Subject: NWC/SANS SAC Newsletter #037
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 23 2000 - 20:34:03 CST


To: Security Express (SD397643)
Re: Your personalized newsletter

                         -- Security Alert Consensus --

                                Number 037 (00.13)

                             Thursday, March 23, 2000

                                Created for you by
                    Network Computing and the SANS Institute

------------------------------------------------------------------------

This issue is sponsored by Symantec.

Symantec, a world leader in Internet security technology, provides a
broad range of content security solutions, including antivirus, Internet
content and e-mail filtering, and mobile code-detection technologies.
http://www.symantec.com/solutions

------------------------------------------------------------------------

For those of you wanting some deeper insight into the evolution of
distributed denial of service (dDoS) tools, David Dittrich (with Sven
Dietrich and Neil Long) has written a great analysis of the "Shaft" dDoS
package; see http://www.sans.org/y2k/shaft.htm

Some reports have surfaced that deja.com does not filter JavaScript from
Usenet postings. Generically, any archive of public material (be it
Usenet, e-mail or other material) has the potential to contain embedded
scripting code. This is especially true for unmoderated mailing lists
and very similar to the Cross-Site Scripting (CSS) problem. Because the
problem lies with the restriction and management of HTML scripting
components at the client, we will avoid reporting on the infinite number
of ways someone could embed JavaScript into something that is
Web-enabled.
http://archives.neohapsis.com/archives/bugtraq/2000-03/0174.html

                        Until next week,
                                Security Alert Consensus Team

------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.13.001} MERCUR WebView WebMail-Client buffer overflow
--> {00.13.006} Patch for {00.11.015}: Trend Micro OfficeScan remote
                vulnerabilities
--> {00.13.009} MS00-016: Patch for Malformed Media License Request
--> {00.13.010} MS00-017: Patch for DOS device in path name
--> {00.13.011} MS00-018: Patch for IIS chunk encoding post
                vulnerability
--> {00.13.014} NAVIEG denial of service
--> {00.13.015} AIM buffer overflow
--> {00.13.016} Update to {00.12.017}: Windows "file device" denial of
                service
--> {00.13.018} imwheel HOME env variable buffer overflow
--> {00.13.002} Circumvent authentication in SuSE Linux IMAP server
--> {00.13.007} kreatecd local root compromise
--> {00.13.008} Update to {00.11.017}: dump local buffer overflow
--> {00.13.003} Update to {00.12.023}: New mtr packages available
--> {00.13.004} Incorrect SUID permissions in FreeBSD Orville-write port
--> {00.13.012} Update to {00.10.003}: Patches available for nmh
--> {00.13.005} DG/UX inetd service exhaustion patch
--> {00.13.013} Netscape Enterprise server "?wp" directory enumeration
--> {00.13.017} Multiple firewall FTP "ALG" vulnerability

--- Windows News -------------------------------------------------------

--> {00.13.001} MERCUR WebView WebMail-Client buffer overflow

A buffer overflow was found in MERCUR WebView WebMail version 1.0. The
included Web server (listening on port 1080) will crash when sent an HTTP
request larger than 1 KB in length. It is unclear whether the execution
of arbitrary code is possible.

No patches have been made available. Vendor home page:
http://www.atrium-software.com/

Source: Technotronic
http://archives.neohapsis.com/archives/technotronic/2000-q1/0025.html

--> {00.13.006} Patch for {00.11.015}: Trend Micro OfficeScan remote
                vulnerabilities

Trend Micro has released an updated patch for {00.11.015} (OfficeScan
remote vulnerabilities). The patch fixes a situation that would let an
attacker remotely control client installations of OfficeScan, as well
as crash the client service.

Patch is available at:
http://www.antivirus.com/download/ofce_patch.htm

Source: Trend Micro (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-03/0156.html

--> {00.13.009} MS00-016: Patch for Malformed Media License Request

Microsoft has released MS00-016 ("Patch Available for Malformed Media
License Request Vulnerability"). The patch corrects a denial of service
situation whereby an attacker could prevent the Windows Media License
Manager/Windows Media Rights Manager from issuing new licenses for
digital media.

Patch is available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19171

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q1/0037.html

--> {00.13.010} MS00-017: Patch for DOS device in path name

Microsoft has released MS00-017 ("Patch Available for DOS Device in Path
Name Vulnerability"). The patch corrects the denial of service situation
in Windows 95 and 98, which is described in {00.12.017} ("Windows 'file
device' denial of service"). This bug has commonly been referred to as
the "con\con" vulnerability.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-017.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q1/0036.html

--> {00.13.011} MS00-018: Patch for IIS chunk encoding post
                vulnerability

Microsoft has released MS00-018 ("Patch Available for Chunked Encoding
Post Vulnerability"). The patch fixes a denial of service situation in
Internet Information Server version 4.0, whereby an attacker can cause
the server to reserve available memory by requesting that large amounts
of memory be allocated to a chunked POST or PUT request.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-018.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q1/0038.html
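The defensive counterpart to the chunked-encoding problem above, as an added example (not code from the advisory or from IIS): a decoder that bounds what it accepts by the bytes actually received and by explicit limits, rather than trusting the size an attacker declares in the chunk header. The request bodies and limits are constructed for the example.

```python
import re

# Constructed request bodies (not from the advisory).
SMALL_BODY = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
HUGE_CHUNK = b"7fffffff\r\n" + b"x" * 16 + b"\r\n"   # declares ~2 GB, sends 16 bytes

MAX_CHUNK = 64 * 1024        # assumed per-chunk limit
MAX_BODY = 1024 * 1024       # assumed total-body limit


class ChunkError(ValueError):
    pass


def decode_chunked(raw, max_chunk=MAX_CHUNK, max_body=MAX_BODY):
    """Decode a chunked body; never allocate on the declared size alone."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ChunkError("truncated chunk-size line")
        size_field = raw[pos:end].split(b";", 1)[0].strip()   # drop extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            raise ChunkError("bad chunk size")
        size = int(size_field, 16)
        if size > max_chunk:
            raise ChunkError(f"chunk of {size} bytes exceeds limit")  # before any buffer grows
        if len(out) + size > max_body:
            raise ChunkError("body exceeds limit")
        pos = end + 2
        if size == 0:
            return bytes(out)                 # last-chunk marker; trailers ignored
        chunk = raw[pos:pos + size]
        if len(chunk) < size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("short chunk")   # declared more than was sent
        out += chunk
        pos += size + 2


def is_rejected(raw):
    """True when the decoder refuses the body instead of decoding it."""
    try:
        decode_chunked(raw)
    except ChunkError:
        return True
    return False
```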

--> {00.13.014} NAVIEG denial of service

Norton Anti-Virus Internet Email Gateway (NAVIEG) has been found to
crash (GPF) when an overly long request/URL is sent to its included Web
server. Using Nessus seems to trigger this vulnerability.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-03/0202.html

--> {00.13.015} AIM buffer overflow

AOL Instant Messenger version 3.5.1856 contains a buffer overflow that
leads to the crashing of the client; it is unconfirmed whether this
overflow allows for the arbitrary execution of code. This is in addition
to the various denial of service attacks reported in the past, such as
{00.11.005} ("AIM invalid ASCII character denial of service"). Various
builds in the 2.5, 3.0 and 3.5 versions have been reported as
vulnerable.

No patches have been made available.

Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2000-q1/0493.html
http://archives.neohapsis.com/archives/vuln-dev/2000-q1/0496.html

--> {00.13.016} Update to {00.12.017}: Windows "file device" denial of
                service

There has been a report that the "decon" third-party utility may
unintentionally introduce other denial of service vulnerabilities.
Now that Microsoft has released an official patch (MS00-017), we suggest
you implement it. See {00.13.010} ("MS00-017: Patch for DOS device in
path name") within this issue.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-03/0177.html

--> {00.13.018} imwheel HOME env variable buffer overflow

The imwheel application contains a buffer overflow when an overly long
string is placed in the HOME environment variable. Coupled with the use
of an included SUID application wrapper, imwheel-solo, this could lead
to local root compromise.

No patches have been made available. We suggest removing SUID
permissions from imwheel-solo.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html

--- Linux News ---------------------------------------------------------

--> {00.13.002} Circumvent authentication in SuSE Linux IMAP server

SuSE has released an updated version of its Linux IMAP server (an
application developed by SuSE independent of its Linux distribution).
The updated version corrects a vulnerability that let an attacker
circumvent authentication and gain IMAP administrator privileges.

You can download the updated version at:
http://www.suse.de/de/produkte/susesoft/imas/imasupd/secfix.tgz

Source: SuSE
http://archives.neohapsis.com/archives/vendor/2000-q1/0035.html

--> {00.13.007} kreatecd local root compromise

A vulnerability has been found in the kreatecd application. This SUID
application (which is found in Halloween and SuSE Linux distributions)
attempts to execute an external application (cdrecord) under UID 0. A
local attacker can modify the path and cause the application to run a
trojan version of cdrecord, thus gaining root privileges.

No patches have been made available. We suggest removing SUID
permissions from the kreatecd binary.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-03/0162.html

--> {00.13.008} Update to {00.11.017}: dump local buffer overflow

TurboLinux has released a new version of dump, which fixes {00.11.017}
(dump local buffer overflow). The vulnerability lets local attackers
gain root privileges.

The new dump package is available at:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/dump-0.4b16-1.i386.rpm

Source: TurboLinux (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-03/0170.html

--- BSD News -----------------------------------------------------------

--> {00.13.003} Update to {00.12.023}: New mtr packages available

FreeBSD has released an updated port of mtr, which fixes a local root
compromise caused by the fact that mtr does not properly drop root
privileges. Versions of mtr prior to 0.42 are vulnerable.

Download an updated package:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mtr-0.42.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/net/mtr-0.42.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/net/mtr-0.42.tgz

(Note: These packages may not be immediately available)

For a temporary workaround/fix, FreeBSD recommends removing SUID
permissions from /usr/local/sbin/mtr.

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-03/0067.html

--> {00.13.004} Incorrect SUID permissions in FreeBSD Orville-write port

The Orville-write port prior to 3/9/2000 incorrectly gave SUID
permissions to /usr/local/bin/huh, which, when coupled with a local
buffer overflow, allows for root compromise.

Remove SUID permissions from /usr/local/bin/huh (they are not required).

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-03/0068.html

--> {00.13.012} Update to {00.10.003}: Patches available for nmh

FreeBSD has released updated nmh ports, which fix a buffer overflow in
mhshow.

Download the updated nmh port packages:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/mail/nmh-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/mail/nmh-1.0.3.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-03/0065.html

--- Other News ---------------------------------------------------------

--> {00.13.005} DG/UX inetd service exhaustion patch

Data General has released a patch for inetd that eliminates a denial of
service situation whereby an attacker can exhaust the number of allowed
incoming connections. Note that modern versions of inetd already protect
against this -- this is just a general alert of patch availability for
DG/UX users. DG/UX versions R4.20MU04, R4.20MU05 and R4.11MU06 are
vulnerable.

Data General has released patch tcpip_R4.20MU04.p11.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-03/0152.html

--- Cross-Platform News ------------------------------------------------

--> {00.13.013} Netscape Enterprise server "?wp" directory enumeration

Netscape Enterprise Web Server 3.x contains a bug that lets a remote
attacker obtain directory listings by using various Web publishing
command extensions, such as "?wp-cs-dump".

The vulnerability is present if Web publishing is enabled. In addition,
one report indicates that the vulnerability is still present after Web
publishing has been disabled. Netscape has yet to comment on the
vulnerability.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-03/0191.html

--> {00.13.017} Multiple firewall FTP "ALG" vulnerability

Many firewalls have been found vulnerable to an FTP attack that could
result in the firewall opening up arbitrary ports to internal hosts.
The vulnerability stems from firewalls/proxies that parse FTP PASV/PORT
messages on the control channel and automatically permit the data
connection those messages announce.

A patch for Linux ip_masq_ftp is available at:

http://archives.neohapsis.com/archives/bugtraq/2000-03/0216.html

Cisco has updated some versions of Pix, while others are still being
developed. More information is available at:

http://archives.neohapsis.com/archives/bugtraq/2000-03/0183.html

Check Point and Nokia have released Service Pack 5 for FireWall-1
version 4.0. Check Point also has published workarounds for this
vulnerability at:

http://www.checkpoint.com/techsupport/alerts/pasvftp.html

A demonstration exploit for the FTP PASV/ALG vulnerability:
http://naughty.monkey.org/~dugsong//ftpd-ozone.c.txt

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-02/0094.html
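As an added example (not code from the original post or from any of the vendors named above), the kind of check a hardened FTP ALG applies before opening a data port: it only honours a complete, line-initial 227 reply or PORT command, requires the announced address to match the peer already on the control connection, and refuses privileged ports. The control-channel messages and the minimum-port value are constructed for the example.

```python
import re

# Constructed control-channel messages (not from the original post).
PASV_OK = "227 Entering Passive Mode (192,0,2,10,200,10)\r\n"
PASV_OTHER_HOST = "227 Entering Passive Mode (10,0,0,5,0,23)\r\n"      # not the FTP server
PASV_LOW_PORT = "227 Entering Passive Mode (192,0,2,10,0,139)\r\n"     # port 139
PASV_MIDLINE = "junk 227 Entering Passive Mode (192,0,2,10,200,10)\r\n"  # not line-initial

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?$")


def parse_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into ('a.b.c.d', port)."""
    a, b, c, d, p1, p2 = (int(x) for x in fields)
    if any(v > 255 for v in (a, b, c, d, p1, p2)):
        raise ValueError("field out of range")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def vet_data_connection(line, expected_peer, min_port=1024):
    """Return (host, port) the ALG may open, or None if the announcement
    must be ignored. expected_peer is the address already on the control
    connection: the server for a 227 reply, the client for a PORT command."""
    m = _PASV_RE.match(line) or _PORT_RE.match(line)
    if m is None:
        return None          # not a complete announcement at the start of a line
    try:
        host, port = parse_hostport(m.groups())
    except ValueError:
        return None
    if host != expected_peer:
        return None          # would open a hole to some other host
    if port < min_port:
        return None          # would expose a well-known service port
    return host, port
```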

------------------------------------------------------------------------

If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/ to become
a Security Alert Consensus member!

If you'd like to change your e-mail address or other information, or
to unsubscribe from this newsletter, please visit your personalized URL:
        http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa

Miss an issue? You can find all back issues of Security Alert Consensus
(and Security Express) online at http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
the SANS Institute (http://www.sans.org).