bid/781

Description:
Buffer overflow in IrfanView32 3.07 and earlier allows attackers to execute arbitrary commands via a long string after the "8BPS" image type in a Photo Shop image header.

Votes:

   ACCEPT(1) Frech
   NOOP(3) Wall, Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980414 MacOS based buffer overflows...
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=89258194718577&w=2
Reference: BID:75
Reference: URL:http://www.securityfocus.com/bid/75

Description:
Buffer overflow in Eudora Internet Mail Server (EIMS) 2.01 and earlier on MacOS systems allows remote attackers to cause a denial of service via a long USER command to port 106.

Votes:

   MODIFY(1) Frech
   NOOP(3) Wall, Foat, Cole

 Frech> XF:eudora-ims-user-dos(7300) 

Phase: Proposed (20010912)
Reference: CERT:CA-1991-07
Reference: URL:http://www.cert.org/advisories/CA-1991-07.html
Reference: SUN:00107
Reference: URL:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/107&type=0&nav=sec.sba
Reference: BID:21
Reference: URL:http://www.securityfocus.com/bid/21
Reference: BID:22
Reference: URL:http://www.securityfocus.com/bid/22
Reference: XF:sun-sourcetapes(582)
Reference: URL:http://xforce.iss.net/static/582.php

Description:
The installation of Sun Source (sunsrc) tapes allows local users to gain root privileges via setuid root programs (1) makeinstall or (2) winstall.

Votes:

   ACCEPT(5) Frech, Foat, Cole, Dik, Stracener
   NOOP(1) Wall

 Dik> sun bug: 1059621

Phase: Proposed (20010912)
Reference: MISC:http://packetstorm.securify.com/mag/phrack/phrack54/P54-08

Description:
HTTP Client application in ColdFusion allows remote attackers to bypass access restrictions for web pages on other ports by providing the target page to the mainframeset.cfm application, which requests the page from the server, making it look like the request is coming from the local host.

Votes:

   ACCEPT(2) Wall, Cole
   NOOP(1) Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970919 Instresting practises of Oracle [Oracle Webserver]
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019796&w=2

Description:
Oracle Webserver 2.1 and earlier runs setuid root, but the configuration file is owned by the oracle account, which allows any local or remote attacker who obtains access to the oracle account to gain privileges or modify arbitrary files by modifying the configuration file.

Votes:

   MODIFY(1) Frech
   NOOP(2) Foat, Cole

 Frech> XF:oracle-webserver-gain-root(7174)

Phase: Proposed (20010912)
Reference: CISCO:19980813 CRM Temporary File Vulnerability
Reference: URL:http://www.cisco.com/warp/public/770/crmtmp-pub.shtml
Reference: CIAC:I-086
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/i-086.shtml
Reference: XF:cisco-crm-file-vuln(1575)
Reference: URL:http://xforce.iss.net/static/1575.php

Description:
Cisco Resource Manager (CRM) 1.1 and earlier creates certain files with insecure permissions that allow local users to obtain sensitive configuration information including usernames, passwords, and SNMP community strings, from (1) swim_swd.log, (2) swim_debug.log, (3) dbi_debug.log, and (4) temporary files whose names begin with "DPR_".

Votes:

   ACCEPT(5) Frech, Foat, Cole, Armstrong, Stracener
   NOOP(1) Wall
   REJECT(1) Balinsky

 Balinsky> Duplicate of CAN-1999-1042

Phase: Proposed (20010912)
Reference: MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
Reference: MISC:http://members.tripod.com/~unibyte/iebug3.htm

Description:
Internet Explorer 3.01 on Windows 95 allows remote malicious web sites to execute arbitrary commands via a .isp file, which is automatically downloaded and executed without prompting the user.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Christey, Foat

 Frech> XF:http-ie-exec(462)
 Christey> DELREF MISC:http://oliver.efri.hr/~crv/security/bugs/NT/ie3.html
   ADDREF MISC:http://focus.silversand.net/vulner/allbug/ie3.html

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990901 VLAN Security
Reference: URL:http://www.securityfocus.com/archive/1/26008
Reference: MISC:http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v8x/eescg8x/aleakyv.htm
Reference: XF:cisco-catalyst-vlan-frames(3294)
Reference: URL:http://xforce.iss.net/static/3294.php
Reference: BID:615
Reference: URL:http://www.securityfocus.com/bid/615

Description:
Cisco Catalyst 2900 Virtual LAN (VLAN) switches allow remote attackers to inject 802.1q frames into another VLAN by forging the VLAN identifier in the trunking tag.

Votes:

   ACCEPT(2) Frech, Foat
   NOOP(2) Wall, Cole

 CHANGE> [Foat changed vote from NOOP to ACCEPT]

Phase: Proposed (20010912)
Reference: BUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=93346448121208&w=2
Reference: NTBUGTRAQ:19990730 Netscape Enterprise Server yeilds source of JHTML
Reference: URL:http://marc.theaimsgroup.com/?l=ntbugtraq&m=93337389603117&w=2
Reference: BID:559
Reference: URL:http://www.securityfocus.com/bid/559

Description:
Default configuration of the search engine in Netscape Enterprise Server 3.5.1, and possibly other versions, allows remote attackers to read the source of JHTML files by specifying a search command using the HTML-tocrec-demo1.pat pattern file.

Votes:

   ACCEPT(1) Cole
   MODIFY(1) Frech
   NOOP(2) Wall, Foat

 Frech> XF:netscape-enterprise-view-jhtml(8352)

Phase: Modified (20020217-01)
Reference: HP:HPSBUX9709-069
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602880019776&w=2
Reference: XF:hp-vue-dt(499)
Reference: URL:http://xforce.iss.net/static/499.php

Description:
HP-UX 9.x and 10.x running X windows may allow local attackers to gain privileges via (1) vuefile, (2) vuepad, (3) dtfile, or (4) dtpad, which do not authenticate users.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener
   NOOP(1) Christey

 Christey> CHANGEREF:  chaneg XF reference to XF:hp-vue-dt(499)

Phase: Modified (20020217-01)
Reference: HP:HPSBUX9404-008
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/008
Reference: CIAC:E-23
Reference: URL:http://ciac.llnl.gov/ciac/bulletins/e-23.shtml
Reference: XF:hp-vue(2284)
Reference: URL:http://www.iss.net/security_center/static/2284.php

Description:
Vulnerability in Vue 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4038, PHSS_4055, and PHSS_4066.

Votes:

   ACCEPT(3) Foat, Cole, Stracener
   MODIFY(1) Frech

 Frech> XF:hp-vue(2284)
   Packetstorm URL is dead. Try another archive.

Phase: Proposed (20010912)
Reference: HP:HPSBUX9504-027
Reference: URL:http://packetstorm.securify.com/advisories/hpalert/027
Reference: XF:hp-vue(2284)
Reference: URL:http://xforce.iss.net/static/2284.php

Description:
Vulnerability in VUE 3.0 in HP 9.x allows local users to gain root privileges, as fixed by PHSS_4994 and PHSS_5438.

Votes:

   ACCEPT(4) Frech, Foat, Cole, Stracener

Phase: Proposed (20010912)
Reference: BUGTRAQ:19970515 MicroSolved finds hole in Ascom Timeplex Router Security
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=87602167420981&w=2
Reference: XF:ascom-timeplex-debug(1824)
Reference: URL:http://xforce.iss.net/static/1824.php

Description:
Ascom Timeplex router allows remote attackers to obtain sensitive information or conduct unauthorized activities by entering debug mode through a sequence of CTRL-D characters.

Votes:

   ACCEPT(1) Frech
   NOOP(2) Foat, Cole

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980716 S.A.F.E.R. Security Bulletin 980708.DOS.1.1
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=90221104525993&w=2
Reference: XF:csm-proxy-dos(1422)
Reference: URL:http://xforce.iss.net/static/1422.php

Description:
Buffer overflow in CSM Proxy 4.1 allows remote attackers to cause a denial of service (crash) via a long string to the FTP port.

Votes:

   ACCEPT(2) Frech, Cole
   NOOP(2) Wall, Foat

Phase: Proposed (20010912)
Reference: BUGTRAQ:19980630 Livingston Portmaster - ISN generation is loosy!
Reference: URL:http://www.securityfocus.com/archive/1/9723
Reference: XF:portmaster-fixed-isn(1882)
Reference: URL:http://xforce.iss.net/static/1882.php