Subject: Security Alert Consensus #044
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 11 2000 - 15:22:42 CDT
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 044 (00.20)
Thursday, May 11, 2000
Created for you by
Network Computing and the SANS Institute
------------------------------------------------------------------------
Welcome to SANS's distribution of the Security Alert Consensus.
This newsletter is customizable by software/OS of interest. Visit the
edit page at
http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa
to change your preferences or any other personalized information.
------------------------------------------------------------------------
This issue sponsored by Symantec Corp.
New Enterprise Security Web Site Launched!
Symantec provides content security solutions including antivirus,
Internet content/e-mail filtering and mobile code detection. For
up-to-the-minute information regarding enterprise security issues you
are facing, visit our Web site at:
http://www.symantec.com/specprog/sym/08302000.html
-----------------------------------------------------------------------
By far the biggest news last week was the "I Love You" VBScript worm.
We received many inquiries as to why SAC made no mention of it; the
reason is SAC's publishing schedule.
SAC is compiled from a week's worth of vulnerabilities, up to and
including those disclosed on Tuesday. On Wednesday, an editorial board
of security professionals and vendor representatives reviews and
confirms the problems; finally, the issue is copy-edited and entered
into the e-mail distribution system for delivery Thursday morning.
Given that the "I Love You" worm was disclosed on Thursday morning, it
was too late for inclusion in issue 43. However, SANS GIAC (Global
Incident Alert Center) maintained updated status and reports on the
worm. GIAC is available at http://www.sans.org/giac/
Also, the SAC policy (this applies only to Security Alert Consensus,
and not to other SANS or Network Computing digests, alerts or
publications) is not to report on viruses, Trojans and worms, because
the topic is large enough to warrant a separate industry to track and
analyze it.
In the case of "I Love You," there are already multiple variants:
VBS.LoveLetter.A (LoveLetter) I LOVE YOU
VBS.LoveLetter.B (Lithuanian)
VBS.LoveLetter.C (VeryFunny) JOKE
VBS.LoveLetter.D (BugFix)
VBS.LoveLetter.E (MothersDay)
VBS.LoveLetter.F (VirusWarning)
VBS.LoveLetter.G (Virus ALERT!!!)
VBS.LoveLetter.H (No Comments)
VBS.LoveLetter.I (Important! Read carefully!!)
There is no need to re-alert on every new variant that surfaces.
Large-scale worm/virus infections are reported to GIAC, and most virus
vendors maintain separate alert mechanisms as well.
Until next week,
- Security Alert Consensus Team
------------------------------------------------------------------------
TABLE OF CONTENTS:
--> {00.20.014} Quake3Arena auto-download vulnerability
--> {00.20.015} Interscan Viruswall UUencoded filename buffer overflow
--> {00.20.016} FrontPage shtml.exe reveals physical path
--> {00.20.019} pcAnywhere weak local password storage
--> {00.20.020} Allaire ClusterCATS appends stale query to redirected URL
--> {00.20.011} Linux kernel exec/open bug
--> {00.20.017} Ipchains DoS
--> {00.20.009} NetBSD IP options DoS
--> {00.20.004} Buffer overflow in shutdown command-line options
--> {00.20.005} Update to {99.17.017}: HP-UX automountd can run user programs as root
--> {00.20.003} Cisco "enabled" commands available in normal mode
--> {00.20.012} Cayman DSL router DoS
--> {00.20.013} Aladdin eToken information retrieval
--> {00.20.001} pam_console allows users to retain ownership of devices
--> {00.20.002} Tcpdump DNS loop DoS
--> {00.20.006} DNewsWeb query buffer overflow
--> {00.20.007} DMailWeb query buffer overflow
--> {00.20.008} ListServ Web archives CGI query buffer overflow
--> {00.20.010} DBMan leaks setup and environment information
--> {00.20.018} Ultraboard CGI view any file
--- Windows News -------------------------------------------------------
--> {00.20.014} Quake3Arena auto-download vulnerability
ISS has released an advisory detailing a vulnerability in Quake3Arena.
Version 1.16 introduced an auto-download mechanism that lets a Quake
server send updated files to the client, without the player necessarily
being aware that it is happening. The problem is that the server is not
restricted in which files it may replace, so a malicious server could
push Trojans, modify system configuration files and so on.
Upgrade to 1.17, available at:
http://www.quake3arena.com/
Source: ISS
http://archives.neohapsis.com/archives/iss/2000-q2/0144.html
--> {00.20.015} Interscan Viruswall UUencoded filename buffer overflow
Trend Micro's Interscan Viruswall version 3.32 and prior are vulnerable
to a buffer overflow in the handling of overly long filenames in
UUencoded attachments. The result is remote execution of arbitrary code
in the Viruswall daemon's security context, typically LocalSystem.
Trend Micro has released an updated version (3.4), available at:
ftp://ftp.antivirus.com/products/beta/
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0045.html
--> {00.20.016} FrontPage shtml.exe reveals physical path
Reports indicate that the shtml.exe application included with some
versions of the FrontPage extensions reveals the physical path of a
requested file when that file does not exist.
Microsoft has verified that the problem is fixed in a planned service
release, to be offered in the near future.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0084.html
--> {00.20.019} pcAnywhere weak local password storage
We wanted to remind everyone again about insecure local password
storage, and the implications of applications "saving" passwords
locally. In many cases the client application needs to send the
original password to the server, so the application must be able to
"retrieve" the original password. This means the password is, in
general, retrievable by anyone with access to the storage location
(file, registry and so on).
With that said, pcAnywhere was found to use only XOR to obfuscate
stored passwords.
Symantec mentions the ability to use public-key cryptography to store
the password securely; however, this feature appears to be poorly
documented.
Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0390.html
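The following is an added example, not pcAnywhere's code or Symantec's scheme, showing why XOR "obfuscation" of a stored password is not encryption. The key, key length and passwords are hypothetical; the point is that a reversible transform with an application-fixed key is recoverable by anyone who can read one known credential, and then every other credential protected by the same key.

```python
# Added example (not pcAnywhere's code): why XOR "obfuscation" of a stored
# password is not encryption. APP_KEY, its length and the password values
# are hypothetical; the real product's scheme is not reproduced here.

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Applying it twice returns the original,
    so the same routine both 'stores' and 'retrieves' the password."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(stored: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: for a repeating XOR key, stored XOR plaintext
    yields the key stream, and key_len bytes of it are the whole key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_obfuscate(stored[:key_len], known_plaintext[:key_len])


# Hypothetical fixed application key. Any real product's key would be
# recoverable the same way, from the binary or from one known password.
APP_KEY = b"\x5a\xa3\x17\xc2\x0e"

# Constructed "stored credential" blobs, as someone with read access to the
# host's file or registry entry would see them.
ATTACKER_OWN_BLOB = xor_obfuscate(b"hunter2!", APP_KEY)    # attacker knows this password
VICTIM_BLOB = xor_obfuscate(b"S3cr3t-Pa55w0rd", APP_KEY)   # attacker wants this one


def recover_victim_password() -> bytes:
    """Use the attacker's own (known) password to recover the key, then
    decode every other blob protected by the same key."""
    key = recover_key(ATTACKER_OWN_BLOB, b"hunter2!", len(APP_KEY))
    return xor_obfuscate(VICTIM_BLOB, key)


if __name__ == "__main__":
    print(recover_victim_password())   # b'S3cr3t-Pa55w0rd'
```

Because the client has to reproduce the original password on the wire, no local transform with a key the application itself holds can protect the blob from someone who can read both the blob and the application; only access control on the storage location (or a secret the user supplies at run time) does.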
--> {00.20.020} Allaire ClusterCATS appends stale query to redirected URL
Allaire's ClusterCATS has been found to append old Web query information
to redirected URLs. This information could include sensitive data
submitted earlier by another user.
A patched teserver.dll is available at:
ftp://ftp.allaire.com/outgoing/clustercats/teserver.dll
Source: Allaire
http://archives.neohapsis.com/archives/vendor/2000-q2/0020.html
--- Linux News ---------------------------------------------------------
--> {00.20.011} Linux kernel exec/open bug
A note has been posted about a vulnerability in the 2.2.14 Linux
kernel that lets any user read any file or device on the system.
Vulnerability information is minimal at this point; we will release
further reports when information is made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0073.html
--> {00.20.017} Ipchains DoS
A report has surfaced alluding to a denial of service in ipchains
masquerading support in Debian's 2.2.10 kernel. We have yet to confirm
this problem.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0102.html
--- BSD News -----------------------------------------------------------
--> {00.20.009} NetBSD IP options DoS
A denial of service has been found in NetBSD, where a particular
sequence of IP options will cause a kernel panic. NetBSD-current
versions prior to 20000507 are vulnerable. Other 4.4BSD-derived systems
may be vulnerable.
NetBSD-current contains the necessary patches.
NetBSD 1.4.1 should download the following patch:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000507-ipopt141
NetBSD 1.4.2 should download the following patch:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000507-ipopt142
Source: NetBSD (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-05/0089.html
http://archives.neohapsis.com/archives/bugtraq/2000-05/0088.html
--- HP-UX News ---------------------------------------------------------
--> {00.20.004} Buffer overflow in shutdown command-line options
A buffer overflow has been found in the shutdown binary. The
vulnerability allows local attackers to gain root privileges.
HP has released updates:
HP-UX 11.00: PHCO_21534
HP-UX 10.20 and 10.10: PHCO_21574
HP-UX VirtualVault (VVOS) 11.04: PHCO_21567
HP-UX VirtualVault (VVOS) 10.24: PHCO_21566
Source: HP (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-05/0047.html
--> {00.20.005} Update to {99.17.017}: HP-UX automountd can run user programs as root
HP has finally released patches for the automountd vulnerability
reported in October 1999. The vulnerability lets remote attackers
access the system under the root uid.
Apply patch updates:
HP-UX 11.00: PHNE_20371
HP-UX 10.20: PHNE_20628
Source: HP (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-05/0033.html
--- Network Appliances News --------------------------------------------
--> {00.20.003} Cisco "enabled" commands available in normal mode
It turns out that Cisco IOS lets users in "normal" (user EXEC) mode
access commands that were thought to be restricted to "enabled"
(privileged EXEC) mode. In particular, the "show" command gives normal
users access to 62 subcommands listed only for enabled mode; commands
such as "show cdp", "show logging", "show access-lists" and "show vlans"
may provide attackers with extra information.
Change the access level required to use the "show" command by running,
in global configuration mode:
privilege exec level 15 show
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0027.html
--> {00.20.012} Cayman DSL router DoS
A denial of service has been found in Cayman 3220-H DSL routers, where
abnormally long username or password strings sent to the HTTP
administrative interface cause the router to reboot.
No patches have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0075.html
--- Other News ---------------------------------------------------------
--> {00.20.013} Aladdin eToken information retrieval
An advisory has been released detailing methods to retrieve private
information stored on Aladdin eToken devices without knowledge of the
owner's PIN. It is possible to open the token, extract the information
and reassemble the device without evidence of tampering.
No updates for the device have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0043.html
--- Cross-Platform News ------------------------------------------------
--> {00.20.001} pam_console allows users to retain ownership of devices
Upon login at the console of a PAM-enabled system, pam_console chowns
particular devices (namely tty*, vcs*, fd*, cdrom, kbd* and so on) to
the user logging in. A console user can retain access to these devices
after logging out, allowing them to snoop on particular ttys, CD-ROM
usage, floppy drive usage and so on.
Note that this vulnerability applies only to systems with the
pam_console module installed. Many Unix distributions use PAM as part
of their login process, but not all of them use pam_console. To
determine whether pam_console is used on a system, check /etc/pam.conf
or the contents of /etc/pam.d/*.
No patches have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0023.html
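The two checks suggested above, as an added example that is not pam_console's own code or any distribution's tooling: find the PAM service files that load pam_console, and, after a given user has logged out, list the console devices that are still owned by that user's uid. The device patterns are the ones named in the text; the PAM configuration lines and device names used in demo() are constructed sample data written to a temporary directory.

```python
# Added example (not pam_console's code): locate pam_console in PAM config
# and detect devices a logged-out user still owns. Sample config lines and
# device names in demo() are constructed, not taken from a real system.
import glob
import os
import re
import tempfile

# A non-comment line that loads the pam_console module, in either
# /etc/pam.d/<service> or /etc/pam.conf format.
PAM_CONSOLE_LINE = re.compile(r"^\s*[^#\s].*\bpam_console(\.so)?\b")

# Devices the advisory says pam_console hands to the console user
# (glob patterns relative to the device directory).
CONSOLE_DEVICE_GLOBS = ("tty*", "vcs*", "fd*", "cdrom", "kbd*")


def services_using_pam_console(pam_dir: str) -> list:
    """Names of PAM service files under pam_dir that load pam_console."""
    hits = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            if any(PAM_CONSOLE_LINE.match(line) for line in fh):
                hits.append(name)
    return hits


def console_devices(dev_dir: str = "/dev") -> list:
    """Device nodes matching the patterns pam_console manages."""
    paths = []
    for pattern in CONSOLE_DEVICE_GLOBS:
        paths.extend(glob.glob(os.path.join(dev_dir, pattern)))
    return sorted(paths)


def devices_still_owned_by(paths, uid: int) -> list:
    """After uid has logged out, any path here still owned by uid is exactly
    the retained access the advisory describes."""
    return [p for p in paths if os.path.exists(p) and os.stat(p).st_uid == uid]


def demo() -> tuple:
    """Build a throwaway pam.d directory and fake /dev, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        pam_d = os.path.join(root, "pam.d")
        dev = os.path.join(root, "dev")
        os.mkdir(pam_d)
        os.mkdir(dev)
        samples = {  # constructed sample PAM service files
            "login": "auth required pam_securetty.so\n"
                     "session optional /lib/security/pam_console.so\n",
            "sshd":  "auth required pam_unix.so\n",
            "gdm":   "# session optional pam_console.so  (disabled)\n",
        }
        for name, text in samples.items():
            with open(os.path.join(pam_d, name), "w") as fh:
                fh.write(text)
        for node in ("tty1", "vcs1", "fd0", "null"):   # fake device nodes
            open(os.path.join(dev, node), "w").close()
        services = services_using_pam_console(pam_d)
        # The files were just created by this process, so they are owned by
        # the current uid, standing in for a user who has since logged out.
        retained = devices_still_owned_by(console_devices(dev), os.getuid())
        return services, [os.path.basename(p) for p in retained]


if __name__ == "__main__":
    print(demo())   # (['login'], ['fd0', 'tty1', 'vcs1'])
```

On a real host, run services_using_pam_console("/etc/pam.d") and, after a console user logs out, devices_still_owned_by(console_devices(), that_uid); anything returned by the second call is a device the user can still open.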
--> {00.20.002} Tcpdump DNS loop DoS
A denial of service has been found in tcpdump. An attacker can send a
specially crafted DNS packet containing a name-compression pointer chain
that loops back on itself, throwing tcpdump into an infinite loop.
The current (unreleased) development version of tcpdump contains a fix.
Tcpdump is available from:
http://www.tcpdump.org/
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0025.html
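The bug class described above, as an added example; this is not tcpdump's decoder, and the packets are constructed here. A naive DNS name decoder follows compression pointers wherever they lead, so a name whose pointer refers to the name's own offset never terminates. The hardened decoder enforces the RFC 1035 rule that a pointer must refer to an earlier position in the message, and adds a jump budget as a second guard.

```python
# Added example, not tcpdump's code: a minimal DNS name decoder showing the
# compression-pointer loop, and a hardened decoder that rejects it. The
# packets below are constructed for illustration.
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root label."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.split("."))
    return out + b"\x00"


# 12-byte header: id, flags (RD), qdcount=1, an/ns/ar=0
HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)

# Constructed packets. The question name starts at offset 12 in each.
GOOD_QUERY = HEADER + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
# 0xC00C is a compression pointer to offset 12, i.e. to itself.
SELF_POINTER = HEADER + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
# A label followed by a pointer back to the start of the same name.
BACKWARD_LOOP = HEADER + b"\x03www\xc0\x0c" + struct.pack("!HH", 1, 1)


def parse_name_unsafe(msg: bytes, offset: int) -> str:
    """The bug class: follow pointers with no bound. Never call this on
    hostile input; SELF_POINTER and BACKWARD_LOOP make it loop forever."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + "."
        if length & 0xC0 == 0xC0:
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_name(msg: bytes, offset: int, max_jumps: int = 16):
    """Hardened decoder. Returns (name, offset just after the name in the
    original stream). Every pointer must target an offset strictly below
    the lowest offset this name has already been read from, so the walk is
    monotonic and cannot cycle; a jump budget caps the work regardless."""
    labels = []
    lowest = offset   # a name never legitimately points at or past itself
    end = None        # position after the name in the original stream
    jumps = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", (end if end is not None else offset + 1)
        if length & 0xC0 == 0xC0:
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= lowest:
                raise ValueError("compression pointer does not point backwards")
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("too many compression jumps")
            if end is None:
                end = offset + 2
            offset = lowest = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if offset + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def rejects(msg: bytes, offset: int) -> bool:
    """True if the hardened decoder refuses the name at offset."""
    try:
        parse_name(msg, offset)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(parse_name(GOOD_QUERY, 12))                              # ('www.example.com.', 29)
    print(rejects(SELF_POINTER, 12), rejects(BACKWARD_LOOP, 12))   # True True
```

The "strictly below the lowest offset reached so far" rule is what matters: checking only that a pointer targets something before the pointer itself still admits BACKWARD_LOOP, where the pointer at offset 16 points to offset 12.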
--> {00.20.006} DNewsWeb query buffer overflow
A buffer overflow has been found in multiple query parameters in the
DNewsWeb CGI application that allows a remote attacker to execute
arbitrary code under the UID of the Web application.
Update to version 5.4c3, available from:
ftp://ftp.netwinsite.com/pub/dnewsweb/beta/
Source: Win2kSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0087.html
--> {00.20.007} DMailWeb query buffer overflow
The DMailWeb CGI application contains a buffer overflow in the "utoken"
parameter that allows for the execution of arbitrary code under the uid
of the Web application.
Update to version 2.5e, available from:
ftp://ftp.netwinsite.com/pub/dmailweb/beta/
Source: Win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0079.html
--> {00.20.008} ListServ Web archives CGI query buffer overflow
A buffer overflow has been found in the ListServ web archive CGI
application, allowing a remote attacker to execute arbitrary code under
the web application's uid.
A patch is available from Lsoft.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0048.html
--> {00.20.010} DBMan leaks setup and environment information
Gossamer Threads' DBMan CGI application prints configuration
information, including environment variables, when it encounters an
error. A remote attacker can induce an error and thereby obtain the
configuration information.
Product homepage:
http://www.gossamer-threads.com/scripts/dbman
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0067.html
--> {00.20.018} Ultraboard CGI view any file
Ultraboard version 1.6 allows a remote user to view any file readable
by the Web server uid by making a particular type of query to the
Ultraboard CGI.
No patches have been made available.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0028.html
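Both the Quake3Arena item ({00.20.014}, a client writing files a server names) and the Ultraboard item above (a CGI reading files a request names) come down to the same missing check: the program must confirm that a name it did not choose stays inside the one directory it is allowed to touch. The page does not say which query Ultraboard accepts or exactly what Quake3 1.17 restricts, so the following is an added, general containment check, not either project's code; the base directories, file names and the ".pk3"-only download policy are assumptions for illustration.

```python
# Added example, not Quake3's or Ultraboard's code: containment check for a
# file name supplied by a remote party, for both the write case (client
# accepting a server-pushed file) and the read case (CGI serving a file).
# GAME_DIR, WEB_DOCS and the ".pk3"-only policy are assumptions.
import posixpath


def contained_path(base_dir: str, supplied: str, allowed_suffixes=None):
    """Return the absolute path for `supplied` inside base_dir, or None if
    the name would escape base_dir or fails the suffix allowlist.

    posixpath is used deliberately so the result is the same on every host;
    backslashes and drive-letter colons are rejected outright rather than
    interpreted, since their meaning differs between platforms.
    """
    if not supplied or "\x00" in supplied or "\\" in supplied or ":" in supplied:
        return None
    if posixpath.isabs(supplied):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, supplied))
    # normpath resolved any ".." segments; the survivor must still sit
    # strictly below base. The trailing "/" stops "/srv/app2" passing for
    # "/srv/app".
    if not candidate.startswith(base + "/"):
        return None
    if allowed_suffixes is not None and not candidate.endswith(tuple(allowed_suffixes)):
        return None
    return candidate


# Assumed client-side policy for server-pushed game files: only .pk3
# archives, only inside the mod directory.
GAME_DIR = "/games/q3/baseq3"
# Assumed document root for a file-serving CGI.
WEB_DOCS = "/var/www/ultraboard/docs"


def download_target(name: str):
    """Where a server-supplied file may be written, or None to refuse it."""
    return contained_path(GAME_DIR, name, allowed_suffixes=(".pk3",))


def document_target(name: str):
    """Which file a request may read, or None to refuse it."""
    return contained_path(WEB_DOCS, name)


if __name__ == "__main__":
    for n in ("pak7.pk3", "autoexec.cfg", "../../etc/passwd",
              "/etc/passwd", "sub/../pak8.pk3"):
        print(repr(n), "->", download_target(n))
```

This is a string-level check; on a real filesystem, open the result with symlinks disallowed (or resolve it with os.path.realpath and re-check containment) so that a link planted inside the base directory cannot point back out of it.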
------------------------------------------------------------------------
Get the most comprehensive labs-based networking information and
comprehensive network case studies. Subscribe to NETWORK COMPUTING
magazine:
http://subscribe.networkcomputing.com/sac1
------------------------------------------------------------------------
If this e-mail was forwarded to you and you would like to subscribe,
see http://www.sans.org/sansnews/.
If you'd like to change your e-mail address or other information, or to
unsubscribe from this newsletter, please visit your personalized URL:
http://www.sans.org/sansaddr?hashid=SD397643jFg25PaJ7aa
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.
Distributed by Network Computing (http://www.networkcomputing.com) and
the SANS Institute (http://www.sans.org).