Subject: Security Alert Consensus #041
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 20 2000 - 14:10:10 CDT


To: Security Express (SD397643)
Re: Your personalized newsletter

                     -- Security Alert Consensus --
                             Number 041 (00.17)
                         Thursday, April 20, 2000
                            Created for you by
                  Network Computing and the SANS Institute

------------------------------------------------------------------------

Welcome to SANS's distribution of the Security Alert Consensus.
 
This newsletter is customizable by software/OS of interest. Visit the
edit page at http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa
to change your preferences or any other personalized information.

------------------------------------------------------------------------
                
This issue sponsored by Symantec

New Enterprise Security Web Site Launched!
Symantec provides content security solutions including antivirus,
Internet content/e-mail filtering and mobile code detection. For
up-to-the-minute information regarding enterprise security issues you
are facing, visit our Web site at:
http://www.symantec.com/specprog/sym/08302000.html

------------------------------------------------------------------------
                
Well, if you have been watching the digital technology media sites over
the weekend, you probably have seen articles on the "backdoor" in
Microsoft FrontPage server components. In the end, it turns out there's
a buffer overflow in dvwssr.dll that is more severe than the originally
reported vulnerability (reading files). Abusing it still requires special
permissions, however, so how much of a problem it really is remains
under debate. The interesting part is the involvement of a string in the
.dll that reads "Netscape engineers are weenies!"
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0015.html

I wanted to take a few moments to go over the subscription category
options, as we've been receiving lots of messages as of late.

Many of you are worried that we are not going to cover a particular OS
or platform simply because we do not have a category for it. This is
incorrect. We have purposely included an "Other" category for this
reason. We report on all publicly disclosed security-related
vulnerabilities we can find, regardless of subscription categories. The
categories allow you to filter the content to better suit your needs.

So do we specifically cover Cisco IOS? Yes. Cisco product
vulnerabilities are classified under "Network Appliances." Do we include
problems with MacOS? Absolutely. They would be found under "Other."
Why do we not have specific MacOS and IOS categories? For the same
reason we do not have QNX, Nortel, DGUX and so on: having a specific
category for each vendor would become a management nightmare, and the
number of vulnerabilities related to some platforms is extremely small
(fewer than six per year). Therefore, it's much more efficient to have
more general categories ("Network Appliances," "Other" and so on) and
include many vendors under them. But we still do include security
vulnerabilities for QNX, Nortel and DGUX.

A few people inquired why we don't include more problems associated with
a particular vendor. Well, to put it frankly, if there are no problems,
then there's nothing for us to include. Be happy that, in the meantime,
your system is secure. :)

Lastly, this month has us seeing a lot of cross-platform
vulnerabilities. Many are Web-based applications that run on Unix and
Windows, and others are open-source applications that run on the various
Unix flavors. Just a reminder that you should consider subscribing to
the "Cross-Platform" category in addition to your native platform
category, as that may contain additional alerts for your platform.

Until next week,
Security Alert Consensus Team

------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.17.001} MS00-023: patch for IIS "myriad escape characters" DoS
--> {00.17.002} MS00-024: fix for "OffloadModExpo" registry permissions
--> {00.17.003} MS00-025: link view server-side component fix
--> {00.17.014} AVM's Ken! ISDN proxy vulnerabilities
--> {00.17.017} IE 5 Java malicious Web proxy
--> {00.17.018} TrendMicro Interscan DoS
--> {00.17.012} Update to {00.02.018}: Local root access in (Linux)
                userhelper
--> {00.17.016} Xwindows xfs DoS
--> {00.17.007} Performance Copilot vulnerabilities
--> {00.17.013} QNX crypt() weakness
--> {00.17.004} Update to {00.13.012}: mhshow (mh/nmh) buffer overflow
--> {00.17.005} UW imapd LIST buffer overflow
--> {00.17.006} XFree86 xkbmap parameter buffer overflow
--> {00.17.008} BizDB search CGI command execution
--> {00.17.009} Infonautics getdoc.cgi unauthorized document access
--> {00.17.010} TalentSoft webplus CGI allows recursive file reading
--> {00.17.011} Multiple vulnerabilities in Dansie shopping cart CGI
--> {00.17.015} StarOffice crashes on corrupt files

--- Windows News -------------------------------------------------------

--> {00.17.001} MS00-023: patch for IIS "myriad escape characters" DoS

Microsoft has released MS00-023 ("Patch Available for Myriad Escape
Characters Vulnerability"). This patch corrects a denial of service
vulnerability in IIS 4.0 and 5.0 in which an attacker can submit an
overly complex encoded URL, which takes the server extra time to
process. By submitting many of these URLs at once, an attacker can
effectively cause a denial of service situation.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-023.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0006.html
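The bulletin above describes the problem only as "overly complex encoded
URLs" that cost the server extra processing time. The following is an
added example, not code from Microsoft or from this newsletter, of the
defensive control a front-end proxy or request filter can apply: put a
hard bound on how many percent-escapes a URL may carry and on how many
rounds of decoding it gets, and reject anything that exceeds either.
The threshold values, the request lines and the policy itself are
assumptions constructed for the example; they are not what IIS or
MS00-023 specify.

```python
import re
from urllib.parse import unquote

# Assumed local policy values, not anything IIS or MS00-023 specifies.
MAX_ESCAPES = 64          # more percent-escapes than this in one URL is suspicious
MAX_DECODE_ROUNDS = 2     # decode at most twice; deeper nesting is refused

ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample request lines (made up for this example; not from any real log).
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /scripts/search.asp?q=caf%C3%A9 HTTP/1.0",
    "GET /" + "%252525" * 80 + "default.htm HTTP/1.0",
]


def escape_count(url):
    """Number of syntactically valid percent-escapes in the raw URL."""
    return len(ESCAPE_RE.findall(url))


def decode_bounded(url, limit=MAX_DECODE_ROUNDS):
    """Percent-decode until the string stops changing or `limit` rounds are used.

    Returns (decoded, rounds_used, still_encoded). still_encoded is True when
    another round would change the string again, i.e. nesting deeper than the limit.
    """
    current = url
    for rounds in range(1, limit + 1):
        nxt = unquote(current)
        if nxt == current:
            return current, rounds, False
        current = nxt
    return current, limit, unquote(current) != current


def classify_request(line):
    """Return 'accept', 'reject' or 'malformed' for one request line."""
    parts = line.split()
    if len(parts) < 2:
        return "malformed"
    url = parts[1]
    if escape_count(url) > MAX_ESCAPES:
        return "reject"
    _, _, still_encoded = decode_bounded(url)
    return "reject" if still_encoded else "accept"


def triage(lines):
    """Map each request line to its verdict; handy for running over a log excerpt."""
    return {line: classify_request(line) for line in lines}


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_REQUESTS).items():
        print(verdict.upper(), line[:60])
```

The point of bounding the decode rounds separately from the escape
count is that a short URL can still hide several layers of encoding;
rejecting at the edge costs a regex scan, whereas letting the server
unwind it costs the work the bulletin describes.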

--> {00.17.002} MS00-024: fix for "OffloadModExpo" registry permissions

Microsoft has released MS00-024 ("Tool Available for OffloadModExpo
Registry Permissions Vulnerability"). The registry permissions on a
particular listing of drivers for hardware-based cryptographic
accelerators would allow a malicious local interactive user to install
a Trojan .dll, which would receive all private cryptographic keys of
every subsequent user.

FAQ and tool:
http://www.microsoft.com/technet/security/bulletin/fq00-024.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0007.html

--> {00.17.003} MS00-025: link view server-side component fix

Microsoft has released MS00-025 ("Procedure Available to Eliminate Link
View Server-Side Component"). Dvwssr.dll, which is installed by default
with the NT 4 Option Pack, Personal Web Server versions 95 and 98, and
Front Page 98 Server Extensions, contains a buffer overflow that could
let malicious users with Web authoring permissions execute arbitrary
code on the system. Note that dvwssr.dll is the component recently
featured in the news for containing a backdoor. Microsoft does not
consider the backdoor itself to be a vulnerability; since the same .dll
also contains the more severe buffer overflow, we suggest removing the
.dll regardless, which corrects both situations.

Microsoft recommends deleting all instances of dvwssr.dll. This will
break the generation of link views in InterDev version 1.0. Further
information can be found in the FAQ:
http://www.microsoft.com/technet/security/bulletin/fq00-025.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0010.html
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0015.html

--> {00.17.014} AVM's Ken! ISDN proxy vulnerabilities

AVM's Ken! ISDN proxy/gateway software includes a Web server listening
on port 3128. A denial of service is possible by sending random garbage
data to the service; it is also possible to read arbitrary files on the
system by using '..' notation for HTTP file requests.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0073.html

--> {00.17.017} IE 5 Java malicious Web proxy

Internet Explorer version 5.0 has been reported to be vulnerable to a
variation of a previous bug found in older versions of IE. The bug
allows a malicious Web server to give a Java applet to a user, and then
use that Java applet to access other Web servers via that user's
desktop, possibly behind a firewall.

However, we'd like to state that at this point in time, we have two
reports: one indicating the vulnerability and one indicating they can't
reproduce it.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0081.html

--> {00.17.018} TrendMicro Interscan DoS

TrendMicro's Interscan version 3.32 for NT has been found to contain
(another) denial of service situation, in which an attacker can crash
the SMTP service by issuing a HELO command of 4075 characters. It is
unclear at this time if it is possible to execute arbitrary code.

TrendMicro has a patch available to correct the problem; however, it
has not yet been publicly released.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0087.html

--- Linux News ---------------------------------------------------------

--> {00.17.012} Update to {00.02.018}: Local root access in (Linux)
                userhelper

TurboLinux has released updated PAM packages that correct a
vulnerability that would allow local users to gain root privileges.

Updated packages:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/
  pam-0.72-3.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/
  usermode-1.18-1.i386.rpm

Source: TurboLinux (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-04/0065.html

--> {00.17.016} Xwindows xfs DoS

A recent report has indicated that it is possible to crash the xfs
shipped with RedHat version 6.x, which would lead to a denial of service
situation for Xwindows. It is unclear at this moment if other Linux
distributions are affected.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0079.html

--- SGI News -----------------------------------------------------------

--> {00.17.007} Performance Copilot vulnerabilities

The Performance Copilot package version 2.1 included with IRIX version
6.5 has been found to be enabled by default, with all remote access
restrictions disabled. This means an attacker can query your machine
for disk configuration and process information. Further, a denial of
service exists whereby an attacker can crash the daemon and consume
large amounts of memory.

SGI is working on a patch. In the interim, it's suggested you append
the following configuration lines to the end of your /etc/pmcd.conf:

[access]
allow localhost: all ;
disallow * : all;

This will enable access restriction. If you do not use Performance
Copilot, then you can disable the service entirely.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0056.html

--- Other News ---------------------------------------------------------

--> {00.17.013} QNX crypt() weakness

The crypt() functionality provided with QNX has been found to use a
simple encoding, and not cryptographically strong hashes. Therefore,
it is possible to derive the plaintext from crypt()ed data.

Note that many network appliances use embedded versions of QNX; one
example would be the IOpener appliances.

No patches have been made available. This vulnerability requires an
attacker to be able to retrieve the crypt()ed data (such as the password
hashes), so proper system and file restriction should still be enforced.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0072.html
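The item above turns on one distinction: a stored credential produced by
a reversible encoding can be turned back into the password by anyone who
reads it, while a salted, one-way, deliberately slow hash cannot. The
following is an added example, not the QNX crypt() implementation and
not code from the report, that puts the two side by side. The
"weak_encode" scheme is a constructed stand-in for the class of encoding
the report describes (the newsletter gives no details of the real QNX
algorithm); the iteration count and storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os

# --- A reversible "encoding", constructed for this example ---------------------
# Stand-in for the class of scheme the report describes (a simple encoding rather
# than a one-way hash). It is NOT the QNX algorithm, whose details the report omits.
_FIXED_KEY = b"qnx!"   # constructed constant; a fixed key is what makes recovery trivial


def weak_encode(password):
    data = password.encode()
    mixed = bytes(b ^ _FIXED_KEY[i % len(_FIXED_KEY)] for i, b in enumerate(data))
    return base64.b64encode(mixed).decode()


def weak_decode(stored):
    """Anyone holding the stored value recovers the password: no secret, no work factor."""
    mixed = base64.b64decode(stored)
    return bytes(b ^ _FIXED_KEY[i % len(_FIXED_KEY)] for i, b in enumerate(mixed)).decode()


# --- One-way, salted, slow password hashing -----------------------------------
ITERATIONS = 600_000   # assumed work factor; tune to the deployment's login latency budget


def hash_password(password, salt=None):
    """Store 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>' with a fresh salt per user."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute under the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def roundtrip(password, attempt):
    """Hash `password`, then check `attempt` against it; there is no decode step to offer."""
    return verify_password(attempt, hash_password(password))


if __name__ == "__main__":
    enc = weak_encode("s3cret")
    print("reversible encoding:", enc, "->", weak_decode(enc))
    print("one-way hash:       ", hash_password("s3cret")[:40] + "...")
```

The newsletter's closing caveat still applies to the hashed form: a
slow hash only buys time against offline guessing, so the password file
still needs the file permissions the item recommends.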

--- Cross-Platform News ------------------------------------------------

--> {00.17.004} Update to {00.13.012}: mhshow (mh/nmh) buffer overflow

Nmh version 1.0.4 has been released. The security fix in version 1.0.3,
which corrected a buffer overflow in MIME-type parsing (discussed in
{00.13.012}), was found to be incomplete. Version 1.0.4 fixes this
problem.

Download nmh version 1.0.4 from:
ftp://ftp.mhost.com/pub/nmh/nmh-1.0.4.tar.gz

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0078.html

--> {00.17.005} UW imapd LIST buffer overflow

A buffer overflow has been found in the LIST command of the University
of Washington's imapd server version 4.7 (the banner prints "IMAP4rev1
v12.264"). An attacker can execute arbitrary code on the system; a valid
login is required, however, and the code will execute only under the
context of the valid login ID provided. This does not seem to be a
problem with older versions.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html

--> {00.17.006} XFree86 xkbmap parameter buffer overflow

XFree86 versions 3.3.5 and 3.3.6 have been found to contain a buffer
overflow in the xkbmap command-line switch. An attacker can execute
arbitrary code as root, since XFree86 runs either with setuid
permissions, or via a wrapper that is setuid.

No patches have been made available. Version 4.0.0 is reported to be
fixed.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0076.html

--> {00.17.008} BizDB search CGI command execution

Cnctek's BizDB CGI application includes a search CGI that does not
correctly escape shell metacharacters; this allows a remote attacker to
execute shell commands under the context of the Web server.

No patches have been made available. Product home page:
http://www.cnctek.com/bizdb-html/

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0058.html
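The BizDB item above is the classic CGI failure: a request parameter is
spliced into a shell command string without escaping, so shell
metacharacters in the parameter are parsed as shell syntax. The
following is an added example, not BizDB's code and not from the report,
showing the vulnerable construction beside a hardened form that
validates the term and then passes it to the program as an argv element,
so no shell ever parses it. The flat-file name and the length limit are
assumptions constructed for the example.

```python
import subprocess

# Assumed flat-file database name; constructed for this example.
SEARCH_FILE = "products.db"

# Characters the shell treats specially; none belong in a product search term.
SHELL_METACHARS = set(";|&`$<>(){}[]*?~!\\'\"\n\r")


def vulnerable_search_command(term):
    """The pattern the BizDB report describes: the parameter is spliced into a shell
    string with no escaping. Returned as a string (never executed here) so the reader
    can see what a shell would be handed."""
    return "grep -i '%s' %s" % (term, SEARCH_FILE)


def contains_shell_metachars(term):
    return any(c in SHELL_METACHARS for c in term)


def safe_search_argv(term):
    """Hardened form: validate, then build an argv list so no shell parses the term."""
    if not term or len(term) > 64:
        raise ValueError("search term empty or too long")
    if contains_shell_metachars(term):
        raise ValueError("search term contains shell metacharacters")
    # "--" ends grep's option parsing, so a term starting with "-" cannot become a flag.
    return ["grep", "-i", "--", term, SEARCH_FILE]


def is_rejected(term):
    """True when the hardened path refuses the term."""
    try:
        safe_search_argv(term)
    except ValueError:
        return True
    return False


def run_search(term):
    """Execute the search without a shell; a rejected term never reaches grep."""
    argv = safe_search_argv(term)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    print("shell would see:", vulnerable_search_command("it's"))
    print("argv instead:   ", safe_search_argv("blue widget"))
```

Note that the argv form is what removes the vulnerability; the metacharacter
check is defence in depth and input hygiene, not the fix on its own. A
single quote in the term is enough to unbalance the vulnerable string,
which is why quoting inside a shell string is not a substitute for
avoiding the shell.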

--> {00.17.009} Infonautics getdoc.cgi unauthorized document access

Infonautics getdoc.cgi is meant to control access to documents on a
payment basis. However, a method of bypassing the payment process has
been found, which would allow for a remote attacker to immediately gain
access to the site's protected documents.

Vendor home page:
http://www.infonautics.com

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0049.html

--> {00.17.010} TalentSoft webplus CGI allows recursive file reading

TalentSoft's webplus application prior to build 512 allows a remote
attacker to read files (readable by the Web server's user context) by
using '..' notation in the script parameter passed to the webplus CGI.

A patch is available by contacting TalentSoft. Vendor home page:
http://www.talentsoft.com

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0050.html
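Both the Ken! item ('..' in HTTP file requests) and the webplus item
above ('..' in the script parameter) are the same path traversal defect.
The following is an added example, not code from either vendor or from
the reports, of the check a file-serving handler should apply: decode a
bounded number of times, normalize, and refuse any path that climbs out
of the configured root. It handles percent-encoded and double-encoded
dots and backslash separators as well as the literal form; the document
root and the sample paths are constructed for the example. The same
function serves for a script parameter value, by passing the parameter
instead of the request path.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    pass


def resolve_under_root(root, requested, max_decode=2):
    """Map a requested path (or a script= style parameter value) onto a file under `root`.

    Raises PathTraversalError for anything that would resolve outside the root.
    """
    # Decode percent-escapes a bounded number of times so %2e%2e and %252e%252e
    # are both seen as ".." before normalization.
    decoded = requested
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Drop any query string and treat backslashes as separators (Windows hosts accept both).
    decoded = decoded.split("?", 1)[0].replace("\\", "/")
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    # Normalize the path *relative* to the root. normpath keeps leading ".." segments,
    # which is exactly the signal that the request climbed out of the tree.
    rel = posixpath.normpath(decoded.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise PathTraversalError("path escapes document root: %r" % requested)
    root = root.rstrip("/")
    return root if rel == "." else posixpath.join(root, rel)


def is_traversal(root, requested):
    """True when the handler would refuse the request."""
    try:
        resolve_under_root(root, requested)
    except PathTraversalError:
        return True
    return False


# Constructed request paths (made up for this example).
SAMPLE_PATHS = [
    "/index.html",
    "/docs/../index.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/etc/passwd",
    "/docs/..%5c..%5cwinnt/win.ini",
]


def audit(root, paths):
    """Verdict per path: the resolved file, or 'BLOCKED'."""
    out = {}
    for p in paths:
        try:
            out[p] = resolve_under_root(root, p)
        except PathTraversalError:
            out[p] = "BLOCKED"
    return out


if __name__ == "__main__":
    for path, verdict in audit("/var/www", SAMPLE_PATHS).items():
        print("%-34s %s" % (path, verdict))
```

Normalizing relative to the root rather than as an absolute path is
deliberate: posixpath.normpath("/../etc/passwd") would silently collapse
to "/etc/passwd", hiding the attempt, whereas the relative form keeps
the leading ".." and lets the handler log and refuse it.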

--> {00.17.011} Multiple vulnerabilities in Dansie shopping cart CGI

The Dansie shopping cart CGI version 3.04 (and various other versions
as well) contains three vulnerabilities: the application automatically
sends usage information to tech@dansie.net; a mechanism embedded in the
CGI would allow a remote attacker to execute arbitrary commands under
the uid of the Web server; and it is possible to manipulate shopping
cart orders and view the associated databases by manipulating CGI
parameters.

Dansie has made available patches, which will be sent to registered
customers.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0051.html
http://archives.neohapsis.com/archives/bugtraq/2000-04/0061.html
http://archives.neohapsis.com/archives/bugtraq/2000-04/0088.html

--> {00.17.015} StarOffice crashes on corrupt files

StarOffice versions 5.1 and 5.2 preview have been found to crash when
dealing with many abnormal situations, including corrupt StarOffice
documents and long URLs in HTML documents.

Note: For this to be a security vulnerability, the user has to open
Trojaned documents sent by an attacker.

Sun Microsystems is working on a fix.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-04/0077.html

------------------------------------------------------------------------
                
If this e-mail was forwarded to you and you would like to subscribe,
see http://www.sans.org/sansnews/.

If you'd like to change your e-mail address or other information, or to
unsubscribe from this newsletter, please visit your personalized URL:
      http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
the SANS Institute (http://www.sans.org).