BugTraq summary, week of 4 jan 1999.

smb reuses challenges
Windows SMB authenticates with a challenge-response scheme: the server sends a challenge, the client encrypts it using a value derived from the user's password and sends the result back, and the server compares that response with the one it computes itself.  The problem is that a Windows server hands out the same challenge for about 15 minutes.  Anyone snooping the wire can record a legitimate client's response, connect to the SMB server within that window, receive the identical challenge, and replay the recorded response to authenticate as that user without ever learning the password.  Challenge-response only defeats replay when every challenge is fresh and unpredictable; a reused challenge turns the response into a reusable password.
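To make the replay concrete, here is an added simulation (not Windows code and not the real LM/NTLM computation): a toy keyed mixing function stands in for encrypting the challenge under the password hash, a fake clock stands in for wall time, and the 15-minute lifetime is the figure from the report.  The server struct, the function names and the constants are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>

/* Lifetime of a challenge on the vulnerable server, in seconds (the "about 15
 * minutes" from the report). */
#define CHALLENGE_LIFETIME (15 * 60)

/* Toy keyed mixing function standing in for the real response computation.
 * Windows uses the password hash as DES keys over the challenge; this is NOT
 * that algorithm and has no cryptographic strength. Only its shape matters:
 * the response depends on the challenge and on a secret the client derives
 * from the password and the server already holds. */
static uint64_t toy_response(uint64_t challenge, uint64_t password_hash) {
    uint64_t h = 0xcbf29ce484222325ULL;
    uint64_t x = challenge ^ password_hash;
    for (int i = 0; i < 8; i++) {
        h ^= (x >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* xorshift64: a deterministic stand-in for the CSPRNG a real server must use. */
static uint64_t next_random(uint64_t *state) {
    uint64_t x = *state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *state = x;
}

struct server {
    uint64_t password_hash;     /* stored credential for the one account in this demo */
    uint64_t current_challenge;
    long     issued_at;         /* simulated clock (seconds); -1 = none issued yet */
    int      reuse_challenge;   /* 1 = vulnerable behaviour, 0 = fresh per connection */
    uint64_t rng_state;
};

/* Hand a challenge to a connecting client. The vulnerable server keeps
 * returning the same one until CHALLENGE_LIFETIME has elapsed. */
static uint64_t server_issue_challenge(struct server *srv, long now) {
    if (srv->reuse_challenge && srv->issued_at >= 0 &&
        now - srv->issued_at < CHALLENGE_LIFETIME)
        return srv->current_challenge;
    srv->current_challenge = next_random(&srv->rng_state);
    srv->issued_at = now;
    return srv->current_challenge;
}

/* Accept the login iff the response matches the challenge this server last issued. */
static int server_verify(const struct server *srv, uint64_t challenge, uint64_t response) {
    return challenge == srv->current_challenge &&
           response == toy_response(challenge, srv->password_hash);
}

/* Run the attack: a legitimate client logs in at t=0 while a sniffer records the
 * response; `delay` seconds later the sniffer connects and replays it.
 * Returns 1 if the replay is accepted, 0 if rejected, -1 if the honest login
 * itself failed (should not happen). */
static int replay_attack(int server_reuses_challenge, long delay) {
    struct server srv = {
        .password_hash     = 0x0123456789abcdefULL,   /* constructed test credential */
        .current_challenge = 0,
        .issued_at         = -1,
        .reuse_challenge   = server_reuses_challenge,
        .rng_state         = 0x9e3779b97f4a7c15ULL,
    };
    uint64_t c1 = server_issue_challenge(&srv, 0);
    uint64_t r1 = toy_response(c1, srv.password_hash);  /* the real client knows the password */
    if (!server_verify(&srv, c1, r1)) return -1;        /* sanity: honest login works */
    uint64_t sniffed = r1;                               /* what the eavesdropper keeps */

    uint64_t c2 = server_issue_challenge(&srv, delay);   /* attacker connects later */
    return server_verify(&srv, c2, sniffed);             /* replays without the password */
}

int main(void) {
    printf("reuse, replay after 5 min : %s\n", replay_attack(1, 5 * 60) ? "ACCEPTED" : "rejected");
    printf("reuse, replay after 16 min: %s\n", replay_attack(1, 16 * 60) ? "ACCEPTED" : "rejected");
    printf("fresh, replay after 5 min : %s\n", replay_attack(0, 5 * 60) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The only difference between the two server behaviours is whether `server_issue_challenge` draws a new random value on every connection; with reuse on, the replay is accepted anywhere inside the 15-minute window and rejected only once the window has passed.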

tripwire trips
Apparently a longstanding bug in Tripwire (and well known in some circles) was in the routine that converts control characters to octal escapes (i.e., ^A becomes \001) for display output.  It handed each byte to C's iscntrl() macro as a plain char.  Two things go wrong for bytes in the range 128-255.  First, the ctype classification is locale-dependent, and in some 8-bit locales iscntrl() reports part of that range (the C1 controls) as control characters, which is not what most people expect and which Tripwire's escaping did not anticipate.  Second, and worse, most compilers define char as a signed value ranging from -128 to 127, so bytes 128-255 become their negative twins, and iscntrl(), which is typically a table lookup indexed by its argument, reads before the start of the table.  (Passing anything other than an unsigned char value or EOF to the <ctype.h> functions is undefined behaviour in C; the fix is to cast to unsigned char first.)  The result was core dumps, but no known exploits.

problematic web server logging
Apparently Apache's logging format leaves something to be desired: the request line goes into the access log as it was received, and since a CGI can be invoked with any method name (including one containing control characters), a malicious user can create misleading log entries by embedding backspaces and the like in the method name.  Viewed on a terminal, the backspaces erase what precedes them, so the log appears to show a different request than the one that was actually made.  The fix is to escape non-printable bytes from the request before they reach the log.
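Both the Tripwire item and the Apache item come down to the same routine: turn control characters into octal escapes, and index the ctype table with an unsigned value while doing it.  The following is an added example written for this summary, not code from Tripwire or Apache.  `signed_char_value` shows what a high byte becomes without the cast, `escape_ctrl` is the escaper with the cast in place (it also escapes bytes >= 0x80 and doubles backslashes, which are my choices, not Tripwire's), and `format_log_entry` applies it to a constructed request line with backspaces smuggled into the method name.  The function names and the log layout are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What a byte >= 0x80 becomes when stored in a (signed) char and then promoted
 * to int: 0x81 is -127, 0xff is -1. Those are the "negative twins" that end up
 * indexing the ctype table when the cast is missing. (The narrowing conversion
 * is implementation-defined; every common ABI wraps modulo 256 as shown.) */
static int signed_char_value(unsigned char byte) {
    return (int)(signed char)byte;
}

/* Escape s into out so that only printable ASCII remains: bytes iscntrl()
 * reports as control characters, and bytes >= 0x80, become \ooo octal escapes
 * (^A -> \001, DEL -> \177, 0x81 -> \201); a literal backslash doubles so the
 * output stays unambiguous. Returns the escaped length, or -1 if out is too
 * small. The unsigned char cast is the whole fix for the Tripwire bug: with it
 * iscntrl() is handed 129 for byte 0x81, not -127. */
static int escape_ctrl(const char *s, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        unsigned char uc = *p;                 /* 0..255, a valid ctype argument */
        if (iscntrl(uc) || uc >= 0x80) {
            if (n + 4 >= outsz) return -1;     /* 4 chars plus the terminator */
            snprintf(out + n, outsz - n, "\\%03o", uc);
            n += 4;
        } else if (uc == '\\') {
            if (n + 2 >= outsz) return -1;
            out[n++] = '\\';
            out[n++] = '\\';
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)uc;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* The logging side of the Apache item: format one access-log entry with the
 * request line escaped first, so backspaces or CR/LF smuggled in via the method
 * name cannot rewrite what an administrator sees in the log. Returns the entry
 * length or -1 on overflow. */
static int format_log_entry(const char *client, const char *request_line,
                            int status, char *out, size_t outsz) {
    char safe[1024];
    if (escape_ctrl(request_line, safe, sizeof safe) < 0) return -1;
    int n = snprintf(out, outsz, "%s \"%s\" %d", client, safe, status);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void) {
    char line[256];
    /* Constructed request line: "GET", three backspaces, then "POST" */
    const char *bogus = "GET\b\b\bPOST /cgi-bin/x HTTP/1.0";
    printf("raw    : %s\n", bogus);      /* on a terminal the backspaces hide "GET" */
    format_log_entry("10.0.0.1", bogus, 200, line, sizeof line);
    printf("escaped: %s\n", line);
    printf("0x81 as a signed char: %d\n", signed_char_value(0x81));
    return 0;
}
```

Escaping at the point where untrusted bytes enter the log, rather than when the log is read, is what keeps every later consumer (terminal, grep, log analyser) from being fooled the same way.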

l0phtcrack holes
A group called L0pht posts a lot of security advisories to Bugtraq and also makes a program called L0phtcrack, a password cracker used for "security checking".  Unfortunately it included a few obvious bugs, such as /tmp race conditions (creating a predictably named file in a world-writable directory, which lets a local attacker plant a symlink at that name and redirect the write to a file of their choosing), so a new version was released.
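The /tmp race is a class of bug rather than a single typo, so here is an added example (mine, not L0phtcrack's code) of the racy pattern beside the hardened one.  The directory, the name tag and the function names are assumptions; the point is that the safe version creates the file in one atomic O_EXCL step with an unpredictable name and then verifies what it got.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE: the classic pattern. The name is predictable (a local user can
 * guess the pid), the directory is world-writable, and there is a window
 * between the existence check and the open. An attacker who wins the race by
 * planting a symlink at the path gets this program (running as another user,
 * or as root) to truncate and write whatever the link points at. */
static int tmpfile_racy(const char *dir, const char *tag, char *path, size_t pathsz) {
    if (snprintf(path, pathsz, "%s/%s.%ld", dir, tag, (long)getpid()) >= (int)pathsz)
        return -1;
    if (access(path, F_OK) == 0)                 /* "does it exist?" ...        */
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);   /* ... then open: two steps */
}

/* HARDENED: mkstemp() picks an unpredictable suffix and creates the file with
 * O_CREAT|O_EXCL and mode 0600 in a single atomic step, so a pre-planted symlink
 * or file makes creation fail instead of being followed. The fstat() afterwards
 * confirms we hold a regular file with exactly one link. Returns the descriptor
 * (path is filled in with the name actually created) or -1. */
static int tmpfile_safe(const char *dir, const char *tag, char *path, size_t pathsz) {
    struct stat st;
    if (snprintf(path, pathsz, "%s/%sXXXXXX", dir, tag) >= (int)pathsz)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

int main(void) {
    char path[4096];
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";

    int fd = tmpfile_racy(dir, "lc", path, sizeof path);
    if (fd >= 0) {
        printf("racy : %s (guessable name, check-then-open)\n", path);
        close(fd);
        unlink(path);
    }
    fd = tmpfile_safe(dir, "lc", path, sizeof path);
    if (fd < 0) { perror("tmpfile_safe"); return 1; }
    printf("safe : %s (random suffix, O_EXCL, mode 0600)\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

Note that the racy version is not fixed by checking with lstat() instead of access(): any check that is separate from the create leaves the same window.  Only the atomic exclusive create closes it.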

solaris ff.core hole
This one is really convoluted.  If, on Solaris, your /vol is writable by everyone (which may depend on vold running, since my desktop's /vol is not world-writable, though I've killed off vold so I can play audio CDs), you can use symlinks to make ff.core rename any file on the system.  Here are the commands you'd type:
    ln -fs $A /vol/rmt/diskette0
    /usr/openwin/bin/ff.core -r /vol/rmt/diskette0/$B $C /floppy/
$A is the directory containing the file you want to rename.  $B is the path of that file relative to $A; it can be in any subdirectory of $A, but not above it (no ".." allowed).  $C is the new name for the file, which must stay within $A (no directory changes allowed).

Now that you can rename files, rename /usr/bin/sh to /usr/bin/admintool.  /usr/sbin/swmtool is a symlink to admintool, so rename /usr/sbin/swmtool to /usr/sbin/in.rlogind.  Now in.rlogind, which inetd starts as root whenever a connection arrives on the rlogin port, resolves to sh, so you can telnet to the machine's login port and get a root shell.  Clever.  Sun has a patch that does not fix the bug.  It seems to exist in Solaris 2.6 and "7" (2.7).

no bugfix award for 1998
This wasn't on BugTraq, but Greg forwarded it to me and it's definitely relevant.  BugNet found that no software deserved the bugfix award for the year, because in general software had gotten worse.  The URL also includes a hilarious story of their dealings with Microsoft in trying to make the ill-devised "FrontPage 98" work -- or at least not erase their files.
http://www.bugnet.com/analysis/no_award.html

buffer overflows