From: The SANS Institute (sans@sans.org)
Date: Thu Mar 01 2001 - 06:51:10 CST
To: Security Express (SD397643)
Re: SANS Windows Security Digest Vol. 4 Num. 2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**********************************************************************
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 4, Number 2
February 28, 2001
Dr. Jesper M. Johansson (Boston University)
Editorial Board:
Dr. Matt Bishop (Univ. California, Davis)
Jeff Brown
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (MTE Software)
Chris Lalka (ExxonMobil)
Steve Lewis (GRCI)
Eric Maiwald (Fortrex)
Rob Marchand (Array Systems),
Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)
Copyright 2001. The SANS Institute. All rights reserved.
You may forward this issue to your co-workers and encourage them
to subscribe. To do so, send a note with the subject "NT Digest"
to digest@sans.org
We are now signing the Windows Security Digest
with PGP. The new SANS' PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS web site (http://www.sans.org)
**********************************************************************
This month we have seen six new security bulletins from
Microsoft. MS01-007 should be of particular concern to administrators
of Terminal Servers, since it affords unprivileged users the ability to
run code as Local System. See item 1.1 for additional information. We
also have another buffer overflow in Outlook and Outlook Express
to tell you about. This time it is the vCard handler that is
affected. See item 1.6 for more information. Other than those
issues, the main item of note is a rather large number of directory
traversal vulnerabilities in a number of minor web servers. See item
4.7 for more information.
JMJ
************** This issue sponsored by SurfControl, Inc **************
MONITOR & MANAGE INTERNET USE - FREE TRIAL!
If you're not managing Internet access, you're asking for
trouble. SurfControl, the #1 market leader in Internet filtering,
improves security & frees up network traffic. Find out exactly WHO
is doing WHAT, WHEN, & WHERE on the 'Net. *FREE* 30-day trial.
http://www.surfcontrol.com/promo/SSD0223
**********************************************************************
Table of Contents
1. Microsoft Security Bulletins
1.1. MS01-007 - Patch Available for "Network DDE Agent Request"
Vulnerability
1.2. MS01-008 - NTLMSSP Privilege Elevation Vulnerability
1.3. MS01-009 - Patch Available for "Malformed PPTP Packet Stream"
Vulnerability
1.4. MS01-010 - Patch Available for "Windows Media Player Skins File
Download" Vulnerability
1.5. MS01-011 - Malformed Request to Domain Controller can Cause
Denial of Service
1.6. MS01-012 - Outlook, Outlook Express vCard Handler Contains
Unchecked Buffer
1.7. MS01-013 - Windows 2000 Event Viewer Contains Unchecked Buffer
2. Virus warnings
2.1. New Melissa-style worm
3. Microsoft Software Issues
3.1. IE Issues
3.1.1. Certain IE versions interpret HTML in image files
3.2. Windows 2000 Only (Note, these are issues that affect only
Windows 2000)
3.2.1. Smart Card removal behavior settings ignored if screen saver
is running
3.2.2. Driver debug code allows patching of kernel
3.2.3. Winlogon Denial of Service vulnerabilities
3.2.4. Active Directory concurrent data access problem
4. Third Party Software Issues
4.1. Buffer overflows discovered this month
4.2. Other Remote Denial of Service (DoS) Attacks discovered this month
4.3. IEEE 802.11 Wired Equivalent Privacy vulnerabilities
4.4. Sun Java Run-time Environment vulnerability
4.5. Lotus Notes stored forms vulnerability
4.6. Novell Group Wise allows viewing all files on a locked down system
4.7. Web server directory traversal vulnerabilities
4.7.1. GoAhead WebServer, v.2.0 and v.2.1
4.7.2. SEDUM HTTP Server v2.0
4.7.3. Free Java Web Server v1.0
4.7.4. BiblioWeb Server 2.0
4.7.5. AOLserver v3.2
4.7.6. Soft Lite ServerWorx v3.00
4.7.7. Oracle8i Release 8.1.7, iAS Release 1.0.2, Oracle JSP
4.7.8. Resin 1.2.2
4.7.9. A1 Server v1.0a
4.7.10. The Simple Server
4.7.11. ITAfrica's WEBactive HTTP Server 1.00
4.8. BadBlue Web Server vulnerabilities
4.9. Van Dyke Technologies VShell v1.0 and 1.0.1 vulnerabilities
=======================================================================
1. Microsoft Security Bulletins
1.1. MS01-007 - Patch Available for "Network DDE Agent Request"
Vulnerability
Dildog, of @Stake, discovered a vulnerability in the Network
Dynamic Data Exchange (DDE) service in Windows 2000. Network DDE
is a technology to enable applications on different computers to
share data. It relies on the DDE Share Database Manager service,
NetDDE DSDM. That service is set to start manually, but any user can
start it. It runs as LocalSystem on Windows 2000. Once the Net DDE
services are started, processes can communicate using what is known
as trusted shares. By default, three such shares, chat$, CLPBK$,
and hearts$, exist on all Windows 2000 systems. To determine what
shares a particular system has, use the ddeshare.exe program.
Once a share is trusted, the client can then send a message to the
server to activate that share. However, in the activation message
the client can also specify the executable to bind to that share. The
Network DDE server will then run that executable, in its own context:
LocalSystem.
This attack cannot be run remotely. However, any system on
which untrusted users can execute code is at risk from this
vulnerability. This includes primarily Windows terminal servers and
workstations.
Microsoft has produced a patch that does two things. First, it
removes the default trusted Network DDE shares. Second, the patch
ensures that when Network DDE executes a message it does so in the
context of the calling process, rather than in the context of Local
System. The patch is available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526
This patch will be included in Service Pack 3 for Windows 2000. Service
Pack 2 is being readied for release and no further fixes are added
to it.
For more information see:
* Microsoft Security Bulletin MS01-007
http://www.microsoft.com/technet/security/bulletin/MS01-007.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS01-007
http://www.microsoft.com/technet/security/bulletin/fq01-007.asp
* Microsoft Knowledge Base (KB) article Q285851 "Patch Available for
Network DDE Agent Request Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=285851
* The @Stake Advisory
http://www.atstake.com/research/advisories/2001/a020501-1.txt
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-015
1.2. MS01-008 - NTLMSSP Privilege Elevation Vulnerability
The Bindview Razor team discovered a vulnerability affecting all
versions of Windows NT 4.0. The vulnerability, in the NTLM Security
Support Provider (NTLMSSP) allows users who can send messages to the
NTLMSSP to execute arbitrary code on the system. All local users can
send such messages.
When a client process connects to the NTLMSSP it sends messages with
a function index to the NTLMSSP. However, the NTLMSSP performs the
validity check on the index incorrectly. This means that the client
can pass any index it wants. If the client has previously mapped some
code into the NTLMSSP's address space, which it is allowed to do, it
can cause the NTLMSSP to execute that code by specifying a certain
index. The NTLMSSP will execute this code in its own context: SYSTEM.
Patches are available as follows:
* Microsoft Windows NT 4.0 Workstation, Server, and Enterprise Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27804
* Microsoft Windows NT 4.0 Server, Terminal Server Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27824
For more information see:
* Microsoft Security Bulletin MS01-008
http://www.microsoft.com/technet/security/bulletin/MS01-008.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS01-008
http://www.microsoft.com/technet/security/bulletin/fq01-008.asp
* Microsoft Knowledge Base (KB) article Q280119 "A Patch Is Available
for the NTLMSSP Privilege Elevation Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=280119
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-016
1.3. MS01-009 - Patch Available for "Malformed PPTP Packet Stream"
Vulnerability
Kirk Corey discovered this denial of service vulnerability in
Windows NT 4.0. PPTP uses TCP port 1723 and the Generic Routing
and Encapsulation (GRE) protocol. There are several flaws in the
implementation.
First, by sending a stream of null characters to TCP port 1723
certain PPTP servers will crash with a blue screen. This particular
vulnerability was actually fixed in Service Pack 6.
Second, the PPTP service has a flaw in how it handles certain malformed
GRE packets. Handling these packets causes a kernel memory leak. If
enough of these packets are sent to a server all kernel memory on
the server would be exhausted, and the server would fail. The server
would have to be restarted to restore normal operation.
Third, sending a relatively small amount of malformed GRE data will
cause the server to blue screen.
Microsoft has produced fixes as follows:
* Windows NT 4.0 Workstation, Windows NT 4.0 Server
and Windows NT 4.0 Server, Enterprise Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27836
A patch for Windows NT 4.0 Server, Terminal Server Edition is in
preparation but is not yet ready.
For more information see:
* Microsoft Security Bulletin MS01-009
http://www.microsoft.com/technet/security/bulletin/MS01-009.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS01-009
http://www.microsoft.com/technet/security/bulletin/fq01-009.asp
* Microsoft Knowledge Base (KB) article Q283001 "Patch
Available for Malformed PPTP Packet Stream Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=283001
1.4. MS01-010 - Patch Available for "Windows Media Player Skins File
Download" Vulnerability
This bulletin announces a patch for the Windows Media Player Skins
vulnerability announced in January 2001, by Georgi Guninski. Windows
Media Player will automatically download new skins from a web site. The
skins will be stored in a predictable location on the user's system
(%systemdrive%\Program Files\Windows Media Player\Skins) as a compressed
file. An attacker can create a skin that contains a Java class and
cause the browser to download it. The skin can then be opened as an
application directly from the local system. Since the applet runs from
the local system it has the ability to execute code on that system.
A patch is available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27961
For more information see:
* Microsoft Security Bulletin MS01-010
http://www.microsoft.com/technet/security/bulletin/MS01-010.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS01-010
http://www.microsoft.com/technet/security/bulletin/fq01-010.asp
* Microsoft Knowledge Base (KB) article Q287045 "Patch Available
for Windows Media Player Skins File Download Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=287045
1.5. MS01-011 - Malformed Request to Domain Controller can Cause
Denial of Service
This bulletin announces a patch for Windows 2000 Domain Controllers. An
attacker can cause a denial of service condition on those machines
by sending garbage to UDP port 464 (Kerberos Password). Rather than
ignoring such packets, the server will process them and send back a
response. This means that an attacker can use up virtually all CPU
on the domain controller by sending a large number of these packets.
Microsoft has produced a patch for Windows 2000 Server and Advanced
Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28064
Administrators of Windows 2000 Datacenter Server are advised to
contact their OEM to obtain a patch.
This patch will be included in Service Pack 3 for Windows 2000. Service
Pack 2 is being readied for release and no further fixes are added
to it.
Note that the online version of this bulletin uses a new bulletin
format. The frequently asked questions are included in the bulletin
itself, and there is no FAQ available separately.
For more information see:
* Microsoft Security Bulletin MS01-011
http://www.microsoft.com/technet/security/bulletin/MS01-011.asp
* Microsoft Knowledge Base (KB) article Q287397 "Patch Available for
Malformed Domain Controller Service Request Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=287397
* The CVE Information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0018
1.6. MS01-012 - Outlook, Outlook Express vCard Handler Contains
Unchecked Buffer
This bulletin announces a patch for Outlook 2000 and Outlook
Express. In August 2000 (See the September 2000 SANS Windows Security
Digest) Joel Moses announced a Denial of Service attack against Outlook
and Outlook Express. The attack involved getting the user to open
a particularly malformed vCard. vCards are virtual business cards,
and are a common way for users to exchange contact information.
vCards are a standardized mechanism to exchange user information, such
as phone numbers, e-mail addresses, etc. They are defined in RFC 2426
and are supported by mail user agents (MUAs) from many companies. Both
Outlook 98/2000 and Outlook Express support vCards.
At the time Joel Moses reported the problem it was believed that the
overflow condition was not exploitable. Because of the lack of an
exploit Microsoft deemed it to be a minor problem and did not issue
a hotfix. However, the @Stake Labs have discovered how to exploit
this buffer overflow using a malformed Birthday field. Consequently,
Microsoft has now created a patch and the bulletin.
It is important to realize that if scripts are allowed to run within
e-mail, this exploit could be triggered automatically when the user
opens the e-mail. Windows may not prompt a user before opening a
vCard. Prompting can be turned on or off by editing the file type in
Windows Explorer, or configuring the following registry key:
Hive: HKEY_CLASSES_ROOT
Key: \vcffile
Value: EditFlags
Type: REG_BINARY
Data: 00000100 to turn off prompting, 00000000 to turn on prompting.
This vulnerability affects several versions of Outlook and Outlook
Express:
* Microsoft Outlook 98
* Microsoft Outlook 2000
* Microsoft Outlook Express 5.01
* Microsoft Outlook Express 5.5
The patch is available at:
http://www.microsoft.com/windows/ie/download/critical/q283908/download.asp
For more information see:
* Microsoft Security Bulletin MS01-012
http://www.microsoft.com/technet/security/bulletin/MS01-012.asp
* Microsoft Knowledge Base (KB) article Q283908 "OLEXP: Patch Available
for Malformed vCard Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=283908
* The @Stake Advisory
http://www.atstake.com/research/advisories/2001/a022301-1.txt
* The CVE Information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0756
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0145
* RFC 2426 "vCard MIME Directory Profile"
http://www.cis.ohio-state.edu/htbin/rfc/rfc2426.html
* The September 2000 SANS Windows Security Digest
http://www.sans.org/newlook/digests/ntarchives/093000.htm#2.3.1
1.7. MS01-013 - Windows 2000 Event Viewer Contains Unchecked Buffer
Blake Watts discovered a buffer overflow in the Windows 2000
Event Viewer. An attacker could create an event with a malformed data
field. If a user opens that event in Event Viewer to view the event
details, Event Viewer would crash. The malformed data field could
contain code that would then be executed in the context of the user
account that viewed the event.
There is no mechanism, either built-in, or using the Resource Kit,
to create a sufficiently malformed event. Such an event can only be
created using custom code. However, an event can be created remotely
if Windows Networking can see the target machine. Normally, Windows
Networking would be blocked by a firewall, making this an internal
exploit scenario only.
Microsoft has produced a patch for all versions
of Windows 2000 except Datacenter Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27842
This patch will be included in Service Pack 3 for Windows 2000. Service
Pack 2 is being readied for release and no further fixes are added
to it.
Administrators of Windows 2000 Datacenter Server would need to contact
their OEM to obtain a fix.
For more information see:
* Microsoft Security Bulletin MS01-013
http://www.microsoft.com/technet/security/bulletin/MS01-013.asp
* Microsoft Knowledge Base (KB) article Q285156
"Windows 2000 Event Viewer Contains an Unchecked Buffer"
http://www.microsoft.com/technet/support/kb.asp?ID=285156
2. Virus warnings
2.1. New Melissa-style worm
Another high-profile Melissa-style worm was released this month; this
one named after Anna Kournikova, a popular tennis player. What is more
interesting is the apparently very large number of still-vulnerable
Outlook 98 and 2000 installations out there. If a few minor steps had
been taken, these types of worms would have virtually no effect at
all. The first step is to install the appropriate Outlook Security
Update:
* Outlook 98
http://www.officeupdate.com/downloadDetails/Out98sec.htm
* Outlook 2000
http://www.officeupdate.com/2000/downloadDetails/Out2ksec.htm
Technically, that is enough. However, we also recommend tightening up
the restricted sites zone in Internet Explorer. The Security Updates
set Outlook to read e-mail in that zone, and we feel that the default
settings leave a few too many things enabled. For additional security,
more or less everything in that zone should be disabled.
3. Microsoft Software Issues
3.1. IE Issues
3.1.1. Certain IE versions interpret HTML in image files
An announcement by Kee Hinckley detailed a discovery by Anders Pearson
and Peter Leonard. Certain Internet Explorer versions (IE 4 and 5 on
the Macintosh and IE 4 on Windows were found vulnerable) will examine
the content of files that it opens and modify how it displays them. For
example, if a JPEG image contains HTML in it, IE will actually
interpret the HTML. This could be used to perpetrate exploits such
as the CSS and DHTML exploit of web-based e-mail systems discovered
last month (see the January 2001 SANS Windows Security Digest:
http://www.sans.org/newlook/digests/ntarchives/013101.htm#2.6). The
problem, from the attacker's standpoint, is that normally images are
displayed inline in web-based e-mail systems, and the attack only
works if the image is opened separately. To force the image to open
separately the attacker must convince the web-based e-mail system
that the image is not an image by changing its content type. This
will cause the image to appear as an attachment. The solution, then,
is to teach users not to open images that show up as attachments in
web based e-mail systems.
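The defence the digest recommends is a user-education one. A web-based e-mail system can also check on the server side for the two conditions the item describes: an image file that carries HTML markup, and image bytes that arrive under a non-image content type so that they show up as an attachment. The following is an added example of such a gate, not code from any of the products mentioned; the attachment bytes and content types below are constructed for the example.

```python
# Added example: a server-side attachment gate for a web-mail system that
# compares the declared content type with the actual bytes and looks for
# HTML markup inside image files. All sample data is constructed.

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Markup that a content-sniffing browser could act on if found in a file
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe", b"<!doctype")


def sniffed_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(GIF_MAGICS):
        return "image/gif"
    return None


def classify_attachment(declared_type: str, data: bytes) -> str:
    """Classify one attachment.

    Verdicts:
      "ok"                  declared type matches the bytes, no markup inside
      "html-in-image"       an image that carries HTML markup
      "image-as-attachment" image bytes sent under a non-image type, which
                            forces the file to be opened separately
      "type-mismatch"       declared as an image but the bytes are not that
                            image type
    """
    actual = sniffed_image_type(data)
    declared = declared_type.lower()
    declared_is_image = declared.startswith("image/")
    if actual is not None and any(m in data.lower() for m in HTML_MARKERS):
        return "html-in-image"
    if actual is not None and not declared_is_image:
        return "image-as-attachment"
    if declared_is_image and actual != declared:
        return "type-mismatch"
    return "ok"


def constructed_samples() -> dict:
    """Constructed attachments: a plain JPEG, a JPEG whose comment segment
    (marker FF FE) carries markup, and an executable header."""
    clean_jpeg = JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 32
    markup = b"<html><body>hidden page</body></html>"
    poisoned_jpeg = JPEG_MAGIC + b"\xfe" + len(markup).to_bytes(2, "big") + markup
    not_an_image = b"MZ\x90\x00" + b"\x00" * 32
    return {
        "clean": classify_attachment("image/jpeg", clean_jpeg),
        "poisoned": classify_attachment("image/jpeg", poisoned_jpeg),
        "disguised": classify_attachment("application/octet-stream", clean_jpeg),
        "mismatch": classify_attachment("image/jpeg", not_an_image),
        "text": classify_attachment("text/plain", b"just text"),
    }


if __name__ == "__main__":
    for name, verdict in constructed_samples().items():
        print(f"{name}: {verdict}")
```

The "html-in-image" check is deliberately applied to the whole file, not just the header, because the markup in a JPEG would sit in a comment or application segment rather than at offset zero.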
3.2. Windows 2000 Only (Note, these are issues that affect only
Windows 2000. Windows 2000 may also be affected by issues listed
under All/Other Microsoft Software Issues below)
3.2.1. Smart Card removal behavior settings ignored if screen saver
is running
John Allberg reported this month that there is a bug in the Windows
2000 Smart Card routines. Windows 2000 can be set to automatically lock
the console or log the user out when a Smart Card is removed. However,
if a screen saver is running when the Smart Card is removed,
this setting is ignored, resulting in the console not locking as
expected. Microsoft is aware of the issue. Currently, the obvious
workaround is to ensure that the console is locked or that the user
is logged out after the Smart Card is removed.
3.2.2. Driver debug code allows patching of kernel
Andrey Kolishak announced that a technique commonly used in drivers
to process debug messages opens up the system to kernel patching. The
problem is that a certain technique used to print the debug messages
uses a vulnerable string function. This is a common technique.
Currently, enforcing kernel memory write protection does guard
against this issue. It can be turned off, however, ordinary users do
not have the rights to do so. Thus, at present, this issue is not of
great concern. However, if at some time in the future, a mechanism
is found whereby ordinary users can turn off memory write protection,
this could be of great concern.
3.2.3. Winlogon Denial of Service vulnerabilities
A post this month to BugTraq detailed a vulnerability in the Winlogon
process. Winlogon handles messages from other processes. If it receives
certain malformed messages the Winlogon process crashes. There is
also the possibility of filling the Winlogon process's memory space
with garbage, but it is unclear at this point what use that would
be. At this time, this appears to be a local DoS exploit only, and
therefore of limited impact, with the possible exception of terminal
servers. We are unaware of any workaround at this time.
3.2.4. Active Directory concurrent data access problem
InfoWorld ran a story about a problem with the Windows 2000 Active
Directory that could cause data loss. The problem is in the locking
mechanism used when an Administrator is updating a container object
in Active Directory.
Concurrency control is the concept of ensuring that multiple users
can access the same data at the same time without conflicting. It
is important in a multi-user distributed database, such as Active
Directory, that one user's changes to the database do not overwrite
changes made by another user. However, the distributed locking
mechanism used in Active Directory is a mechanism known as "optimistic
locking." Optimistic locking essentially means that we assume that
no two users will modify the same data at the same time. However,
should this happen, the results are undefined.
For example, assume that an Administrator opens a container object,
such as a group, to remove userA from the group. At the same time,
on a different domain controller, another administrator adds userB
to the same group. This is actually done by rewriting the entire
group membership list for the group in both places, rather than
simply marking it with the changes that were made. In this case,
when the changes are replicated to the other domain controllers, some
conflict resolution mechanism has to decide which set of changes to
keep, because we have two complete lists of group members, with no
indication as to the exact changes that were made to them. Thus,
the outcome could be that userB was added to the group, and that
userA is still a member. However, it is just as likely that userA
was removed but that the addition of userB is lost.
This problem will be solved in Windows XP, a.k.a. Windows NT 5.1 and/or
Windows Whistler. According to InfoWorld, Microsoft has no plans on
modifying this behavior in Windows 2000. The current workaround is
to establish policies regarding when and where updates to Active
Directory are allowed. Remember, this is particularly problematic
with container objects that store multi-valued attributes, such as
group memberships, domain memberships, and so on. Further, it would
be prudent to keep track of all changes to the contents of Active
Directory so that you can go back and determine what changes should
be made if your information is lost.
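The two outcomes described above follow directly from how the conflict is resolved. The following added example (not code from Microsoft or InfoWorld) models the group scenario with Python sets: whole-list replacement, where one administrator's complete list wins and the other's change is lost, against a merge that applies each side's adds and removes, which is the "marking it with the changes" alternative the text contrasts. It also includes the audit step the digest recommends, comparing the intended changes with what actually replicated. The user names are constructed.

```python
# Added example: a model of concurrent updates to a multi-valued attribute
# (group membership) on two domain controllers. Not Microsoft code; the
# user names are constructed for the example.


def whole_value_merge(update_a: set, update_b: set, winner: str) -> set:
    """Each DC rewrote the entire member list; conflict resolution keeps one
    complete list and discards the other (the behaviour the digest
    describes for Windows 2000)."""
    return set(update_a) if winner == "a" else set(update_b)


def per_value_merge(base: set, update_a: set, update_b: set) -> set:
    """Alternative: derive each DC's adds and removes against the common
    base and apply both, so neither change is lost."""
    adds = (update_a - base) | (update_b - base)
    removes = (base - update_a) | (base - update_b)
    return (base | adds) - removes


def lost_changes(base: set, updates: list, final: set) -> dict:
    """Audit helper: given the base list, the full lists each administrator
    wrote, and the list that ended up replicated, report the intended adds
    and removes that did not survive."""
    intended_adds = set().union(*(u - base for u in updates))
    intended_removes = set().union(*(base - u for u in updates))
    return {
        "adds_lost": intended_adds - final,
        "removes_lost": intended_removes & final,
    }


def digest_scenario():
    """Base membership plus the two concurrent rewrites from the text:
    one administrator removes userA, another adds userB."""
    base = {"userA", "userC"}
    dc1_write = base - {"userA"}
    dc2_write = base | {"userB"}
    return base, dc1_write, dc2_write


if __name__ == "__main__":
    base, dc1, dc2 = digest_scenario()
    for winner in ("a", "b"):
        final = whole_value_merge(dc1, dc2, winner)
        print(f"whole-list, DC{winner} wins: {sorted(final)}",
              lost_changes(base, [dc1, dc2], final))
    final = per_value_merge(base, dc1, dc2)
    print("per-value merge:", sorted(final), lost_changes(base, [dc1, dc2], final))
```

Running it shows the two outcomes from the text: when DC1's list wins, userB's addition is lost; when DC2's list wins, userA remains a member. The per-value merge produces {userB, userC} with nothing lost, which is why recording the intended change, not just the resulting list, lets you repair the directory afterwards.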
4. Third Party Software Issues
4.1. Buffer overflows discovered this month
Buffer overflows can generally be used to execute arbitrary code on
the victim host. Many buffer overflows are discovered each month. We
report the ones we know about here. In addition, we have tried to
give you a little more information in a concise format. To that end,
certain items are marked with an (F) and/or (E). (E) means that an
exploit for this issue is publicly available. (F) means that a fix
is available currently. We have also, in some cases, included a URL
after the item. That URL points to either a fix, if one is available,
or to the vendor's web site, if we know it.
* (E) MERCUR SMTP-Server v3.30.03
(http://www.atrium-software.com/mercur/mercur_e.cfm)
* (F) Trend Micro Virus Buster 2001
version 8.01 Japanese (fix available at:
http://www.trendmicro.co.jp/homeuser/download/vb2001sp2.htm)
* (F) Van Dyke Technologies VShell v1.0 and 1.0.1 (fixed in VShell
1.0.2: http://www.vandyke.com/download/vshell)
* (F) Symantec PCAnywhere 9.0 (fixed in version 9.0.1 available at
http://www.symantec.com)
* Pi3Web v1.0.1
* WebReflex 1.55 (http://www.sapio.com/reflex/)
4.2. Other Remote Denial of Service (DoS) Attacks discovered this month
Buffer overflows can also be used to perpetrate DoS attacks. In
addition, DoS attacks can be launched many other ways, as well. In
this section, we report new DoS attacks that we know about. Some
are discussed in more detail below. (F) means that there is a
vendor-supplied fix available.
* BiblioWeb Server 2.0 (http://www.biblioscape.com)
* SEDUM HTTP Server v2.0 (http://www.frassetto.it/)
* Reflection FTP Server 7.01. This product has been discontinued and
the issue will not be fixed.
* Serv-U FTP Server 2.5i (http://ftpserv-u.deerfield.com/)
* Netscape Collabra Server V3.54
(http://home.netscape.com/collabra/v3.5/index.html)
* Orange Web Server v2.1
(http://www.orangesoftware.net/orangewebserver.html)
* A1 Server v1.0a
(http://msnhomepages.talkcity.com/windowsway/lriver2/a1server.htm)
4.3. IEEE 802.11 Wired Equivalent Privacy vulnerabilities
Although this issue is not strictly Windows related, we thought
you would be interested in it anyway. A team of researchers
consisting of Nikita Borisov, Ian Goldberg, and David Wagner at the
University of California Berkeley has published a study of the Wired
Equivalent Privacy (WEP) protocol that is part of the IEEE 802.11
and 802.11b wireless LAN (WLAN) specifications. Their conclusion
is that the protocol suffers from both a poor design and a poor
implementation. These shortcomings could lead to intruders being
able to compromise the security of transmissions over a WLAN. Among
the possible compromises are data insertion, eavesdropping, and
dictionary building, allowing automatic decryption of traffic after a
little bit of time. The shortcomings stem from the implementation of
the RC4 encryption protocol in WEP, and the fact that the integrity
checking is performed using CRC-32. It is possible to modify encrypted
traffic and compute a new, correct, CRC-32 without ever decrypting
the traffic. Furthermore, to prevent key reuse, which opens up RC4 to
simple known attacks, WEP uses an initialization vector to alter the
key each time a packet is transmitted. However, the initialization
vector is too short to guarantee key uniqueness. In addition, the
implementation of the initialization vector is extremely poor in some
products. Lucent's Orinoco system, for example, uses an initialization
vector that always starts with 0 each time a card is initialized.
For more information on the discoveries about WEP, refer to the
website at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.
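Two of the shortcomings above can be checked in a few lines. The following is an added example, not code from the Berkeley study or from any WLAN vendor: it verifies that CRC-32 is affine over XOR (the property that lets a checksum be updated without decrypting), shows that a keyed MAC such as HMAC-SHA256 has no such property, and computes the birthday estimate for how soon a random initialization vector repeats. The message, the change, and the HMAC key are constructed for the example; the 24-bit IV width is a known fact about WEP and is not stated in the digest.

```python
# Added example: properties behind the WEP findings. Not code from the
# Berkeley study; the key, message and delta below are constructed.
import hashlib
import hmac
import math
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_predictable_after_change(message: bytes, delta: bytes) -> bool:
    """CRC-32 is affine over XOR: for equal-length inputs,
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0).
    True means the checksum of the altered message follows from the old
    checksum and the change alone, with no knowledge of the message or
    key. That is why CRC-32 is not an integrity check."""
    zeros = bytes(len(message))
    predicted = crc32(message) ^ crc32(delta) ^ crc32(zeros)
    return crc32(xor_bytes(message, delta)) == predicted


def hmac_detects_change(key: bytes, message: bytes, delta: bytes) -> bool:
    """A keyed MAC has no such relation: the tag of the altered message
    differs and cannot be recomputed without the key."""
    original = hmac.new(key, message, hashlib.sha256).digest()
    altered = hmac.new(key, xor_bytes(message, delta), hashlib.sha256).digest()
    return not hmac.compare_digest(original, altered)


def expected_packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday estimate sqrt(pi/2 * 2**bits) of how many packets a random
    IV of iv_bits can label before one repeats. WEP uses a 24-bit IV
    (known fact, not from the digest), which gives a few thousand packets;
    a counter that restarts at 0 on every card reset repeats sooner."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    msg = b"constructed payload 0123456789"
    delta = bytearray(len(msg))
    delta[11] = 0x01          # flip one bit of the message
    key = b"constructed-hmac-key"
    print("CRC-32 predictable after change:", crc_predictable_after_change(msg, bytes(delta)))
    print("HMAC detects change:", hmac_detects_change(key, msg, bytes(delta)))
    print("packets until 24-bit IV repeat (approx):", round(expected_packets_until_iv_repeat()))
```

The identity holds for any CRC, including those with a non-zero initial value and a final XOR, because those only add a length-dependent constant; the constant is exactly crc(0...0), which is why it appears in the formula.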
4.4. Sun Java Run-time Environment vulnerability
Sun announced a vulnerability in its Java Run-time Environment (JRE)
for multiple platforms, Windows among them. If a Java component
has been granted the right to execute a command it can execute a
number of potentially dangerous and malicious commands. By default,
no permissions to execute commands are granted.
Sun reported that the following Windows releases of the Software
Development Kit (SDK), Java Development Kit (JDK) are vulnerable:
SDK and JRE 1.2.2_005 or earlier
SDK and JRE 1.2.1_003 or earlier
JDK and JRE 1.1.8_003 or earlier
JDK and JRE 1.1.7B_005 or earlier
JDK and JRE 1.1.6_007 or earlier
Sun has released updates for all of these versions. For download
locations, and further information, please refer to the Sun bulletin:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/201&type=0&nav=sec.sba
No further details on this vulnerability were publicized. However,
since the current versions of both Netscape Navigator and Microsoft
Internet Explorer are based on different Java environments, neither
one is vulnerable to this particular problem.
4.5. Lotus Notes stored forms vulnerability
This is actually a very old vulnerability, originally discovered by
Oliver Buerger. However, Chris Jones reposted it this month, and
since we have not covered it before in the digest, we thought it
would be important.
Lotus Notes contains a feature known as stored forms. An attacker can
craft her own stored form and send it along with an e-mail, rather
than using the built-in forms. The form could contain executable
code. This has the same effect as including executable code in a
Microsoft Outlook e-mail, and could potentially be used to create a
Melissa-style virus targeting Lotus Notes.
To guard against this vulnerability, modify the mailbox database
properties so that the "Allow stored forms" setting is unchecked.
4.6. Novell Group Wise allows viewing all files on a locked down system
Adam Gray reported that the Novell Group Wise client does not properly
respect system policies or ZEN policies. If a system is locked down
such that users cannot see the drives, they can now open Group Wise
and click file:open and see the drives.
Novell has produced a patch that uses a different routine to display
the open dialog. Group Wise client release service pack 3 will solve
the problem.
Note here that the exact same behavior is present in the entire
Microsoft Office 2000 suite. Office 2000 uses its own open dialog,
which does not respect system policies. This has been known for
several years, and will probably not be fixed in the foreseeable
future. The main reason for not fixing it is that hiding drives is
considered security by obscurity, which is generally an inadequate
security measure. Security should be based on Access Control Lists
rather than hidden drives.
4.7. Web server directory traversal vulnerabilities
An unusual number of web server directory traversal vulnerabilities
were reported this month. The impact of a directory traversal
vulnerability is that the server will follow ../ directives in a
URL, allowing an attacker to break out of the web root and access
information in other directories on the partition that hosts the
web content. Except where otherwise stated, we are unaware of both
a vendor response and a patch. The following products were reported
vulnerable this month:
4.7.1. GoAhead WebServer, v.2.0 and v.2.1
Discovered by Sergey Nenashev and Yevgeny V.Yourkhov
4.7.2. SEDUM HTTP Server v2.0
Discovered by Joe Testa. The SEDUM homepage is available at
http://www.frassetto.it/sdm/e_index.htm.
4.7.3. Free Java Web Server v1.0
Discovered by Joe Testa. The publisher's site seems to be unavailable,
indicating that this server is probably no longer supported.
4.7.4. BiblioWeb Server 2.0
Discovered by Joe Testa. The BiblioWeb homepage is at
http://www.biblioscape.com/biblioweb.htm.
4.7.5. AOLserver v3.2
Discovered by Joe Testa. This vulnerability is a little different
than the rest, in that it only works if the attacker uses a
... (triple-dot) instead of .. (double-dot). The AOLServer homepage
is at http://www.aolserver.com/.
4.7.6. Soft Lite ServerWorx v3.00
Discovered by Joe Testa. The Soft Lite ServerWorx homepage is at
http://www.softlite.net/products/serverworx/.
4.7.7. Oracle8i Release 8.1.7, iAS Release 1.0.2, Oracle JSP
Last month Georgi Guninski discovered this vulnerability (see the
January 2001 SANS WSD for more details). The vulnerability is fixed
in version 1.1.2.0.0 of Oracle JSP. That version can be downloaded
from the Oracle Technology Network. http://otn.oracle.com/.
4.7.8. Resin 1.2.2
Discovered by Joe Testa. This issue was fixed in Resin 1.2.3, available
at http://www.caucho.com/download/index.xtp.
4.7.9. A1 Server v1.0a
Discovered by b10oz. The A1 Server web site is at
http://msnhomepages.talkcity.com/windowsway/lriver2/a1server.htm.
4.7.10. The Simple Server
Discovered by b10oz. The Simple Server's web site is at
http://dattaraj_rao.tripod.com/Java/.
4.7.11. ITAfrica's WEBactive HTTP Server 1.00
Discovered by b10oz. It is unknown who makes this web
server, but it is apparently available for download from
ftp://ftp.euro.net/d3/Windows/winsock-l/Windows95/Daemons/HTTPD/activ100.zip
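The root cause shared by the servers in item 4.7 is that the request path is appended to the web root without checking where the result lands. The following added example, which is not code from any of the servers listed, shows the check a server should make: decode the path once, normalize it, and verify that the resulting file is still inside the web root, rather than searching the string for "..". It also refuses segments made only of three or more dots, the variant from the AOLserver report in 4.7.5, and includes a small function that runs the same check over access-log lines to find requests a vulnerable server would have served. The web root, the log format and the log lines are constructed for the example.

```python
# Added example: a containment check for mapping URL paths onto a web root,
# plus an audit over constructed access-log lines. Not code from any of
# the web servers named in the digest. WEB_ROOT and SAMPLE_LOG are constructed.
import os
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/www/htdocs"


def resolve_request_path(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Return the filesystem path for url_path, or None if it would leave
    web_root. The check is lexical (no symlink resolution): decode once,
    treat backslashes as separators, normalize '.' and '..', then test
    that the result is the root or a descendant of it."""
    decoded = unquote(url_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s]
    # A run of three or more dots is treated as a parent reference by
    # some platforms (the AOLserver case); refuse such segments outright.
    if any(len(s) >= 3 and set(s) == {"."} for s in segments):
        return None
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, *segments)) if segments else root
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the request paths in a simple access log (constructed format:
    '<client> "<METHOD> <path> <version>" <status>') that the check above
    refuses. Useful for reviewing logs of a server that lacked the check."""
    refused = []
    for line in log_lines:
        try:
            request = line.split('"')[1]
            path = request.split()[1]
        except IndexError:
            continue
        if resolve_request_path(path) is None:
            refused.append(path)
    return refused


SAMPLE_LOG = [  # constructed log lines; status 200 models a server that served them
    '10.0.0.5 "GET /index.html HTTP/1.0" 200',
    '10.0.0.5 "GET /docs/../index.html HTTP/1.0" 200',
    '10.0.0.9 "GET /../../winnt/win.ini HTTP/1.0" 200',
    '10.0.0.9 "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.0" 200',
    '10.0.0.9 "GET /.../.../etc/passwd HTTP/1.0" 200',
    '10.0.0.9 "GET \\..\\..\\autoexec.bat HTTP/1.0" 200',
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        path = line.split('"')[1].split()[1]
        print(f"{path!r} -> {resolve_request_path(path)}")
    print("refused:", traversal_attempts(SAMPLE_LOG))
```

Note that "/docs/../index.html" is accepted because it normalizes to a file inside the root; a filter that simply rejected any ".." would refuse legitimate requests like this one while still missing the encoded and triple-dot forms, which is why containment of the final path is the right test. On a server that follows symlinks, resolve the candidate with os.path.realpath before the containment test.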
4.8. BadBlue Web Server vulnerabilities
BadBlue is a web server designed for serving web pages as well as file
sharing. The product is available from http://www.badblue.com. SNS
Research reported that there are two vulnerabilities in the current
incarnation.
All requests to BadBlue go to a file called ext.dll. If a call is made
to ext.dll without specifying a complete request, BadBlue will return
the local path on the web server. This affords an attacker insight into
the setup of the server. A worse problem is that by making a malformed
request to ext.dll, an attacker can shut down the server altogether.
These problems are fixed in BadBlue version 1.02.8.
4.9. Van Dyke Technologies VShell v1.0 and 1.0.1 vulnerabilities
In addition to the buffer overflow in VShell reported in item 4.1
above, VShell also contains a default rule which causes problems. The
rule is 0.0.0.0/0.0.0.0, and it allows any user with a valid
account on the VShell SSH server to forward ports to any internal
or external server, as long as the internal addressing scheme is
known. These problems were fixed in release 1.0.2 of VShell, available
at http://www.vandyke.com/download/vshell
=======================================================================
The SANS Windows Security Digest is available at no cost
to all system, network, and security professionals who work
with Windows. To subscribe, email digest@sans.org with the
subject Windows Security Digest. Back issues are available at
http://www.sans.org/newlook/digests/ntdigest.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6njxJ+LUG5KFpTkYRAl5pAJ0ZvlWf1dD0UOOJBQjYIsPK3j7gQACePbCi
HbCDUP/IZkIXu202Li2iJ00=
=+PBC
-----END PGP SIGNATURE-----