From: The SANS Institute (sans@sans.org)
Date: Fri Mar 30 2001 - 20:04:30 CST
To: Security Express (SD397643)
Re: SANS Windows Security Digest Vol. 4 Num. 3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**********************************************************************
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 4, Number 3
March 31, 2001
Dr. Jesper M. Johansson (Boston University)
Editorial Board:
Dr. Matt Bishop (Univ. California, Davis)
Jeffrey W. Brown
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (KPMG Information Risk Management Group)
Chris Lalka (ExxonMobil)
Steve Lewis (GRCI)
Eric Maiwald (Fortrex)
Rob Marchand (VoiceGenie Technologies)
Dr. Gene Schultz (University of California - Berkeley Lab)
Special Guest Editor: Matt Scarborough, IC
Copyright 2001. The SANS Institute. All rights reserved.
You may forward this issue to your co-workers and encourage them
to subscribe. To do so, send a note with the subject "NT Digest"
to digest@sans.org
We are now signing the Windows Security Digest
with PGP. The new SANS' PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS web site (http://www.sans.org)
**********************************************************************
This month we have seen several important developments. First, we have
a new release of the most popular backdoor Trojan on our hands. Sub7
2.2 was released this month and, unlike earlier versions of this
Trojan, it runs on Windows NT 4.0. A very serious vulnerability was
also announced in IBM WebSphere, complete with an exploit that will
generate all the username-password combinations for the WebSphere
server, in cleartext. If you are administering WebSphere, you will
want to read item 4.4. We also have a special report on the BackGate
Trojan Kit for IIS by Matt Scarborough. This trojan kit is a complete
kit to fully take over an IIS web server. That issue is discussed in
item 3.1. Lastly, some good news: Microsoft announced the release of
updated search functionality on their security pages on March 28. You
can now go to http://www.microsoft.com/technet/security/current.asp and
search for hotfixes based on both product and patch level. Previously,
determining which fixes were needed for a particular product was very
difficult, and this new search page makes it much easier.
JMJ
***************** This issue sponsored by PentaSafe ******************
WRITE YOUR INFORMATION SECURITY POLICIES IN A DAY!
INSTANT, DEFINITIVE, UP-TO-DATE POLICIES! INFORMATION SECURITY
POLICIES MADE EASY Version 7 is a compilation of 1000+ already-written
information security policies in both text and CD/ROM. Save thousands
of dollars while developing security policy documents in minutes.
Find out more at http://www.pentasafe.com/products/policyoverview.htm
**********************************************************************
Table of Contents
1. Microsoft Security Bulletins
1.1. MS01-014 - Malformed URL can cause Service Failure in IIS 5.0
and Exchange 2000
1.2. MS01-015 - IE can Divulge Location of Cached Content
1.3. MS01-016 - Malformed WebDAV Request Can Cause IIS to Exhaust
CPU Resources
1.4. MS01-017 - Erroneous VeriSign-Issued Digital Certificates Pose
Spoofing Hazard
1.5. MS01-018 - Visual Studio VB-TSQL Object Contains Unchecked Buffer
1.6. MS01-019 - Passwords for Compressed Folders are Recoverable
1.7. MS01-020 - Incorrect MIME Header Can Cause IE to Execute E-mail
Attachment
2. First cross-platform virus reported
3. Microsoft Software Issues
3.1. Special Report: BackGate Trojan kit for IIS - By Matt Scarborough
3.2. Clarification to Outlook Certificate Export issue in January
2001 WSD
3.3. IE Issues
3.3.1. IE can be used to retrieve web-based Exchange e-mail
4. Third Party Software Issues
4.1. Buffer overflows discovered this month
4.2. Other Remote Denial of Service (DoS) Attacks discovered this month
4.3. New version of the Sub7 Backdoor
4.4. Remote password cracking exploit for IBM WebSphere Commerce
Suite 4.1
4.5. Bea Weblogic directory browsing vulnerability
4.6. New attack tool against Intrusion Detection Systems
4.7. Eudora allows unauthorized execution of active content
4.8. Directory traversal vulnerability in WhitSoft SlimServe FTPd
4.9. Directory traversal vulnerability in WhitSoft SlimServe HTTPD 1.1a
4.10. Directory traversal vulnerability in FtpXQ Server 2.0.93
4.11. Directory traversal vulnerability in Transsoft Broker FTP
Server 5.0
4.12. Directory traversal vulnerability in JGAA War FTP 1.67b04
=======================================================================
1. Microsoft Security Bulletins
1.1. MS01-014 - Malformed URL can cause Service Failure in IIS 5.0
and Exchange 2000
This bulletin announces a patch for a denial of service issue in IIS
5.0. The problem occurs because IIS 5.0 fails to properly handle a
specific URL. The construction of the URL has to be very specific,
and it must be sent to IIS several times. However, if it is sent
enough times, IIS will crash. By default, IIS is configured to
restart on failure, so the interruption will be minimal unless the
recovery features of Windows 2000 have been turned off for the IIS
Admin Service.
The issue also affects Exchange Server 2000. Exchange relies on IIS
to provide certain services, such as web-based e-mail services. The
component of Exchange that handles this contains the same coding
flaw as IIS. This means that to patch an Exchange 2000 server you
must apply both the IIS 5.0 patch and the Exchange 2000 patch. The
patches are available as follows:
* Microsoft IIS 5.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28155
* Microsoft Exchange 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28369
This issue has received CVE candidate number CAN-2001-0146.
For more information see:
* Microsoft Security Bulletin MS01-014
http://www.microsoft.com/technet/security/bulletin/MS01-014.asp
* Microsoft Knowledge Base (KB) article Q286818 "IIS: Malformed URL
Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server"
http://www.microsoft.com/technet/support/kb.asp?ID=286818
* Microsoft Knowledge Base (KB) article Q287678 "XWEB: Malformed URL
Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server"
http://www.microsoft.com/technet/support/kb.asp?ID=287678
* The CVE candidate information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0146
1.2. MS01-015 - IE can Divulge Location of Cached Content
This bulletin announces several patches. The first one eliminates
a number of vulnerabilities in Internet Explorer. The major issue
covered by this bulletin is the program files execution with .chm
files vulnerability that Georgi Guninski announced in November, 2000
(see the November 2000 SANS WSD for more information).
This vulnerability uses a "shotgun" approach. The attackers start by
downloading a large number of .chm files (compiled help files) to a
user's computer by, for example, specifying them in an image tag on
a malicious web page. These files will be stored in the Temporary
Internet Files cache folder on the user's computer. That folder
contains a number of randomly named sub-folders. They are randomly
named to guard against scripts on a web page accessing information
in them. Random names were supposed to keep scripts from locating the
folders; this vulnerability defeats that protection.
After having downloaded all these help files, the malicious web
page launches a new web page in a new domain by using an <OBJECT>
tag with the desired web page as the source of the object. Objects
are first downloaded to one of the sub-directories of the Temporary
Internet Files directory and are then accessed from there. Thus,
script in this page can retrieve the path to the sub-directory of the
Temporary Internet Files directory where the new web page is stored.
Once the path is known, the attacker now attempts to open all the
.chm files downloaded earlier, one by one. By pure chance, it is
likely that at least one of them will be located in the path that
was discovered. This is the reason why so many of them are downloaded
(hence the "shotgun" approach). The more files are retrieved, the
better the chance that at least one will exist in the one path that
was discovered. Once a file is located, the attacker could launch it
using the window.showHelp() directive. This would cause the file to
execute in the Local Computer Zone, allowing the .chm file to launch
programs on the user's computer.
In November, we reported that setting the "Run ActiveX Controls"
setting in the Internet Security Zone to disable would counter
this vulnerability. You should also have been able to guard against
this problem by disabling the "Access data sources across domains"
security setting. However, that setting was faulty. If you set it to
disable, IE would actually allow the access of data sources across
domains. If you set it to enable, IE would allow access as well, but
in a manner that did not expose the path of the Temporary Internet
Files cache. This issue was actually fixed in Internet Explorer 5.01
by the patch announced in MS00-093 (see the December 2000 SANS WSD
for details). However, Internet Explorer 5.5 was not fixed until now.
Microsoft calls this issue the "cached content identification"
vulnerability. It affects Internet Explorer 5.01 Service Pack 1,
5.5, and 5.5 Service Pack 1 and has received the CVE candidate number
CAN-2001-0002.
This patch also eliminates a new variant of the "frame domain
verification vulnerability." That vulnerability has been the subject
of several security bulletins, most recently MS00-093. Georgi Guninski
reported the new variant in January (see the January 2001 WSD). It
relies on using the Windows Media Player to open files on a user's
system and then access their contents. The flaw, however, is actually
in Internet Explorer 5.5 and 5.5 Service Pack 1 and not in the Windows
Media Player. Internet Explorer 5.01 is not affected by this problem.
WMP is registered as an ActiveX control and marked as "safe for
scripting." The control has a LaunchURL method that can be used to
open URLs to web sites. It can also be used to run JavaScript that
can access the contents of other frames opened by the attacker. An
attacker can thus open a frame to a local file on the user's system,
and then read the contents of that file.
The Windows Media Player frame domain verification vulnerability has
received the CVE candidate number CAN-2001-0148.
The patch for these two issues is available at:
http://www.microsoft.com/windows/ie/download/critical/q286045/default.asp
The second patch released with this bulletin is for the Windows
Scripting Host. It is also a frame domain verification problem, and
it works identically to the frame domain verification vulnerability
described above. However, whereas the vehicle of execution for that
issue was Internet Explorer, the vehicle of execution here is Windows
Scripting Host instead.
This problem affects Windows Scripting Host 5.1 and 5.5. To determine
whether a particular system is vulnerable, inspect the version number
on one of two files:
* %systemroot%\system32\jscript.dll
* %systemroot%\system32\vbscript.dll
Only one of these files need be inspected. The following versions
are vulnerable:
* 5.1 versions older than 5.1.x.5907
* 5.5 versions older than 5.5.x.5824
If the first two digits of the version of the inspected file are 5.1,
apply the fix for WSH 5.1, available at:
http://www.microsoft.com/msdownload/vbscript/scripting51.asp
If the first two digits are 5.5, apply the fix for WSH 5.5, available
from:
http://www.microsoft.com/msdownload/vbscript/scripting.asp
If the version is lower than 5.1, it is also vulnerable. Microsoft
will only produce patches for versions 5.1 and 5.5, so an affected
system must be upgraded instead; applying either of the patches above
accomplishes that upgrade.
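The version check described above, written out as an added example (this is not code from the digest or from Microsoft). It takes the dotted file version of jscript.dll or vbscript.dll, compares only the fourth field against the 5.1.x.5907 / 5.5.x.5824 cut-offs the bulletin gives, and reports which of the two patches applies; the Windows-only helper that reads the version resource through version.dll is this example's own addition, and the version strings in the demo are constructed, not observed on any system.

```python
# Added example: classify a Windows Scripting Host build against the MS01-015
# thresholds quoted in the digest. Not part of the digest or any vendor tool.
import os
from typing import Tuple

# Earliest fixed build per major.minor line, as stated in the digest. The third
# field is a wildcard ("x") in the bulletin, so only the fourth is compared.
FIXED_BUILD = {
    (5, 1): 5907,
    (5, 5): 5824,
}

# Patch locations quoted in the digest.
PATCH_URL = {
    (5, 1): "http://www.microsoft.com/msdownload/vbscript/scripting51.asp",
    (5, 5): "http://www.microsoft.com/msdownload/vbscript/scripting.asp",
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split a dotted file version such as '5.5.0.5207' into four integers."""
    fields = version.strip().split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"expected major.minor.x.build, got {version!r}")
    major, minor, x, build = (int(f) for f in fields)
    return major, minor, x, build


def assess_wsh(version: str) -> dict:
    """Verdict for one scripting-engine version string.

    status: 'patched'    at or above the fixed build for its 5.1 / 5.5 line
            'vulnerable' below the fixed build; 'action' names the patch
            'upgrade'    older than 5.1; either patch moves the system up
            'unknown'    a line the bulletin does not cover (e.g. 5.6)
    """
    major, minor, _, build = parse_version(version)
    line = (major, minor)
    if line < (5, 1):
        return {"version": version, "status": "upgrade",
                "action": "apply the WSH 5.1 or 5.5 patch", "url": PATCH_URL[(5, 5)]}
    if line not in FIXED_BUILD:
        return {"version": version, "status": "unknown",
                "action": "not covered by MS01-015; check vendor guidance", "url": None}
    if build >= FIXED_BUILD[line]:
        return {"version": version, "status": "patched", "action": "none", "url": None}
    return {"version": version, "status": "vulnerable",
            "action": f"apply the WSH {major}.{minor} patch", "url": PATCH_URL[line]}


def read_file_version(path: str) -> str:
    """Windows only (hypothetical helper for this example): read the fixed file
    version of a DLL via version.dll. Not exercised by the offline demo."""
    import ctypes
    from ctypes import wintypes
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError(f"no version resource in {path}")
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        raise OSError(f"GetFileVersionInfoW failed for {path}")
    ptr = ctypes.c_void_p()
    length = wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        raise OSError("VerQueryValueW failed")
    # VS_FIXEDFILEINFO layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS, ...
    fixed = ctypes.cast(ptr, ctypes.POINTER(ctypes.c_uint32 * 4)).contents
    ms, ls = fixed[2], fixed[3]
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def assess_system(systemroot: str = None) -> dict:
    """Windows only: check the live jscript.dll (either engine DLL suffices)."""
    root = systemroot or os.environ.get("SystemRoot", r"C:\WINNT")
    return assess_wsh(read_file_version(os.path.join(root, "system32", "jscript.dll")))


if __name__ == "__main__":
    # Constructed sample versions for the offline demo.
    for sample in ("5.1.0.5907", "5.1.0.4615", "5.5.0.5207",
                   "5.5.0.5824", "5.0.0.3715", "5.6.0.6626"):
        print(assess_wsh(sample))
```

On a live NT 4.0 or Windows 2000 host, `assess_system()` reads the version from %SystemRoot%\system32\jscript.dll and returns the same verdict dictionary, so the output can be fed straight into an inventory of machines still needing the 5.1 or 5.5 patch.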
The Windows Scripting Host frame domain verification vulnerability
has received CVE candidate number CAN-2001-0149.
The third vulnerability discussed in this bulletin is present in the
Services for Unix (SFU) 2.0, which is an add-on service to Windows NT
4.0 and 2000 that includes a number of Unix utilities. SFU includes,
among other things, a telnet client. The SFU telnet client has a
logging feature that can record a complete transcript of a telnet
session to an arbitrary location on disk. This client can, as can all
Windows telnet clients, be launched from a URL. An attacker could
launch the client, specifying the logging feature, and then stream
data to the client. This data would be recorded in the location chosen
in the URL. An attacker could use this to create files in arbitrary
locations on the user's system.
Microsoft calls this vulnerability the "telnet invocation
vulnerability." The patch does not modify the telnet client. Rather,
it restricts the parameters that can be passed in a URL.
The vulnerable version of the telnet client is 5.2000.0328.1,
built on Dec. 7 1999. The patch is available at:
http://www.microsoft.com/windows/ie/download/critical/q286043/default.asp
The telnet invocation vulnerability has received CVE candidate number
CAN-2001-0150.
For more information see:
* Microsoft Security Bulletin MS01-015
http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
* Microsoft Knowledge Base (KB) article Q286045 "Patch Available for
Cached Content Identification Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=286045
* Microsoft Knowledge Base (KB) article Q280768 "INFO: Update Available
for "Cross-Domain File Reading Vulnerability" Issue"
http://www.microsoft.com/technet/support/kb.asp?ID=280768
* Microsoft Knowledge Base (KB) article Q286043 "Patch Available for
Telnet Logging Vulnerability"
http://www.microsoft.com/technet/support/kb.asp?ID=286043
* The CVE Candidate Information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0002
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0148
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0149
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0150
* The November 2000 SANS Windows Security Digest
http://www.sans.org/newlook/digests/ntarchives/113000.htm#2.1.3
* The December 2000 SANS Windows Security Digest
http://www.sans.org/newlook/digests/ntarchives/123100.htm#1.4
1.3. MS01-016 - Malformed WebDAV Request Can Cause IIS to Exhaust
CPU Resources
On March 8 Georgi Guninski announced a denial of service attack for
Internet Information Services 5.0 (Windows 2000). Later that day,
Microsoft released the bulletin to provide administrators with
a work-around until they were able to produce a patch. The attack
proceeds by sending a malformed request to the Web Distributed
Authoring and Versioning (WebDAV) component of IIS. This request will either
cause the IIS services to crash, in which case the operating system
will immediately restart them, or it will drive CPU utilization on
the server to 100% until the attack ceases.
Microsoft replaced the work-around released on March 8 with a patch
on March 14. The patch, which will be included in Windows 2000 Service
Pack 2, is available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28564
WebDAV is used to remotely author web content on an IIS server,
for example via Microsoft FrontPage. In environments where WebDAV
is not used, the work-around can be used to turn it off: put an
access control list on Httpext.dll, the file that provides the
FrontPage Server Extensions functionality, denying Everyone access to
it. Note that you will need to stop the IIS services before the file
can be modified. Denying Everyone access to this file effectively
disables WebDAV. For more information see Knowledge Base article Q241520.
This issue has received CVE Candidate Number CAN-2001-0151.
Guninski reported a different vulnerability later in the month,
also for IIS, along with a sample exploit. Guninski claims that
this vulnerability exploits a buffer overflow in WebDAV, and has
the potential to run arbitrary code on the server. However, we have
been unable to verify this claim. The patch for MS01-016 also fixes
this issue.
For more information see:
* Microsoft Security Bulletin MS01-016
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
* Microsoft Knowledge Base (KB) article Q241520 "How to Disable WebDAV
for IIS 5.0"
http://www.microsoft.com/technet/support/kb.asp?ID=241520
* Microsoft Knowledge Base (KB) article Q291845 "Malformed WebDAV
Request Can Cause IIS to Exhaust CPU Resources"
http://www.microsoft.com/technet/support/kb.asp?ID=291845
* The CVE Information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0151
1.4. MS01-017 - Erroneous VeriSign-Issued Digital Certificates Pose
Spoofing Hazard
This bulletin actually does not cover a specific vulnerability in a
Microsoft product. In fact, it is not even something that Microsoft
caused. On January 29 and 30, someone called up VeriSign and claimed to
be an employee of Microsoft. The caller requested a new code-signing
certificate, which VeriSign issued. With this certificate, this
person could now create malicious code and sign it to certify that
it is from Microsoft.
Note that code signed with these certificates would not automatically
be trusted. Trust is on a per-certificate basis; thus, code signed
with these certificates would generate an error message. However,
even security conscious users might trust these certificates because
they are allegedly issued to Microsoft Corporation.
VeriSign has revoked the certificates. All certificates may contain
an entry called the Certificate Revocation List (CRL) Distribution
Point (CDP). However, the VeriSign certificates that are issued with
all Microsoft software since 1995 contain a blank CDP field, and thus
cannot check the CRL. Microsoft has prepared a fix that installs new
certificates, with the proper CDP field. The fix is available for
all versions and all service packs of the following platforms:
* Microsoft Windows 95
* Microsoft Windows 98
* Microsoft Windows Me
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP (Whistler) Beta 2
The fix can be downloaded from:
http://www.microsoft.com/downloads/release.asp?ReleaseID=28888
The fix will not work on any of these operating systems that have a
version of Internet Explorer prior to 4.0 (only Windows 95 and Windows
NT 4.0 shipped with versions of IE older than 4.0). It will be included
in Windows 2000 Service Pack 2, Internet Explorer 6.0, and the Gold
builds (final release) of Windows XP Personal and Professional, as
well as the as yet unnamed Windows Codename Whistler Server, Advanced
Server, and Data Center Server products. (Note: Microsoft has named the
workstation and consumer versions of Windows Codename Whistler Windows
XP, but has stated that the server products may not use that name).
Customers who cannot install the patch are advised to inspect
all certificates for the issue date. No bona fide Microsoft
certificates were issued on January 29 and 30, 2001. Furthermore,
they may wish to install the Outlook Security Patches (or any similar
updates for another e-mail package) and to set their web browser to
prompt before opening any Office documents, to ensure that no software
can be silently installed.
For more information see:
* Microsoft Security Bulletin MS01-017
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
* Microsoft Knowledge Base (KB) article Q293818 "Erroneous
VeriSign-Issued Digital Certificates Pose Spoofing Hazard"
http://www.microsoft.com/technet/support/kb.asp?ID=293818
* A VeriSign alert: "VeriSign Security Alert Fraud Detected in
Authenticode Code Signing Certificates March 22, 2001 "
http://www.verisign.com/developer/notice/authenticode/index.html
1.5. MS01-018 - Visual Studio VB-TSQL Object Contains Unchecked Buffer
The Bindview Razor team discovered a buffer overflow vulnerability
in a DCOM object that ships with Visual Studio 6.0 Enterprise Edition.
The vulnerable method is called newSPID() and is defined in the file
C:\Program Files\Microsoft Visual Studio\VB98\Tsql\vbsdicli.exe. It is
installed as part of the Visual Basic Enterprise Components of Visual
Interdev 6.0 Enterprise Edition. It is used to remotely debug Transact
SQL stored procedures, and it can be initiated remotely as long as a
user is logged on to the system where the component is installed. In
order to invoke the attack, the attacker would also need to be able to
connect over SMB (port 138, 139, or 445). An exploit would run with
the privileges of the user logged on at the time of the attack. If
that user is a low-privileged user, the scope of the attack would
be limited.
The vulnerability is caused by a call to sprintf() from the
newSPID() method that passes in one of the parameters used to call
the newSPID() method. The functionality defined in the newSPID()
method is undocumented.
The patch can be installed on top of Visual Studio Enterprise Edition
6.0, Service Pack 5. It will be included in Service Pack 6, and is
available separately at:
http://msdn.microsoft.com/vstudio/downloads/debugging/default.asp
This issue has received CVE candidate number CAN-2001-0153.
For more information see:
* Microsoft Security Bulletin MS01-018
http://www.microsoft.com/technet/security/bulletin/MS01-018.asp
* Microsoft Knowledge Base (KB) article Q281297 will be available
soon at
http://www.microsoft.com/technet/support/kb.asp?ID=281297
* The Bindview advisory
http://razor.bindview.com/publish/advisories/adv_vbtsql.html
* The CVE Information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0153
1.6. MS01-019 - Passwords for Compressed Folders are Recoverable
This bulletin discusses a "vulnerability" in Microsoft Plus! 98 and
Microsoft Windows Me.
For more information see:
* Microsoft Security Bulletin MS01-019
http://www.microsoft.com/technet/security/bulletin/MS01-019.asp
* Microsoft Knowledge Base (KB) article Q252694 "Fix for Exposed
Passwords in Compressed Files"
http://www.microsoft.com/technet/support/kb.asp?ID=252694
* Microsoft Knowledge Base (KB) article Q265131 "Encrypted Compressed
Folder Password Saved to Local File"
http://www.microsoft.com/technet/support/kb.asp?ID=265131
1.7. MS01-020 - Incorrect MIME Header Can Cause IE to Execute E-mail
Attachment
Juan Carlos Garcia Cuartango discovered a serious error in how Internet
Explorer handles e-mail attachments in HTML e-mails. Internet Explorer
is used to render HTML e-mail in a number of e-mail programs, such
as Microsoft Outlook and Outlook Express, Eudora, and AOL Mail. When
an e-mail that contains attachments is received, IE checks the MIME
types of the attachment and treats it accordingly. However, certain
MIME types are not treated properly. If an e-mail containing an
attachment that is executable, such as a program, but the e-mail was
modified to indicate that the attachment was one of the types that
IE cannot handle, IE would launch the attachment immediately when
the e-mail is read. This would cause the executable to be launched
on the user's computer in the context of that user. No other action
would be needed than to receive and render the e-mail, for example,
in the preview pane in the e-mail program.
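The flaw above comes down to trusting the MIME header to decide how an attachment is handled. As an added example (not code from the digest or from Microsoft), here is the check a mail gateway would apply instead: ignore the declared type, look at the attachment's file name, flag executable names whatever type they claim, and flag any other attachment whose declared type disagrees with its extension. The three-attachment message is constructed inline, and the executable-extension list is this example's own choice.

```python
# Added example: gateway-side attachment check in the spirit of MS01-020.
# Not part of the digest. The sample message below is constructed.
import email
import mimetypes
import os
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions a Windows mail client would hand to the shell for execution
# (this example's own list, not an exhaustive one).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif",
                         ".scr", ".vbs", ".js", ".hta"}
# Generic types that make no claim about content, so no mismatch is reported.
GENERIC_TYPES = {"application/octet-stream"}


def suspicious_attachments(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (filename, declared content-type, reason) for each attachment
    that must not be rendered or auto-opened on the strength of its MIME header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        declared = part.get_content_type()          # normalised to lower case
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            # The declared type is irrelevant: the name alone decides.
            findings.append((name, declared, "executable extension"))
            continue
        guessed, _ = mimetypes.guess_type(name)
        if guessed and declared not in GENERIC_TYPES and guessed != declared:
            findings.append((name, declared,
                             f"declared type disagrees with extension ({guessed})"))
    return findings


def build_sample_message() -> bytes:
    """Constructed message: a mislabelled executable, an honest PDF, and a
    .doc declared as plain text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the attachments.")
    # 1: fake program bytes presented under a harmless-looking audio type
    msg.add_attachment(b"MZ\x90\x00 constructed, not a real PE",
                       maintype="audio", subtype="x-wav", filename="readme.exe")
    # 2: declared type matches the extension
    msg.add_attachment(b"%PDF-1.4 constructed",
                       maintype="application", subtype="pdf", filename="report.pdf")
    # 3: a .doc claiming to be text/plain
    msg.add_attachment(b"constructed document bytes",
                       maintype="text", subtype="plain", filename="notes.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_message()):
        print(finding)
```

The same logic belongs at the client: a reader that decides how to open an attachment from its file name and content, never from a header the sender controls, is not fooled by the mislabelling this bulletin describes.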
This vulnerability affects Internet Explorer 5.01 and 5.5. Note,
however, that IE 5.01 Service Pack 2 is not affected by this
vulnerability. Further, although previous versions of Internet Explorer
(such as 4.x) may be affected, Microsoft has not tested them and has
not indicated whether they are affected. Microsoft also has not
produced a patch for these versions because they are no longer
officially supported.
Microsoft has produced a patch, which is available at:
http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
This issue has received CVE candidate number CAN-2001-0154.
For more information see:
* Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
* Microsoft Knowledge Base (KB) article Q290108 will be available
soon at:
http://www.microsoft.com/technet/support/kb.asp?ID=290108
* The CVE information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0154
2. First cross-platform virus reported
InfoWorld carried the story of the first cross-platform virus
on March 29. This virus, nicknamed Winux, can spread and infect
executables both on Windows and on Linux. While this particular virus
is relatively low threat, it may indicate the face of things to come,
as more and more users are either switching to Linux or dual-booting
between Linux and NT.
The InfoWorld story is at:
http://www.infoworld.com/articles/hn/xml/01/03/28/010328hnvirlin.xml?0329tham
3. Microsoft Software Issues
3.1. Special Report: BackGate Trojan kit for IIS - By Matt Scarborough
A remote point-and-click attack tool for subverting IIS 4 webservers
was found in the wild and later released on a public forum. The kit,
nicknamed "BackGate", installs hidden services on compromised Windows
NT 4.0 or Windows 2000 servers.
BackGate installs an FTP server and proxy, Telnet and WWW proxies,
and a Winsock redirector. The kit also compromises the Winlogon process
by registering as a GINA (the Windows NT logon screen). The trojaned
GINA captures and stores local logon usernames and passwords in a
cleartext file. A remote attacker can later retrieve or view that
file saved in the %systemdrive% root.
To successfully execute the attack, the attacker would need the ability to
write files into a web-site that uses low process isolation. Several
well-known vulnerabilities such as "The Unicode Bug" (MS00-078, see
the October 2000 SANS Windows Security Digest), or the "Web Server
File Request Parsing" vulnerability (MS00-086, see the November 2000
SANS Windows Security Digest) as well as server misconfiguration could
provide this functionality. Several older vulnerabilities could also
facilitate this attack.
Servers unpatched for these vulnerabilities, with improper permissions
on %systemroot%\system32\ executables, will facilitate writing ASPs
below \wwwroot by the IUSR account. Low process isolation, also the
default on IIS 4.0, runs all server-side code in the context of the
local SYSTEM account. On IIS 5.0, the default is medium isolation,
which runs server-side scripts as the IUSR account significantly
limiting the exposure.
IIS hosts vulnerable to the Unicode bug that are misconfigured for
low process isolation could be at an attacker's mercy for
point-and-click installation of BackGate.
A full analysis of the kit is available at the SANS web-site.
http://www.sans.org/y2k/unicode.htm
The kit has received CVE number CVE-2000-0886.
For more information, see:
* The October 2000 SANS WSD
http://www.sans.org/newlook/digests/ntarchives/103100.htm#1.10
* The November 2000 SANS WSD
http://www.sans.org/newlook/digests/ntarchives/113000.htm#1.7
* The CVE Information
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0886
* BackGate Kit Analysis and Defense
http://www.sans.org/y2k/unicode.htm
3.2. Clarification to Outlook Certificate Export issue in January
2001 WSD
The January 2001 SANS Windows Security Digest covered an issue
concerning saving certificates from Microsoft Outlook and Outlook
Express. Depending on how the certificate was saved, the encryption
attributes requested by the sender were removed from the certificate
and the certificate would only support RC2(40) encryption. Microsoft
asked for an opportunity to respond and clarify the issue, and we
agreed to include the following clarification.
The reason behind this behavior has to do with the types of
certificates used, and the S/MIME standard itself. S/MIME v2 and v3 use
X.509 version 3 certificates, defined in RFC 2459. When an e-mail is
encrypted according to S/MIME a symmetric key is generated that is used
to encrypt the e-mail. That symmetric key is then encrypted using the
recipient's public key before the e-mail is transferred. The encryption
type and strength to be used is not specified by the standards,
only that certain types may be supported. All S/MIME implementations
(regardless of version) have to support RC2/40. RFC 2459 does not
include a standard method for storing the user's symmetric encryption
preferences in the X.509 v3 certificate. Therefore, Outlook adds
that information within the PKCS#7 data structure to protect it from
modification in transit, but it does not add any symmetric encryption
information to the certificate itself. (PKCS #7 is the Public-Key
Cryptography Standards #7. This is the data format for signed e-mail,
defined in RFC 2315). When a user exports the certificate to a file
only the certificate itself is stored, not the PKCS #7 data structure,
and hence the symmetric key information is lost.
One could argue that the strongest possible encryption should
be used when it is not known what encryption levels the recipient
supports. Outlook 2000 Service Release 1 supports S/MIME v3 (RFC 2633),
although to fully enable that support the user must properly configure
the computer for it. To do so, add the following registry value:
Hive: HKEY_LOCAL_MACHINE
Key: \Software\Microsoft\Office\9.0\Outlook\Security
Value: EnableSRFeatures
Type: REG_DWORD
Data: 1
RFC 2633, which defines S/MIME v3, essentially states that if
the encryption level of the recipient is unknown, and the sending
agent is not willing to risk that the recipient cannot read the
message, then the sending agent should use RC2/40. Hence, Microsoft
is within the bounds of the standard, and in order to maintain
backward compatibility, defaults back to RC2/40. While the wisdom of
backward compatibility can be argued, Microsoft is fully compliant
with the standards as far as this behavior goes. Administrators must
therefore take care to educate their users as to how to save encryption
certificates for their e-mail contacts to avoid the security exposure
inherent in 40-bit encryption.
For more information, see:
* RFC 2315 PKCS #7: Cryptographic Message Syntax
http://www.ietf.org/rfc/rfc2315.txt?number=2315
* RFC 2459: Internet X.509 Public Key Infrastructure, Certificate
and CRL Profile
http://www.ietf.org/rfc/rfc2459.txt?number=2459
* RFC 2633: S/MIME Version 3 Message Specification
http://www.ietf.org/rfc/rfc2633.txt?number=2633
* Microsoft Knowledge Base Article Q249780: "OL2000: XCLN: Updated
Outlook Security Features Installed with Office 2000 SR-1"
http://www.microsoft.com/technet/support/kb.asp?ID=249780
3.3. IE Issues
3.3.1. IE can be used to retrieve web-based Exchange e-mail
This exposure, discovered by Georgi Guninski, could potentially be
used to retrieve a user's e-mail. Internet Explorer 5.x ships with a
component called msdaipp.dll. This object provides a standard ADODB
connection to an IIS server with web-mail. An attacker could contrive
a web page that uses ActiveScripting to instantiate a connection
to the web-mail server and retrieve the user's e-mail. This attack
relies on a number of pre-requisites. First of all, both the username
and the location of the web-mail server must be known. Second, the
user must be automatically authenticated to the web-mail server,
although if the web-mail server is in the user's intranet zone,
this is done automatically by default. Third, the user's browser
must permit ActiveX objects to be instantiated from the server that
hosts the malicious page. If the user's e-mail is configured properly,
neither ActiveX nor ActiveScripting would be permitted in an incoming
e-mail, thus defeating the attack.
4. Third Party Software Issues
4.1. Buffer overflows discovered this month
Buffer overflows can generally be used to execute arbitrary code on
the victim host. Many buffer overflows are discovered each month. We
report the ones we know about here. In addition, we have tried to
give you a little more information in a concise format. To that end,
certain items are marked with an (F) and/or (E). (E) means that an
exploit for this issue is publicly available. (F) means that a fix
is available currently. We have also, in some cases, included a URL
after the item. That URL points to either a fix, if one is available,
or to the vendor's web site, if we know it.
* (F) Netscape/iPlanet Directory Server 4.11 and 4.12 (fixed in 4.13)
* WinZip 8.0
* (E) WFTPD 3.00 R1 (http://www.wftpd.com/)
* (F) Compaq Management Software (see the bulletin at
http://www.compaq.com/products/servers/management/mgtsw-advisory.html
for information on vulnerable software and fixes)
4.2. Other Remote Denial of Service (DoS) Attacks discovered this month
Buffer overflows can also be used to perpetrate DoS attacks, and DoS
attacks can be launched in many other ways as well. In this section,
we report new DoS attacks that we know about. Some are discussed in
more detail below. (F) means that a vendor-supplied fix is available.
* SlimServe HTTPd v1.1 (http://www.whitsoftdev.com)
* SurgeFTP 1.0b (http://www.netwinsite.com/surgeftp/index.htm)
* Baltimore Technologies Websweeper 4.0
(http://www.baltimore.com/websweeper/index.html)
* (F) SSH Secure Shell for Windows Server 2.4 (corrected in version
2.5, available from http://www.ssh.com/)
* (F) MDaemon 3.5.4 (fixed in version 3.5.6, available from
http://mdaemon.deerfield.com/download/getmdaemon.cfm)
* MDaemon 3.5.6
* (F) NTMail V6.0.3c (patch is available at:
ftp://ftp.gordano.com/ntmail6/hotfixes/ntmail6C_Intel_20010317.zip)
* 602Pro Lansuite 2000a 1.34 (http://www.602software.com/)
* Inframail (http://www.infradig.com)
* Website Pro/3.0.37 (http://website.oreilly.com/)
4.3. New version of the Sub7 Backdoor
Version 2.2 of the Sub7 backdoor was released this month. Sub7 has
been the most widely scanned-for backdoor application for quite some
time, surpassing both Back Orifice and NetBus. This new version is
an important milestone for several reasons. First of all, whereas
previous versions of Sub7 ran only on Windows 9x, the new version also
runs on Windows NT 4.0. It installs and runs on Windows 2000 as well;
however, our testing showed that it was unable to open any ports and
even failed to notify the attacker that it was installed.
The new version contains additional functionality as well. It has
the ability to listen on a random port, although the default port is
27374. In order to notify the attacker of the listening port, the
sub7 server component (the component installed on the victim host)
will send messages over ICQ, IRC, e-mail, SIN, or CGI.
The new version has multiple startup methods, including adding itself
as a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. It
is also capable of exploiting the relative shell-path vulnerability
fixed by MS00-052 (see the July 2000 SANS Windows Security Digest) by
installing a Trojan Explorer.exe in the C:\ directory. Most servers
will probably be configured to use all of the startup methods, to
ensure that the backdoor is always started.
After the server has been installed (by the victim user running the
installation executable) the server can be "melted." This causes the
server to write a modified copy of its executable and then delete the
original, to make the server harder to find.
The program comes with a number of plugins, such as a password capture
plugin, a keystroke logger, and a packet sniffer. These plugins can
be configured to log to a file on the victim host, or to forward the
logs automatically to a preset e-mail address.
A default server is detectable by most virus scanner packages, which
will flag it as the backdoor Trojan. However, our tests showed that
virus scanners may not be able to detect a modified server, even one
that has only a few plugins in it (we tested with Norton Antivirus
7.01 Corporate Edition with the 3/23/2001 set of definitions). The
stealth features of the server may make it extremely difficult to
detect, especially once it is installed. However, it does leave some
detritus:
* If it is set to start up using the explorer method, it will leave
a program called explorer.exe in the C:\ directory. Note that the
file will always be in the C:\ directory, even if %systemdrive%
points somewhere else.
* The default port for the Trojan is 27374, but that can be configured.
* If the server is configured for e-mail notification it will send
an e-mail from a random spoofed hotmail account, including the IP
address of the server and the port the client is listening on.
* All plugins, if any are installed, have random names, with random
three-character extensions. They are stored in %systemroot%\system32. A
scan of that directory would reveal a number of strange looking files.
* Many of the plugins are written specifically for Windows 9x, and
will not work on Windows NT 4.0 or 2000.
* If the packet sniffer component is included in the server there will
be files in %systemroot%\system32 called zpacket.vxd and packet32.dll.
* The default source port for the client is TCP 5873, although this
is also configurable.
* In an attempt to hide its tracks it will remove the auditing settings
on the HKEY_LOCAL_MACHINE registry tree.
* If you telnet to the port the server listens on, you will get the
prompt:
[RPL]002
If you respond with
password '<insert password here>'
and the password is correct, the server responds with a line such as
server time/date: 13:51.54 / 3/28/2001, version 2.2
If the password is incorrect, the server does not respond at all.
Sub7 is associated with two different CVE numbers:
CAN-1999-0660
CAN-2000-0138
For more information see:
* The July 2000 SANS Windows Security Digest
http://www.sans.org/newlook/digests/ntarchives/073100.htm#1.13
* The ISS X-Force advisory
http://xforce.iss.net/alerts/advise73.php
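The telnet check in the list above can be automated. The Python probe
below is an added example written for this digest entry; it is not part
of the Sub7 advisories or of any vendor tool. It connects to a port,
reads whatever the listener sends first, and reports whether that banner
matches the "[RPL]" prompt. It deliberately sends no password, because
the server ignores a wrong one, so a silent port proves nothing either
way. The fake listener, host and port values are constructed so the
probe can be demonstrated offline.

```python
"""Probe a TCP port for the Sub7 2.2 "[RPL]" prompt.

Added example, not code from the digest or from any advisory.  The fake
server at the bottom is a constructed stand-in used only so the probe
can be run without a real infected host.
"""
import socket
import threading

SUB7_DEFAULT_PORT = 27374      # default server port (configurable)
SUB7_CLIENT_SRC_PORT = 5873    # default client source port (configurable)
SUB7_PROMPT_PREFIX = b"[RPL]"  # prompt seen on connect, e.g. b"[RPL]002"


def classify_banner(banner: bytes) -> bool:
    """True if the bytes read on connect look like the Sub7 2.2 prompt."""
    return banner.lstrip().startswith(SUB7_PROMPT_PREFIX)


def probe(host: str, port: int = SUB7_DEFAULT_PORT, timeout: float = 3.0):
    """Connect, read up to 64 bytes and return (looks_like_sub7, banner).

    Returns (False, b"") when the connection is refused, times out, or the
    listener sends nothing; a silent listener is not evidence either way,
    so the caller must not treat False as "clean".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except socket.timeout:
                banner = b""
    except OSError:
        return False, b""
    return classify_banner(banner), banner


def start_fake_server(banner: bytes) -> int:
    """Constructed listener: accepts one connection, sends `banner`, closes.

    Exists only for offline demonstration; returns the bound loopback port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_fake_server(b"[RPL]002")
    print(probe("127.0.0.1", p))  # (True, b'[RPL]002')
    q = start_fake_server(b"220 FTP server ready\r\n")
    print(probe("127.0.0.1", q))  # (False, b'220 FTP server ready\r\n')
```

Because the port is configurable, run the probe across the whole port
range of a suspect host rather than only 27374, and pair it with the
host-side checks in the list above (C:\explorer.exe, the Run key, and
odd three-character extensions in %systemroot%\system32).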
4.4. Remote password cracking exploit for IBM WebSphere Commerce
Suite 4.1
xor37h and darkman created a password cracking exploit for IBM
WebSphere Commerce Suite 4.1 and earlier.
The following products are confirmed vulnerable:
Net.Commerce: v3.1, v3.1.1, v3.1.2, v3.2
Websphere Commerce Suite: v4.1, v4.1.1
Net.Commerce Hosting Server: v3.1.1, v3.1.2, v3.2
Websphere Commerce Suite, Service Provider Edition: v3.2
Websphere Commerce Suite, Market Place Edition: v4.1
WebSphere stores passwords encrypted under a key that is specified
during installation. Most installations keep the default key provided
by IBM rather than setting their own, which opens up the prospect of
a very simple password recovery attack, since the key is well known.
xor37h and darkman posted code using various built-in WebSphere macros
that lists all usernames and their stored passwords, or only the
administrator accounts. They also posted an application that takes
these stored password values and returns the clear-text password. The
application has since been removed, but it is safe to assume that most
people who would be interested in using it already have it.
IBM created patches for the built-in macros in January, and has
now posted a security bulletin about the password exposure issue
that details how to fix the problem. That bulletin is available at:
http://www-4.ibm.com/software/webservers/commerce/servers/2001-2.htm
IBM security bulletin 2001-1 covers how to secure the built-in macros:
http://www-4.ibm.com/software/webservers/commerce/servers/2001-1.htm
4.5. BEA WebLogic directory browsing vulnerability
Peter Gründl of Defcom discovered a directory browsing vulnerability
in BEA WebLogic Server 6.0 and earlier. By appending certain ASCII
characters to a URL, the default page is bypassed and an attacker is
able to browse the server's web directories. In earlier versions of
WebLogic it is also possible to use this vulnerability to retrieve
.jsp pages unparsed (source rather than rendered output); however,
that does not seem to work on 6.0.
BEA has produced a patch for this issue, available at:
http://commerce.bea.com/downloads/weblogic_server.jsp#wls
4.6. New attack tool against Intrusion Detection Systems
The National Infrastructure Protection Center (NIPC) warned about a
new attack tool, dubbed "stick," that can be used against an Intrusion
Detection System (IDS). The tool works by launching a large number of
spurious attacks at the sensor, eventually overwhelming it with alerts.
ISS RealSecure 5.0 for Windows is vulnerable to this method of attack,
and ISS has prepared a fix for it in X-Press Update MU 2.2, which is
available at:
A white paper by Coretez Giovanni on the stick tool is available at:
http://www.eurocompton.net/stick
4.7. Eudora allows unauthorized execution of active content
http-equiv reported that Eudora 5 can be made to execute active content
as soon as an e-mail is read, even when the "Allow executable content
in HTML mail" setting is disabled. The announcement included a sample
exploit, so it is advisable to ensure that the work-around is in place
now.
To work around this problem, configure Eudora not to "use Microsoft
viewer." The behavior will be fixed in version 5.1, which will be
available shortly at http://www.eudora.com.
4.8. Directory traversal vulnerability in WhitSoft SlimServe FTPd
Joe Testa reported that SlimServe FTPd 1.0 follows .../ (three-dot)
sequences to break out of the ftp root directory into the root of the
drive hosting the ftp site. The WhitSoft homepage is at
http://www.whitsoftdev.com/main/index.html.
4.9. Directory traversal vulnerability in WhitSoft SlimServe HTTPD 1.1a
It was also reported that SlimServe HTTPD 1.1a is vulnerable to the
same directory traversal attack.
4.10. Directory traversal vulnerability in FtpXQ Server 2.0.93
Joe Testa reported that FtpXQ Server 2.0.93 will follow ../ directives
to break out of the ftp root directory. FtpXQ Server 2.0.93 is
available from http://www.datawizard.net.
4.11. Directory traversal vulnerability in Transsoft Broker FTP
Server 5.0
Someone reported that Broker FTP 5.0 was also vulnerable to a
directory traversal attack. The Broker FTP server homepage is at
http://www.ftp-broker.com
4.12. Directory traversal vulnerability in JGAA War FTP 1.67b04
Someone reported that War FTP 1.67b04 was vulnerable to a
directory traversal attack. The War FTP server homepage is at
http://www.jgaa.com/. The exposure has been fixed in version 1.67b05,
available at http://support.jgaa.com/index.php?cmd=ShowProduct&ID=1.
===================================================================
The SANS Windows Security Digest is available at no cost
to all system, network, and security professionals who work
with Windows. To subscribe, email digest@sans.org with the
subject Windows Security Digest. Back issues are available at
http://www.sans.org/newlook/digests/ntdigest.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6xSuU+LUG5KFpTkYRAvuTAJ9/fZZYPYTuFZaZLxB7NlODFvpnNgCfQxgf
pejUbTTIoEV7NySwhS8IVJ8=
=jbTN
-----END PGP SIGNATURE-----