Subject: SANS NT Digest Vol. 3 Num. 3
From: The SANS Institute (sans@sans.org)
Date: Mon Apr 03 2000 - 16:04:32 CDT
**********************************************************************
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 3, Number 3
April 3, 2000
Dr. Jesper M. Johansson (Boston University)
Editorial Board:
Dr. Matt Bishop (Univ. California, Davis)
Jeff Brown (Merrill Lynch)
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (IBM Security and Privacy Services)
Chris Lalka (Exxon)
Steve Lewis (GRCI)
Eric Maiwald (Fortrex)
Rob Marchand (Array Systems)
Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)
Copyright 2000. The SANS Institute. All rights reserved. You may
forward this issue to your co-workers and encourage them to subscribe.
To do so, send a note with the subject "NT Digest" to digest@sans.org
**********************************************************************
Welcome to the March 2000 installment of the SANS Windows Security
Digest. This month has been rather routine. Most of the new issues have
focused on Windows 2000, as is expected with a new operating system.
Perhaps the most important discovery was that Microsoft's instructions
for creating customized versions of IE 5 will enable an older version
of IE to install on Windows 2000. The result is that users will be
unable to log on to their workstations after installing the customized
IE. As usual, we also have a number of security bulletins to report on,
as well as various problems with third-party software.
JMJ
**********************************************************************
Table of Contents
1. Microsoft Security Bulletins
1.1. MS00-006 - Patch Available for "Malformed Hit-Highlighting
Argument" Vulnerability
1.2. MS00-008 - Patch Available for "Registry Permissions" Vulnerability
1.3. MS00-014 - Patch Available for "SQL Query Abuse" Vulnerability
1.4. MS00-015 - Patch Available for "Clip Art Buffer Overrun"
Vulnerability
1.5. MS00-016 - Patch Available for "Malformed Media License Request"
Vulnerability
1.6. MS00-017 - Patch Available for "DOS Device in Path Name"
Vulnerability
1.7. MS00-018 - Patch Available for "Chunked Encoding Post"
Vulnerability
1.8. MS00-019 - Patch Available for "Virtualized UNC Share"
Vulnerability
1.9. MS00-021 - Patch Available for "Malformed TCP/IP Print Request"
Vulnerability
2. Microsoft Software Issues
2.1. Windows 2000 Only (Note: these are issues that affect only Windows
2000. Win2K may also be affected by issues listed under All/Other
Microsoft Software Issues below)
2.1.1. Serious problem with 128-bit customized IE versions installed on
Windows 2000
2.1.2. Disk quota problem
2.1.3. OEM Preinstall fails to secure All Users profile directory
2.1.4. Terminal Servers Licensing denial of service vulnerability
2.1.5. Microsoft releases IIS 5.0 Security Configuration tool
2.1.6. IE windows opened with Run As... command may be reused by less
privileged users
2.2. IE Issues
2.2.1. Serious problem with 128-bit customized IE versions installed on
Windows 2000
2.2.2. IE 5 allows execution of arbitrary programs on remote host using
.chm files
2.2.3. IE 5.x and Outlook will execute arbitrary programs using .eml
files
2.2.4. Multiple Cross Site Scripting and RDS vulnerabilities
2.2.5. Internet Explorer unable to determine zone correctly
2.3. All/Other Microsoft Software Issues
2.3.1. Office 2000 Service Release 1 available
2.3.2. A recap of automatic SMB connection vulnerabilities
2.3.3. Enumerate root directories on a IIS
2.3.4. Insecure password storage mechanism in SQL Server 7.0
3. Third-party software issues
3.1. Buffer overflows discovered this month
Many buffer overflows are discovered each month. We report the ones we
know about here. In addition, we have tried to give you a little more
information in a concise format. To that end, certain items are marked
with a # or @ sign. A # sign means that an exploit for this issue is
publicly available. An @ sign means that a fix is available currently.
We have also, in some cases, included a URL after the item. That URL
points to either a fix, if one is available, or to the vendor's
web-site, if we know it.
* # Netscape Enterprise Server 3.6 SP2
(http://www.iplanet.com/downloads/download/detail_12_212.html)
* AOL Instant Messenger, multiple versions (http://www.aol.com)
* # AnalogX SimpleServer 1.03 (http://www.analogx.com)
* # MERCUR WebView WebMail-Client 1.0 (http://www.atrium-software.com)
* # MERCUR v3.2* (http://www.atrium-software.com)
* # @ Napster (http://www.napster.com) (Fixed by patching the Napster
servers)
3.2. TrendMicro OfficeScan - Several holes uncovered
3.3. HP Openview Omniback - Remotely exploitable NT DOS due to memory
leak
3.4. ISS RealSecure - current version fails to detect certain modified
attacks
3.5. Norton Antivirus 7.0 Corporate Edition might interfere with roaming
profiles
3.6. Norton AntiVirus for Internet Email Gateways remotely exploitable
crash
3.7. Netscape Enterprise Server vulnerable to Cross Site Scripting attack
3.8. Oracle Application Server remote execution vulnerability
3.9. Firewall-1 may leak private addresses to the outside
3.10. Sojourn Search Engine can be used to access any file local to the
web server
3.11. Directory traversal vulnerability in vqserver
3.12. Citrix ICA easily crackable passwords
4. Tip of the month: Get an Explorer window to run as an Administrator
=======================================================================
1. Microsoft Security Bulletins
1.1. MS00-006 - Patch Available for "Malformed Hit-Highlighting
Argument" Vulnerability
Microsoft has re-released the patch for MS Index Server for Windows NT
4.0 to address a new variant of the original vulnerabilities. The
original bulletin, released on January 26, 2000 (See the January SANS
NT Digest for more details), announced a patch for two vulnerabilities
in MS Index Server for Windows NT 4.0 and the Indexing Services in
Windows 2000. However, the Cerberus Security Team discovered a variant
on the unauthorized file access vulnerability. By appending "%20" to
the end of a file requested from the webhits DLL, a malicious user can
retrieve the source code for any file on the web server. This new
variant on the vulnerability only affects Windows NT 4.0. The Indexing
Services in Windows 2000 are not affected by this problem. The new patch
is available at:
* Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
* Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
For more information see:
* Microsoft Security Bulletin MS00-006
http://www.microsoft.com/technet/security/bulletin/MS00-006.asp.
* Frequently Asked Questions: Microsoft Security Bulletin MS00-006
http://www.microsoft.com/technet/security/bulletin/fq00-006.asp.
* The Cerberus Information Security Advisory
http://www.cerberus-infosec.co.uk/adviishtw.html
* Microsoft Knowledge Base (KB) article Q251170 "Malformed Argument in
Hit-Highlighting Request Allows Access to Web Server Files"
http://www.microsoft.com/technet/support/kb.asp?ID=251170.
* Microsoft Knowledge Base (KB) article Q252463 "Index Server Error
Message Reveals Physical Location of Web Directories"
http://www.microsoft.com/technet/support/kb.asp?ID=252463.
1.2. MS00-008 - Patch Available for "Registry Permissions" Vulnerability
This bulletin announces an official patch to tighten some well-known
registry vulnerabilities that could allow a regular user to execute
arbitrary code as SYSTEM on an NT 4.0 system. This vulnerability is not
new, as most of these problems have been discussed in the past. It also
does not affect Windows 2000, which has much better default registry
permissions.
The patch tightens the permissions on the following keys to bar ordinary
users from writing to them:
Hive: HKEY_LOCAL_MACHINE
* Key: \Software\Microsoft\Windows NT\CurrentVersion\AEDebug
* Key: \Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* Key: \Software\Microsoft\DataFactory
* Key: \System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunch
The AEDebug key specifies the debugger that is invoked when a program
crashes. The Shell Folders, among other things, point to the shared
Startup folder, and the other two keys govern security measures on
database servers. All of these keys are writeable by Everyone by
default. You can either apply the patch, or modify these settings
manually to remove the write permission from Everyone. The patch, which
can be executed against both local and remote computers, is available
at:
* Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
* Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173
For more information see:
* Microsoft Security Bulletin MS00-008
http://www.microsoft.com/technet/security/bulletin/MS00-008.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-008
http://www.microsoft.com/technet/security/bulletin/fq00-008.asp
1.3. MS00-014 - Patch Available for "SQL Query Abuse" Vulnerability
Sven Hammesfahr discovered a serious problem in MS SQL Server 7.0. This
vulnerability, which also affects the MSDE, could allow anyone to
execute arbitrary commands, both on the SQL server and the underlying
operating system. The issue, which only occurs when Mixed Mode
authentication is used, appears to be that any user who can submit
queries to the SQL server can submit statements using the OPENROWSET()
function. When this is done, the statements submitted inside
OPENROWSET() are executed under the _SQLServer account, not the user's
SQL Server account. This vulnerability affects both SQL Server 7.0,
and the Microsoft Data Environment. However, the problem does not affect
users connecting using integrated authentication. Thus, this
vulnerability does not affect SQL Servers that do not have any user
accounts specified and only use integrated authentication.
Microsoft has released a patch for the problem, available at:
http://www.microsoft.com/downloads/release.asp?ReleaseID=19132
For more information, see:
* Microsoft Security Bulletin MS00-014
http://www.microsoft.com/technet/security/bulletin/MS00-014.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-014
http://www.microsoft.com/technet/security/bulletin/fq00-014.asp
* Sven Hammesfahr's description of the problem
http://itrain.de/english/openrowsete.asp
1.4. MS00-015 - Patch Available for "Clip Art Buffer Overrun"
Vulnerability
This bulletin announces a vulnerability, and a patch, in the Clip Art
gallery that ships with many Microsoft Office 2000 products. Vulnerable
products include:
* Microsoft Office 2000
* Microsoft Works 2000
* Microsoft PictureIt 2000
* Microsoft HP 2000
* Microsoft Publisher99
* Microsoft PhotoDraw 2000 Version 1
The Clip Art Gallery allows users to download clip art from web sites.
Clip art files are packaged in a .cil file. The .cil file specifies
parameters regarding the clip art files contained in it. If the file
name field exceeds a certain length, the Clip Art Gallery crashes with
a classic buffer overrun. Note that .cil files are typically downloaded
automatically without alerting the user.
The vulnerability was discovered by the @Stake Inc. L0pht Research Labs.
Microsoft provides a patch at:
http://cgl.microsoft.com/clipgallerylive/pss/bufovrun.htm
The patch is also included in Office 2000 SR-1 (see 2.3.1).
For more information see:
* Microsoft Security Bulletin MS00-015
http://www.microsoft.com/technet/security/bulletin/MS00-015.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-015
http://www.microsoft.com/technet/security/bulletin/fq00-015.asp
1.5. MS00-016 - Patch Available for "Malformed Media License Request"
Vulnerability
This bulletin discusses a problem with the Microsoft Media Technologies
4.0 and 4.1. The vulnerability can be used to remotely crash the Windows
Media License Manager. Doing so would effectively create a denial of
service condition whereby legitimate users would be unable to receive
protected content because the server would not be able to issue new
licenses.
A patch is available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19171
For more information see:
* Microsoft Security Bulletin MS00-016
http://www.microsoft.com/technet/security/bulletin/MS00-016.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-016
http://www.microsoft.com/technet/security/bulletin/fq00-016.asp
* Microsoft Knowledge Base (KB) article Q257200 "Windows Media Server
Rights Manager May Stop Serving Licenses"
http://www.microsoft.com/technet/support/kb.asp?ID=257200
1.6. MS00-017 - Patch Available for "DOS Device in Path Name"
Vulnerability
This bulletin discusses a path parsing problem in Windows 9x.
For more information see:
* Microsoft Security Bulletin MS00-017
http://www.microsoft.com/technet/security/bulletin/MS00-017.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-017
http://www.microsoft.com/technet/security/bulletin/fq00-017.asp
* Microsoft Knowledge Base (KB) article Q256015 "Fatal Exception 0E with
Multiple MS-DOS Device Names in Path"
http://www.microsoft.com/technet/support/kb.asp?ID=256015
1.7. MS00-018 - Patch Available for "Chunked Encoding Post"
Vulnerability
A new patch for IIS 4.0 is available. The patch fixes a vulnerability
whereby an attacker could perpetrate a denial of service attack against
the web server. IIS supports chunked encoding as a method for a post
request. Using a chunked encoding post, the client will send a post
request in chunks of a size agreed upon by the server and the client.
However, a client could request an arbitrary sized chunk size, and IIS
would then reserve memory to handle that chunk. That means that an
attacker could request a chunk size large enough to consume all
available memory, thereby effectively blocking the server from serving
other requests. The resources are reserved until the attacker releases
the session. If an attacker holds the session open indefinitely, the
only way to solve the problem is to stop the web server and restart it,
thereby killing all sessions, including legitimate ones.
The vulnerability affects only IIS 4.0, not IIS 5.0. Patches are
available for both Intel and Alpha platforms, as follows:
* Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
* Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762
For more information see:
* Microsoft Security Bulletin MS00-018
http://www.microsoft.com/technet/security/bulletin/MS00-018.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-018
http://www.microsoft.com/technet/security/bulletin/fq00-018.asp
* Microsoft Knowledge Base (KB) article Q252693 "Chunked Encoding
Request with No Data Causes IIS Memory Leak"
http://www.microsoft.com/technet/support/kb.asp?ID=252693
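As an added example (not code from the digest, from Microsoft, or from IIS), the Python below is a defensive chunked-body parser that shows the check the bulletin describes as missing: it bounds the declared chunk size and the total body before consuming any data, never reserves memory on the client's say-so, and rejects a chunk whose data never arrives (the "no data" shape from KB Q252693). The size limits are assumed policy values.

```python
"""Defensive parser for an HTTP chunked transfer-encoded request body.

The MS00-018 failure mode is a server that trusts the client's declared
chunk size and reserves that much memory before any data arrives.  This
parser never allocates on the declared size: it caps each chunk, caps the
whole body, and only copies bytes that are actually present.
"""
from __future__ import annotations

MAX_CHUNK = 64 * 1024    # largest single chunk accepted (assumed policy value)
MAX_BODY = 1024 * 1024   # largest whole body accepted (assumed policy value)


class ChunkedError(ValueError):
    """Raised when the body is malformed or exceeds the configured limits."""


def parse_chunked(raw: bytes, max_chunk: int = MAX_CHUNK,
                  max_body: int = MAX_BODY) -> bytes:
    """Return the de-chunked body, or raise ChunkedError.

    raw is the request body as received so far.  A real server reads it
    from the socket incrementally, which is why every limit is checked on
    the declared size *before* the data that follows it is touched.
    """
    out = bytearray()
    pos = 0
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl == -1:
            raise ChunkedError("truncated chunk-size line")
        # Drop any chunk extension (";name=value") before parsing the size.
        size_field = raw[pos:nl].split(b";", 1)[0].strip()
        if not size_field:
            raise ChunkedError("empty chunk-size line")
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedError(f"bad chunk size {size_field!r}") from None
        # Enforce limits on the declared size before reading any chunk data.
        if size > max_chunk:
            raise ChunkedError(f"chunk size {size} exceeds limit {max_chunk}")
        if len(out) + size > max_body:
            raise ChunkedError("body exceeds limit")
        pos = nl + 2
        if size == 0:
            # Last chunk: skip optional trailer lines up to the empty line.
            while True:
                nl = raw.find(b"\r\n", pos)
                if nl == -1:
                    raise ChunkedError("truncated trailer")
                if nl == pos:
                    return bytes(out)
                pos = nl + 2
        end = pos + size
        # The data and its terminating CRLF must already be present; a chunk
        # that announces a size and then sends nothing is rejected here.
        if len(raw) < end + 2:
            raise ChunkedError("chunk declared but data not present")
        if raw[end:end + 2] != b"\r\n":
            raise ChunkedError("chunk data not terminated by CRLF")
        out += raw[pos:end]
        pos = end + 2


if __name__ == "__main__":
    print(parse_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    for bad in (b"FFFFFFFF\r\n", b"5\r\n"):
        try:
            parse_chunked(bad)
        except ChunkedError as exc:
            print("rejected:", exc)
```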
1.8. MS00-019 - Patch Available for "Virtualized UNC Share"
Vulnerability
Another vulnerability, apparently related to that discussed in MS00-006
(see section 1.1 above) was discovered this month. MS Internet
Information Server allows virtual webs to be located on an SMB share.
This allows a web server to serve pages which are physically located on
a different file server. In this case, the web server would map a
virtual web to a UNC. However, if certain trailing characters are
appended to a URL request for a page located on a share, the web server
may fail to perform the requisite ISAPI processing, resulting in the
entire source code for the page being returned to the client. This can
be a very serious issue since the source code may reveal sensitive
information, such as passwords, usernames, physical structure of the
file system, and so on.
This issue affects several versions of IIS as well as other products
based on IIS:
* Microsoft Internet Information Server 4.0 and 5.0
* Microsoft Proxy Server 2.0
* Microsoft Site Server and Site Server, Commerce Edition 3.0
* Microsoft Commercial Internet System 2.0 and 2.5
Patches are available as follows:
* Internet Information Server 4.0 (Windows NT 4.0)
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=18900
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=18901
* Internet Information Server 5.0 (Windows 2000)
http://www.microsoft.com/downloads/release.asp?ReleaseID=19982
For more information, see:
* Microsoft Security Bulletin MS00-019
http://www.microsoft.com/technet/security/bulletin/MS00-019.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-019
http://www.microsoft.com/technet/security/bulletin/fq00-019.asp
* Microsoft Knowledge Base (KB) article Q249599 "Virtual Directory
Mapped to UNC Returns Server-Side Script Code When URL Contains
Additional Characters at the End of the Request"
http://www.microsoft.com/technet/support/kb.asp?ID=249599
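As an added example (not code from the digest or from Microsoft), the Python below scans IIS W3C extended log lines, constructed here for the purpose, for the two source-disclosure request shapes described in sections 1.1 and 1.8: a hit-highlighting (.htw) request whose CiWebHitsFile target carries a trailing "%20", and a server-side script page requested with trailing characters after its extension. The #Fields layout, the assumption that IIS logs the URI as sent, and the choice of whitespace, dots and control characters as the "trailing characters" to flag are all assumptions, not taken from the bulletins.

```python
"""Scan IIS W3C extended log lines for MS00-006 / MS00-019 request shapes.

MS00-006: .htw hit-highlighting request whose CiWebHitsFile parameter ends
          in "%20", returning the named file's source.
MS00-019: a script page on a UNC-mapped virtual directory requested with
          trailing characters, so ISAPI processing is skipped.
Assumptions: the #Fields header below, URIs logged as sent (so "%20" is
kept), and trailing whitespace/dots/control characters as the indicator.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Server-side page types IIS would normally process rather than return verbatim.
SCRIPT_EXTS = ("asp", "asa", "idq", "ida", "htx", "htw", "htr", "inc")
_TRAIL_RE = re.compile(r"\.(%s)([\s.\x00-\x1f]+)$" % "|".join(SCRIPT_EXTS), re.I)

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-03-15 10:01:02 10.0.0.5 GET /default.asp - 200
2000-03-15 10:01:09 10.0.0.5 GET /samples/query.idq CiRestriction=sans 200
2000-03-15 10:02:31 10.0.0.9 GET /default.asp%20 - 200
2000-03-15 10:02:45 10.0.0.9 GET /samples/search.htw CiWebHitsFile=/default.asp%20&CiRestriction=none 200
2000-03-15 10:03:00 10.0.0.7 GET /images/logo.gif - 200
2000-03-15 10:03:12 10.0.0.9 GET /login.asp. - 200
"""


def trailing_junk(path: str) -> str | None:
    """Return the characters following a script extension, or None.

    The last path segment is URL-decoded first so "%20" and a literal
    space are treated the same way.
    """
    name = unquote(path.rsplit("/", 1)[-1])
    m = _TRAIL_RE.search(name)
    return m.group(2) if m else None


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def scan_log(text: str) -> list:
    """Return (client ip, request, reason) for each suspicious request."""
    findings = []
    for rec in parse_w3c(text):
        stem, query = rec["cs-uri-stem"], rec.get("cs-uri-query", "-")
        # MS00-019 shape: script page with trailing characters in the stem.
        junk = trailing_junk(stem)
        if junk is not None:
            findings.append((rec["c-ip"], stem,
                             f"script page with trailing {junk!r} (MS00-019)"))
            continue
        # MS00-006 shape: hit-highlighting request whose target file has
        # trailing characters in the CiWebHitsFile parameter.
        if stem.lower().endswith(".htw") and query != "-":
            for param in query.split("&"):
                key, _, value = param.partition("=")
                if key.lower() == "ciwebhitsfile" and trailing_junk(value) is not None:
                    findings.append((rec["c-ip"], f"{stem}?{query}",
                                     "webhits target with trailing characters (MS00-006)"))
                    break
    return findings


if __name__ == "__main__":
    for ip, request, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  {request}  {reason}")
```

Requests that match are worth correlating with the affected products listed above and with whether the virtual directory in question is mapped to a UNC path.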
1.9. MS00-021 - Patch Available for "Malformed TCP/IP Print Request"
Vulnerability
There is a buffer overflow in Microsoft's LPD service (known as Print
Services for UNIX in Windows 2000). Underground Security Systems
Research discovered that an attacker could cause TCPSVC.EXE to crash by
sending specially malformed requests to port 515. Several other
services, such as the DHCP server and the FTP service, also rely on
TCPSVC.EXE, and would consequently also fail.
This vulnerability affects all versions of Windows NT 4.0 and Windows
2000. Patches are available as follows:
* Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT 4.0
Server, Enterprise Edition:
Intel:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20015
Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20016
* Windows NT 4.0 Server, Terminal Server Edition:
Not yet available
* Windows 2000 Professional, Server, and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19884
For more information, see:
* Microsoft Security Bulletin MS00-021
http://www.microsoft.com/technet/security/bulletin/MS00-021.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-021
http://www.microsoft.com/technet/security/bulletin/fq00-021.asp
* Microsoft Knowledge Base (KB) article Q257870 "Malformed Print Request
May Stop Windows 2000 TCP/IP Printing Service"
http://www.microsoft.com/technet/support/kb.asp?ID=257870
2. Microsoft Software Issues
2.1. Windows 2000 Only
(Note: these are issues that affect only Windows 2000. Win2K may
also be affected by issues listed under All/Other Microsoft
Software Issues below)
2.1.1. Serious problem with 128-bit customized IE versions installed on
Windows 2000
Microsoft discovered a serious problem with redistributing IE versions
5.0, 5.0a, and 5.0b with the 128-bit encryption installed on Windows
2000 clients. The issue is that the switches Microsoft once recommended
to build 128-bit encryption into the custom IE distribution are
incorrect. The /N:V switch will cause the RSAENH.DLL and SCHANNEL.DLL
files on the target system to be replaced by earlier versions. The /N:V
switch disables version checking, thus allowing this older version of
IE to be installed on Windows 2000. If a user already had the 128-bit
encryption package for Windows 2000 installed, the user will not be able
to log on when the computer reboots. Microsoft has prepared a protection
package for Windows 2000, which can be downloaded from Windows Update.
For more information on this issue, please see:
* The IEAK FAQ
http://www.microsoft.com/windows/ieak/en/support/faq/default.asp
* Microsoft Knowledge Base article Q255669 "Internet Explorer
Administration Kit Builds Replace 128-Bit Encryption in Windows 2000"
http://support.microsoft.com/support/kb/articles/Q255/6/69.asp
2.1.2. Disk quota problem
A bug in the disk quota feature of Windows 2000 was reported by Dave
Tarbatt. The problem means that unprivileged users can create 0-byte
files without having these files count against their disk quota.
Although this is problematic in and of itself, it is made worse by the
fact that users can then extend all of these 0-byte files by up to 768
bytes, even once they are over the quota. This could allow a malicious
user to easily fill up a disk. Microsoft has not responded to this
issue.
2.1.3. OEM Preinstall fails to secure All Users profile directory
A report was issued this month that installing Windows 2000 using an
unattended installation and specifying the OEMPreinstall option results
in certain directories not being secured properly. Frank Monroe reported
that if the OEMPreinstall option is used both the All Users and the
Default Users directories become writeable by unprivileged users. This
opens the possibility that a user may leave a trojan horse in the
startup directories on multi-user machines.
2.1.4. Terminal Servers Licensing denial of service vulnerability
David Ashwood reported that it is possible to create a denial of service
condition in the Windows 2000 Terminal Services licensing service. The
Terminal Server hands out licenses to clients when the clients connect
to the server. However, the licenses cannot be revoked. An attacker
could cause a denial of service condition by connecting to the Terminal
Server with multiple computer names, using up all available licenses.
After all the licenses are used, legitimate clients will get
limited-time licenses which are good for only 90 days. To work around
the issue, deactivate and then reactivate the license server.
2.1.5. Microsoft releases IIS 5.0 Security Configuration tool
Microsoft released a security configuration tool for IIS 5.0 this month.
It is designed to assist administrators in securing IIS 5.0 web servers.
The tool is available for download from
http://www.microsoft.com/technet/security/tools.asp.
2.1.6. IE windows opened with Run As... command may be reused by less
privileged users
We discovered a potential problem in Internet Explorer running under
Windows 2000. It is best explained with a procedure:
1. Log on as a regular user
2. Click Start, then right-click on Windows Update and select Run As...
3. Open Windows Update as an administrator
4. Leave the IE window open.
5. Now open Outlook, or any other program that understands hyperlinks,
as the regular user
6. Click on a hyperlink. The OS will send the hyperlink to the instance
of IE that is running under that Admin account if that is the only open
instance of IE
This could be a problem because the link was clicked in the context of
a less privileged user but was actually opened in the context of a much
more powerful user. If the page pointed to by the link contained
malicious code that code would now execute in the context of an
administrator, drastically increasing the potential for damage. There
is no work around for this issue and it is unlikely that we will see
one. This is not really a bug but rather just the way things work. When
an app is launched by using Run As... it runs within the same Window
Station and desktop as the user that launched it. Therefore there is
very little isolation between processes. Perhaps the best suggestion
for dealing with this issue was proposed by David LeBlanc: "I think we
just need to understand what RunAs is and isn't good for, explore the
interactions and limitations, and then adjust our practices to what we
individually deem an acceptable risk level." In other words, make sure
we realize what the feature is and is not good for.
2.2. IE Issues
2.2.1. Serious problem with 128-bit customized IE versions installed on
Windows 2000
Please see item 2.1.1 above for this story.
2.2.2. IE 5 allows execution of arbitrary programs on remote host using
.chm files
Georgi Guninski discovered a vulnerability in IE 5.x which could allow
an attacker to execute an arbitrary program by using a compiled help
file (.chm). This vulnerability works at least up to IE 5.0 on Windows
2000, NT, and WinDos. The most serious problem, however, may be that
the .chm file does not need to be local to the system that it is being
executed on. It will work with a UNC path. It will actually work even
if the UNC path specifies an administrative share. For example
\\127.0.0.1\c$\attack.chm will actually find the file from the C$ share
on the local host. The client does not apparently need permission to
that C$ share so even non-administrators would have this happen.
Currently the workaround is to disable Active Scripting.
2.2.3. IE 5.x and Outlook will execute arbitrary programs using .eml
files
Georgi Guninski reported another way to get an arbitrary program to
execute on a user's computer. This one uses a .eml file, which contains
an embedded .chm (compiled help file). The .eml file can be called from
a web-page or from html embedded in an e-mail. This method is a bit
different because it causes a download dialog box to be presented to
the user. If the user chooses to run the file from its current location,
it will execute a program specified in the .chm file. Note here that
turning off Active Scripting does not appear to guard against this
vulnerability. This problem affects all current versions of IE 5, on
all platforms.
2.2.4. Multiple Cross Site Scripting and RDS vulnerabilities
Shane Hird reported several somewhat related vulnerabilities using Cross
Site Scripting (CSS) and Remote Data Services (RDS) to BugTraq
(http://www.securityfocus.com).
* Several protocols fail to recognize 8.3 names
Several of the protocols available in IE, such as RES and MK fail to
recognize 8.3 names. That means that when a user opens files
underneath Temporary Internet Files using 8.3 names, they will be
considered to be in the Local Intranet Zone, rather than the Internet
Zone, as they would be if opened using LFN (Long File Names)
* Web Accessories problem
Microsoft has released some add-ons for IE, called collectively the
Web Accessories. These add-ons perform tasks on web pages to summarize
them to users. However, the summaries are considered to be in the
Local Intranet Zone, not in the Internet Zone, potentially affording
them more privileges than what they should have. Since the web pages
acted upon determine the output from the Web Accessories, this could
represent a problem
* MHT files vulnerability
The Web Archive file format, available for saving web pages in
Internet Explorer, can be used to execute commands as the local user.
The Web Archive file format is used to store web pages as a single,
mime-encoded, file. This file may be able to interact with RDS to
bypass the warnings about ActiveX controls, thereby allowing the
attacker to execute RDS commands without the user's knowledge.
For full details on these vulnerabilities, see the original BugTraq post at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-8&msg=NCBBIIHPEECPEDAPODAHOEHDCCAA.s.hird@student.qut.edu.au
2.2.5. Internet Explorer unable to determine security zone correctly
Internet Explorer is in some circumstances unable to determine the zone
of a web page correctly. According to a report by Patrick Gosling, IE
will report web sites in the top-level domains as being in the local
zone. For example, http://ai./ is correctly put in the Internet Zone.
However, if the request is made to http://ai/ instead, the site will be
considered to be in the Local Intranet Zone.
2.3. All/Other Microsoft Software Issues
2.3.1. Office 2000 Service Release 1 available
Microsoft released Service Release 1 for Office 2000. This service
release fixes a number of problems with Office 2000. The entire list of
fixes is far too long to list here. For the full details, see:
http://support.microsoft.com/support/kb/articles/q245/0/21.asp
The update seems to have focused on bug fixes and security enhancements.
For example, Microsoft Outlook has been updated to support S/MIME v. 3.
In addition, a bug with the Office Server Extensions (OSE) when
installed on Windows 2000 was fixed in this update. The bug was that
the administration pages for OSE were by default accessible by everyone.
The update can be installed from Office Update. However, doing so is
clumsy and slow. Microsoft will also publish a CD version of the update.
For more information on that, see Office Update at:
http://officeupdate.microsoft.com
You may also download an "administrators installation" version as a
single file that contains all of the updates. This is available from:
http://www.microsoft.com/office/ork/2000/appndx/toolbox.htm#o2sr1au
Strangely enough, the full version is not available from MSDN Subscriber
Downloads. The version on MSDN Subscriber Downloads is merely the stub
to start the network installation that you can also get from the Office
Update.
2.3.2. A recap of automatic SMB connection vulnerabilities
A recent posting to BugTraq (http://www.securityfocus.com) and
Win2KsecAdvice discussed a very old vulnerability in Windows and
multiple applications, including IE and Netscape. The issue is that
these applications will automatically transmit the user's username and
password hashes to any server that requests authentication. This issue
was actually discovered over three years ago. However, it is probably
worth pointing it out again since its recent exposure on the lists will
probably mean that more sites requesting this authentication will
surface. This would also be a good time to check over your security
practices and make sure that all of your clients are set to only send
the NTLMv2 hash when authenticating. This will keep them from sending
the easily crackable LanMan and NTLM hashes to untrusted servers without
the user's knowledge. Remember too that if you are running an old
version of Windows 95, you are especially vulnerable since it will
actually send the plaintext password if asked. Unfortunately, very large
installations that are still vulnerable to this continue to exist. Check
out the following articles for more information:
http://support.microsoft.com/support/kb/articles/Q165/4/03.ASP
http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP
If you have followed the recommendations outlined in the SANS NT
Security Step-by-Step guide, you are not vulnerable.
2.3.3. Enumerate root directories on IIS
Yet another way to enumerate root directories on IIS was reported by
Jason Lutz. If you request a .idq file from a web server that is rooted on a
share, the web server will respond that the file "\\server\share\file
is on a network share" and further inform you that .idq, .ida, and .htx
files cannot be stored on network shares. This is apparently true of
IIS 4 and 5.
2.3.4. Insecure password storage mechanism in SQL Server 7.0
The ISS X-Force team reported this month that SQL Server 7.0 under
certain circumstances stores passwords and usernames for the Database
Administrator insecurely. If a SQL Server uses mixed mode
authentication, and the "always prompt for password" option is not
selected, the password is stored in the registry when a new database is
registered. The exact location in the registry is in the user hive of
the DBA. The encryption mechanism used is a simple substitution cipher.
Since the password is stored in the user hive, roaming profiles
aggravate the problem. In that case, the user hive is copied to every
workstation that the DBA logs onto. Microsoft is aware of the problem,
but has not produced a solution as of this time. Currently, the
recommended workaround is to either select the "always prompt for
password" option, or, which is preferred, to use integrated security.
3. Third-party software issues
3.1. Buffer overflows discovered this month were reported in the table
of contents above.
3.2. TrendMicro OfficeScan - Several holes uncovered
Gregory Duchemin uncovered a number of holes in TrendMicro's OfficeScan
network virus scanner product. The most serious hole may be that the
management interface is usable without authentication. OfficeScan's
management interface is a set of CGI applications running on an
administration server. The normal way to access these CGIs is through
a start page, which requires authentication. However, any regular user
can access the individual CGIs directly, without authentication, because
they have no concept of a session. An attacker could use these CGIs to
remotely uninstall any arbitrary OfficeScan workstation agent. Trend
has released a patch for OfficeScan 3.51. The patch works by securing
the actual CGI executables using NTFS permissions. The problem with the
patch is that the default setting is to only allow the NT Administrators
group access to the programs. Thus, if you apply the patch, any
OfficeScan administrator also has to be an administrator on the web
server where the executables are installed. It appears that this is the
only thing the patch does. Therefore, you may want to secure the
executables manually if you want to allow non-NT Administrators to
administer OfficeScan.
A few other vulnerabilities were also found in OfficeScan. Gregory
Duchemin discovered that, using a very specific command, an attacker
could remotely uninstall the OfficeScan client from an arbitrary
workstation, without accessing the administration interface.
Furthermore, remote attackers can initiate and stop scans. Lastly, by
modifying the configuration files and the registry, regular users may be
able to move the OfficeScan quarantine directories so that infected
files are written anywhere on the file system, and to modify the file
types scanned. Many of these vulnerabilities stem from loose permissions
on a registry key:
Hive: HKEY_LOCAL_MACHINE
Key: \Software\TrendMicro\PCCilin-NTCORP\CurrentVersion\Real Time Scan
Trend has released a patch for this vulnerability as well as a few
others. It is available at:
http://www.antivirus.com/download/ofce_patch.htm
For more information, see the TrendMicro security bulletin at:
http://www.antivirus.com/download/ofce_patch_35.htm
3.3. HP Openview Omniback - Remotely exploitable NT DoS due to memory
leak
Jon Hittner discovered a remotely exploitable DoS attack in HP Openview
Omniback. Omniback apparently has no limitation on how many connections
it will accept on port 5555. Furthermore, if a connection is closed,
Omniback fails to release any memory resources used by that connection.
Once the system runs out of memory, Windows NT will halt. Therefore, an
attacker could actually cause a DoS on Windows NT through Omniback by
simply opening a large number of connections to port 5555. HP has not
released a patch for this problem as of this writing.
3.4. ISS RealSecure - current version fails to detect certain modified
attacks
Stephane Aubert reported that the current version of ISS RealSecure
fails to detect certain modified attacks. Examples include a modified
Teardrop attack. In addition, RealSecure does not detect the Whisker
CGI scanning tool. ISS is aware of these issues and is addressing them
in the next major release.
3.5. Norton Antivirus 7.0 Corporate Edition might interfere with roaming
profiles
Peter Heath reported this month that Norton Antivirus 7.0 might
interfere with roaming profiles for regular users. If NAV is installed
on a workstation, the roaming profile seldom gets uploaded to the server
when the user logs off. Symantec has been notified, but we are unaware
of a solution at this time. Unfortunately, the only current workaround
involves removing Norton Antivirus.
3.6. Norton AntiVirus for Internet Email Gateways remotely exploitable
crash
This vulnerability, reported by Paul VanDyke, can be used to crash the
Norton AntiVirus for Internet E-mail Gateways virus scanner. This
product apparently uses a web server for configuration after
installation. A very long URL passed to that web server will cause the
product to crash. We are unaware of any fixes at this point.
3.7. Netscape Enterprise Server vulnerable to Cross Site Scripting
attack
Marc Slemko reported that Netscape Enterprise Server is vulnerable to
a Cross Site Scripting attack. The problem arises from the fact that
the web server will present whatever is sent in the Referer header back
to the client in the 404 Not Found page. Thus, by pointing unassuming
users at a non-existent page on a trusted server and specifying
malicious code in the HTTP Referer header field, an attacker could
cause arbitrary scripts to be executed from the trusted server on the
users' machines. This problem was one of several cross-site scripting
related issues. For the entire list, see the original BugTraq posting
at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-8&msg=Pine.BSF.4.20.0003122017090.511-100000@alive.znep.com
A similar problem may affect IIS 5.0 as well.
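The failure mode above, as an added example that is not part of the original digest or of Netscape's code: a 404 page renderer that echoes the raw Referer next to one that only echoes an http(s) URL and HTML-escapes it. The sample Referer values are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed sample Referer values (not from the advisory): a normal one,
# one carrying markup, and one using a non-http scheme.
SAMPLE_REFERERS = [
    "http://intranet.example/docs/index.html",
    '<script>alert("xss")</script>',
    "javascript:alert(1)",
]


def render_404_vulnerable(path: str, referer: str) -> str:
    """Echo the raw Referer into the page, the behaviour described for
    Netscape Enterprise Server: any markup in the header is rendered."""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>{path} was not found. You came from: {referer}</p>"
        "</body></html>"
    )


def safe_referer(referer: str) -> str:
    """Only echo an http(s) URL with a host, and HTML-escape it so that it
    can never be interpreted as markup or break out of an attribute."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    return html.escape(referer, quote=True)


def render_404_hardened(path: str, referer: str) -> str:
    """Same page, with both user-controlled values filtered and escaped."""
    origin = safe_referer(referer)
    back = f' You came from: <a href="{origin}">{origin}</a>' if origin else ""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>{html.escape(path, quote=True)} was not found.{back}</p>"
        "</body></html>"
    )


def contains_script(page: str) -> bool:
    """Crude marker used to compare the two renderers on the same input."""
    return "<script" in page.lower()
```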
3.8. Oracle Application Server remote execution vulnerability
A vulnerability was discovered in the Oracle Web Listener portion of
Oracle Application Server by the Cerberus Security team. The
vulnerability stems from the existence of a number of batch files in
the ows-bin directory that is created when the Oracle Application Server
is installed. This directory contains a number of dangerous files, which
can be called by an attacker to execute commands on the server. The
commands will execute in the context of the user running the Oracle Web
Listener; by default the SYSTEM account.
The Cerberus Security Team recommends as a work-around that the ows-bin
directory be repointed to another path. For more information, see:
http://www.cerberus-infosec.co.uk/advowl.html
3.9. Firewall-1 may leak private addresses to the outside
Chris Brenton released an advisory that certain versions of Firewall-1
may leak private IP addresses. Under certain loads it appears that the
private address is not translated on the first try. When the client does
not receive a response, it resends and Firewall-1 translates the IP
address but uses the same source port. The server, or anyone in between,
would now have the information to map the source port to a private IP
address.
A workaround is to set up egress filtering to catch any private address
information being passed across the border. A how-to document on how to
do that is available at http://www.sans.org/y2k/egress.htm
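The egress check described above, as an added example that is not part of the original digest or of the SANS how-to: flows leaving the border are dropped when their source is an untranslated RFC 1918 address, and a detection routine flags the pattern from the advisory (a private source port that later reappears behind a public address). The flow records are constructed.

```python
import ipaddress

# RFC 1918 ranges that must never be the source of a packet leaving the border.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed outbound flow records as a border sensor might log them:
# (source address, source port, destination address, destination port).
# Records 2 and 3 show the advisory's pattern: port 40002 first leaves
# untranslated, then again behind the firewall's public address.
SAMPLE_FLOWS = [
    ("203.0.113.10", 40001, "198.51.100.5", 80),
    ("192.168.1.25", 40002, "198.51.100.5", 80),
    ("203.0.113.10", 40002, "198.51.100.5", 80),
    ("10.4.7.9", 40003, "198.51.100.7", 443),
]


def is_private_source(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PRIVATE_NETS)


def egress_filter(flows):
    """Split flows into those allowed out and those an egress filter drops
    because their source is still a private address."""
    allowed, dropped = [], []
    for flow in flows:
        (dropped if is_private_source(flow[0]) else allowed).append(flow)
    return allowed, dropped


def detect_leaks(flows):
    """Detection over what was seen on the outside: map each source port that
    appeared with a private source and then with a public one, which is the
    correlation the advisory says an observer could make."""
    private_by_port = {f[1]: f[0] for f in flows if is_private_source(f[0])}
    public_ports = {f[1] for f in flows if not is_private_source(f[0])}
    return {p: a for p, a in private_by_port.items() if p in public_ports}
```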
3.10. Sojourn Search Engine can be used to access any file local to the
web server
The Cerberus Security Team announced a vulnerability in the Sojourn
Search Engine (http://www.generationterrorists.com/details.html).
Requests for information from the search engine's catalogs are passed
in the URL. If a %00 is appended to the request, any file, regardless
of file extension, can be requested. In addition, the search engine will
follow .. directory traversal requests. Thus, this vulnerability could
be used to access any file on the same partition as the search engine
executable.
The suggested workaround is to disable the search engine until the
vendor has completed a fix.
3.11. Directory traversal vulnerability in vqserver
Johan Nilsson reported that the vqserver web server
(http://www.vqsoft.com) version 1.9.9 will follow .. directory traversal
requests in a URL request. This would allow an attacker access to any
file on the server.
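Both the %00 truncation in 3.10 and the ".." traversal in 3.10 and 3.11 come from the same missing check, so here is one added example (not part of the digest or of either product) that shows a resolver emulating the reported behaviour beside a hardened one. The document root, extensions and file names are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root and allowed catalog extensions (not from the advisories).
DOC_ROOT = "/srv/search/catalogs"
ALLOWED_EXTENSIONS = {".cat", ".txt"}


class RequestRejected(Exception):
    pass


def resolve_vulnerable(raw_param: str) -> str:
    """Emulates the reported behaviour: the extension is checked on the
    decoded string, but the file is then opened through a C-style API that
    stops at the first NUL, and '..' is passed straight through."""
    name = unquote(raw_param)
    if posixpath.splitext(name)[1] not in ALLOWED_EXTENSIONS:
        raise RequestRejected("extension not allowed")
    c_string = name.split("\x00", 1)[0]
    return posixpath.join(DOC_ROOT, c_string)


def resolve_hardened(raw_param: str) -> str:
    """Reject NUL bytes outright, check the extension on the whole decoded
    name, then normalise and confirm the result stays under DOC_ROOT."""
    name = unquote(raw_param)
    if "\x00" in name:
        raise RequestRejected("NUL byte in path")
    if name.startswith("/") or "\\" in name:
        raise RequestRejected("absolute or backslash path")
    if posixpath.splitext(name)[1] not in ALLOWED_EXTENSIONS:
        raise RequestRejected("extension not allowed")
    full = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if not full.startswith(DOC_ROOT + "/"):
        raise RequestRejected("path escapes document root")
    return full


def is_rejected(resolver, raw_param: str) -> bool:
    """True when the resolver refuses the request."""
    try:
        resolver(raw_param)
    except RequestRejected:
        return True
    return False
```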
3.12. Citrix ICA easily crackable passwords
Dug Song reported this month that the ICA protocol (Independent
Computing Architecture) available with Citrix terminal server products
uses very poorly encrypted passwords. The encryption algorithm is a
variant on XOR encryption, and is easily reversible. Weld Pond and Chris
Knight suggested workarounds for various clients. For Windows and DOS
clients you can use Secure ICA, which uses better encryption. For
Macintosh, Unix, and Java clients, Secure ICA is not available. However,
with certain limitations, you may use an SSH tunnel for those clients
by forwarding port 1494 to the ICA server. However, this will not work
with the browser service, so the clients are somewhat limited in
functionality. A VPN solution may work better.
4. Tip of the month: Get an Explorer window to run as an Administrator
The Run As... feature is a very useful tool to Administrators since it
allows us to run our systems as less privileged users and then elevate
those privileges when we need to. However, there appears to be no way
to get a Windows Explorer window to open as an Administrative user; that
is until we realize that we can open Internet Explorer as an
Administrator. Once you have an Internet Explorer window open, go to
the View Menu:Explorer Bar:Folders, and you get a folder list. Your
Internet Explorer now "became" a Windows Explorer, running as an
Administrator. To leverage this you just have to shift-click on an
Internet Explorer Icon, for example in the Quick Launch toolbar and
select to run it as an Administrator. Once you have Explorer open, you
can now access anything normally available within an Explorer window,
such as the administrator's Desktop, and the Control Panels.
Note that you want to be certain that you realize the ramifications of
opening a window as an Administrator. See item 2.1.6 for more on that.
However, finding useful "bugs" makes our life much more interesting; at
least until Microsoft fixes the features that we use.
=======================================================================
The SANS Windows Security Digest is provided at no cost to those people
who attend SANS and SANS Network Security conferences. Others may
subscribe for a small annual fee. To subscribe, email digest@sans.org
with the subject NT Digest.