Subject: RESEND: SANS Windows Security Digest Vol. 3 Num. 2
From: The SANS Institute (sans@sans.org)
Date: Wed Mar 01 2000 - 08:43:58 CST


This is a resend of the digest. Thousands (tens of thousands?) of people
failed to receive a copy because the spooling filesystem filled. That
filesystem also kept the logfiles, so I can't determine who received
the digest and who didn't. This version is identical to that sent out
about 14 hours ago. Sorry for the interruption if you were among the
lucky ones who received the digest the first time.

                                                        RK

**************************************************************************

                    The SANS Windows Security Digest
       A Resource for Computer and Network Security Professionals
                           Volume 3, Number 2
                            February 29, 2000

               Dr. Jesper M. Johansson (Boston University)
                                 Editor

Editorial Board:
     Dr. Matt Bishop (Univ. California, Davis)
     Jeff Brown (Merrill Lynch)
     Phil Cox (SystemExperts Corp.)
     Mark T. Edmead (IBM Global Security Services)
     Chris Lalka (Exxon)
     Steve Lewis (GRCI)
     Eric Maiwald (Fortrex)
     Rob Marchand (Array Systems),
     Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)

Copyright (c) 2000 The SANS Institute. All rights reserved.

You may forward this issue to your co-workers and encourage them to
subscribe. To do so, send a note with the subject "NT Digest" to
digest@sans.org

**********************************************************************

A lot of things happened this month. Most importantly, of course, is
that the SANS NT Digest changed its name to the Windows Security Digest.
In other developments, Microsoft released eight new or updated security
bulletins, Allaire released two, and a fairly large number of
vulnerabilities were found in various Microsoft software as well as
software from other vendors.

Oh, I almost forgot, Microsoft released Windows 2000, nee Windows NT
5.0. On that note, we have divided the issues with Microsoft software
into a few sections this month. Since most of you are probably only
evaluating Windows 2000 at this point, we thought it prudent to keep
issues affecting only Windows 2000 separate from those affecting all
Microsoft software. That will save you some reading if you do not care
about Windows 2000-specific bugs at this point. Keep in mind, however,
that issues listed under "All/Other Microsoft Software Issues" may also
affect Windows 2000, in addition to other MS software.

JMJ

**********************************************************************

                       Table of Contents

1. Microsoft Security Bulletins

1.1 MS00-004 - Patch: "RDISK Registry Enumeration File" Vulnerability
1.2 MS00-006 - Patch: "Malformed Hit-Highlighting Argument" Vulnerability
1.3 MS00-007 - Patch: "Recycle Bin Creation" Vulnerability
1.4 MS00-009 - Patch: "Image Source Redirect" Vulnerability
1.5 MS00-010 - Patch: "Site Wizard Input Validation" Vulnerability
1.6 MS00-011 - Patch: "VM File Reading" Vulnerability
1.7 MS00-012 - Patch: "Remote Agent Permissions" Vulnerability
1.8 MS00-013 - Patch: "Misordered Windows Media Services Handshake"
                       Vulnerability

2. Virus warnings
2.1 Some virus programs fail to scan Recycle Bin
2.2 Distributed Denial of Service trojans can run on Windows based
    operating systems

3. Microsoft Software Issues

3.1 IE Issues
3.2 Microsoft Java Virtual Machine allows reading of local files
3.3 CERT cross-site scripting vulnerability bulletin
3.4 Windows 2000 Only (Note, these are issues that affect only Windows
    2000. Win2K may also be affected by issues listed under All/Other
    Microsoft Software Issues below)
3.4.1 Issues with junction points on Win2K domain controllers
3.4.2 Win2K administrative shares world accessible during installation
3.4.3 Win2K windowstation vulnerability
3.4.4 Win2K versus Office Server Extensions data corruption problem
3.4.5 Application compatibility update and Iomega tools update
3.4.6 Do not use passwords beginning with * during unattended setup
3.4.7 Circumventing blocked inherited rights in Active Directory
3.4.8 Users can exceed quotas

3.5 All/Other Microsoft Software Issues
3.5.1 Keep workstations from giving up domain Security Identifiers - Win2K Tip
3.5.2 Microsoft Server Extensions disclose IUSR account name and physical paths
3.5.3 Index Server may still be vulnerable to unauthorized file access
3.5.4 Active Server Pages - include files vulnerability
3.5.5 Crash in inetinfo.exe from invalid e-mail file name
3.5.6 MS Active Setup will silently install signed components from Microsoft
3.5.7 Autorun vulnerability

4. Third-party software issues
4.1 Buffer overflows discovered this month
    Many buffer overflows are discovered each month. We report the ones
    we know about here. In addition, we have tried to give you a little
    more information in a concise format. To that end, certain items
    are marked with a # or sign. A # sign means that an exploit for
    this issue is publicly available. An sign means that a fix is
    available currently. We have also, in some cases, included a URL
    after the item. That URL points to either a fix, if one is available,
    or to the vendor's web-site, if we know it.
* #Tiny FTPd 0.52 beta3
* # War-ftpd 1.66x4s and 1.67-3 (http://war.jgaa.com/alert/)
* #Serv-U FTP-Server v2.5b (http://ftpserv-u.deerfield.com/)
* # Internet Anywhere Mail Server Ver.3.1.3
* #BTT Software's SNMP Trap Watcher 1.16 (http://www.bttsoftware.co.uk/)
* #Timbuktu Pro 2.0b650 (http://www.netopia.com/software/tb2/)
* #InterAccess TelnetD Server 4.0 (Fixed in a new version:
   http://www.pragmasys.com/TelnetD/)
* # TrendMicro OfficeScan 3.5 (http://www.trendmicro.com)

4.2 New DDOS defense tool from Simple Nomad
4.3 Allaire Security Bulletin ASB00-04: Patch Available for Allaire
    Spectra 1.0 Security Authentication System
4.4 ASB00-05: Cross-Site Scripting Vulnerability Information for Allaire
    Customers
4.5 Many web shopping carts vulnerable to form tampering to change price
4.6 EZ Shopper 3.0 allows remote command execution
4.7 surfControl web filter fails to filter sites with period appended
4.8 Lexmark printer drivers fix BSOD in Terminal Server
4.9 Webspeed can be hacked through messenger administration tool
4.10 Zeus web server code exposure vulnerability
4.11 MySQL allows unauthenticated access
4.12 WWWThreads privilege elevation vulnerability
4.13 Ability to open communication on arbitrary port to FTP server behind
     Firewall-1
4.14 Veritas Manage Exec report service pack 5 incorrectly
4.15 BAT file vulnerability in SAMBAR web and ftp server

5. Tip of the month: Use terminal services to administer Windows 2000
                     remotely

=======================================================================

1. Microsoft Security Bulletins

1.1 MS00-004 - Patch Available for "RDISK Registry Enumeration File"
               Vulnerability

After taking considerable flak (from, among others, the Digest editorial
board), Microsoft has posted fixes for the RDISK registry enumeration
file vulnerability for all vulnerable platforms this month. This
vulnerability, which was reported in January, exposes the registry files,
including the SAM database in improperly controlled temporary files
while RDISK runs.

The fixes are available at:

* Windows NT 4.0 Server, Terminal Server Edition:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384

* All Other Intel-based NT 4.0 versions
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17745

* All Other Alpha-based NT 4.0 versions
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17747

For more information see:
* Microsoft Security Bulletin MS00-004
  http://www.microsoft.com/technet/security/bulletin/MS00-004.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-004
  http://www.microsoft.com/technet/security/bulletin/fq00-004.asp
* Microsoft Knowledge Base (KB) article Q249108 "Registry Data Is Viewable
  By All Users After Rdisk Repair Update"
  http://www.microsoft.com/technet/support/kb.asp?ID=249108.
* Microsoft Knowledge Base (KB) article Q156328 "Description of Windows
  NT Emergency Repair Disk"
  http://www.microsoft.com/technet/support/kb.asp?ID=156328

1.2 MS00-006 - Patch Available for "Malformed Hit-Highlighting Argument"
               Vulnerability

This bulletin, originally released in January, announces an updated
version of the Index Server fix for Windows 2000. The new fix is
functionally equivalent to the one posted in January. However, it is
packaged in a different hotfix installation package. The new package
improves the inventory comments for hotfixes to make it easier to
determine which hotfixes have been installed. It also determines the
user's language settings and input locale to install the proper hotfix
and it is compatible with the new Windows File Protection feature of
Windows 2000. This new packaging is applicable only to Windows 2000.

The new Windows 2000 fix is available at:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

For more information, see:

* The January SANS NT Digest
* Microsoft Security Bulletin MS00-006
  http://www.microsoft.com/technet/security/bulletin/MS00-006.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-006
  http://www.microsoft.com/technet/security/bulletin/fq00-006.asp.
* Microsoft Knowledge Base (KB) article Q251170 "Malformed Argument in
  Hit-Highlighting Request Allows Access to Web Server Files"
  http://www.microsoft.com/technet/support/kb.asp?ID=251170.
* Microsoft Knowledge Base (KB) article Q252463 "Index Server Error
  Message Reveals Physical Location of Web Directories
  http://www.microsoft.com/technet/support/kb.asp?ID=252463.

1.3 MS00-007 - Patch Available for "Recycle Bin Creation" Vulnerability

This bulletin announces a patch for a vulnerability regarding how the
recycle bin is created. Arne Vidström and Nobuo Miwa discovered the
problem.

The recycle bins are stored under <systemdrive>\recycler, for example
c:\recycler. Inside that folder are a number of sub-folders, identified
by the Security Identifier (SID) of the user they belong to. If a
malicious user logs on before some other users, the malicious user can
create these folders for other users and grant permissions on them. That
alone will not let the malicious user read files that the other users
have thrown away. However, the malicious user could delete these files,
and even replace them with different files of his/her choosing. Now
imagine that a malicious user creates a recycle bin for an administrator.
If the administrator moves an executable to the recycle bin, the malicious
user could possibly get to replace that executable with a Trojan. If
the administrator then restores the executable and runs it, the Trojan
will be executed in the administrator's security context.

There are a lot of things that must happen for this to be a serious
problem, not the least of which is that the system must be set to store
files in the recycle bin. For security reasons, files should be scrubbed
when they are deleted, not moved to a different directory. In addition,
the machine must be available to multiple users, or the malicious user
must be able to access the recycle bin from the network. For example,
this could be a problem in a student laboratory environment. In most
cases, unless a remote user can map the system drive, this is a problem
where multiple users have local access.

Vulnerable versions include:
* Windows NT 4.0 Workstation
* Windows NT 4.0 Server
* Windows NT 4.0 Server Enterprise Edition
* Windows 2000 Professional (although Microsoft has not acknowledged
  this, the discoverers reported that it was vulnerable)

Windows NT 4.0 Server Terminal Server Edition is not vulnerable. In
addition, it is unknown whether Windows 2000 Server editions are
vulnerable since they include the terminal services.

The patches for NT 4.0 can be downloaded as follows:

* Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17606
* Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17607

For more information see:
* Microsoft Security Bulletin MS00-007
  http://www.microsoft.com/technet/security/bulletin/MS00-007.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-007
  http://www.microsoft.com/technet/security/bulletin/fq00-007.asp
* Microsoft Knowledge Base (KB) article Q248399 "Shared Workstation
  Setup may Permit Access to Recycle Bin Files"
http://www.microsoft.com/technet/support/kb.asp?ID=248399

1.4 MS00-009 - Patch Available for "Image Source Redirect" Vulnerability

This bulletin announces the release of a patch for Internet Explorer
4.x and 5.x. The vulnerability fixed in this patch could allow a malicious
web site operator to read local files. The vulnerability is what Georgi
Guninski reported in January as "Circumventing Cross-Frame security
possible."

In this vulnerability, the malicious site would open a window to a file
local to the user. This is allowed, and the file has to be viewable in
a web browser. The malicious site would then re-direct that window to
a page in its own domain. During this re-direct, the old contents of
the window - the local file - has not yet been classified and is available
to the remote site.

Microsoft has acknowledged that this vulnerability affects the following
versions:
* Microsoft Internet Explorer 4.0 and 4.01 running on Windows NT 4.0
  and Windows 9x
* Microsoft Internet Explorer 5 and 5.01 running on Windows NT 4.0 and
  Windows 9x

This issue also affects Windows 2000. However, Microsoft has not
acknowledged this and no fix is provided for Windows 2000 yet.

The fixes are available as follows:
* http://windowsupdate.microsoft.com
* http://www.microsoft.com/windows/ie/security/patch5.asp

For more information see:
* Microsoft Security Bulletin MS00-009
  http://www.microsoft.com/technet/security/bulletin/MS00-009.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-009
  http://www.microsoft.com/technet/security/bulletin/fq00-009.asp
* No KBase article is available yet

1.5 MS00-010 - Patch Available for "Site Wizard Input Validation"
               Vulnerability

This patch eliminates a vulnerability in applications based on Microsoft
Site Server, Commerce Edition (SSCE). Two of the sample applications that
come with SSCE and one wizard that comes with it fail to validate SQL
statements before passing them to the database. An attacker could provide
entire SQL statements in place of the parameters that are expected, and
these would be executed against the database. The attacker could thereby
gain access to sensitive data in the database.

This vulnerability is strikingly similar to the WWWThreads vulnerability
discussed in section 4.11 below. Any SQL interface that does not validate
the user input is susceptible to this kind of attack. If the SQL statement
is constructed from form input, and one of the fields is expected to be
numeric, it is absolutely critical that the form input is validated to
be numeric. It is trivial to pass SQL statements as part of a form field.

The affected web applications are:
* Volcano Coffee Sample Site
  o product.asp
* Custom-Site (created by Site Builder Wizard)
  o product.ast

The fix for this issue is available at
http://www.microsoft.com/downloads/Release.asp?ReleaseID=18767

For more information please see

* Microsoft Security Bulletin MS00-010
  http://www.microsoft.com/technet/security/bulletin/MS00-010.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-010
  http://www.microsoft.com/technet/security/bulletin/fq00-010.asp
* Microsoft Knowledge Base Article "Potential Security Vulnerability
  Due to Unvalidated Variable in Wizard and Some Sample Sites"
  http://www.microsoft.com/technet/support/kb.asp?ID=252614

1.6 MS00-011 - Patch Available for "VM File Reading" Vulnerability

This bulletin announces an update to the Microsoft Virtual Machine for
Java. The virtual machine has a vulnerability that allows code executed
in it to escape the Java sandbox and read files on the local machine.
The vulnerability affects most versions of Internet Explorer that allow
Java to be executed.

You can determine whether a specific installation is vulnerable by
executing the JView command from a command prompt. You will get a screen
where the first few lines look like:

C:\WINNT>jview
Microsoft (R) Command-line Loader for Java Version 5.00.3229
Copyright (C) Microsoft Corp 1996-1999. All rights reserved.

The version number consists of a major version number, followed by minor
version, followed by build number. In the case above, the major version
is 5, the minor version is 00, and the build number is 3229. The following
build numbers are vulnerable (regardless of version number):
* 2000-2444
* 3000-3190
* 3229-3234

Thus, the version shown in the printout above is vulnerable.

The virtual machine ships with a number of vehicles, including the
operating system and Internet Explorer. Builds 2xxx ship with IE 4.x.
Builds 30xx and 31xx ship with IE 5.0, and builds 32xx ship with IE 5.01
and Windows 2000.

Patches are available as follows:
* 2000 series builds: http://www.microsoft.com/java/vm/dl_vmsp2.htm
* 3100 series builds: http://www.microsoft.com/java/vm/dl_vm32.htm
* 3200 series builds: http://www.microsoft.com/java/vm/dl_vm40.htm
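The build-number check above, as an added example (not Microsoft's tooling): it parses the jview banner, tests the build against the three vulnerable ranges, and returns the patch page the digest lists for that build series. Mapping the whole 3000-3190 range to the "3100 series" patch page is an assumption made here.

```python
import re

# Vulnerable build ranges from MS00-011 as listed in the digest, paired with
# the patch page the digest lists for that build series. Mapping the whole
# 3000-3190 range to the "3100 series" patch is an assumption made here.
VULNERABLE_BUILDS = [
    ((2000, 2444), "http://www.microsoft.com/java/vm/dl_vmsp2.htm"),
    ((3000, 3190), "http://www.microsoft.com/java/vm/dl_vm32.htm"),
    ((3229, 3234), "http://www.microsoft.com/java/vm/dl_vm40.htm"),
]

# Matches the "Version 5.00.3229" fragment of the jview banner line.
BANNER_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_jview_banner(banner):
    """Return (major, minor, build) from the first lines of jview's output."""
    match = BANNER_RE.search(banner)
    if match is None:
        raise ValueError("no 'Version X.YY.ZZZZ' string found in jview output")
    major, minor, build = (int(x) for x in match.groups())
    return major, minor, build


def patch_url_for_build(build):
    """Return the patch URL if the build is in a vulnerable range, else None."""
    for (low, high), url in VULNERABLE_BUILDS:
        if low <= build <= high:
            return url
    return None


def check_jview(banner):
    """Classify one machine's jview banner; only the build number matters."""
    major, minor, build = parse_jview_banner(banner)
    url = patch_url_for_build(build)
    return {
        "version": "%d.%02d.%d" % (major, minor, build),
        "build": build,
        "vulnerable": url is not None,
        "patch": url,
    }


# The banner from the digest's own printout (vulnerable build 3229).
SAMPLE_BANNER = """C:\\WINNT>jview
Microsoft (R) Command-line Loader for Java Version 5.00.3229
Copyright (C) Microsoft Corp 1996-1999. All rights reserved.
"""

if __name__ == "__main__":
    result = check_jview(SAMPLE_BANNER)
    if result["vulnerable"]:
        verdict = "VULNERABLE, patch at " + result["patch"]
    else:
        verdict = "not in a vulnerable range"
    print("build %d: %s" % (result["build"], verdict))
```

On a real machine, pipe the output of `jview` into check_jview instead of using the sample banner.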

For more information see:

* Microsoft Security Bulletin MS00-011
  http://www.microsoft.com/technet/security/bulletin/MS00-011.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-011
  http://www.microsoft.com/technet/security/bulletin/fq00-011.asp
* Microsoft Knowledge Base (KB) article Q253562 "VM File Reading Security
  Vulnerability"
  http://www.microsoft.com/technet/support/kb.asp?ID=253562

1.7 MS00-012 - Patch Available for "Remote Agent Permissions" Vulnerability

This bulletin announces a patch for the SMS remote control vulnerability
that was reported in the January Digest. The issue is that no Access
Control List is applied to the remote control executable on client
machines. That means that unprivileged users can replace it with a
trojan. When the administrator connects to the client for remote control,
the trojan would execute.

This vulnerability affects SMS 2.0. Patches are available as follows:
* Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18498
* Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18499

For more information see:
* Microsoft Security Bulletin MS00-012
  http://www.microsoft.com/technet/security/bulletin/MS00-012.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-012
  http://www.microsoft.com/technet/security/bulletin/fq00-012.asp
* No knowledge base article is available on this issue

1.8 MS00-013 - Patch Available for "Misordered Windows Media Services
               Handshake" Vulnerability

There is a vulnerability in the Windows Media Services that could allow
a client to remotely crash the Windows Media Server.

When a client connects to a Windows Media Server the client software
performs a handshake routine with the server. This handshake routine is
structured such that certain components have to initialize before
dependent components can initialize. However, an attacker could re-order
the handshake procedure such that a dependent component initializes
prior to its dependencies. This would cause the Media Services to crash
on the server.

This vulnerability affects Windows Media Services 4.0 and 4.1. However,
the patch is available only for version 4.1. Media Servers running
Windows NT 4.0 need to be upgraded to Media Services 4.1 prior to being
patched. That upgrade is available at
http://www.microsoft.com/windows/windowsmedia/.

The patches are available at:

* Windows NT Server 4.0
  http://download.microsoft.com/download/winmediatech40/Update/4954/NT4/EN-US/WMSU4954_NT4.EXE
* Windows 2000 Server
  http://download.microsoft.com/download/winmediatech40/Update/4954/NT5/EN-US/WMSU4954_Win2000.EXE

For more information see:

* Microsoft Security Bulletin MS00-013
  http://www.microsoft.com/technet/security/bulletin/MS00-013.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-013
  http://www.microsoft.com/technet/security/bulletin/fq00-013.asp
* Microsoft Knowledge Base (KB) article Q253943 "Misordered Windows
  Media Services Handshake Vulnerability"
  http://www.microsoft.com/technet/support/kb.asp?ID=253943

2. Virus warnings
2.1 Some virus programs fail to scan Recycle Bin

Certain virus programs fail to scan files stored in the Windows recycle
bin. This could allow a virus to be stored there and escape detection by
the scanner. For example, it appears that Symantec's Norton AntiVirus
versions prior to 7.0 and Network Associates VirusScan are vulnerable.
In some versions, recycle bin scanning can be turned on. To test a
specific system, obtain the EICAR test file from
http://www.eicar.com/anti_virus_test_file.htm.

2.2 Distributed Denial of Service trojans can run on Windows based
    operating systems

A series of distributed denial of service attacks launched against sites
such as Amazon.com, Buy.com, eBay, E*Trade, CNN, Yahoo!, and Zdnet took
a heavy toll. These sites, as well as others that were attacked,
experienced outages due to crashed web servers, causing disruption in
ongoing e-business activity. Financial loss estimates varied so widely
that it was difficult to determine which were and were not accurate.
Victim platforms included Solaris, Linux, Windows NT and other systems.
Several newspapers inaccurately reported that certain organizations knew
of impending attacks and specific victims that were targeted, but did
not forewarn the victim organizations. For measures that counter DDOS
attacks, visit:
                   http://www.sans.org/giac.htm
Be aware that many of the tools used for these attacks do run on Windows
based operating systems. For example, the ISS X-Force has an advisory
about a trin00 for Windows program. The advisory is available at
http://xforce.iss.net/alerts/advise44.php3. However, determining exactly
what is listening on a Windows platform is not simple. There is a write
up at http://www.sans.org/y2k/finding.htm about a tool that helps you
identify which services are listening on which ports.

3. Microsoft Software Issues

3.1 IE Issues
3.2 Microsoft Java Virtual Machine allows reading of local files

This issue was reported in section 1.6 above.

3.3 CERT cross-site scripting vulnerability bulletin

CERT issued an advisory regarding the possibility for attackers to inject
scripts into a web site. This script would then be passed on to
unsuspecting users visiting that site. This could be exploited in several
ways. For example, an attacker can construct an HTML link to a dynamically
generated page on a "trusted" site. The link itself could contain a
script statement. When an unsuspecting user clicks the link, the trusted
site would generate a page containing the script and send it to the
victim who, presumably, would allow it to execute since "it came from
the trusted site."

Note that although certain caution is typically taken when users are
visiting web sites, the ability to construct such a link and send it in
an e-mail makes this vulnerability extremely dangerous. An attacker can
construct the link and put it in an HTML formatted e-mail. If the victim
clicks the link from the e-mail the "trusted" site will send the script
back to the victim.

Web site developers need to ensure that the dynamic page generators do
not return user-submitted code to the user. Users should be careful when
browsing and avoid e-mail programs that generate and interpret HTML.

For more information see the CERT advisory at
http://www.cert.org/advisories/CA-2000-02.html.

3.4 Windows 2000 Only

Note, these are issues that affect only Windows 2000. Win2K may also be
affected by issues listed under All/Other Microsoft Software Issues,
below

3.4.1 Issues with junction points on Win2K domain controllers

If you are planning to install a Windows 2000 domain controller you
would be well advised to avoid using junction points, also known as
volume mount points, in certain situations. A junction point is
essentially what in UNIX is known as a symbolic link. You can create an
empty directory and then mount a drive to that directory, rather than
assigning it a drive letter. However, putting certain Active Directory
files underneath a junction point will cause the File Replication Service
to fail on the domain controller. This is best explained with the steps
that lead to the problem:
* Install Windows 2000 Server or Advanced Server
* Create a directory called C:\DATA and leave it empty
* Format a blank drive as NTFS and assign it to the C:\DATA mount point.
  You can now access this new drive as C:\DATA
* Run DCPROMO and promote this machine to a domain controller. When
  asked where to put the SysVol directory, put it in C:\DATA (Note: It is
  recommended that the SysVol share is located on a different drive than
  the operating system, the boot partition, to enable it to grow without
  restricting the OS)
* After the reboot, look in the File Replication Service event log. You
  will notice that the file replication service is failing with Event ID
  13515. This is preventing the SYSVOL$ share from being created.

The problem is occurring because certain API calls used by the File
Replication Service fail when the replicated directory is beneath a
junction point. This problem will prevent most normal domain operations.
That also means that you cannot demote the server in question to fix
the problem and move the share. To solve the problem, take the following
steps:
1. Stop the NETLOGON service
2. Edit this registry value:
      Hive: HKEY_LOCAL_MACHINE
      Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      Value: SysVolReady
      Type: REG_DWORD
      Data: It will be shown as 0. Set it to 1
3. Start the NETLOGON service
4. Run DCPROMO on the affected machine and demote it to a server or
   member server

At this point you can create a new drive letter to put SysVol on and
run DCPROMO again to re-promote the computer. Note that if this is the
first or only controller in the domain you will lose any user and computer
accounts you have created on the domain.

3.4.2 Win2K administrative shares world accessible during installation

The C$ share on Windows 2000 points to the C:\, and the ADMIN$ share
points to the %systemroot% directory. These shares are available to
network users during the installation of Windows 2000. Unfortunately,
they are available before the password is applied to the Administrator
account. Consequently, network users can map to the C$ share, for example,
without a password during the operating system setup process.

This vulnerability makes possible various other interesting attacks as
well. For example, an attacker could change the administrator password.
When the machine is rebooted, the new password is used, and the real
administrator cannot log on to the machine. Worse yet, the attacker
could also use this hole to plant a trojan on the system while the OS
is being installed.

UNIX administrators have known for years that the network interfaces
are live while the OS is being installed. It appears that now the same
is true of Windows. Administrators would be prudent to take proper
precautions to ensure that their machines are not compromised during
the OS installation process.

3.4.3 Win2K window station vulnerability

The window station is an object that has a clipboard, and contains some
global objects. When a user logs on at the console, an interactive window
station is created that also contains the keyboard, mouse, and so on.
In NT 4.0, this window station is secured from access by anyone other
than the interactively logged on user. However, Keith Brown, of
develop.com, discovered that in Windows 2000, this window station is
available to non-interactive users. That means that a service can for
example create objects on the interactive window station, or make hooks
into it to trap keystrokes. If a service runs as system, this is to be
expected, since the system user has root access to the OS. However,
apparently services running as less privileged users can also access
the window station of the interactive user. This highlights the importance
of examining all services that are run on a machine. It is not enough
to just run them in the context of unprivileged users.

3.4.4 Win2K versus Office Server Extensions data corruption problem

Microsoft has released a series of updates for Windows 2000 on Windows
Update. One of them is packaged as the "Windows 2000 Critical Update,
February 17, 2000." It contains three fixes:
* An update that fixes a date related problem with non-Gregorian calendars
* The update for the malformed hit-highlighting vulnerability discussed in
  section 1.2 above
* An update that corrects a data corruption problem that could occur when
  users of Office 2000 save HTM files to an Office Server Extensions
  enabled web server

The Office 2000 problem can occur if you are logged on as a client to
a Windows 2000 terminal server and simultaneously attempt to save an
HTM file to a web server. More information on that issue is available
at http://www.microsoft.com/technet/support/kb.asp?ID=252633.

The fixes, packaged in one file, are available on Windows Update:
http://windowsupdate.microsoft.com

3.4.5 Application compatibility update and Iomega tools update

Microsoft also released two more updates for Windows 2000. The first is
an "application compatibility update." This update is designed to make
Windows 2000 more compatible with a host of applications, mostly games.
The second is designed to make the Iomega tools recognize parallel port
drives. Both of these updates are available on Windows Update.

3.4.6 Do not use passwords beginning with * during unattended setup

The unattended installation tools in Windows 2000 fail to properly
recognize passwords that begin with a *. These passwords are incorrectly
interpreted to be blank, and no password is applied while the installation
is being done.

3.4.7 Circumventing blocked inherited rights in Active Directory

A couple of days before the Windows 2000 release, Novell "discovered"
a security flaw in Active Directory. Novell issued a bulletin on the
flaw, unfortunately not before the marketing department got to edit it.
The bulletin is available at
http://www.novell.com/advantage/nds/ad-security.html. The flaw that
Novell discovered is that administrators can reclaim control of objects
they created and subsequently delegated exclusively to someone else.
Consider:

1. An administrator creates an Organizational Unit (OU, a sub-unit of
   an Active Directory domain).
2. The administrator grants full control of the OU to someone else, in
   Novell's example Pete.
3. The administrator removes all other permissions from the OU, including
   his own.
4. The security descriptor on the OU now states that Pete is the only
   principal with any rights at all to the OU.
5. The administrator, although he has no rights listed on the object,
   can still grant himself rights to it.

In Novell's example the owner is never changed. The administrator is
therefore still the owner of the OU, and an owner can always rewrite the
permissions on an object he owns. Even if Pete takes ownership of the OU,
however, the administrator can take it back: members of the Administrators
group hold the "Take ownership of files or other objects" privilege
(SeTakeOwnershipPrivilege), which applies to directory objects regardless
of who created them. Thus, even if Pete holds the only permissions and is
the owner of the OU, the administrator can take ownership and grant
himself permissions again.

This is essentially no different than how Windows NT has worked all
along. Thus, as improper as this may seem, it just means that if we
cannot trust administrators to view certain objects, we need to move
those objects completely out of the administrator's control and into a
separate domain. This is what Microsoft recommended to solve this problem
in their response to the Novell report, available at
http://www.microsoft.com/Windows2000/news/bulletins/novellresponse3.asp.

It is worth noting here that Windows 2000 includes a number of new
groups. One of these is Enterprise Admins. This group has control over
the entire Active Directory forest; in other words, its members are
implicitly trusted with access to any object in that forest. There seems
to be no way to revoke their permissions to any object within the forest,
including domains. Moving security-sensitive objects to a different domain
within the same forest therefore will not keep them beyond the control of
Enterprise Admins; only a separate forest does that.

3.4.8 Users can exceed quotas

A post on BugTraq reported that it is possible for users in Windows 2000
to significantly exceed their disk quotas. They can do this because the
OS allows them to extend an existing file by a very small amount even
when the quota has already been reached. A single extension is negligible,
but by extending a large number of files by a small amount each, the user
can greatly exceed the quota. At this point no official Microsoft response
is known. Early adopters of Windows 2000 would be well advised to monitor
their user directories for a large number of very small files that do not
appear to belong to anything.

3.5 All/Other Microsoft Software Issues
3.5.1 Keep workstations from giving up domain Security Identifiers - Win2K Tip

An attacker can cause a workstation in a domain to obtain information
about the security identifiers used on the domain and send those back
to the attacker. This can be fixed by using a program called fixpol.exe
that sets a DACL on the Local Security Authority. That program was
written by Phil Brass and can be downloaded from the NTBugTraq download
page at http://www.ntbugtraq.com/default.asp?pid=33&sid=1

If you are running Windows 2000, there is another option. Windows 2000
introduces a third value for RestrictAnonymous (NT 4.0 only had 0 and 1).
Setting RestrictAnonymous to 2 blocks null-session access to all objects
that do not carry explicit permissions for the anonymous logon. The
setting lives in the registry at:
        Hive: HKEY_LOCAL_MACHINE
        Key: \SYSTEM\CurrentControlSet\Control\Lsa
        Value: RestrictAnonymous
        Type: REG_DWORD
        Data: 2
Edit CurrentControlSet rather than ControlSet001: ControlSet001 is not
necessarily the control set the machine booted from. The setting can
also be applied using Computer Policy. Open up the MMC and add the Group
Policy snap-in. The Group Policy snap-in can manage a domain or a single
computer, in which case it is called the Local Policy. Once it is added,
navigate to:

Computer Configuration\Windows Settings\Security Settings\Local Policies\
Security Options

where there is a value called "Additional Restrictions for Anonymous
Connections." Set it to "No access without explicit anonymous
permissions."

Test the value 2 before deploying it widely. It also blocks the anonymous
access that Windows NT 4.0 domain controllers, down-level trust
relationships and the Computer Browser service rely on, so a mixed
environment can lose trusts or browse lists once it is applied.

3.5.2 Microsoft Server Extensions disclose IUSR account name and physical
      paths

Cerberus Information Security announced two vulnerabilities in the
Microsoft Server Extensions (both the FrontPage Server Extensions and
the Office Server Extensions are vulnerable). The first vulnerability
discloses the name of the IUSR_<computer name> account when a certain
request is made to the shtml.dll program in the /_vti_bin directory. The
second vulnerability discloses the physical path of the virtual root
when a request is made to the htimage.exe file in the cgi-bin directory.

Microsoft has been notified of these problems, but apparently has no
intention of fixing them until the next version of FrontPage. Note that
the vulnerabilities also affect the version of the FrontPage Server
Extensions that ships with Windows 2000, as well as the Office 2000
Server Extensions. If your sites do not use server-side image maps,
removing htimage.exe from the server is a reasonable workaround for the
path disclosure in the meantime.

3.5.3 Index Server may still be vulnerable to unauthorized file access

Cerberus also released a bulletin about a further vulnerability in Index
Server. The issue is that some IDQ files that ship with Index Server let
the name of the HTX template resolve from a variable rather than a fixed
value:

CiTemplate = %TemplateName%

This allows an attacker to supply the template name in the request. Index
Server also follows .. sequences in that name, so the attacker can break
out of the web root. To make things worse, Index Server truncates the
template name to 260 characters. Even where the template name is required
to end in .htx, an attacker can pad the name so that the .htx falls beyond
the 260-character limit and is cut off before the template is loaded. The
result is that an attacker can read files on the web server outside the
web root.

The fix is to make sure that CiTemplate never resolves from a variable:
examine all your IDQ files and hard-code a template name. If you
absolutely must have the template name come from a variable, you can
mitigate the problem by installing the webhits.dll patch (discussed in
section 1.2 above) and appending .htx to the variable in the IDQ file
(CiTemplate = %TemplateName%.htx). Because of the truncation behaviour
described above, that is weaker than a hard-coded name.

3.5.4 Active Server Pages - include files vulnerability

It was "discovered" this month that Active Server Pages include files
that do not have an .asp extension can be requested directly by a web
browser. Because such files - they typically have an .inc extension -
are not mapped to the ASP engine, IIS serves them as plain text, and all
the code in them is returned to the requestor unexecuted. This is a
source-code exposure problem: connection strings, credentials and
application logic kept in include files become readable by anyone who
can guess their names. Give every file that contains any code whatsoever
an extension that is parsed by the script engine (.asp), or keep include
files outside the web root where IIS cannot serve them. Alternatively,
map the .inc extension to asp.dll in the IIS application mappings so
that a direct request is processed rather than served raw.
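A small audit script for the two conditions in 3.5.3 and 3.5.4, added here as an example; it is not code from the digest, from Cerberus or from Microsoft. It walks a web root, flags .idq files whose CiTemplate resolves from a %Variable%, flags files that contain script blocks but carry an extension IIS serves as plain text, and models the 260-character truncation described in 3.5.3 to show why appending .htx is only a partial fix. The file names and contents are constructed; the set of parsed extensions (.asp, .asa) and the 260-character limit are assumptions taken from the text above.

```python
"""Audit an IIS web root for the two source-exposure conditions above
(added example, not code from the digest or from Cerberus/Microsoft):
  * .idq files whose CiTemplate value resolves from a %Variable%, and
  * include files that contain <% ... %> script blocks but carry an
    extension that IIS does not hand to the ASP engine.
effective_template() models the 260-character truncation the digest
describes.  File names and contents below are constructed."""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

ASP_PARSED = {".asp", ".asa"}          # extensions IIS maps to asp.dll by default (assumption)
MAX_PATH = 260                          # truncation limit the digest attributes to Index Server
CITEMPLATE_RE = re.compile(r"^\s*CiTemplate\s*=\s*(.+?)\s*$", re.I | re.M)
VARIABLE_RE = re.compile(r"%[A-Za-z0-9_]+%")   # %TemplateName% style substitution
ASP_BLOCK_RE = re.compile(r"<%.*?%>", re.S)


def idq_variable_templates(idq_text):
    """CiTemplate values in an .idq body that are resolved from a variable."""
    return [m.group(1) for m in CITEMPLATE_RE.finditer(idq_text)
            if VARIABLE_RE.search(m.group(1))]


def serves_code_as_text(path, text):
    """True when IIS would return this file's script blocks unexecuted."""
    return path.suffix.lower() not in ASP_PARSED and bool(ASP_BLOCK_RE.search(text))


def effective_template(supplied_value, append_htx):
    """Model the resolution the digest describes: take the attacker's value,
    optionally append .htx (the partial mitigation), then truncate to MAX_PATH.
    A padded value pushes the .htx past the limit, so it is cut off."""
    name = supplied_value + (".htx" if append_htx else "")
    return name[:MAX_PATH]


def audit_webroot(root):
    """Walk a web root and return (relative path, finding) pairs."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".idq":
            for value in idq_variable_templates(text):
                findings.append((rel, "CiTemplate resolves from variable " + value))
        elif serves_code_as_text(path, text):
            findings.append((rel, "script block in a file IIS serves as plain text"))
    return findings


# Constructed web root: a variable and a hard-coded .idq, an include file,
# a real .asp page and a harmless text file.
SAMPLE_FILES = {
    "query.idq": "[Query]\nCiColumns=filename,size\nCiTemplate=%TemplateName%\n",
    "fixed.idq": "[Query]\nCiColumns=filename,size\nCiTemplate=/scripts/results.htx\n",
    "db.inc": '<% Set conn = Server.CreateObject("ADODB.Connection") %>\n',
    "page.asp": '<!--#include file="db.inc"--><% Response.Write "ok" %>\n',
    "readme.txt": "no code here\n",
}


def demo():
    """Write the constructed files to a temporary directory and audit it."""
    with TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return audit_webroot(tmp)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
    padded = effective_template("x" * 258, append_htx=True)
    print("padded name still ends in .htx:", padded.endswith(".htx"))
```

Run it with the path of a real web root in place of the temporary directory. On a Windows 2000 server the application mappings in the Internet Services Manager determine which extensions asp.dll actually parses, so adjust ASP_PARSED to match what is configured there.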

3.5.5 Crash in inetinfo.exe from invalid e-mail file name

It is possible to crash the IIS inetinfo.exe executable by storing an
improperly named file in the mailroot\pickup directory. If a file with
a name over a certain limit is placed in that directory, the inetinfo.exe
service crashes. This apparently occurs on Windows NT 4.0, but not on
Windows 2000. It happens because long file names are not supported by
the inetinfo service.

3.5.6 MS Active Setup will silently install signed components from Microsoft

Internet Explorer contains an ActiveX control called Active Setup. It
is used to install software over the Internet. Ordinarily, this control
will prompt the user to install the software. However, Juan Carlos Garcia
Cuartango discovered that this control does not prompt to install certain
software signed by Microsoft. In essence, Microsoft has privileged its
own software so that it will install without asking. The only way to
disable that is to disable ActiveX controls. You can set them to prompt
and then say no if you do not want them to run.

3.5.7 Autorun vulnerability

An old vulnerability with autorun was rediscovered this month. Autorun
is the process of automatically executing the commands in an autorun.inf
file when a disk is mounted. Normally this is used with CDs. However,
at times Windows will process autorun.inf files on other types of drives
as well, such as network shares. This poses a serious security threat,
since a malicious user could place a trojan on a network share and then
get an administrator to map the share, thereby executing the trojan with
the administrator's privileges.

To guard against this, we need to look at the registry values that
control autorun. There are several:

Hive: HKEY_CURRENT_USER
Key: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveTypeAutoRun
Type: REG_DWORD
Default: 0x95 (binary 10010101)

Hive: HKEY_CURRENT_USER
Key: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveAutoRun
Type: REG_DWORD
Default: not present, which excludes no drive letter

Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\Services\Cdrom
Value: Autorun
Type: REG_DWORD
Default: 1; set to 0 to disable autorun for CDs (takes effect after a reboot)

The last value is the one we typically use to disable autorun. However,
it applies to CD-ROM drives only. To truly disable autorun, you need to
look at the previous two values. The first, NoDriveTypeAutoRun, lets you
disable autorun drive type by drive type. Each bit corresponds to one of
the drive types reported by GetDriveType; a bit that is set (1) disables
autorun for that type, and a bit that is clear (0) leaves it enabled:

Bitmask  Constant           Set in default 0x95  Autorun by default
0x01     DRIVE_UNKNOWN      yes                  no
0x02     DRIVE_NO_ROOT_DIR  no                   n/a (no usable volume)
0x04     DRIVE_REMOVABLE    yes                  no
0x08     DRIVE_FIXED        no                   yes
0x10     DRIVE_REMOTE       yes                  no
0x20     DRIVE_CDROM        no                   yes
0x40     DRIVE_RAMDISK      no                   yes
0x80     reserved           yes                  n/a

The default of 0x95 therefore already disables autorun for removable
and remote drives and leaves it enabled for fixed drives, CD-ROMs and
RAM disks. To disable autorun for all drive types, set this to 0x7D
(0xFF does the same and also covers the two unused bits). To disable
autorun for all drive types except CD-ROMs, set it to 0x5D. The same
value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer applies to every user of the machine and takes
precedence over the per-user setting, so that is the place to set it on
shared and administrative workstations. Note that these values govern the
automatic processing of autorun.inf; they do not by themselves stop
Explorer from reading the file for the drive's icon and default
double-click action, so an autorun.inf found on a mapped share should be
treated as suspect regardless of the setting.

NoDriveAutoRun disables autorun for particular drive letters. Bit 0 is
drive A, bit 1 is drive B, and so on up to bit 25 for drive Z; again a
set bit disables autorun and a clear bit leaves it enabled. To disable
autorun for all drive letters, set this to 0x3FFFFFF (all 26 bits). To
disable it for all drive letters except D, clear bit 3, i.e. set it to
0x3FFFFF7. The two masks are applied together: a drive autoruns only if
neither its drive type nor its drive letter is excluded.
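An offline check for the settings in 3.5.1 and 3.5.7, added here as an example; it is not code from the digest or from Microsoft. It parses a registry export in the text form regedit produces, decodes the NoDriveTypeAutoRun and NoDriveAutoRun bitmasks into the drive types and letters that still autorun, and reports where RestrictAnonymous, the two autorun masks and the Cdrom Autorun value differ from what these sections recommend. The export text is constructed; the key paths and thresholds are the ones given above, and treating an absent NoDriveTypeAutoRun as 0x95 follows the default stated in 3.5.7.

```python
"""Offline audit of the hardening values discussed in 3.5.1 and 3.5.7
(RestrictAnonymous and the autorun controls) against a registry export in
the text form regedit produces.  Added example, not code from the digest
or from Microsoft.  The export below is constructed; the thresholds
(RestrictAnonymous=2, NoDriveTypeAutoRun=0x7D, NoDriveAutoRun=0x3FFFFFF,
Cdrom\\Autorun=0) are the values the digest recommends."""

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CDROM_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom"

# NoDriveTypeAutoRun bits (GetDriveType constants); a set bit disables autorun.
DRIVE_TYPE_BITS = [(0x01, "DRIVE_UNKNOWN"), (0x04, "DRIVE_REMOVABLE"),
                   (0x08, "DRIVE_FIXED"), (0x10, "DRIVE_REMOTE"),
                   (0x20, "DRIVE_CDROM"), (0x40, "DRIVE_RAMDISK")]
DEFAULT_TYPE_MASK = 0x95          # Windows 2000 default when the value is absent
ALL_TYPES = 0x7D                  # every drive type above disabled
ALL_LETTERS = (1 << 26) - 1       # 0x3FFFFFF: drives A through Z disabled

# Constructed regedit export (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoDriveAutoRun"=dword:03fffff7

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"Autorun"=dword:00000001
"""


def parse_reg(text):
    """Return {(key, value_name): int} for every dword value in a .reg export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and "=dword:" in line:
            name, _, data = line.partition("=")
            values[(key, name.strip('"').lower())] = int(data.split(":", 1)[1], 16)
    return values


def lookup(values, key, name):
    """Case-insensitive fetch of one dword; None when the value is absent."""
    return values.get((key.lower(), name.lower()))


def enabled_drive_types(mask):
    """Drive types whose NoDriveTypeAutoRun bit is clear, i.e. still autorun."""
    return [name for bit, name in DRIVE_TYPE_BITS if not mask & bit]


def enabled_drive_letters(mask):
    """Drive letters whose NoDriveAutoRun bit is clear (bit 0 = A ... bit 25 = Z)."""
    return [chr(ord("A") + i) for i in range(26) if not mask & (1 << i)]


def audit(values):
    """Compare the parsed values with the digest's recommendations."""
    findings = []
    ra = lookup(values, LSA_KEY, "RestrictAnonymous")
    if ra is None or ra < 2:
        findings.append(f"RestrictAnonymous={ra}: set to 2 on Windows 2000 "
                        "(NT 4.0 supports at most 1)")
    type_mask = lookup(values, EXPLORER_KEY, "NoDriveTypeAutoRun")
    type_mask = DEFAULT_TYPE_MASK if type_mask is None else type_mask
    enabled = enabled_drive_types(type_mask)
    if enabled:
        findings.append(f"NoDriveTypeAutoRun=0x{type_mask:02X} still autoruns "
                        f"{', '.join(enabled)}: set 0x{ALL_TYPES:02X} "
                        "(0x5D to keep CD-ROMs)")
    letter_mask = lookup(values, EXPLORER_KEY, "NoDriveAutoRun") or 0
    letters = enabled_drive_letters(letter_mask)
    if letters:
        findings.append(f"NoDriveAutoRun=0x{letter_mask:X} still autoruns drive(s) "
                        f"{''.join(letters)}: set 0x{ALL_LETTERS:X} to disable all")
    cd = lookup(values, CDROM_KEY, "Autorun")
    if cd is None or cd != 0:
        findings.append(f"Cdrom\\Autorun={cd}: set to 0 to disable CD autorun")
    return findings


def demo():
    """Audit the constructed export; every value in it is deficient."""
    return audit(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

regedit on Windows 2000 writes its exports as UTF-16, so read a real file with encoding="utf-16" before passing the text to parse_reg. The machine-wide copies of the two Explorer values under HKEY_LOCAL_MACHINE take precedence over the per-user ones, so include that key in the export and check it the same way.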

4. Third-party software issues
4.1 Buffer overflows discovered this month were covered in the table of
    contents above

4.2 New DDOS defense tool from Simple Nomad

Simple Nomad has written a tool to tell the DDOS clients that appear to
have been used in the recent spate of DDOS attacks to stop flooding.
The tool, which works against Troj_Trinoo, Trinoo, TFN, and Stacheldraht,
is available in Unix and NT versions. Go to http://razor.bindview.com/
for details.

4.3 Allaire Security Bulletin ASB00-04: Patch Available for Allaire
    Spectra 1.0 Security Authentication System

Allaire posted a patch for the Allaire Spectra 1.0 product this month.
The bug allows an attacker to post a value for the bAuthenticated variable
in the URL, telling the Remote Access Service that they are already
authenticated. The patch that eliminates the problem is available at
http://download.allaire.com/patches/ASB00-04.zip. For more information,
see the bulletin at
http://www.allaire.com/handlers/index.cfm?ID=14300&Method=Full.

4.4 ASB00-05: Cross-Site Scripting Vulnerability Information for Allaire
    Customers

Allaire also posted a bulletin with information on the cross-site
scripting vulnerability announced by CERT (see item 3.3 above). The
bulletin explains what steps developers should take to secure programs
running on Allaire products. For more information see the bulletin at
http://www.allaire.com/handlers/index.cfm?ID=14557&Method=Full.

4.5 Many web shopping carts vulnerable to form tampering to change price

The ISS X-Force issued an advisory about several shopping cart packages
that allow a user to tamper with form data. This could allow malicious
users to submit their own discounts on products, or even the price of
the product to the application, bypassing the price the application
received from the database. Eleven shopping carts were found vulnerable.
For the complete details see http://xforce.iss.net/alerts/advise42.php3

4.6 EZ Shopper 3.0 allows remote command execution

The EZ Shopper web shopping cart is vulnerable to two serious problems.
The first is that it gives up the physical path of the web server when a
request is made for a non-existent file. The second is that it follows
../ sequences in the file name it is given, allowing an attacker to read
any file on the file system that the web server account has access to.
The vendor has released a fixed version. Contact AHG Inc. for more
information: http://www.ahg.com/software.htm#ezshopper

4.7 SurfControl web filter fails to filter sites with period appended

SurfControl SuperScout 2.6.1.6 is a web filter used to block user access
to certain sites. At least some versions of SurfControl fail to block a
site if a period is appended to its host name. For example,
http://www.naughtysite.com is blocked, but http://www.naughtysite.com.
is not. The trailing period makes the name a fully qualified DNS name
that resolves to the same host, so the browser still reaches the site
while the filter compares a string that is not in its block list.
SurfControl has posted an upgrade to version 2.6.1.7 at
http://www.surfcontrol.com/support/index.html. However, it is unknown
whether that upgrade solves this problem.

4.8 Lexmark printer drivers fix BSOD in Terminal Server

Lexmark has released new drivers for their printers. These drivers solve
problems with blue screen crashes in Terminal Server when multiple users
access the printer simultaneously. The new drivers are available at:
http://drivers.lexmark.com/drivers.nsf/SelectPrinter?OpenForm&Lexmark+Optra+S

4.9 Webspeed can be hacked through messenger administration tool

Webspeed is a web site creation language used to connect to a back-end
database. It comes with a Messenger utility that is managed through the
WebSpeed Messenger Administration Tool (WSMAdmin). There is a setting
in the WebSpeed Java GUI configuration program, the Progress Explorer
tool, to disable WSMAdmin. It is recommended that WSMAdmin is disabled
on production servers since it could give hackers valuable information
about the server. However, the setting in the Progress Explorer does
not work. To disable the tool, you need to manually edit a configuration
file.

This problem has been fixed in version 3.1A of WebSpeed. For more
information, and specific instructions on how to disable it, refer to
the Knowledge base available at http://www.progress.com.

4.10 Zeus web server code exposure vulnerability

The Zeus web server, from Zeus Technology, has a code exposure
vulnerability. A URL with a URL-encoded null byte (%00) appended to a
CGI script name returns the source code of the script instead of running
it. E.g., requesting http://somesite/script.cgi%00 returns the source of
script.cgi. This issue has been fixed in version 3.3.5A, which is
available from ftp://ftp.zeustechnology.com/pub/products/z3/

4.11 MySQL allows unauthenticated access

MySQL has a vulnerability that could allow a user with a valid username
to bypass the authentication process. The problem has been fixed, along
with several other problems, in version 3.22.32 of MySQL. The new version
is available at http://www.mysql.org/download_3.22.html

4.12 WWWThreads privilege elevation vulnerability

WWWThreads has a SQL input validation vulnerability. WWWThreads apparently
fails to check the validity of the numeric data it receives from a form.
An attacker can therefore pass SQL statements in a numeric field, and the
statement will be executed against the database. Rain.forest.puppy
discovered that this vulnerability could be used in a privilege elevation
attack to become the WWWThreads administrator on a server. For complete
details, see the advisory at
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=2.

4.13 Ability to open communication on arbitrary port to FTP server behind
     Firewall-1

Firewall-1 may allow a user to open communication to an arbitrary port
on an FTP server protected by Firewall-1. The issue is that a user can
cause Firewall-1 to think that the FTP server has authorized a passive
connection to any non-privileged port. CheckPoint has issued an
announcement and a patch against the problem. They are available at
http://www.checkpoint.com/techsupport/alerts/pasvftp.html.

4.14 Veritas ManageExec reports Service Pack 5 incorrectly

Veritas has issued a patch for ManageExec 5.50 build 054. That build
fails to report Service Pack 5 correctly on managed clients. The patch
is available at
http://ftp.support.veritas.com/pub/support/products/manage_exec/me551pen.exe.

4.15 BAT file vulnerability in SAMBAR web and ftp server

The SAMBAR web and ftp server comes with two batch files that are stored
in the /cgi-bin directory by default. These files are called echo.bat
and hello.bat. An attacker can pass commands to these files and have
them executed on the server. For example, if the attacker requests
http://someserver/cgi-bin/hello.bat?&dir+c:\ a directory listing of the
C drive is returned. Users running the Sambar server are advised to
remove these files.
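Several of the web-facing items in this issue share request signatures that show up in the server log, so here is a detection pass over IIS W3C extended log lines, added as an example and not code from the digest or any vendor. It flags requests for shtml.dll and htimage.exe (3.5.2), direct requests for .inc include files (3.5.4), the Sambar hello.bat and echo.bat CGIs (4.15), a %00 appended to a script name (4.10) and ../ traversal in a path or query string (3.5.3, 4.6). The log excerpt, client addresses and rule names are constructed, and the script name cart.cgi on the traversal line is a placeholder rather than the EZ Shopper file named in the advisory.

```python
"""Detection pass over IIS W3C extended log lines for the request patterns
named in this digest: FrontPage/Office Server Extensions probes against
shtml.dll and htimage.exe (3.5.2), direct requests for ASP include files
(3.5.4), the Sambar hello.bat/echo.bat CGIs (4.15), %00 appended to a
script name (4.10) and ../ traversal (3.5.3, 4.6).  Added example, not code
from the digest; the log excerpt, addresses and rule names are constructed."""
import re
from urllib.parse import unquote

# Constructed W3C extended log excerpt in the IIS 4/5 field layout.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-02-14 10:01:02 10.0.0.7 GET /_vti_bin/shtml.dll - 200
2000-02-14 10:01:05 10.0.0.7 GET /cgi-bin/htimage.exe - 500
2000-02-14 10:02:11 10.0.0.9 GET /cgi-bin/hello.bat &dir+c:\ 200
2000-02-14 10:03:00 10.0.0.9 GET /script.cgi%00 - 200
2000-02-14 10:04:30 10.0.0.12 GET /include/db.inc - 200
2000-02-14 10:05:01 10.0.0.12 GET /cgi-bin/cart.cgi page=../../../../winnt/win.ini 200
2000-02-14 10:06:00 10.0.0.3 GET /default.asp - 200
"""


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in #Fields."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def _stem(rec):
    return rec.get("cs-uri-stem", "")


def _query(rec):
    q = rec.get("cs-uri-query", "-")
    return "" if q == "-" else q       # IIS logs "-" for an empty query string


# (rule name, predicate over one parsed record)
RULES = [
    ("frontpage-shtml-probe",
     lambda r: _stem(r).lower().endswith("/_vti_bin/shtml.dll")),
    ("frontpage-htimage-probe",
     lambda r: _stem(r).lower().endswith("/htimage.exe")),
    ("sambar-batch-cgi",
     lambda r: re.search(r"/cgi-bin/(hello|echo)\.bat$", _stem(r), re.I) is not None),
    ("null-byte-in-uri",
     lambda r: "%00" in _stem(r)),
    ("asp-include-requested",
     lambda r: _stem(r).lower().endswith(".inc")),
    ("directory-traversal",
     lambda r: ".." in unquote(_stem(r)) or ".." in unquote(_query(r))),
]


def detect(text):
    """Return (rule, client ip, uri stem) for every record a rule matches."""
    hits = []
    for rec in parse_w3c(text):
        for name, matches in RULES:
            if matches(rec):
                hits.append((name, rec["c-ip"], _stem(rec)))
    return hits


if __name__ == "__main__":
    for rule, ip, stem in detect(SAMPLE_LOG):
        print(f"{rule:24} {ip:10} {stem}")
```

Point detect() at the contents of a real ex*.log file from the IIS log directory; the #Fields line in each file tells the parser which columns are present, so the script works with any field selection that includes c-ip, cs-uri-stem and cs-uri-query.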

5. Tip of the month: Use terminal services to administer Windows
   2000 remotely

One of the recurring complaints about NT 4.0 is that it is difficult to
effectively administer NT servers remotely. Windows 2000 solves this in
an innovative way by bundling Terminal Services with the OS. An
administrator can install Terminal Services in remote administration
mode and then use a Terminal Services client to obtain a remote console
on the server, interacting with it almost as if s/he were sitting at the
keyboard. The only shortcoming we have been able to find is that you
cannot eject the CD-ROM drive; of course, doing so when you are half-way
across the world is probably of limited usefulness. If you need to do
this across a firewall, you will have to open TCP port 3389, which may
be undesirable; where you must, restrict the rule to the administrators'
source addresses rather than opening the port to the world. The best part
is that the OS comes with an administrative license for Terminal
Services, so you don't need to worry about the overly complicated
Microsoft licensing rules if all you use Terminal Services for is remote
administration.

=======================================================================

The SANS Windows Security Digest is provided at no cost to those people
who attend SANS and SANS Network Security conferences. Others may
subscribe for a small annual fee. To subscribe, email digest@sans.org
with the subject NT Digest.