Subject: Security Alert Consensus #057
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Aug 10 2000 - 15:22:18 CDT


To: Security Express (SD397643)
Re: Your personalized newsletter

                  -- Security Alert Consensus --
                        Number 057 (00.33)
                    Thursday, August 10, 2000
                        Created for you by
             Network Computing and the SANS Institute

------------------------------------------------------------------------

Welcome to SANS' distribution of the Security Alert Consensus.

------------------------------------------------------------------------

This issue sponsored by Symantec Corporation

***Symantec expands its Internet security expertise with acquisition of
Axent! For more information about Symantec's security offerings, visit
our website at:
http://www.symantec.com/specprog/sym/81000.html

------------------------------------------------------------------------

The talk of the town this week is the release of Brown Orifice, named
after the Back Orifice tool created by the Cult of the Dead Cow. Brown
Orifice demonstrates the vulnerabilities in Netscape's Web browser and
Java by setting up a full-fledged HTTP server on the user's system.
The full write-up is available in this issue as {00.33.010} (available
only to subscribers of the Windows category).

Until next week,
Security Alert Consensus Team

------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.33.002} MS00-053: Service control manager named pipe
                impersonation
--> {00.33.003} Multiple vulnerabilities in Net Tools PKI Server
--> {00.33.009} MS00-054: Malformed IPX ping DoS
--> {00.33.010} Brown Orifice Netscape vulnerability
--> {00.33.004} Update to {00.32.001}: Netscape JPEG COM marker buffer
                overflow
--> {00.33.008} LIDS promotes all users to uid 0
--> {00.33.011} Umb-scheme wrong file permissions
--> {00.33.017} Update to {00.31.020}: Pam_console allows access to
                system console
--> {00.33.001} Local buffer overflows in lp
--> {00.33.012} Raptor GFX configuration tool local vulnerabilities
--> {00.33.015} Sun AnswerBook remote command execution
--> {00.33.016} HP-UX ftpd remote code execution via format string
--> {00.33.013} Cisco gigabit switch-router bypass ACLs and DoS
--> {00.33.005} Mailman local privilege elevation
--> {00.33.006} Suidperl local command execution as root
--> {00.33.007} Ntop Web-mode directory traversal/remote file reading
--> {00.33.014} PCCS MySQL Web admin interface exposes MySQL password

--- Windows News -------------------------------------------------------

--> {00.33.002} MS00-053: Service control manager named pipe
                impersonation

Microsoft has released advisory MS00-053 ("Patch Available for Service
Control Manager Named Pipe Impersonation Vulnerability"), detailing a
problem in Windows 2000 in which a local user can create a named pipe
expected by a higher-privileged service (particularly those started by
services.exe) and thereby gain elevated (Local_System) access.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-053.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q3/0025.html

--> {00.33.003} Multiple vulnerabilities in Net Tools PKI Server

Network Associates' Net Tools PKI Server version 1.0 contains multiple
security vulnerabilities, which are not patched by Hotfix 1 or 2. The
included Web server (strong.exe) contains a buffer overflow, which is
remotely exploitable via Port 444. The service also allows the reading
of arbitrary files from the system by using "../" HTTP request syntax.
Lastly, this same service has a "format string" bug, which is another
route to arbitrary code execution.

Hotfix 3 corrects the vulnerabilities mentioned. It is available at:
http://www.nai.com/asp_set/download/upgrade/find.asp

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0473.html

--> {00.33.009} MS00-054: Malformed IPX ping DoS

Microsoft has released MS00-054 ("Patch Available for Malformed IPX Ping
Packet Vulnerability") to correct a denial of service in Windows 95 and
98. Much like the well-known smurf denial-of-service attack, a malicious
user can forge IPX ping packets whose source is the broadcast address,
resulting in a large network load.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-054.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q3/0027.html

--> {00.33.010} Brown Orifice Netscape vulnerability

A demonstration exploit named Brown Orifice was released. The exploit
uses a vulnerability in Netscape coupled with a vulnerability in Java
to create a remotely accessible HTTPd on a user's machine. Worse, the
demonstration itself has a bug that lets a remote user download
arbitrary files by using ".." request syntax.

No patches have been released for the Netscape browser; we also do not
recommend the use of BOHTTPD.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0019.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0054.html

--- Linux News ---------------------------------------------------------

--> {00.33.004} Update to {00.32.001}: Netscape JPEG COM marker buffer
                overflow

TurboLinux and Mandrake have released updated Netscape packages that
fix the vulnerability discussed in {00.32.001} ("Netscape JPEG COM
marker buffer overflow").

TurboLinux:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/netscape-communicator-4.74-2.i386.rpm

Mandrake:
(Mandrake lists more than 30 new packages available for download; a
full list is available at:
http://archives.neohapsis.com/archives/bugtraq/2000-07/0456.html)

Source: TurboLinux, Mandrake (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0475.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0456.html

--> {00.33.008} LIDS promotes all users to uid 0

A bug in LIDS version 0.9.7 effectively gives all users a uid of 0 when
LIDS is disabled.

A patch has been made available and been incorporated into the latest
version of LIDS.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0486.html

--> {00.33.011} Umb-scheme wrong file permissions

Red Hat has released updated packages that fix a vulnerability resulting
from two world-writable files installed in the umb-scheme package.

Download the updates:
ftp://updates.redhat.com/6.2/sparc/umb-scheme-3.2-12.sparc.rpm
ftp://updates.redhat.com/6.2/alpha/umb-scheme-3.2-12.alpha.rpm
ftp://updates.redhat.com/6.2/i386/umb-scheme-3.2-12.i386.rpm

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0059.html

--> {00.33.017} Update to {00.31.020}: Pam_console allows access to
                system console

Mandrake has released updated pam packages that correct the
vulnerability discussed in the update to {00.31.020} ("Pam_console
allows access to system console").

Download updated packages:
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/pam-0.72-7mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/pam-0.72-7mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/pam-0.72-7mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/pam-0.72-7mdk.i586.rpm

Source: Mandrake (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0455.html

--- Solaris News -------------------------------------------------------

--> {00.33.001} Local buffer overflows in lp

Sun has released an advisory detailing two separate local buffer
overflows in the lp package. Solaris 7 and 2.6 are vulnerable to a
buffer overflow in libprint.so.2, which can be exploited via lpset to
gain root access. Solaris 8, 7 and 2.6 are vulnerable to a buffer
overflow in netpr, which lets a local attacker gain root access.

Sun has released patches:
SunOS 5.8 109320-01
SunOS 5.8_x86 109321-01
SunOS 5.7 107115-05
SunOS 5.7_x86 107116-05
SunOS 5.6 106235-06
SunOS 5.6_x86 106236-06

Source: Sun
http://archives.neohapsis.com/archives/sun/2000-q3/0000.html

--> {00.33.012} Raptor GFX configuration tool local vulnerabilities

TechSource's Raptor GFX video card for Sparc systems ships with a suid
application named pgxconfig, which contains multiple vulnerabilities
that let a local user run arbitrary commands as root.

We suggest removing the +s bit from pgxconfig.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html

--> {00.33.015} Sun AnswerBook remote command execution

Two vulnerabilities have been found in Sun's AnswerBook2 server. First,
it is possible to add new user information, allowing an attacker to then
access the AnswerBook administrative interface. Second, it is possible
to remotely execute arbitrary commands by creating log files (via the
administrative interface) whose names contain the commands that the
attacker wishes to run. Solaris versions 2.5.1, 2.6, 7 and 8 on both
Sparc and x86 are vulnerable.

Sun has released patches for the above listed platforms:
1.4.2 110011-02
1.4.2_x86 110012-02

Source: Sun
http://archives.neohapsis.com/archives/sun/2000-q3/0001.html

--- HP-UX News ---------------------------------------------------------

--> {00.33.016} HP-UX ftpd remote code execution via format string

HP-UX's ftpd version 1.7.212.2 has been found to contain a format string
bug that can allow a remote attacker to execute arbitrary code on the
system.

No patches are currently available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0028.html

--- Network Appliances News --------------------------------------------

--> {00.33.013} Cisco gigabit switch-router bypass ACLs and DoS

Cisco has released a security advisory detailing how the 12008, 12012
and 12016 gigabit switch-routers are vulnerable to various
network-level attacks that let an attacker bypass ACLs and also stop
the interface from responding, thus creating a denial-of-service
situation.

The following versions of IOS are not vulnerable:
     * 11.2(19)GS0.2
     * 12.0(8.0.2)S
     * 12.0(7)S1
     * 12.0(7.4)S
     * 12.0(8.3)SC
     * 12.0(7)SC

More information is available in the Cisco advisory, available at:
http://www.cisco.com/warp/public/707/gsraclbypassdos-pub.shtml

Source: Cisco (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-07/0485.html

--- Cross-Platform News ------------------------------------------------

--> {00.33.005} Mailman local privilege elevation

A vulnerability has been found in the mailman software that lets a local
user gain group mailman permission.

Updated source archive:
http://download.sourceforge.net/mailman/mailman-2.0beta5.tgz

Debian Linux:
ftp://ftp.debian.org/debian/dists/woody/main/binary-i386/mail/mailman_2.0beta5-1.deb
ftp://ftp.debian.org/debian/dists/woody/main/binary-m68k/mail/mailman_2.0beta5-1.deb

Conectiva Linux:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/mailman-2.0beta5-1cl.i386.rpm

Red Hat Linux:
ftp://updates.redhat.com/secureweb/3.2/i386/mailman-2.0beta5-1.i386.rp

Linux Mandrake:
- Not vulnerable

SuSE Linux:
- Not vulnerable

Source: Debian, SuSE, Red Hat, Conectiva, Mandrake (Bugtraq)
http://archives.neohapsis.com/archives/linux/suse/2000-q3/0310.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0474.html
http://archives.neohapsis.com/archives/bugtraq/2000-07/0479.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0006.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0020.html

--> {00.33.006} Suidperl local command execution as root

A vulnerability has been found in suidperl (all versions) that lets a
local user invoke /bin/mail by abusing a race condition when Perl opens
a script to run. Coupled with some undocumented features in mail, this
lets the local user execute commands as root. An exploit has been
published.

Patches have been committed to the Perl tree; in the meantime, third-party
patches for Perl and mail are available at:
http://archives.neohapsis.com/archives/bugtraq/2000-08/0051.html

Red Hat Linux has released updated packages:
ftp://updates.redhat.com/5.2/sparc/mailx-8.1.1-16.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/perl-5.004m7-2.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/mailx-8.1.1-16.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/perl-5.004m7-2.alpha.rpm
ftp://updates.redhat.com/5.2/i386/mailx-8.1.1-16.i386.rpm
ftp://updates.redhat.com/5.2/i386/perl-5.004m7-2.i386.rpm
ftp://updates.redhat.com/6.2/sparc/mailx-8.1.1-16.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/perl-5.00503-11.sparc.rpm
ftp://updates.redhat.com/6.2/i386/mailx-8.1.1-16.i386.rpm
ftp://updates.redhat.com/6.2/i386/perl-5.00503-11.i386.rpm
ftp://updates.redhat.com/6.2/alpha/mailx-8.1.1-16.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/perl-5.00503-11.alpha.rpm

We recommend removing the +s bit from suidperl/sperl until a patch
is available for your system.

Source: Red Hat, Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0022.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0057.html

--> {00.33.007} Ntop Web-mode directory traversal/remote file reading

Ntop's Web-mode feature lets remote users query ntop for network
statistics. It also lets a remote user use "../" syntax to request
arbitrary files from the system; even worse, ntop runs at elevated
(root) privilege.

No patches have been made available. We suggest you discontinue use of
ntop's Web mode until patches are available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-07/0459.html
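The "../" file-reading bugs in {00.33.003}, {00.33.010} and {00.33.007} share one root cause: the server joins the request path onto its document root without normalising it first. The following is an added example, not code from the newsletter or from any of the products named; it assumes a document root of /srv/www and uses constructed Common Log Format lines. It shows a resolver that rejects any request escaping the root (including encoded and backslash variants) and a pass over access-log lines that flags such attempts.

```python
import posixpath
import re
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # assumed document root (not from the newsletter)

def safe_path(doc_root, request_target):
    """Resolve an HTTP request-target to a file under doc_root.
    Returns the normalised absolute path, or None when the request would
    read outside doc_root (the "../" flaw in items 003, 010 and 007).
    """
    path = request_target.split("?", 1)[0]
    # Decode twice so a double-encoded "%252e%252e/" is unmasked as well.
    path = unquote(unquote(path))
    # Treat backslash as a separator too: strong.exe (item 003) runs on
    # Windows, where "..\" climbs a directory exactly like "../".
    path = path.replace("\\", "/")
    if "\x00" in path:
        return None  # NUL-truncation trick; never a legitimate file name
    root = posixpath.normpath(doc_root)
    joined = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # normpath has applied every ".."; anything not at or below root escaped.
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def flag_traversal(log_lines, doc_root=DOC_ROOT):
    """Return the request-targets in CLF access-log lines that escape doc_root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and safe_path(doc_root, m.group(1)) is None:
            hits.append(m.group(1))
    return hits

# Constructed sample log lines; they are not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2000:15:22:18 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [10/Aug/2000:15:22:19 -0500] "GET /docs/../help/faq.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Aug/2000:15:23:01 -0500] "GET /../../../../etc/passwd HTTP/1.0" 200 1189',
    '10.0.0.9 - - [10/Aug/2000:15:23:02 -0500] "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.0" 200 230',
    '10.0.0.9 - - [10/Aug/2000:15:23:03 -0500] "GET /..%255c..%255cetc/group HTTP/1.0" 200 401',
]

if __name__ == "__main__":
    for target in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", target)
```

Note that the second sample line, which uses ".." but stays inside the root, is correctly not flagged; a naive substring match on "../" would raise a false alarm there.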

--> {00.33.014} PCCS MySQL Web admin interface exposes MySQL password

A vulnerability has been found in PCCS' MySQL Web administration
interface. A file located in the /incs directory contains, in clear
text, all the information needed for the Web application to connect and
administer the database.

No patches have been made available. We suggest, at a minimum, using
HTTP authentication on all directories under /pccmysqladmin/.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-08/0015.html

------------------------------------------------------------------------

If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.sans.org/sansnews/. Become a Security
Alert Consensus member!

Special Note:
To better secure your confidential information, we will no longer
include personal URLs in our Consensus newsletter mailings. Instead, we
have created a new form, located at http://www.sans.org/sansurl. There,
you can enter the SD number located near your name at the top of the
newsletter. When you submit this form, an e-mail will be sent to you
at the e-mail address on record, containing a URL. With this URL, you
can make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, please e-mail
us at <consensus@nwc.com>.

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
The SANS Institute (http://www.sans.org).