From: The SANS Institute (sans@sans.org)
Date: Tue Jul 31 2001 - 11:02:00 CDT
To: Security Express (SD397643)
Re: SANS Windows Security Digest Vol. 4 Num. 7
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
**********************************************************************
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 4, Number 7
July 31, 2001
Dr. Jesper M. Johansson (Boston University)
Editorial Board:
Dr. Matt Bishop (Univ. California, Davis)
Jeffrey W. Brown
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (MTE Software, Inc.)
Chris Lalka (ExxonMobil)
Steve Lewis (PROintelligent)
Eric Maiwald (Fortrex)
Rob Marchand (VoiceGenie Technologies)
Dr. Gene Schultz (University of California-Berkeley Lab)
Copyright 2001. The SANS Institute. All rights reserved.
You may forward this issue to your co-workers and encourage them
to subscribe. To do so, send a note with the subject "NT Digest"
to digest@sans.org
We are now signing the Windows Security Digest
with PGP. The new SANS' PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS web site (http://www.sans.org)
**********************************************************************
This month has seen a relatively moderate level of activity on the
Windows security front. Six Microsoft bulletins were released, three
within hours of each other on July 26. We saw a more immediate threat
in the Code Red worm, which exploited the idq.dll buffer overflow
patched by Microsoft last month. This issue demonstrated the problem
of getting administrators to apply patches. Reports are now surfacing
that almost 400,000 unpatched systems were compromised. Fortunately,
this worm was relatively benign. We cannot hope to be so lucky next
time. You absolutely MUST either patch your systems, or remove unneeded
functionality. If you had done the latter (assuming you do not need
indexing services), your systems were immune to the Code Red worm.
JMJ
********** Sponsored by VeriSign -The Internet Trust Company *********
Upgrade your server security to 128-bit SSL encryption! Get VeriSign's
FREE guide, "Securing Your Web Site for Business." You will learn
everything you need to know about using 128-bit SSL to encrypt your
e-commerce transactions for serious online security.
Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n046610560014000
**********************************************************************
Table of Contents
1. Microsoft Security Bulletins
1.1. MS01-037 - Authentication Error in SMTP Service Could Allow
Mail Relaying
1.2. MS01-038 - Outlook View Control Exposes Unsafe Functionality
1.3. MS01-039 - Services for Unix 2.0 Telnet and NFS Services Contain
Memory Leaks
1.4. MS01-040 - Invalid RDP Data Can Cause Memory Leak in Terminal
Services
1.5. MS01-041 - Malformed RPC Request Can Cause Service Failure
1.6. MS01-042 - Windows Media Player .NSC Processor Contains Unchecked
Buffer
2. Virus warnings
2.1. Code Red worm exploits idq.dll buffer overflow
2.2. SirCam worm exposes personal files
3. Microsoft Software Issues
3.1. MSN and Hotmail Passport password attack possible
3.2. Denial of service vulnerability in Exchange 5.5
3.3. Windows NT 4.0 Security Rollup is available
3.4. Hardening tool for IIS 4.0
4. Third-party Software Issues
4.1. Buffer overflows discovered this month
4.2. Other Remote Denial of Service (DoS) Attacks discovered this month
4.3. Web and FTP server directory traversal vulnerabilities discovered
this month
4.4. Macromedia security bulletins
4.4.1. MPSB01-03 - JRun 3.1, 3.0, 2.3.3: Patch available for ability
to view jsp source code when replacing the "p" in "jsp" with
"%70" in the URI
4.4.2. MPSB01-04 - JRun 3.0: Patch available for re-generation of new
java, class, et al. files when adding a forward slash to a
previously run jsp, and accessing it through a browser
4.4.3. MPSB01-05 - JRun 3.0: Patch available for accessing a restricted
directory via web authentication when the case of the directory
mapping referenced in the URI is other than what is stored
in web.xml
4.4.4. MPSB01-06: JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting
vulnerability (a.k.a. JavaScript code execution vulnerability)
4.4.5. MPSB01-07: Macromedia releases patch that addresses ColdFusion
security issues.
4.5. Check Point Firewall-1 bypass vulnerability
4.6. Trend Micro Applet Trap may fail to filter script
4.7. ArGoSoft FTP Server 1.2.2.2 weak password obfuscation
4.8. Multiple vulnerabilities in various LDAP implementations
4.9. Sambar server stores decryptable passwords
4.10. ZoneAlarm MailSafe bypass vulnerability
=======================================================================
1. Microsoft Security Bulletins
1.1. MS01-037 - Authentication Error in SMTP Service Could Allow
Mail Relaying
This bulletin details a problem with the SMTP service in Windows
2000. The SMTP service is installed by default as part of the IIS
installation on Windows 2000 Server products. It may also be installed
on Windows 2000 Professional as part of installing IIS.
A flaw in the authentication routines of the SMTP service may allow
an unauthorized user to authenticate to the service and subsequently
use it to relay mail. Open mail relays, which allow anyone to send
mail using the vulnerable server to anyone else in the world, are a
prime target for spammers, who routinely use them to forward mail to
their victims.
This vulnerability only affects stand-alone computers. Domain members
are authenticated to the domain and use a different authentication
process which is not vulnerable.
A patch for this issue is available for all versions
of Windows 2000 except Datacenter Server at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31181
Datacenter Server patches are available from the original equipment
manufacturer.
This issue has received CVE candidate number CAN-2001-0504
For more information see:
* Microsoft Security Bulletin MS01-037
http://www.microsoft.com/technet/security/bulletin/MS01-037.asp
* Microsoft Knowledge Base (KB) article Q302755 “Authentication Error
in SMTP Service Could Allow Mail Relaying”
http://support.microsoft.com/support/kb/articles/q302/7/55.asp
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0504
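The practical question after reading a bulletin like this is whether your server will still relay for outsiders. The following is an added example, not code from the digest or from Microsoft: it drives the SMTP envelope (EHLO, MAIL FROM, RCPT TO) against a server and reports whether a recipient outside the server's own domain is accepted. The FakeSmtpServer class is a constructed stand-in so the check runs offline; SocketSmtp is the same two-method interface over a real TCP connection for a host you are authorised to test. Host names, addresses and reply texts are illustrative.

```python
import socket
from typing import List, Tuple


class FakeSmtpServer:
    """Constructed stand-in for a mail server, so the check runs offline.
    It accepts or refuses RCPT TO for foreign domains depending on the
    open_relay flag. It is not the Windows 2000 SMTP service."""

    def __init__(self, local_domain: str, open_relay: bool):
        self.local_domain = local_domain.lower()
        self.open_relay = open_relay
        self.transcript: List[Tuple[str, str]] = []   # (client line, reply)

    def greeting(self) -> str:
        return "220 mail.example.test ESMTP ready"

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mail.example.test Hello"
        elif verb == "MAIL":
            reply = "250 2.1.0 Sender OK"
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if domain == self.local_domain or self.open_relay:
                reply = "250 2.1.5 Recipient OK"
            else:
                reply = "550 5.7.1 Unable to relay for " + addr
        elif verb == "RSET":
            reply = "250 2.0.0 Resetting"
        elif verb == "QUIT":
            reply = "221 2.0.0 Service closing"
        else:
            reply = "500 5.5.1 Command unrecognized"
        self.transcript.append((line, reply))
        return reply


class SocketSmtp:
    """Same two-method interface over a real TCP connection.
    Handles multi-line replies ("250-..." continues, "250 ..." ends)."""

    def __init__(self, host: str, port: int = 25, timeout: float = 15.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self._greeting = self._read_reply()

    def _read_reply(self) -> str:
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return "\n".join(lines)

    def greeting(self) -> str:
        return self._greeting

    def command(self, line: str) -> str:
        self.sock.sendall((line + "\r\n").encode("latin-1"))
        return self._read_reply()


def relays_for_foreign_domain(server, sender: str, recipient: str) -> bool:
    """True if an envelope recipient outside the server's domain is accepted
    at RCPT TO. Only the envelope is sent, never DATA, so nothing is delivered."""
    if not server.greeting().startswith("220"):
        raise RuntimeError("no 220 greeting")
    for cmd in ("EHLO relaycheck.example.test", f"MAIL FROM:<{sender}>"):
        if not server.command(cmd).startswith("250"):
            raise RuntimeError(f"unexpected reply to {cmd}")
    accepted = server.command(f"RCPT TO:<{recipient}>").startswith("250")
    server.command("RSET")
    server.command("QUIT")
    return accepted


if __name__ == "__main__":
    srv = FakeSmtpServer("example.test", open_relay=True)
    print(relays_for_foreign_domain(srv, "probe@example.test", "victim@elsewhere.test"))
```

Two caveats. Some servers accept every RCPT TO and only refuse at DATA, so a 250 here is a strong hint rather than proof; and the MS01-037 flaw is in authentication, so a server that refuses anonymous relaying can still be vulnerable until patched. The check verifies the baseline relay policy; it does not reproduce the authentication error.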
1.2. MS01-038 - Outlook View Control Exposes Unsafe Functionality
This bulletin warns of a vulnerability in Outlook 98, 2000, and
2002. The original advisory was released by Georgi Guninski on July
12. Later the same day, Microsoft released the bulletin to warn users
of the problem and to provide a work-around until a patch is issued.
The problem stems from an ActiveX control that ships with Outlook
98-2002, called the Outlook View Control. The Outlook View Control is
used to display a web page view of an Outlook folder. The View Control
exposes a number of dangerous collections and properties. For example,
the “selection” property allows the control to access e-mail messages
in Outlook. The “item” collection of the “selection” property allows
each of those messages to be read or modified programmatically. The
View Control also exposes the Outlook Application object which provides
the ability to launch shell commands.
Microsoft has not yet issued a fix for this problem. However, users
who have installed the Outlook security patch, or Outlook 2002
(part of Office XP) are protected from an exploit via e-mail by
the default security settings of the security patch. Those settings
prohibit execution of script in an HTML e-mail, thus preventing the
control from being executed. However, the control may also be executed
from a web page. To protect against such attacks, you may prohibit
execution of ActiveX. If you are running Office 2000, you can also
prevent attacks using this control by renaming the DLL that provides
the control functionality. That DLL is located at:
* Office 2000
\Program Files\Microsoft Office\Office\outlctl.dll
Renaming this DLL will cause an error message to be displayed
when a hostile web page is viewed that attempts to execute the
control. Unfortunately, renaming it does not work in Office XP. The
built-in repair feature will restore the DLL if it is renamed.
This issue has received CVE candidate number CAN-2001-0538
For more information see:
* Microsoft Security Bulletin MS01-038
http://www.microsoft.com/technet/security/bulletin/MS01-038.asp
* Microsoft Knowledge Base (KB) article Q303833 “OL2000: The Outlook
View Control Exposes Unsafe Functionality”
http://support.microsoft.com/support/kb/articles/q303/8/33.asp
* Microsoft Knowledge Base (KB) article Q303835 “OL2002: The Outlook
View Control Exposes Unsafe Functionality”
http://support.microsoft.com/support/kb/articles/q303/8/35.asp
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0538
1.3. MS01-039 - Services for Unix 2.0 Telnet and NFS Services Contain
Memory Leaks
Peter Gründl discovered memory leaks in two of the services that ship
with Microsoft’s Services for Unix 2.0 (SFU). SFU comes with a telnet
server which has more features than the one included in Windows 2000,
and an NFS Server and Client. Both the telnet server and the NFS
server contain kernel memory leaks. An attacker could use those leaks
to gradually deplete kernel memory on the system hosting the services,
causing the system to fail.
Patches are available at:
* NFS vulnerability
o Windows NT 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31600
o Windows 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31592
* Telnet vulnerability
o Windows NT 4.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31601
o Windows 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31595
This issue has received CVE candidate number CAN-2001-0505
For more information see:
* Microsoft Security Bulletin MS01-039
http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
* Microsoft Knowledge Base (KB) article Q301514 will be available at
http://support.microsoft.com/support/kb/articles/q301/5/14.asp
* Microsoft Knowledge Base (KB) article Q294380 “Denial-of-Service
Attack with SFU 2.0”
http://support.microsoft.com/support/kb/articles/q294/3/80.asp
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0505
1.4. MS01-040 – Invalid RDP Data Can Cause Memory Leak in Terminal
Services
Peter Gründl discovered a memory leak in the Terminal Services in
both Windows NT 4.0 and Windows 2000. When processing malformed
data, the services allocate kernel memory, but fail to release it
again. Therefore, by sending a very large number of malformed data
packets, an attacker can deplete the server’s kernel memory and crash
the server.
Patches are available at:
* Microsoft Windows NT 4.0, Terminal Server Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31615
* Microsoft Windows 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30195
This issue has received CVE candidate number CAN-2001-0540
For more information see:
* Microsoft Security Bulletin MS01-040
http://www.microsoft.com/technet/security/bulletin/MS01-040.asp
* Microsoft Knowledge Base (KB) article Q292435 ”Kernel Mode Memory
Leak Caused by Invalid TCP Checksums on Port 3389 (RDP)”
http://support.microsoft.com/support/kb/articles/q292/4/35.asp
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0540
1.5. MS01-041 - Malformed RPC Request Can Cause Service Failure
The Bindview Razor team discovered a number of denial of service
vulnerabilities in various Microsoft products. All the vulnerabilities
have to do with RPC and may be exploited via RPC. The following
products were found vulnerable in one way or another:
* Windows 2000 Service Control Manager (services.exe)
* Windows 2000 License Logging Service
* Windows 2000 DHCP service
* Windows 2000 RPC endpoint mapper (this issue was fixed by the patch
issued with MS00-066)
* Windows NT 4.0 Service Control Manager (services.exe)
* Windows NT 4.0 Local Security Authority (lsass.exe)
* Windows NT 4.0 RPC endpoint mapper (Rpcss.exe)
* Windows NT 4.0 Spooler service
* Windows NT 4.0 License Logging Service
* SQL Server 7.0 and 2000
* Internet Information Services 5.0
* Microsoft Exchange 5.5 SP3 (STORE.exe)
* Microsoft Exchange 5.5 SP3 (MAD.exe)
The Razor team reported that sending an improperly formatted request
to the RPC server created by these products will cause the server
to crash. In some instances, such as IIS 5.0, the server will
automatically restart. In other services, a manual restart is required.
Patches are available at:
* Microsoft Exchange Server 5.5
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31517
* Microsoft Exchange Server 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31522
This patch is included in Exchange Server 2000 Service Pack 1
* Microsoft SQL Server 7.0
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31645
This patch is included in SQL Server 7.0 Service Pack 3
* SQL Server 2000
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31644
This patch is included in SQL Server 2000 Service Pack 1
* Microsoft Windows NT 4.0 Workstation, Server, and Server, Enterprise
Edition
This patch is included in the Windows NT 4.0 Security Roll-up,
available at:
http://support.microsoft.com/support/kb/articles/q299/4/44.asp?ID=299444
* Microsoft Windows NT 4.0 Server, Terminal Server Edition
This fix will be included in the forthcoming security roll-up for NT
4.0 Term Server Edition
* Microsoft Windows 2000 Professional, Server and Advanced Server
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31434
* Microsoft Windows 2000 Datacenter Server fixes are available from
your OEM.
This issue has received CVE candidate number CAN-2001-0509
For more information see:
* Microsoft Security Bulletin MS01-041
http://www.microsoft.com/technet/security/bulletin/MS01-041.asp
* Microsoft Knowledge Base (KB) article Q298012 “Malformed RPC Request
Can Cause Service Problems”
http://support.microsoft.com/support/kb/articles/q298/0/12.asp
* The Razor team advisory:
http://razor.bindview.com/publish/advisories/adv_DCE-RPC_DoS.html
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0509
1.6. MS01-042 - Windows Media Player .NSC Processor Contains Unchecked
Buffer
In the May 2001 issue of the SANS Windows Security Digest we reported
on a buffer overflow in the Windows Media Player, discovered by Pauli
Ojanpera. This bulletin announces a patch for that buffer overflow.
The problem occurs in the processing of .NSC files, which are Windows
Media Services Station Format files. The problem affects Windows
Media Player 6.4, 7.0 and 7.1. Patches are available for Windows
Media Player 6.4 and 7.1 at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31459
Windows Media Player 7.0 users need to upgrade to version 7.1 and
then install that patch.
This issue has received CVE candidate number CAN-2001-0541
For more information see:
* Microsoft Security Bulletin MS01-042
http://www.microsoft.com/technet/security/bulletin/MS01-042.asp
* Microsoft Knowledge Base (KB) article Q304404 will be available at
http://support.microsoft.com/support/kb/articles/q304/4/04.asp
* The CVE Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0541
2. Virus warnings
2.1. Code Red worm exploits idq.dll buffer overflow
One of the biggest news stories this month was the proliferation of the
Code Red worm. The worm, so named by the eEye Security Team because
that’s what they were drinking while disassembling it, was written
to exploit the idq.dll vulnerability announced in June 2001. After
exploiting the buffer overflow, the worm would attempt to find new
hosts to exploit. On the 20th of the month, the worm switched from
finding new hosts to exploit to attempting a distributed denial
of service attack on one of the White House web servers. Although
this attack was largely a failure, the worm demonstrated with ample
clarity the damage that can be done by criminals exploiting known
vulnerabilities. Later, another version of the worm was discovered. It
was identical to the first, with the exception that it did not present
a defaced web page once a server was exploited.
Many people have pulled together to attempt to discover the
number of exploited hosts, and their distribution across
ISPs. John Kristoff published a host list containing 11,000
hosts that appeared to be infected. The BugTraq editors
(http://www.securityfocus.com) have notified the owners of over
300,000 compromised IP addresses. An analysis by CAIDA, available
at http://www.caida.org/analysis/security/code-red/, indicates that
375,000 hosts all over the world were infected.
It is important to note in this case that most of these compromises
could have been prevented without installing the patch. If the
administrators of the affected servers had simply removed the extension
mappings they do not need, most of them would probably have removed
the .ida and .idq extensions, thereby preventing the infection. For
the few that actually use that extension, the only prevention would
have been to patch the system.
There is significant concern that the worm is going to start infecting
hosts all over again on August 1. The eEye Security Team reported that
the worm was date based and went dormant on the 28th of July. Currently
it appears that the worm may start spreading again on August
1. Regardless of what happens, it is ABSOLUTELY IMPERATIVE that you
patch your systems immediately. The reason is not only Code Red. The
larger issue is that Code Red, for as much press as it has received, is
actually relatively benign. It is important to realize that exploiting
the Index Server/Indexing Services buffer overflow affords the attacker
SYSTEM-level privileges. Thus, without patching the vulnerability,
a new worm could take complete control of vulnerable hosts and do
significantly more damage than Code Red ever will. We implore everyone
running IIS on either Windows 2000 or Windows NT 4.0 to review MS01-033
(http://www.microsoft.com/technet/security/bulletin/MS01-033.asp)
and apply the patch immediately. If you are unsure of whether you
are running IIS you can still apply the patch. If it is not needed,
no harm will be done.
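Whether or not you have removed the .ida/.idq mappings, your IIS logs will tell you whether anyone has been throwing the exploit at you. The following is an added example, not part of the digest or of eEye's analysis: a small W3C extended log parser with a rule that flags requests for .ida/.idq names whose query string is overlong or carries %uXXXX escapes, which is the shape of the idq.dll overflow request. The log excerpt is constructed, the 64-byte threshold is a tunable assumption, and the worm's real request is far longer than the sample payload.

```python
import re
from typing import Dict, List

# Constructed IIS 5.0 W3C extended log excerpt (not a real capture).
# Rows 1-2 are benign; row 3 is a long query with %uXXXX escapes against
# /default.ida; row 4 is an overlong query against a .idq name that does
# not exist on the server.
PAYLOAD = "N" * 60 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200\n"
    "2001-07-19 10:00:02 192.0.2.11 GET /search.idq CiRestriction=sans 200\n"
    f"2001-07-19 10:00:03 198.51.100.7 GET /default.ida {PAYLOAD} 200\n"
    f"2001-07-19 10:00:04 203.0.113.5 GET /x.idq {'X' * 80} 404\n"
)

IDQ_NAME = re.compile(r"\.id[aq]$", re.IGNORECASE)    # names mapped to idq.dll
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")       # %uXXXX encoding


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the
    most recent #Fields: directive; other directives and blank lines are skipped."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_idq_attacks(rows: List[Dict[str, str]], max_query_len: int = 64) -> List[Dict[str, object]]:
    """Flag .ida/.idq requests whose query is overlong or contains %u escapes.
    The status code is deliberately ignored: the ISAPI extension handles the
    request whether or not the named file exists, so a 404 is not reassurance."""
    hits: List[Dict[str, object]] = []
    for row in rows:
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if not IDQ_NAME.search(stem) or query == "-":
            continue
        reasons = []
        if len(query) > max_query_len:
            reasons.append(f"query length {len(query)} > {max_query_len}")
        if UNICODE_ESCAPE.search(query):
            reasons.append("%uXXXX escapes in query")
        if reasons:
            hits.append({"ip": row.get("c-ip"), "stem": stem,
                         "status": row.get("sc-status"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_idq_attacks(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

A hit only proves an attempt was logged, not that it succeeded; an unpatched host with the mapping present should be treated as compromised regardless, because the request runs as SYSTEM before anything is written to the log.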
2.2. SirCam worm exposes personal files
Another fast-spreading worm, SirCam (W32/Sircam.worm@mm), is reported
to have infected thousands of users. NAI recently upgraded the virus
to high risk from medium, due to its prevalence in the wild.
The worm propagates through email as a message with attachments and a
randomly chosen subject line. When triggered, the virus emails itself
to recipients in the Windows Address Book and to email addresses
found in the browser cache. It also attaches random documents from
the My Documents folder (if one exists). Infection is evident by
the presence of Scam32.exe in the Windows system directory and the
presence of Run32.exe in the Windows directory. The body of an infected
message reads "Hi! How are you?" with several variations of body
text following this and closing with "See you later. Thanks." There
is also a Spanish version.
This virus poses a threat not only by tying up email servers, but
also by exposing random documents off of the victim's computer to
recipients over the Internet. An article appearing in the July 25
Wall Street Journal reported that the virus had exposed files marked
"official use only" from the FBI's National Infrastructure Protection
Center. In a few cases, SirCam has also been reported as deleting
files and folders on the victim's hard drive.
McAfee has provided detailed removal instructions at
http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2371
A removal utility is available from Symantec at
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
3. Microsoft Software Issues
3.1. MSN and Hotmail Passport password attack possible
Gregory Duchemin posted a warning on BugTraq
(http://www.securityfocus.com) warning about the authentication scheme
used in Microsoft Passport. Passport is an authentication service used,
among others, by MSN and Hotmail. It will also be included in Windows
XP. Duchemin discovered that during the challenge response phase,
the client receives a nonce from the server, prepends the nonce
to a clear-text password, and hashes the result using MD5. This
hash, which is then transmitted over the network, is crackable,
using a brute force attack, by an attacker who is able to capture
both the nonce and the hash. Due to the nature of the attack, an
increase in password complexity makes the attack significantly more
difficult. Users with short passwords are strongly advised to use
long passwords (at least 9 characters) and include other characters
than a-z and 0-9 in the password.
It is also possible to retrieve the client’s password hash if an
attacker is able to spoof a legitimate Passport site. The attacker
can send a null nonce, and the client will then produce a hash based
only on the password. We are unaware of any response from Microsoft
on this issue.
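The reason the nonce does not save a short password is easy to see once the exchange is written out. The following is an added example, not code from the digest or from Microsoft: it computes the response as the report describes it (MD5 over the nonce prepended to the clear-text password; treating both as raw bytes with no separator is an assumption), then runs the two attacks the report implies, an offline search against a captured nonce/response pair, and a precomputed table for the null-nonce case. The captured values are constructed.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Optional


def passport_response(nonce: bytes, password: bytes) -> bytes:
    """What the client is reported to send: MD5(nonce || password).
    Raw-byte concatenation is an assumption; the report gives no encoding."""
    return hashlib.md5(nonce + password).digest()


def crack_with_wordlist(nonce: bytes, captured: bytes,
                        words: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack by someone who sniffed nonce and response."""
    for word in words:
        if passport_response(nonce, word) == captured:
            return word
    return None


def crack_by_brute_force(nonce: bytes, captured: bytes,
                         alphabet: bytes, max_len: int) -> Optional[bytes]:
    """Exhaustive search over every string of length 1..max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = bytes(combo)
            if passport_response(nonce, candidate) == captured:
                return candidate
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Upper bound on MD5 evaluations the exhaustive search needs."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def null_nonce_table(words: Iterable[bytes]) -> Dict[bytes, bytes]:
    """If a spoofed server sends an empty nonce, the response collapses to
    MD5(password): one precomputed table then serves every victim and session."""
    return {passport_response(b"", w): w for w in words}


if __name__ == "__main__":
    nonce = b"5c1e9a"                                   # constructed capture
    captured = passport_response(nonce, b"cat")
    print(crack_by_brute_force(nonce, captured, b"abcdefghijklmnopqrstuvwxyz", 3))
    print(keyspace(36, 6), "vs", keyspace(95, 9))      # a-z0-9 x6 vs printable x9
```

The nonce stops an attacker from reusing one table across sessions, which is why the null-nonce spoof is the worse case; it does nothing against a per-capture search, so the work factor is entirely the password's length and alphabet, which is the basis for the 9-character, mixed-class advice above.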
3.2. Denial of service vulnerability in Exchange 5.5
The CERT Coordination Center issued an advisory regarding multiple
vulnerabilities in a number of LDAP implementations from various
vendors. The remainder of these issues is discussed in section
4.8. The vulnerability discovered in Exchange 5.5 affects only the
LDAP service and would allow an attacker to remotely shut down that
functionality. All other services provided by Exchange 5.5 would
be unaffected by this problem. Microsoft is preparing a patch
for this problem. For more information, see the CERT advisory:
http://www.cert.org/advisories/CA-2001-18.html
3.3. Windows NT 4.0 Security Rollup is available
By now, most people are probably aware that Microsoft cancelled
Service Pack 7 for Windows NT 4.0. In lieu of the service pack,
Microsoft has now issued a Security Rollup fix for NT 4.0 Service
Pack 6a. The security rollup includes all security-related hotfixes
issued since Service Pack 6a. More information on the security rollup
is available from Microsoft knowledge base article Q299444:
http://support.microsoft.com/support/kb/articles/q299/4/44.asp?ID=299444
3.4. Hardening tool for IIS 4.0
NTBugTraq has released a hardening tool for IIS 4.0 to assist
administrators in configuring IIS 4.0 more securely. The tool
implements many of the recommendations in Microsoft’s IIS 4.0 security
checklist. The tool is available at:
http://ntbugtraq.ntadvice.com/download/SecuredIIS.zip
Microsoft’s IIS 4.0 security checklist is available at:
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp
4. Third-party Software Issues
4.1. Buffer overflows discovered this month
Buffer overflows can generally be used to execute arbitrary code on
the victim host. Many buffer overflows are discovered each month. We
report the ones we know about here. In addition, we have tried to
give you a little more information in a concise format. To that end,
certain items are marked with an (F) and/or (E). (E) means that an
exploit for this issue is publicly available. (F) means that a fix
is available currently. We have also, in some cases, included a URL
after the item. That URL points to either a fix, if one is available,
or to the vendor’s web site, if we know it.
* (F) Oracle 8i Standard and Enterprise Editions Version 8.1.7 and
earlier (fixed in bug fix 1489683)
* (F) WS_FTP server 2.02 (fixed in 2.03:
http://www.ipswitch.com/Support/WS_FTP-Server/patch-upgrades.html)
* (F) TrendMicro InterScan VirusWall 3.51 smtpscan.dll (fix available
from Trend Micro)
* (F) TrendMicro InterScan VirusWall 3.51 httpsavec*p.dll (fix
available from Trend Micro)
* TrendMicro InterScan WebManager Version 1.2 HttpSave.dll (will be
fixed in the next version)
* CesarFTPd
* Cerberus FTPd
* NetWin Authentication Module 3.0b
4.2. Other Remote Denial of Service (DoS) Attacks discovered this month
Buffer overflows can also be used to perpetrate DoS attacks. In
addition, DoS attacks can also be launched in many other ways. In
this section, we report new DoS attacks that we are aware of. Some
are discussed in more detail below. (F) means that there is a
vendor-supplied fix available
* (F) Oracle 8i Standard and Enterprise Editions Version 8.1.7 (fixed
in bug fix 1656431)
* IBM DB2 for Windows
* Cisco IOS PPTP (affects 12.1 train, several
releases, and 12.2 train, all releases. See
http://www.cisco.com/warp/public/707/PPTP-vulnerability-pub.html for
more information)
4.3. Web and FTP server directory traversal vulnerabilities discovered
this month
So many directory traversal vulnerabilities were discovered this
month that we thought it appropriate to simply list them under this
heading. A directory traversal vulnerability allows an attacker
to break out of the designated web root directory and traverse the
remainder of the file system, potentially running applications and
commands unless these have been properly secured. As usual, items
marked with an (F) have a vendor supplied patch solving the problem.
* (F) McAfee Agent ASaP VirusScan (ships with a lightweight http
server listening on TCP port 6515, fix available via automatic update)
* (F) Tivoli SecureWay Policy Director versions 3.01, 3.6, 3.7,
and 3.7.1. (http://www.tivoli.com/support/downloads/)
* WFTPD v3.00 R5 (users are allowed to upload .LNK files to files
outside the ftp root, http://www.wftpd.com/)
* Broker 5.9.5.0 (same problem as WFTPD, http://www.transsoft.com)
* ArGoSoft 1.2.2.2 (same problem as WFTPD, http://www.argosoft.com)
* Bison FTP Server V4R1 (users can upload files linking to directories
outside the ftp root, http://www.bisonftp.com)
* Info-Zip's UnZip (archives can contain ..\ directives which are
executed when the archive is extracted, http://www.infozip.com)
* PKWare PKZip (same problem as UnZip above, http://www.pkware.com)
* RARsoft WinRAR (same problem as UnZip above, fixed in version 2.80,
http://www.rarsoft.com/)
* IBM alphaWorks TFTP Server for Java
(http://alphaworks.ibm.com/tech/TFTP)
* Sambar web server (http://www.sambar.com, this appears to be fixed
in a beta build. We are not aware of a time-frame for a production fix)
* Snapstream Personal Video Server (http://www.snapstream.com. This
product also stores plaintext passwords in a known location.)
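The archive entries in the list (UnZip, PKZip, WinRAR) are the same bug as the FTP ones seen from the other side: a name supplied by the remote party is joined to a local root without being checked. The following is an added example, not code from the digest or from any of the vendors named: it builds a constructed archive containing one benign entry and the three hostile name shapes (..\ with backslashes, ../ with slashes, a drive-letter path), rejects them by inspecting each member name, and re-checks the resolved path against the destination root before writing anything. Backslash is treated as a separator whatever the host platform, because a Windows extractor will treat it that way.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def is_safe_member(name: str) -> bool:
    """Accept only relative names that cannot leave the extraction root."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or DRIVE_LETTER.match(norm):
        return False                                  # absolute path
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    return bool(parts) and ".." not in parts


def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry plus three hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("..\\..\\WINNT\\system32\\evil.exe", "not really")
        zf.writestr("../../etc/passwd", "not really")
        zf.writestr("C:\\autoexec.bat", "not really")
    return buf.getvalue()


def unsafe_members(archive: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]


def safe_extract(archive: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only safe members; the resolved target path is checked against
    the root a second time so a name that fools the string check still fails."""
    root = os.path.realpath(dest)
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            if os.path.commonpath([root, target]) != root:
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def extract_sample_to_tempdir() -> Tuple[List[str], List[str]]:
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_archive(), d)


if __name__ == "__main__":
    print(unsafe_members(build_sample_archive()))
    print(extract_sample_to_tempdir())
```

The same two checks (reject the name, then verify the resolved path) apply to the FTP servers listed above, where the offending name arrives in an upload rather than in an archive.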
4.4. Macromedia security bulletins
Macromedia’s Allaire unit released a number of security
bulletins this month. All the bulletins are linked from
http://www.allaire.com/security.
4.4.1. MPSB01-03 - JRun 3.1, 3.0, 2.3.3: Patch available for ability
to view jsp source code when replacing the "p" in "jsp" with "%70"
in the URI
This bulletin is available at:
http://www.allaire.com/handlers/index.cfm?ID=21495&Method=Full
4.4.2. MPSB01-04 - JRun 3.0: Patch available for re-generation of new
java, class, et al. files when adding a forward slash to a previously
run jsp, and accessing it through a browser
If an attacker modifies the URI of a requested jsp page, the server
will compile a new copy of the .class, .java, .int and .dep files. If
an attacker requests many such pages, the generated files could fill
the server’s hard disk.
This bulletin is available at:
http://www.allaire.com/handlers/index.cfm?ID=21496&Method=Full
4.4.3. MPSB01-05 - JRun 3.0: Patch available for accessing a restricted
directory via web authentication when the case of the directory
mapping referenced in the URI is other than what is stored in web.xml
When setting up restricted directories, JRun makes use of a file called
web.xml. However, requests in the URI are never canonicalized to a
standard form for comparison with the names stored in that file. Thus,
an attacker can request a page using a different uppercase/lowercase
combination, and the access will not be matched to the restrictions
in web.xml
This bulletin is available at:
http://www.allaire.com/handlers/index.cfm?ID=21497&Method=Full
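MPSB01-03 (the %70 source-disclosure) and MPSB01-05 (the upper/lower-case bypass) are one mistake: the server compares the raw request path against its configuration and only later reduces it to the form it actually opens. The following is an added example covering both bulletins, not code from the digest or from Macromedia: a canonicalization step that percent-decodes, collapses dot segments and folds case, and a dispatcher that makes both the handler and the access-control decision on that one string. With canonical=False the same dispatcher reproduces both reported bypasses. The extension table and restricted prefixes stand in for what JRun keeps in web.xml and are illustrative; that the file system folds case is an assumption matching NT/2000.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-ins for web.xml content: illustrative, not a real deployment.
JSP_EXTENSIONS = {".jsp"}
RESTRICTED_PREFIXES = ("/admin/", "/private/")
CASE_INSENSITIVE_FS = True     # assumption: the host file system folds case


def canonicalize(uri: str) -> str:
    """Reduce a request URI to the one form the server will actually open:
    drop the query, percent-decode once, treat backslash as a separator,
    collapse dot segments and duplicate slashes, fold case if the file
    system does. Every later decision must use this string, not the raw URI."""
    path = uri.split("?", 1)[0]
    path = unquote(path)                              # "%70" -> "p"
    path = path.replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    if CASE_INSENSITIVE_FS:
        path = path.lower()
    return path


def dispatch(uri: str, authenticated: bool, canonical: bool = True) -> str:
    """Return 'deny', 'jsp' or 'static'. canonical=False compares the raw
    path, which is the behaviour the two bulletins describe."""
    path = canonicalize(uri) if canonical else uri.split("?", 1)[0]
    if path.startswith(RESTRICTED_PREFIXES) and not authenticated:
        return "deny"
    if posixpath.splitext(path)[1] in JSP_EXTENSIONS:
        return "jsp"
    return "static"   # file sent as-is; for a .jsp that is its source code


if __name__ == "__main__":
    for uri in ("/index.js%70", "/Admin/secret.jsp"):
        print(uri, "raw:", dispatch(uri, False, canonical=False),
              "canonical:", dispatch(uri, False))
```

Decode exactly as many times as the server itself does (once here); decoding repeatedly in the check but once in the file lookup reopens the hole from the other side.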
4.4.4. MPSB01-06: JRun 3.1, JRun 3.0, JRun 2.3.3: Cross-site scripting
vulnerability (a.k.a. JavaScript code execution vulnerability)
An attacker can craft a URL with embedded script tags to a non-existent
jsp page on a JRun server. If they can then make a user access that
URL, through for example a link or a redirect, the script in the URL
will be passed back to the client and executed there.
This bulletin is available at:
http://www.allaire.com/handlers/index.cfm?ID=21498&Method=Full
4.4.5. MPSB01-07: Macromedia releases patch that addresses ColdFusion
security issues.
This bulletin announces a security patch that is applicable to
ColdFusion versions 2.0 through 4.51 Service Pack 2. The bulletin does
not elaborate on the specific problems, but according to Macromedia
they afforded an attacker read and write access to files on the Cold
Fusion server.
This bulletin is available at:
http://www.allaire.com/handlers/index.cfm?ID=21566&Method=Full
4.5. Check Point Firewall-1 bypass vulnerability
The default configuration of Firewall-1 allows Reliable Data Protocol
(RDP) traffic to pass through UDP port 259. This could be used by an
attacker to pass traffic through the firewall to any host on either
the inside or the outside by encapsulating a legitimate UDP packet
in a fake RDP header. Note that this attack cannot be used to pass
traffic to other ports.
A patch is available at:
http://www.checkpoint.com/techsupport/downloads.html
For more information, see Check Point’s advisory at:
http://www.checkpoint.com/techsupport/alerts/
4.6. Trend Micro Applet Trap may fail to filter script
eDvice Security Services reported that Trend Micro’s Applet Trap may
fail to filter script on incoming web pages. Applet Trap is designed
to detect and remove script from web pages. It can be configured to
detect and remove, among others, both JavaScript and VBScript. However,
if it is configured to remove either JavaScript or VBScript, but
not both, bypassing the filter is possible. The problem is that the
Applet Trap only checks the first script tag on a page. Since web
pages may contain scripts in different languages, if the first tag
is in a permissible language, subsequent tags on the same page using
a restricted language will not be filtered.
Trend Micro (http://www.trendmicro.com) has stated that these problems
will be resolved in version 2.5.
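The failure mode is worth seeing side by side with the fix. The following is an added example, not Trend Micro's code or the digest's: a filter that decides on the first script tag only (the reported behaviour) next to one that evaluates every tag, both run over a constructed page whose first block is JavaScript and whose later blocks are VBScript. The regular-expression tag matching is only enough for the demonstration; a real filter needs a proper HTML parser and must also handle event-handler attributes, which neither function here looks at.

```python
import re
from typing import Dict, Set

# Constructed sample page: an allowed JavaScript block first, VBScript after.
SAMPLE_PAGE = """<html><body>
<script language="JavaScript">document.title = "harmless";</script>
<p>text</p>
<script language="VBScript">MsgBox "filtered?"</script>
<SCRIPT TYPE="text/vbscript">Set o = CreateObject("WScript.Shell")</SCRIPT>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(language|type)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def script_language(attrs: str) -> str:
    """Classify a tag from its language= or type= attribute; a tag with
    neither is JavaScript, the HTML default."""
    for _name, value in ATTR_RE.findall(attrs):
        v = value.lower()
        if "vbs" in v:
            return "vbscript"
        if "javascript" in v or "ecmascript" in v or v == "jscript":
            return "javascript"
    return "javascript"


def filter_first_tag_only(page: str, blocked: Set[str]) -> str:
    """The reported behaviour: one decision for the whole page, taken from
    the first script tag. If that one is permitted, everything passes."""
    first = SCRIPT_RE.search(page)
    if first is None or script_language(first.group(1)) not in blocked:
        return page
    return SCRIPT_RE.sub("", page)


def filter_every_tag(page: str, blocked: Set[str]) -> str:
    """Corrected: each script block is classified and removed on its own."""
    def replace(m: "re.Match[str]") -> str:
        return "" if script_language(m.group(1)) in blocked else m.group(0)
    return SCRIPT_RE.sub(replace, page)


def count_scripts(page: str) -> Dict[str, int]:
    """How many blocks of each language survive, for checking a filter's output."""
    counts: Dict[str, int] = {}
    for m in SCRIPT_RE.finditer(page):
        lang = script_language(m.group(1))
        counts[lang] = counts.get(lang, 0) + 1
    return counts


if __name__ == "__main__":
    blocked = {"vbscript"}
    print("first-tag filter leaves:", count_scripts(filter_first_tag_only(SAMPLE_PAGE, blocked)))
    print("per-tag filter leaves:  ", count_scripts(filter_every_tag(SAMPLE_PAGE, blocked)))
```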
4.7. ArGoSoft FTP Server 1.2.2.2 weak password obfuscation
ArGoSoft FTP Server stores loosely obfuscated plain-text passwords,
according to a report by ByteRage. The passwords are encoded, and then
XORed with a fixed string and stored. This type of password obfuscation
scheme is simple to defeat and its use is highly discouraged.
4.8. Multiple vulnerabilities in various LDAP implementations
The Oulu University Secure Programming Group in Finland, as part of
the PROTOS project, conducted a comprehensive study of vulnerabilities
in various LDAP server implementations. Vulnerabilities discovered
ranged from denial of service (DoS) issues to buffer overflows. The
following products were found affected in some way:
* iPlanet Directory Server, version 5.0 Beta and versions up to and
including 4.13
* Certain versions of IBM SecureWay running under Solaris and
Windows 2000
* Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior
to 5.0.7a
* Teamware Office for Windows NT and Solaris, prior to version 5.3ed1
* Qualcomm Eudora WorldMail for Windows NT, version 2
* Microsoft Exchange 5.5 LDAP Service, DoS only
* Network Associates PGP Keyserver 7.0, prior to Hotfix 2
* Oracle 8i Enterprise Edition
* OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8
For more information on the particular issues affecting each product,
see
* The CERT/CC Advisory
http://www.cert.org/advisories/CA-2001-18.html
* The PROTOS project
http://www.ee.oulu.fi/research/ouspg/protos/
4.9. Sambar server stores decryptable passwords
According to an advisory by “3APA3A” the Sambar Server web server
stores its passwords in a text file. The passwords are encrypted with
Blowfish, and the key is stored on the server. Thus, the work effort
required to decrypt these passwords is minimal. The Unix version of
Sambar Server has the ability to use the crypt() function instead,
but it is not clear whether that works on the Win32 version as well.
We should point out that “3APA3A” also posted a program to “recover”
encrypted Sambar passwords.
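Sections 4.7 and 4.9 are two versions of the same design error: the stored value can be turned back into the password by anyone who has the server, whether the transform is XOR with a fixed string or Blowfish with a key kept next to the data. The following is an added example, not code from the digest, ArGoSoft or Sambar: it shows the fixed-key XOR scheme, recovers the key bytes from one account whose password is known and uses them to read another account, and then shows the form a server should store instead, a salted iterated one-way hash that nothing on the server can reverse. The key string and passwords are constructed; the exact encoding ArGoSoft applies before the XOR is not given in the report and is omitted here.

```python
import hashlib
import hmac
import os
from typing import Optional

FIXED_KEY = b"fixed-vendor-key"   # constructed stand-in, not the product's key


def xor_with_fixed_key(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """The weak scheme. XOR is its own inverse, so applying this to a stored
    value yields the password; no secret is needed beyond the constant."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_fragment(stored: bytes, known_password: bytes) -> bytes:
    """One account whose password you know (your own) reveals the key bytes
    for every position that password covers."""
    return bytes(s ^ p for s, p in zip(stored, known_password))


def read_with_fragment(stored: bytes, fragment: bytes) -> bytes:
    """Read any other stored password no longer than the recovered fragment."""
    if len(stored) > len(fragment):
        raise ValueError("recovered key fragment too short for this entry")
    return bytes(s ^ k for s, k in zip(stored, fragment))


# The corrected form: a salted, iterated one-way hash. The server keeps
# salt and hash only; verification recomputes, it never decrypts.
ITERATIONS = 100_000


def hash_password(password: bytes, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: bytes, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    fragment = recover_key_fragment(xor_with_fixed_key(b"password1"), b"password1")
    print(read_with_fragment(xor_with_fixed_key(b"hunter2"), fragment))
    record = hash_password(b"hunter2")
    print(record, verify_password(b"hunter2", record))
```

The same argument applies to Sambar's Blowfish: a strong cipher with its key on disk beside the ciphertext has the work factor of the XOR scheme, one file read.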
4.10. ZoneAlarm MailSafe bypass vulnerability
Zone Labs ZoneAlarm Pro includes a feature known as MailSafe. This
feature identifies possibly harmful e-mail attachments, based on their
file extensions, and disables them. According to a report, this feature
can be bypassed simply by giving the file a very long name. Such a file
would be allowed through intact. Zone Labs was notified in February,
however, we are unaware of a patch for the problem.
=======================================================================
The SANS Windows Security Digest is available at no cost
to all system, network, and security professionals who work
with Windows. To subscribe, email digest@sans.org with the
subject Windows Security Digest. Back issues are available at
http://www.sans.org/newlook/digests/ntdigest.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7Zs1b+LUG5KFpTkYRAsVmAJwN2Z2wShfts3lO9klbwji0BDR01wCgizLS
hcs8R9k0Zas1hn1KAN7FKng=
=dW8/
-----END PGP SIGNATURE-----