Subject: Security Alert Consensus #040
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 13 2000 - 16:25:55 CDT


To: Security Express (SD397643)
Re: Your personalized newsletter

                      -- Security Alert Consensus --
                             Number 040 (00.16)
                         Thursday, April 13, 2000
                            Created for you by
                  Network Computing and the SANS Institute

------------------------------------------------------------------------
Welcome to SANS's distribution of the Security Alert Consensus.
 
This newsletter is customizable by software/OS of interest. Visit the
edit page at http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa
to change your preferences or any other personalized information.

------------------------------------------------------------------------

This issue sponsored by Symantec

New Enterprise Security Web Site Launched!
Symantec provides content security solutions including antivirus,
Internet content/e-mail filtering and mobile code detection. For
up-to-the-minute information regarding enterprise security issues you
are facing, visit our Web site at:
http://www.symantec.com/specprog/sym/08302000.html

------------------------------------------------------------------------
                
The TrustedBSD Extensions project, announced this week, aims to add
system extensions to FreeBSD to help it meet Orange Book B1 evaluation
criteria. More information can be found at http://www.trustedbsd.org/.

Another interesting project, Sentinel, cropped up last week. Similar
to L0pht's AntiSniff, Sentinel attempts to remotely detect systems with
interfaces in promiscuous mode. It is available at
http://www.packetfactory.net/Projects/sentinel/.

For those of you attempting to ride the cutting edge, beta versions of
Netscape 6 have been made available. However, a denial of service has
already been found. As a rule of thumb, we will try to avoid reporting
on vulnerabilities found in alpha/beta versions.
http://archives.neohapsis.com/archives/technotronic/2000-q2/0000.html

Until next week,
- Security Alert Consensus Team

------------------------------------------------------------------------
                
------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.16.003} Xitami Web server vulnerabilities
--> {00.16.010} Win2K weak permissions with OEMPreinstall option
--> {00.16.014} pcAnywhere premature connection termination DoS
--> {00.16.001} Update to {00.13.007}: kreatecd local root compromise
--> {00.16.002} Update to {00.14.006}: gpm-root doesn't drop root
                privileges
--> {00.16.012} DoS with Linux trustees kernel patch
--> {00.16.007} Update to {00.12.021}: ircII DCC chat buffer overflow
--> {00.16.015} PHNE_21261: Network data misdirection
--> {00.16.005} UnixWare telnet and FTP environment variable buffer
                overflows
--> {00.16.006} NBase-Xyplex EdgeBlaster WAN router DoS
--> {00.16.008} BeOS crashes on system call with invalid parameters
--> {00.16.009} BeOS TCP/IP / Networking process crash
--> {00.16.004} WebObjects denial of service
--> {00.16.011} CryptoAdmin/CryptoCard PT-1 Palm OS token vulnerability
--> {00.16.013} healthd local privilege elevation

--- Windows News -------------------------------------------------------

--> {00.16.003} Xitami Web server vulnerabilities

iMatix's Xitami Web server versions prior to 2.4d7 and 2.5b3 contain a
denial of service where a remote attacker can crash the Xitami service
by sending a malformed GET request. A report has also surfaced
indicating the included testcgi.exe application contains a buffer
overflow that allows for the execution of arbitrary code.

Update to version 2.4d7 or 2.5b3 to correct the denial-of-service issue;
we suggest removing testcgi.exe as well.

Source: iMatix (Vuln-Dev)
http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0029.html
http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0027.html

--> {00.16.010} Win2K weak permissions with OEMPreinstall option

When an unattended installation of Windows 2000 is performed with the
OEMPreinstall option, the installation fails to secure the permissions
on the 'All Users' and 'Default Users' directories. This would let an
attacker plant Trojan horse files that affect other local users.

No official patches have been made available. Because the normal
installation of Windows 2000 has secure permissions on the indicated
directories, it's just a matter of correcting the permissions (remove
write access except for Administrators and System).
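A way to check for the weak permissions described above, as an added PowerShell example that is not part of the original newsletter: it lists every Allow entry on the two profile directories that grants write-type rights to a principal other than Administrators or SYSTEM. The profile root path and directory names are assumptions for a default Windows 2000 layout; adjust them to your system.

```powershell
# Added example, not from the newsletter: audit the profile directories that an
# OEMPreinstall unattended setup leaves weakly protected and report any Allow
# entry granting write-type rights to a principal other than Administrators or
# SYSTEM (the two the newsletter says should keep write access).

# Assumption: default Windows 2000 profile root; adjust if yours differs.
$ProfileRoot = Join-Path $env:SystemDrive 'Documents and Settings'

# Directories named in the advisory; 'Default User' is the spelling the
# directory usually carries on disk, so both spellings are checked.
$ProfileDirs = @('All Users', 'Default Users', 'Default User')

# Principals allowed to keep write access.
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Rights that let a principal add, replace or delete files, or loosen the ACL.
# Read-type bits and Synchronize are left out on purpose to avoid false hits.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Generic rights can appear in inherited entries: GENERIC_WRITE and GENERIC_ALL.
$GenericWriteMask = 0x40000000 -bor 0x10000000

function Get-WeakProfileAce {
    param([string[]] $Directories = ($ProfileDirs | ForEach-Object { Join-Path $ProfileRoot $_ }))
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $rights = [int]$ace.FileSystemRights
            $grantsWrite = (($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)
            if ($grantsWrite -and ($TrustedPrincipals -notcontains $ace.IdentityReference.Value)) {
                [PSCustomObject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Run the audit; an empty result means only Administrators and SYSTEM can write.
Get-WeakProfileAce | Format-Table -AutoSize
```

Each entry the audit prints is one to remove (or to replace with a read-only entry) so that the directories match the permissions a normal Windows 2000 installation sets.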

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0027.html

--> {00.16.014} pcAnywhere premature connection termination DoS

pcAnywhere versions 8.0 and 9.0 contain a denial of service where an
attacker can terminate/cancel the connection before prompted to log in,
causing the service to crash. Various reports indicate that it may take
a few disconnections before the service crashes.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0031.html

--- Linux News ---------------------------------------------------------

--> {00.16.001} Update to {00.13.007}: kreatecd local root compromise

SuSE has released updated packages for {00.13.007} ("kreatecd local root
compromise"). The updated packages fix a local buffer overflow that
allows for root privilege elevation.

Download the updated packages:

ftp://ftp.suse.com/pub/suse/axp/update/6.4/kpa1/
  kreatecd-0.3.8b-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/
  kreatecd-0.3.8b-0.i386.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kpa1/
  kreatecd-0.3.8b-0.ppc.rpm

Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2000-q2/0032.html

--> {00.16.002} Update to {00.14.006}: gpm-root doesn't drop root
                privileges

SuSE has released updated packages for {00.14.006} ("gpm-root doesn't
drop root privileges"). The updated packages fix a local buffer
overflow in gpm-root that allows for root access.

Download the updated packages:

ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/
  gpm-1.18.1-44.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/ap1/
  gpm-1.18.1-44.alpha.rpm
ftp://ftp.suse.com/pub/suse/i386/update/5.3/ap1/
  gpm-1.18.1-44.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/
  gpm-1.18.1-44.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/
  gpm-1.18.1-44.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/
  gpm-1.18.1-45.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/
  gpm-1.18.1-44.i386.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.3/ap1/
  gpm-1.18.1-44.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/
  gpm-1.18.1-48.ppc.rpm

Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2000-q2/0031.html

--> {00.16.012} DoS with Linux trustees kernel patch

The Linux trustees kernel patch version 1.5 has been found to cause
processes to hang when working with an abnormally long file name. The
process becomes unkillable, and all processes that attempt to access
information on the hung process (via /proc or the like) wind up
SEGFAULTing.

For those who don't know, the Linux trustees kernel patch provides
NetWare-like file system permissions to Linux.

Version 1.6 of the trustees patch corrects the vulnerability. It is
available at:
http://www.braysystems.com/linux/trustees.html

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0035.html

--- BSD News -----------------------------------------------------------

--> {00.16.007} Update to {00.12.021}: ircII DCC chat buffer overflow

FreeBSD has released an updated port of ircII that corrects a
vulnerability described in {00.12.021} ("ircII DCC chat buffer
overflow"). The vulnerability allows a remote attacker to execute
arbitrary code on the user's system via DCC chat.

Download the updated port:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-3-stable/irc/ircII-4.4S.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-3-stable/irc/ircII-4.4S.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/irc/ircII-4.4S.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/irc/ircII-4.4S.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-04/0064.html

--- HP-UX News ---------------------------------------------------------

--> {00.16.015} PHNE_21261: Network data misdirection

HP has released patch PHNE_21261 for HP-UX version 11.04 (VVOS). The
patch corrects a bug where an interface configured with aliased IP
addresses may misdirect incoming network data to the wrong unprivileged
process.

Apply patch PHNE_21261.

Source: HP (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-04/0021.html

--- SCO News -----------------------------------------------------------

--> {00.16.005} UnixWare telnet and FTP environment variable buffer
                overflows

SCO has released SSE065, SSE066 and SSE067. These new SSEs correct
buffer overflows found in telnet and FTP that allow for the execution
of arbitrary code due to large environment variables.

Apply the appropriate SSE:

SSE067 (FTP) - UnixWare 7.0.0
SSE066 (FTP) - UnixWare 7.0.1 - 7.1.1
SSE065 (telnet) - UnixWare 7.0.0 - 7.1.1

Source: SCO
ftp://ftp.sco.com/SSE/

--- Network Appliances News --------------------------------------------

--> {00.16.006} NBase-Xyplex EdgeBlaster WAN router DoS

A denial of service has been found in NBase-Xyplex's EdgeBlaster WAN
router. The router stops responding when a Web CGI scanner is run
against it.

No patches have been made available. NBase-Xyplex has been notified
and is researching the issue.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0022.html

--- Other News ---------------------------------------------------------

--> {00.16.008} BeOS crashes on system call with invalid parameters

BeOS versions 4.5.x and 5.0 have been found to crash when making a
direct system call (via interrupt 37), passing invalid parameters to
the system call.

This bug is already logged with Be:
http://bebugs.be.com/devbugs/detail.php3?oid=2324160

However, it has not been corrected.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0038.html

--> {00.16.009} BeOS TCP/IP / Networking process crash

It is possible to perform a denial of service against the BeOS TCP/IP
stack (part of the networking process). A remote attacker can send
specially crafted TCP packets that will cause the networking process to
crash.

This bug has been logged with Be; however, an update/patch is *not*
expected because Be has indicated the entire networking process is being
redeveloped.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0029.html

--- Cross-Platform News ------------------------------------------------

--> {00.16.004} WebObjects denial of service

A report has indicated WebObjects version 4.5 Development for NT will
crash when sent an HTTP request with 4.1 KB of header information.
WebObjects version 4.5 for Solaris, and supposedly the Deployment
versions, do not have this denial-of-service problem. The DoS situation
is due to a buffer overflow, and it is presently unclear whether it is
possible to execute arbitrary code.

According to the report, Apple suggests you upgrade to the Deployment
version to correct the bug.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0020.html

--> {00.16.011} CryptoAdmin/CryptoCard PT-1 Palm OS token vulnerability

The CryptoCard PT-1 token software version 1.04 for the Palm OS (to be
used with the CryptoAdmin server software) has been found to insecurely
contain the user's PIN within the generated .PDB (Palm OS application).
This means an attacker can retrieve the .PDB either from the Palm OS
unit or from the desktop used to generate and load it onto the Palm OS
unit, extract the PIN, and generate token responses identical to those
of the legitimate user.

No solutions have been made available. For now, physical security of
Palm OS units is advised. You should also verify that the generated
CryptoCard .PDB is deleted from the desktop system once it has been
loaded onto the Palm OS unit.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0033.html

--> {00.16.013} healthd local privilege elevation

The FreeBSD healthd port version 0.3 was found to contain a buffer
overflow that lets local users gain root privileges. Healthd monitors
the environmental status of particular motherboards (temperature, fan
speed, etc.).

FreeBSD found and corrected the issue. However, healthd is a
third-party utility ported to FreeBSD, so this vulnerability may exist
on other platforms and BSD distributions.

Update your healthd port:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-3-stable/sysutils/healthd-0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-3-stable/sysutils/healthd-0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/sysutils/healthd-0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/sysutils/healthd-0.3.tgz

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-04/0065.html

------------------------------------------------------------------------

                
If this e-mail was forwarded to you and you would like to subscribe,
see http://www.sans.org/sansnews/.
 
If you'd like to change your e-mail address or other information, or to
unsubscribe from this newsletter, please visit your personalized URL:
          http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
the SANS Institute (http://www.sans.org).