BugTraq summary, week of 21 dec 1998.

embedded controller network software
Someone pointed out that the TCP/IP software on many embedded controllers is vulnerable to the same exploits that have been posted and publicized over the past year.  OS-9 in particular was singled out, as well as some of the cable-TV boxes that are just being rolled out.  Many of these network stacks are probably based on the old BSD codebase and come with all the same flaws.  Also this week, there were several reports along the lines of "Router X is vulnerable to nestea [an old TCP/IP flaw]."  So this stuff is still ongoing.

3com total control hub creates ghost account
The 3Com "Total Control" hub with a HyperARC card (don't ask me what that is) creates an account "adm" with no password.  You can delete this account, but when you do a hardware reset (which is the last step in configuring the unit), the ghost account magically reappears.  Someone posted that of the 37 hubs he tried, 21 could be broken into this way.  Another person pointed out that this is documented in the release notes, so it could be considered a pilot error.

iis could lock up
Microsoft reported that they fixed a bug in IIS (the web server that comes with NT) which would cause it to lock up on certain malformed GET requests.  No other info was given.

bsd new network hole
There's a tiny bug in the BSD-based network stacks (FreeBSD and family) that could (rarely) cause a crash.  Part of the BSD network code assumed that the received packet was at least big enough to hold the IP header.

remote explorer?
Someone posted about an NT worm/trojan called "Remote Exploder", and seemed to assume that everyone would know what he was talking about.  Apparently this program, if run as a normal user, just replaces various files with itself (storing the original file in a resource fork of the new file).  But if run as root, it sets itself up as a service, encrypts some data files, and attempts to spread itself across the network.  As far as I can tell, the only new thing it does is the resource fork thing, and it only affects NT boxes, so it's probably not otherwise interesting.

pam hole (except redhat)
PAM is a pluggable auth module used on Linux and Solaris (and possibly more, these days).  pam-0.64-2 and some previous versions came with a module called "pam_unix_passwd" that has a race condition in it.  This race condition allows you to read and write the /etc/shadow file where passwords are stored.  Worse, you can use gdb to breakpoint the "passwd" command at the spot needed, so there's no "race" to it -- take your time.  Basically, the shadow file is copied to /etc/nshadow using your current umask (so possibly the copy has world read-write permission).  After the changes are made, the /etc/nshadow is copied back into /etc/shadow. Solaris does not use this version of PAM so it's believed to be okay (and it has no "pam_unix_passwd" module anyway).  RedHat doesn't use that module either.
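The umask-dependent copy described above, as an added example that is not from the post or from Linux-PAM itself: the working copy created under whatever umask the caller inherited, beside one created with an explicit owner-only mode and O_EXCL so the result never depends on umask. Paths under /tmp and the umask(0) in the demo are constructed for illustration.

```c
/* Added example (not Linux-PAM code): the umask-dependent temp-file
 * pattern behind the pam_unix_passwd /etc/nshadow bug, beside a
 * hardened variant.  Paths are constructed under /tmp so it runs unprivileged. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns the permission bits the file ended up with, or -1 on error. */
static int mode_bits_of(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Vulnerable pattern: create the working copy with a permissive mode and
 * let whatever umask the caller inherited decide the outcome.  A caller
 * running with umask 000 gets a world read/write copy. */
int copy_with_inherited_umask(const char *dst) {
    int fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    close(fd);
    return mode_bits_of(dst);
}

/* Hardened pattern: do not trust the inherited umask.  Create the file
 * exclusively (O_EXCL fails if anything, symlink included, already sits
 * at the path) with owner-only permissions, then fchmod the open
 * descriptor so the final mode does not depend on umask at all. */
int copy_with_explicit_mode(const char *dst) {
    int fd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0) { close(fd); return -1; }
    close(fd);
    return mode_bits_of(dst);
}

/* Runs both patterns under a permissive umask so the difference is visible;
 * returns 1 when the vulnerable copy is 0666 and the hardened one is 0600. */
int demo(void) {
    const char *bad = "/tmp/nshadow-demo-bad";   /* constructed path */
    const char *good = "/tmp/nshadow-demo-good"; /* constructed path */
    unlink(bad); unlink(good);
    umask(0);                      /* simulate a caller with umask 000 */
    int m1 = copy_with_inherited_umask(bad);
    int m2 = copy_with_explicit_mode(good);
    printf("inherited umask: %04o, explicit mode: %04o\n", m1, m2);
    unlink(bad); unlink(good);
    return (m1 == 0666 && m2 == 0600) ? 1 : 0;
}
```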

logoff people on the yahoo pager
The Yahoo pager (a small chat client) allows you to have a primary identity, and then a few alternate identities.  Apparently the command you send to deactivate an identity doesn't require you to be the owner of that identity.  So you can send control messages to deactivate the identity of anyone who's currently on Yahoo's pager, and it looks like they've logged out.

solaris ldap server logs a little too much
The LDAP server that comes with Solaris (it's called SDS) logs user passwords in plaintext.  The log file (typically /var/opt/SUNWconn/ldap/log/slapd.log) is conveniently world-readable (and writeable!).  This is bad because the LDAP server is used to authenticate people using the IMAP server.  Beware.

buffer overflows

ie frame bug fix
There was a bug in IE's handling of frames that allowed a site to insert content into another IE window, even if that window was aimed at a completely different site.  It meant that a malicious site could try to grab passwords or credit card numbers aimed at different sites, by impersonating that site.  Microsoft released a patch to fix it.