Subject: Security Alert Consensus #051
From: Network Computing and The SANS Institute (sanssans.org)
Date: Thu Jun 29 2000 - 15:25:09 CDT


To: Security Express (SD397643)
Re: Your personalized newsletter

                       -- Security Alert Consensus --
                             Number 051 (00.27)
                          Thursday, June 29, 2000
                            Created for you by
                   Network Computing and the SANS Institute

------------------------------------------------------------------------

Welcome to SANS' distribution of the Security Alert Consensus.

------------------------------------------------------------------------

This issue sponsored by Symantec Corp.

New Enterprise Security Web Site Launched! Symantec provides content
security solutions including antivirus, Internet content/e-mail
filtering and mobile code detection. For up-to-the-minute information
regarding enterprise security issues you are facing, visit our Web site
at:
http://www.symantec.com/specprog/sym/08302000.html

------------------------------------------------------------------------

Another widespread wu-ftpd vulnerability was found this week. A buffer
overflow in the "site exec" command lets a remote attacker log onto the
system anonymously and execute code. If you use wu-ftpd, you should
either consult your vendor for updated packages or download and apply
a source patch, available from:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0228.html

More information regarding the wu-ftpd buffer overflow is in this issue
as item {00.27.007}, which is available only to individuals who have
selected the "Cross-Platform" category. Instructions for changing your
categories are included at the bottom of all Security Alert e-mails.
You can view archived issues, which include all categories and,
therefore, all items, at:
http://archives.neohapsis.com/archives/securityexpress/current/

Until next week,
Security Alert Consensus Team

------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.27.004} Update to {00.23.003}: Multiple HP JetAdmin
                vulnerabilities
--> {00.27.008} NetWin dMail DoS and unrestricted mail relay
--> {00.27.011} Microsoft DNS server exposes administrator account
--> {00.27.016} Proxy+ proxy gateway bypasses localhost authentication
--> {00.27.017} Internet Explorer 5 remote system access via object tag
--> {00.27.001} Update to {00.26.012}: Zope exposes insecure method
--> {00.27.006} Multiple updated Mandrake packages
--> {00.27.009} Update to {00.25.004}: Linux kernel setuid/setcap
                vulnerability
--> {00.27.013} Red Hat incorrectly installs gkermit sgid uucp
--> {00.27.021} xconq local user buffer overflows
--> {00.27.003} NetBSD lack of /dev/urandom causes weak key generation
--> {00.27.005} FreeBSD IP options DoS
--> {00.27.019} cdmount lets local users execute commands as root
--> {00.27.015} Netscape Enterprise Server for NetWare buffer overflow
--> {00.27.018} Update to {00.22.019}: TopLayer 2500 Layer 7 Switch DoS
--> {00.27.002} JRun installs many insecure sample servlets
--> {00.27.007} wu-ftpd site exec remote buffer overflow
--> {00.27.010} Remote command execution in ISC DHCP client
--> {00.27.012} glftpd privpath allows bypassing directory permissions
--> {00.27.014} BEA WebLogic Server exposes source code
--> {00.27.020} Selena Sol WebBanner allows execution of commands

--- Windows News -------------------------------------------------------

--> {00.27.004} Update to {00.23.003}: Multiple HP JetAdmin
                vulnerabilities

HP has released an updated version of the JetAdmin package, which
corrects a denial-of-service condition found in JetAdmin version 6.0.
Note that {00.23.003} discusses other vulnerabilities in version 5.3;
the proper solution is to upgrade to the latest version (6.0.1233; see
below).

Download version 6.0.1233 at:
http://www.hp.com/cposupport/swindexes/hpwebjetad1880_swen.html

Source: HP (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0210.html

--> {00.27.008} NetWin dMail DoS and unrestricted mail relay

Two vulnerabilities have been found in versions of NetWin's dMail
package before 2.6j. A remote attacker can crash the dMailWeb service by
submitting long strings to the POP login CGI application. The included
mail server, cMail, also allows unrestricted mail relay.

Upgrading to version 2.6j seems to correct these problems.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0200.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0243.html

--> {00.27.011} Microsoft DNS server exposes administrator account

Microsoft's DNS server inserts the name of the administrator account
into the SOA record of the zones it serves; if the account is renamed,
the SOA record will carry the renamed account, which defeats much of the
purpose of renaming the administrator account in the first place.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0254.html

--> {00.27.016} Proxy+ proxy gateway bypasses localhost authentication

The Proxy+ package includes a remote administration port, which allows
connections only from localhost by default. However, it is possible
for an attacker to log into the telnet proxy, then log into the
administration port (bypassing the localhost-only security).

No patches have been released. It is suggested that you enable Basic
Authentication on the remote administration port.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0268.html

--> {00.27.017} Internet Explorer 5 remote system access via object tag

Microsoft Internet Explorer 5.01 has been found to contain many
vulnerabilities that would let a malicious Web site execute commands
and save arbitrary files onto the user's filesystem. This has to do
with opening Office documents using the object tag.

No patches have been made available.

Source: Win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0184.html
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0185.html

--- Linux News ---------------------------------------------------------

--> {00.27.001} Update to {00.26.012}: Zope exposes insecure method

Red Hat has released a hot fix that corrects the problems discussed in
{00.26.012} ("Zope exposes insecure method").

Download the hot fix RPM:
ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-06_16_2000-1.noarch.rpm
                
Note: This hot fix RPM can be applied only to Zope version 2.1.2-5,
which is included with the Red Hat 6.2 PowerTools distribution. If
you're using the Zope RPM included in the version 6.1 PowerTools
distribution, you'll need to upgrade to the newer RPM before applying
the hot fix.

Source: Red Hat (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0216.html

--> {00.27.006} Multiple updated Mandrake packages

Mandrake has released several updated RPMs for Mandrake Linux version
7.1 to upgrade software packages that are known to have security
problems.

Install the updated RPMs:
http://rpmfind.net/linux/Mandrake/7.1/RPMS/bind-8.2.2P5-6mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/cdrecord-1.8.1-4mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/dump-0.4b16-3mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/fdutils-5.3-11mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kdesu-0.98-14mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/xemacs-21.1.9-8mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/xemacs-el-21.1.9-8mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/xemacs-extras-21.1.9-8mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/xemacs-info-21.1.9-8mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/xemacs-mule-21.1.9-8mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/xlockmore-4.16.1-1mdk.i586.rpm
                
Source: Mandrake (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0230.html

--> {00.27.009} Update to {00.25.004}: Linux kernel setuid/setcap
                vulnerability

Mandrake and Red Hat have released updated kernel packages that correct
the vulnerability discussed in {00.25.004} ("Linux kernel setuid/setcap
vulnerability").

Mandrake:
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-fb-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-headers-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-linus-2.2.16-2mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-pcmcia-cs-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-secure-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-smp-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/kernel-utils-2.2.16-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/reiserfs-utils-2.2.16_3.5.19-9mdk.i586.rpm
http://rpmfind.net/linux/Mandrake/7.1/RPMS/alsa-2.2.16_0.5.7-9mdk.i586.rpm
                
Red Hat:
ftp://updates.redhat.com/6.2/i386/kernel-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-headers-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-utils-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-smp-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-BOOT-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-pcmcia-cs-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/kernel-ibcs-2.2.16-3.i386.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-utils-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-smp-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/kernel-BOOT-2.2.16-3.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-utils-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-smp-2.2.16-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/kernel-BOOT-2.2.16-3.sparc.rpm

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0241.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0273.html

--> {00.27.013} Red Hat incorrectly installs gkermit sgid uucp

Red Hat Linux incorrectly installs the gkermit application with the
set-group-id bit for group uucp. The gkermit application also contains
many buffer overflows, which would let a local user gain sgid uucp
privileges.

You should remove the set-gid permission from the gkermit application.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0226.html

--> {00.27.021} xconq local user buffer overflows

Many buffer overflows have been found in the xconq game, which would
allow local users to gain sgid games privilege. While not an immediate
security threat, administrators should be aware of these types of
privilege elevation problems.

No patches have been made available. We suggest removing the sgid bit.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html

--- BSD News -----------------------------------------------------------

--> {00.27.003} NetBSD lack of /dev/urandom causes weak key generation

NetBSD has released an advisory detailing a security vulnerability on
systems that lack /dev/urandom. In particular, Kerberos components may
generate weak (predictable) keys because a constant is being used to
seed a pseudo-random function generator.

NetBSD-current since version 20000622 is not vulnerable.

Source: NetBSD (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-06/0208.html
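The failure mode behind {00.27.003}, as an added illustration (not NetBSD's or Kerberos' code): when the entropy device is missing, a fallback to a constant seed makes every "random" key identical, whereas a fail-closed seeder refuses to derive a key at all. The device path is a parameter so the missing-device case can be exercised without touching the real system; the seed constant and the toy key derivation are constructed for the example.

```python
# Model of the constant-seed fallback described in {00.27.003}. Added
# example, not code from the advisory; CONSTANT_SEED stands in for the
# hard-coded fallback and derive_key is a toy, not a real KDF.
import hashlib
import random

CONSTANT_SEED = 12345  # constructed stand-in for the hard-coded fallback seed


def seed_material_fallback(urandom_path, nbytes=16):
    """Buggy pattern: read the device if present, otherwise seed a PRNG
    with a constant. Every call on a host without the device returns the
    same bytes, so every key derived from them is the same."""
    try:
        with open(urandom_path, "rb") as f:
            return f.read(nbytes)
    except OSError:
        rng = random.Random(CONSTANT_SEED)  # deterministic on every call
        return rng.randbytes(nbytes)


def seed_material_fail_closed(urandom_path, nbytes=16):
    """Hardened pattern: no usable entropy source means no key."""
    try:
        with open(urandom_path, "rb") as f:
            data = f.read(nbytes)
    except OSError as exc:
        raise RuntimeError("no entropy source; refusing to derive a key") from exc
    if len(data) != nbytes:
        raise RuntimeError("short read from entropy source")
    return data


def derive_key(seed):
    """Toy key derivation so that keys can be compared; not a real KDF."""
    return hashlib.sha256(b"toy-kerberos-key" + seed).hexdigest()


def keys_collide(seed_fn, urandom_path, trials=5):
    """Derive several keys the way a freshly installed host would using
    seed_fn; True if any two are identical, i.e. the keys are predictable."""
    keys = {derive_key(seed_fn(urandom_path)) for _ in range(trials)}
    return len(keys) < trials


def fail_closed_refuses(urandom_path):
    """True if the hardened seeder refuses to produce key material for
    the given (absent) device rather than silently degrading."""
    try:
        seed_material_fail_closed(urandom_path)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    missing = "/nonexistent/urandom"  # simulates a system without the device
    print("fallback keys collide:", keys_collide(seed_material_fallback, missing))
    print("fail-closed refuses:", fail_closed_refuses(missing))
```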

--> {00.27.005} FreeBSD IP options DoS

FreeBSD has been found to be vulnerable to the problem discussed in
{00.20.009} ("NetBSD IP options DoS").

A patch for FreeBSD is available at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:23/ip_options.diff

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-06/0193.html

--- AIX News -----------------------------------------------------------

--> {00.27.019} cdmount lets local users execute commands as root

A vulnerability in cdmount lets a local user pass commands to cdmount
via command-line options, which are then executed with root privilege.

No patches have been made available. IBM has assigned this APAR IY10903.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0193.html

--- NetWare News -------------------------------------------------------

--> {00.27.015} Netscape Enterprise Server for NetWare buffer overflow

A buffer overflow has been found in the Netscape Enterprise Server for
NetWare. An overly long URL containing a virtual directory name can
cause the server to crash and possibly execute arbitrary code.

Novell has released patches:
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956734
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956733

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0264.html

--- Network Appliances News --------------------------------------------

--> {00.27.018} Update to {00.22.019}: TopLayer 2500 Layer 7 Switch DoS

TopLayer has released updated firmware for its Layer 7 switches; the
update corrects the denial-of-service condition discussed in
{00.22.019}.

Obtain version 3.1 from TopLayer.

Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0921.html

--- Cross-Platform News ------------------------------------------------

--> {00.27.002} JRun installs many insecure sample servlets

Allaire's JRun version 2.3.x installs many sample servlets that let a
remote attacker view server configuration, access session information
and download arbitrary files from the system.

Allaire recommends removing all servlets and files in the following
locations:
JRUN_HOME/servlets/
JRUN_HOME/jsm-default/services/jws/htdocs/

Source: Allaire
http://archives.neohapsis.com/archives/vendor/2000-q2/0051.html

--> {00.27.007} wu-ftpd site exec remote buffer overflow

wu-ftpd versions 2.6.0 and earlier have been found to contain a remotely
exploitable buffer overflow in the "site exec" command. The
vulnerability can be triggered over an anonymous FTP login, and many
exploits have been made publicly available.

Third-party patch for wu-ftpd:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0228.html

Third-party patch for wu-ftpd-academ:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0270.html

Many vendors have also made updated packages available.

Conectiva Linux:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/servidor-1.0/i386/wu-ftpd-2.6.0-11cl.i386.rpm
                
Debian Linux:
http://security.debian.org/dists/slink/updates/binary-i386/wu-ftpd-academ_2.4.2.16-13.1_i386.deb
http://security.debian.org/dists/slink/updates/binary-sparc/wu-ftpd-academ_2.4.2.16-13.1_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-all/wu-ftpd-academ_2.6.0-5.1_all.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/wu-ftpd_2.6.0-5.1_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/wu-ftpd_2.6.0-5.1_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/wu-ftpd_2.6.0-5.1_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/wu-ftpd_2.6.0-5.1_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/wu-ftpd_2.6.0-5.1_sparc.deb
                
Caldera Linux:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/wu-ftpd-2.5.0-7.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/wu-ftpd-2.5.0-7.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/wu-ftpd-2.5.0-7.i386.rpm
                
Red Hat Linux:
ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.6.0-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.6.0-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.6.0-2.5.x.sparc.rpm
ftp://updates.redhat.com/6.2/i386/wu-ftpd-2.6.0-14.6x.i386.rpm
ftp://updates.redhat.com/6.2/alpha/wu-ftpd-2.6.0-14.6x.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/wu-ftpd-2.6.0-14.6x.sparc.rpm

Source: Various
http://archives.neohapsis.com/archives/bugtraq/2000-06/0233.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0234.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0235.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0240.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0244.html

--> {00.27.010} Remote command execution in ISC DHCP client

A remotely exploitable root vulnerability has been found in the ISC
DHCP client code. A rogue DHCP server can send command-line commands to
the client, which executes them with root privileges.

OpenBSD, for example, uses the ISC DHCP client code. Other platforms
might as well, so you should check with your vendor.

Versions 2.0pl1 and 3.0b1pl14 correct the problem; they are available
at:
ftp://ftp.isc.org/isc/DHCP

OpenBSD has provided patches available at:
http://www.openbsd.org/errata.hml#dhclient

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0247.html
http://archives.neohapsis.com/archives/bugtraq/2000-06/0259.html

--> {00.27.012} glftpd privpath allows bypassing directory permissions

A bug in the privpath function in glftpd up to and including version
1.21b8 lets a remote attacker enter a directory that permissions should
otherwise keep off limits: the attacker supplies only the first letter
of the directory name, and glftpd's path completion fills in the rest of
the path after the privilege check has already been performed.

A third-party patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2000-06/0255.html

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0255.html
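The ordering flaw in {00.27.012} is the classic check-then-canonicalize bug: authorisation is applied to the string the client typed, and path completion afterwards turns that string into a directory the check never examined. The following is an added model of that pattern, not glftpd's code; the directory layout, the private-directory set and the single-level completion rule are constructed for the example.

```python
# Illustrative model (added example, not glftpd's code) of the privpath
# ordering bug: a permission check on the literal request, then path
# completion that expands an abbreviated component into a protected
# directory. The hardened version completes first and checks the result.
import posixpath

# Constructed sample layout under the FTP root, and the directories that
# are private (what the advisory calls privpath).
DIRECTORIES = ["/pub", "/private", "/projects", "/incoming"]
PRIVATE = {"/private"}


def complete_path(requested):
    """Expand an abbreviated top-level component to the unique directory
    it matches (models the server's completion feature; constructed)."""
    path = posixpath.normpath("/" + requested.lstrip("/"))
    if path == "/":
        return path
    first = path.split("/")[1]
    matches = [d for d in DIRECTORIES if d[1:].startswith(first)]
    if len(matches) != 1:
        return path  # unknown or ambiguous prefix: left as typed
    return matches[0] + path[len(first) + 1:]


def is_private(path):
    """True if path is, or lies beneath, a private directory."""
    path = posixpath.normpath(path)
    return any(path == p or path.startswith(p + "/") for p in PRIVATE)


def vulnerable_cwd(requested, user_allowed):
    """Bug pattern: authorise the literal string, then complete it.
    '/pri' is not listed as private, so the check passes; completion then
    resolves it to /private. Returns the directory entered, or None."""
    if is_private(requested) and not user_allowed:
        return None
    return complete_path(requested)


def hardened_cwd(requested, user_allowed):
    """Fix: resolve the request to its final form first, then authorise
    exactly the directory that would be entered."""
    resolved = complete_path(requested)
    if is_private(resolved) and not user_allowed:
        return None
    return resolved


if __name__ == "__main__":
    print("vulnerable:", vulnerable_cwd("/pri", user_allowed=False))  # /private
    print("hardened:  ", hardened_cwd("/pri", user_allowed=False))    # None
```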

--> {00.27.014} BEA WebLogic Server exposes source code

A vulnerability in BEA's WebLogic Server version 5.1.x and prior lets
a remote attacker view the source of Java servlets by prepending
"/file/" to the URL.

BEA recommends disabling the "file" servlet, which is documented at:
http://www.weblogic.com/docs51/admindocs/http.html#file

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0196.html

--> {00.27.020} Selena Sol WebBanner allows execution of commands

A bug in the Selena Sol Random Banner CGI lets a remote attacker execute
command-line commands under the uid of the Web server.

You can download the latest patched version from
http://www.extropia.com.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-06/0194.html

------------------------------------------------------------------------

Please join us in Washington, D.C., July 5-10 to enhance your security
skills and prove you have mastered the material. SANS certifications
are the industry's most difficult to obtain, but the training is
extraordinary and those who make the grade are immediately recognized
as knowledgeable and skilled. The respect that comes along with that
recognition can help you get the support to improve security in your
organization.

Or if you cannot come to Washington, try the online version.

Complete program details: http://www.sans.org/dc2000.htm

Certification information: http://www.sans.org/giactc.htm

------------------------------------------------------------------------

If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.sans.org/sansnews/. Become a Security
Alert Consensus member!

Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail will be sent to you
at the address on record, containing a URL. With this URL, you can make
changes to your account (edit the content of your Consensus mailing,
for example) without endangering the security of your personal URL. If
you'd like to change your e-mail address or other information, or
unsubscribe from this newsletter, please visit your new URL as described
above. If you have any problems or questions, please e-mail us at
<consensusnwc.com>.

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensusnwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).