From: The SANS Institute (sans@sans.org)
Date: Tue Jan 08 2002 - 21:26:37 CST
To: Security Express (SD397643)
Re: SANS Windows Security Digest Vol. 5 Num. 1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 5, Number 1
January 8, 2002
Jennifer Kolde, The SANS Institute
Editorial Board:
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (MTE Software, Inc.)
Vicki Irwin (incidents.org)
Steve Lewis (PROintelligent)
Dr. Gene Schultz (University of California, Berkeley Lab)
Copyright 2002 The SANS Institute. All Rights Reserved.
You may forward this issue to your co-workers.
We are now signing the Windows Security
Digest with PGP. The new SANS PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS web site (http://www.sans.org)
**********************************************************************
As always, please send comments and feedback to windows@sans.org.
**********************************************************************
A Quiz on Searching for Security Information
1. Where can you find more than 2,000 unique, peer-reviewed research
papers on security topics ranging from 31 papers on Windows 2000
security, 8 on attacking attackers, 95 on security basics, and on
and on?
2. Where can you find a daily summary of the ten top new security
news stories?
The answer to both questions is at SANS Reading Room. More than 25,000
people use it every day. Give it a try. It's free.
**********************************************************************
Table of Contents
Section I: Articles and Features
1. Microsoft Security News
1.1 Microsoft Releases Office XP Service Pack 1.
1.2 Russ Cooper Releases "NoHTML" tool for Microsoft Outlook.
1.3 Foundstone Releases Whitepaper on .NET Security.
2. Tool of the Month
Due to the holidays, Tool of the Month will return in January.
3. Security in Depth
Due to the holidays, Security in Depth will return in January.
Section II: Security Alert Summary
4. Microsoft Security Bulletins
****CRITICAL Risk Bulletins
4.1 MS01-058: 13 December 2001 Cumulative Patch for IE
4.2 MS01-059: Unchecked Buffer in Universal Plug and Play can Lead
to System Compromise
*** HIGH Risk Bulletins
There were no HIGH risk bulletins issued this month.
** MODERATE Risk Bulletins
4.3 MS01-057: Specially Formed Script in HTML Mail Can Execute in
Exchange 5.5 OWA
4.4 MS01-060: SQL Server Text Formatting Functions Contain Unchecked
Buffers
* LOW Risk Bulletins
There were no LOW risk bulletins issued this month.
5. Additional Microsoft Software Issues
5.1 Internet Explorer Issues
5.1.1 Cumulative patch issued for Internet Explorer 5.5 and 6.0.
5.1.2 Internet Explorer XMLHTTP File Disclosure
5.1.3 Multiple Internet Explorer JavaScript vulnerabilities
5.2 Microsoft Office Issues
5.2.1 Microsoft Office XP Service Pack 1 Released.
5.3 Other Microsoft Product Issues
5.3.1 Outlook Express for Macintosh Buffer Overflow
5.3.2 Windows 2000 Internet Key Exchange (IKE) Denial of Service
5.3.3 IIS 5.0 Possible Denial of Service
5.3.4 Windows XP Hotkey vulnerability
6. Virus Alerts
6.1 Goner worm
6.2 Gokar worm
6.3 Shoho worm
6.4 Reeezak (Zacker, Maldal) worm
7. Third-Party Software Issues
7.1 Buffer Overflows
7.1.1 Valicert Enterprise Validation Authority buffer overflow
7.1.2 AOL Instant Messenger buffer overflow
7.1.3 Oracle PL/SQL Apache Module buffer overflow
7.2 Allaire JRun for IIS information disclosure
7.3 Xitami web server information disclosure
7.4 Persits ASPUpload sample scripts vulnerability
7.5 Valicert Enterprise Validation Authority vulnerabilities
7.6 Lotus Domino denial of service
7.7 Denicomp WinSock RSHD denial of service
7.8 Oracle PL/SQL Apache Module directory traversal
**********************************************************************
Section I: Articles and Features
1. Microsoft Security News
1.1 Microsoft Releases Office XP Service Pack 1.
On December 12, Microsoft released Service Pack 1 for Office XP
(Office 2002). The Service Pack includes both security fixes and
performance enhancements to enable the software to work better with
Windows XP. The Service Pack includes a registry change that, when
made, will allow Outlook 2002 users to read non-digitally signed
and/or non-encrypted e-mail as plain text.
- Overview of SP1: KB Article Q307843, OFFXP: Overview of the Office
XP Service Pack 1:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q307843
- KB Article Q307594, OL2002: Users
Can Read Nonsecure E-mail As Plain Text
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;q307594
- To download: http://office.microsoft.com/downloads/2002/oxpsp1.aspx
- To order on CD-ROM:
http://www.microsoft.com/office/ork/xp/journ/Oxpsp1cd.html
++++++++++
1.2 Russ Cooper Releases "NoHTML" tool for Microsoft Outlook.
Russ Cooper of NTBugtraq and TruSecure, has released NoHTML, a
.dll file that works with Outlook 2000 and Outlook 2002 to convert
HTML-based email to Rich Text Format (Outlook 2000) or Plain Text
(Outlook 2002). NoHTML is intended to protect users against malicious
email messages. Note that the tool only engages after messages are
displayed in the Preview Pane; users are encouraged to disable the
Preview Pane. Office XP SP1 includes this functionality (including
changing the contents of the Preview Pane), but NoHTML is still a
useful solution for Outlook 2000.
- See http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=55&did=38
- incidents.org's Handler's Diary writeups:
http://www.incidents.org/diary/diary.php?id=100
http://www.incidents.org/diary.php?id=106
++++++++++
1.3 Foundstone Releases Whitepaper on .NET Security.
Foundstone and CORE Security technologies released a 16-page whitepaper
outlining application security in Microsoft's new .NET architecture.
See http://www.foundstone.com/pdf/dotnet-security-framework.pdf
++++++++++
2. Tool of the Month - Due to the holidays, this feature will return
in January.
++++++++++
3. Security in Depth - Due to the holidays, this feature will return
in January.
**********************************************************************
Section II: Security Alert Summary
4. Microsoft Security Bulletins
****CRITICAL RISK Bulletins
4.1: MS01-058: 13 December 2001 Cumulative Patch for IE (13 December
2001)
Risk: CRITICAL
- Internet systems: CRITICAL
- Intranet systems: CRITICAL
- Client systems: CRITICAL
NOTE: Microsoft rates the individual vulnerabilities noted in this
bulletin as MODERATE or CRITICAL risk. However, the combination of
all vulnerabilities addressed by the patch is rated as a CRITICAL risk.
Impact: Run arbitrary code with the privileges of the current user
Systems Affected:
- Internet Explorer 5.5
- Internet Explorer 6.0
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable.
Summary:
In addition to addressing the three new problems listed below, this
cumulative patch fixes all previous security vulnerabilities with IE
5.5 and IE 6.0.
1. File Execution Vulnerability (IE 6.0 ONLY). Because of a flaw in
the way IE 6.0 handles the HTML Content-Disposition and Content-Type
header fields, an attacker could modify the header information to
make an executable file appear as a different type of file. If the
executable was disguised as a "harmless" file (one that IE would
open without prompting the user first) the attacker could cause the
executable to run automatically on the user's system using a malicious
web page or HTML e-mail.
2. Frame Domain Verification variant (IE 5.5 and IE 6.0). This is
a variant of the vulnerabilities discussed in MS01-015, MS00-093,
MS00-055, and MS00-033. This vulnerability could allow an attacker
who hosted a malicious HTML page to open two browser windows, one
in the attacker's web site's domain, and one on the user's local
file system. By passing information from one browser window to the
other, the attacker could read any file on the user's computer that
could be opened by a browser. The attacker would have to know the
exact name and location of the file to be read.
3. File Name Spoofing Vulnerability (IE 5.5 and IE 6.0). An attacker
could cause a bogus file name to be displayed in the File Download
dialog box invoked from a web page or HTML e-mail in order to trick
a user into downloading an unsafe file type.
Details:
* MS01-058 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms01-058.asp
* Knowledge Base Article: Q313675, File Vulnerability
Patch for Internet Explorer 5.5 and Internet Explorer 6.0:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q313675
* CVE Information:
- File Execution Vulnerability: CAN-2001-0727
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0727
- Frame Domain Verification Variant: CAN-2001-0874
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0874
- File Name Spoofing Vulnerability: CAN-2001-0875
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0875
* Additional references:
- Oy Online Solutions' vulnerability bulletins related to this
advisory:
http://www.solutions.fi/index.cgi/news_2001_11_26?lang=eng,
http://www.solutions.fi/index.cgi/news_2001_12_14?lang=eng
- CERT Advisory CA-2001-36: Microsoft Internet Explorer Does
Not Respect Content-Disposition and Content-Type MIME Headers
http://www.cert.org/advisories/CA-2001-36.html
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=121
- MS01-015: IE Can Divulge Location of Cached Content
http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
- MS00-093: Patch Available for 'Browser Print
Template' and 'File Upload via Form' Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/MS00-093.asp
- MS00-055: Patch Available for 'Scriptlet Rendering' Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-055.asp
- MS00-033: Patch Available for "Frame Domain Verification",
"Unauthorized Cookie Access", and "Malformed Component Attribute"
Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/MS00-033.asp
++++++++++
4.2: MS01-059: Unchecked Buffer in Universal Plug and Play can Lead
to System Compromise (originally released 20 December 2001;
revised 26 December 2001; revised 31 December 2001)
Risk: CRITICAL
- Internet systems: n/a
- Intranet systems: n/a
- Client systems: CRITICAL
NOTE: Microsoft rates this vulnerability as CRITICAL for Windows XP
and MODERATE for Windows Me and Windows 98/98SE. Only Windows XP is
vulnerable in its default configuration. For Windows Me and 98/98SE,
Universal Plug and Play (UPnP) support is NOT installed and running
by default.
Impact: run arbitrary code with the privileges of the current user;
denial of service
Systems Affected:
- Windows XP (Home and Professional)
- Windows Me
- Windows 98 and 98SE that have the Internet Connection Sharing
client from Windows XP installed on them
Summary:
This bulletin addresses two vulnerabilities with the Universal Plug
and Play (UPnP) service. Both relate to the NOTIFY directive that
UPnP devices use to broadcast their presence on the network.
1. Buffer Overflow Vulnerability.
Due to an unchecked buffer in one of the components that handles
NOTIFY directives, an attacker could send a specially malformed NOTIFY
directive that would run arbitrary code with system-level privileges.
2. Denial of Service Vulnerability.
NOTIFY directives tell computers where to obtain information about the
devices in question. Two denial of service scenarios are possible.
In the first, an attacker could send a NOTIFY directive that indicated
that information should be downloaded from a particular server/port.
If the echo service (for example) was running on the port in question,
the victim would enter a download loop that could consume some
or all of the system resources. In the second, an attacker could
send a NOTIFY directive to multiple systems at once, directing them
all to obtain their information from a particular victim server.
If the volume of requests was sufficiently high, they could act as
a distributed denial of service attack against the victim server.
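As an added defensive illustration (not part of the digest, and not Microsoft's or eEye's code), the following parser examines SSDP NOTIFY advertisements of the kind described above and flags a LOCATION header that points at a chatty service port (the "download loop" case) or at a host outside the local network (the reflected-DDoS case). The sample messages and the local network ranges are constructed for the example.

```python
"""Check UPnP/SSDP NOTIFY advertisements for the abuse patterns in MS01-059.

Constructed example: the message texts and LOCAL_NETS below are assumptions
for illustration, not values taken from the bulletin.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Ports where a client fetching its "device description" would get an endless
# stream back (echo 7, discard 9, daytime 13, chargen 19): the download loop.
SUSPECT_PORTS = {7, 9, 13, 19}

# Networks from which a device description URL is plausible (assumption).
LOCAL_NETS = [ip_network("192.168.0.0/16"),
              ip_network("10.0.0.0/8"),
              ip_network("172.16.0.0/12")]


def parse_notify(raw):
    """Parse an HTTPU NOTIFY message into a dict of lowercase header -> value."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0].strip()
    if not request_line.upper().startswith("NOTIFY "):
        raise ValueError("not a NOTIFY message: %r" % request_line)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_location(location):
    """Return the reasons a LOCATION URL looks abusive (empty list = plausible)."""
    reasons = []
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        reasons.append("non-http scheme %r" % parts.scheme)
    host = parts.hostname
    if host is None:
        reasons.append("no host in LOCATION")
        return reasons
    try:
        port = parts.port if parts.port is not None else 80
    except ValueError:                # malformed or out-of-range port
        reasons.append("unparseable port in LOCATION")
        return reasons
    if port in SUSPECT_PORTS:
        reasons.append("port %d is a chatty service, possible download loop" % port)
    elif port < 1024 and port != 80:
        reasons.append("privileged non-HTTP port %d" % port)
    try:
        addr = ip_address(host)
    except ValueError:
        # A hostname forces every listener to resolve it; treat as suspect.
        reasons.append("hostname rather than IP address: %r" % host)
        return reasons
    if not any(addr in net for net in LOCAL_NETS):
        reasons.append("host %s is outside the local network, possible reflected DDoS" % host)
    return reasons


def check_notify(raw):
    """Parse one NOTIFY message and return a list of findings (empty = fine)."""
    headers = parse_notify(raw)
    if headers.get("nts", "").lower() != "ssdp:alive":
        return []                     # ssdp:byebye carries nothing to fetch
    location = headers.get("location")
    if not location:
        return ["ssdp:alive advertisement without a LOCATION header"]
    return assess_location(location)


# Constructed sample advertisements (203.0.113.0/24 is a documentation range).
GOOD = ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
        "LOCATION: http://192.168.1.20:5000/rootDesc.xml\r\n\r\n")
LOOP = ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
        "LOCATION: http://192.168.1.77:7/\r\n\r\n")
REFLECT = ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n"
           "LOCATION: http://203.0.113.10/desc.xml\r\n\r\n")
BYEBYE = "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:byebye\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("loop", LOOP), ("reflect", REFLECT), ("byebye", BYEBYE)):
        print(label, check_notify(msg))
```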
Details:
* MS01-059 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms01-059.asp
* Knowledge Base Articles:
- Q314757, Unchecked Buffer in Universal Plug and
Play can Lead to System Compromise for Windows Me:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q314757
- Q314941, Unchecked Buffer in Universal Plug and
Play can Lead to System Compromise for Windows 98:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q314941
- Q315000, Unchecked Buffer in Universal Plug and
Play Can Lead to System Compromise for Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315000
- Q315056, Preventing Distributed Denial-of-Service
Attacks that Use the Universal Plug-and-Play Service:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315056
* CVE Information:
- Buffer Overrun: CAN-2001-0876
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
- Denial of Service: CAN-2001-0877
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
* Additional references:
- eEye Security's original bulletin:
http://www.eeye.com/html/press/PR20011220.html
- incidents.org's Handler's Diary writeups:
http://www.incidents.org/diary.php?id=129,
http://www.incidents.org/diary.php?id=136
- CERT Advisory CA-2001-37: Buffer Overflow in UPnP Service On
Microsoft Windows
http://www.cert.org/advisories/CA-2001-37.html
- CERT Vulnerability Notice VU#411059: Microsoft Windows Universal
Plug and Play (UPNP) fails to limit the data returned in response
to a NOTIFY message: http://www.kb.cert.org/vuls/id/411059
- CERT Vulnerability Notice VU#951555: Microsoft Windows Universal
Plug and Play (UPNP) vulnerable to buffer overflow via malformed
advertisement packets: http://www.kb.cert.org/vuls/id/951555
- ISS Alert: http://xforce.iss.net/alerts/advise106.php
- Gartner Group commentary on the vulnerability:
http://news.cnet.com/news/0-1003-201-8254545-0.html?tag=prntfr
- Gibson Research Corporation's tool to detect, enable and/or disable
UPnP: http://grc.com/UnPnP/UnPnP.htm
++++++++++
*** HIGH RISK Bulletins
There were no high risk bulletins issued this month.
++++++++++
** MODERATE RISK Bulletins
4.3: MS01-057: Specially Formed Script in HTML Mail Can Execute
in Exchange 5.5 OWA (6 December 2001; revised 7 December 2001
to address problems with the original patch; revised a second
time on 7 December 2001)
Risk: MODERATE
- Internet systems: MODERATE
- Intranet systems: MODERATE
- Client systems: n/a
Impact: run arbitrary code with the privileges of the current user
Systems Affected:
- Exchange 5.5 with Outlook Web Access (OWA)
- Exchange 2000 is NOT affected
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable
NOTE: the original patch released on 6 December 2001 caused problems
if the server hosting Outlook Web Access (OWA) had a version of
Internet Explorer older than 5.0. You must upgrade to at least IE
5.0 to install this patch; Microsoft recommends upgrading to IE 5.5
SP2 or IE 6.0 as previous versions of IE are no longer supported.
Summary:
When Outlook Web Access is used with Internet Explorer, a flaw exists
in the way OWA handles inline scripts within HTML messages. If an HTML
message containing a specially formatted script is opened from OWA
using Internet Explorer, the script will execute automatically. This
would allow an attacker to perform any action on the user's Exchange
mailbox, including sending, reading, or deleting messages. The flaw
cannot send messages to the user's address book, so it cannot be
used for mass-mailing attacks.
Details:
* MS01-057 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms01-057.asp
* Knowledge Base Articles:
- Q313576, XGEN: Exchange Server 5.5 Post-SP4 Outlook Web Access
Fixes: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q313576
* CVE Information:
- CAN-2001-0726
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0726
* Additional references:
- WhiteHat Security's original bulletin:
http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-12082001.html
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=108
++++++++++
4.4: MS01-060: SQL Server Text Formatting Functions Contain Unchecked
Buffers (20 December 2001; revised 4 January 2002)
Risk: MODERATE
- Internet systems: MODERATE
- Intranet systems: MODERATE
- Client systems: MODERATE
NOTE: Microsoft rates the SQL Server vulnerability as MODERATE on
all systems, and the C Runtime vulnerability as LOW on all systems.
Impact: run arbitrary code with the privileges of the SQL Server
service; denial of service
Systems Affected:
- SQL Server 7.0
- SQL Server 2000
- Windows NT 4.0, 2000, and XP (C Runtime vulnerability)
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable
Summary:
This bulletin addresses two vulnerabilities. Both relate to SQL
Server's use of various functions that enable database queries to
generate text messages. Either vulnerability could be exploited
by directly loading and running a specially crafted database query,
or by submitting the query through a front-end web server.
1. SQL Server vulnerability. Several functions do not perform proper
bounds checking on the resulting text message, which would allow a
buffer overflow to either crash the SQL Server service, or run code
of the attacker's choice in the context of the SQL Server service.
By default, the service runs as a domain user, though this can
be changed.
2. C Runtime vulnerability. A format string vulnerability in the
C runtime environment that ships with Windows NT 4.0, 2000, and XP
could be used in conjunction with a SQL Server query to overwrite
program code and cause a denial of service by crashing the SQL
Server service. This particular vulnerability could not be used to
execute arbitrary code. The SQL Server would need to be running on
a vulnerable version of the OS.
Details:
* MS01-060 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms01-060.asp
* Knowledge Base Articles:
- Q304850, FIX: SQL Server Text Formatting
Functions Contain Unchecked Buffers:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304850
- Q304851, FIX: SQL Server Text Formatting
Functions Contain Unchecked Buffers:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304851
- Q305601, (NOTE: this article was not
available at the time of this writing):
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q305601
* CVE Information:
- SQL Server vulnerability: CAN-2001-0542
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0542
- C Runtime vulnerability: CAN-2001-0879
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0879
* Additional references:
- @stake's original bulletin:
http://www.atstake.com/research/advisories/2001/a122001-1.txt
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=133
++++++++++
* LOW RISK Bulletins
There were no low risk bulletins issued this month.
+-+-+-+-+-+-+-+-+-+-+
5. Additional Microsoft Software Issues
5.1 Internet Explorer Issues
5.1.1 Cumulative patch issued for Internet Explorer 5.5 and 6.0.
See item 4.1 above.
++++++++++
5.1.2 Internet Explorer XMLHTTP File Disclosure
* Risk: LOW
* Impact: information disclosure
* Summary: A flaw in the way Microsoft's XMLHTTP ActiveX component
handles redirects may allow a redirect to access and read a file on
the user's local hard drive. The attacker would need to know the
exact location and name of the file. A workaround is to disable
Active Scripting.
* More Information:
- Bugtraq: http://www.securityfocus.com/bid/3699
* Discovered by: jelmer
++++++++++
5.1.3 Multiple Internet Explorer JavaScript vulnerabilities
* Risk: LOW
* Impact: information disclosure
* Summary: A flaw in the way Internet Explorer handles the JavaScript
document.open() call could allow a malicious web site to access users'
cookies, access files on the local hard drive, or "spoof" a trusted
web site to trick a user into entering sensitive information.
* More information:
- original advisories: http://www.osioniusx.com/
- Bugtraq:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0209.html
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=131
* Discovered by: the pull
++++++++++
5.2 Microsoft Office Issues
5.2.1 Microsoft Office XP Service Pack 1 Released
See item 1.1 above.
++++++++++
5.3 Other Microsoft Product Issues
5.3.1 Outlook Express for Macintosh Buffer Overflow
* Risk: MODERATE
* Impact: denial of service; execution of code in the context of
the user
* Summary: Outlook Express for Macintosh versions 5.0 - 5.0.2 contains
a buffer overflow where a specially crafted email message with a very
long line in the message body could cause Outlook Express to crash
or possibly execute arbitrary code. Users should upgrade to Outlook
Express 5.0.3 for MacOS.
* More information:
- Bugtraq: http://www.securityfocus.com/bid/3611
* Discovered by: shikap@yk.rim.or.jp
++++++++++
5.3.2 Windows 2000 Internet Key Exchange (IKE) Denial of Service
* Risk: MODERATE
* Impact: denial of service
* Summary: The Windows 2000 Internet Key Exchange service will stop
responding (100% CPU usage) if an attacker connects to UDP port 500
and floods the connection with UDP packets of 800 bytes or greater.
An exploit is publicly available. Blocking access to UDP port 500
will mitigate the problem.
* More information:
- Bugtraq: http://www.securityfocus.com/bid/3652
* Discovered by: Chris Burri
++++++++++
5.3.3 IIS 5.0 Possible Denial of Service
* Risk: LOW
* Impact: denial of service
* Summary: If an IIS 5.0 web server is sent a GET request containing
a specially malformed "Content-Length" field, the server will keep the
connection open but will not time out. No other response is sent.
This behavior could potentially be exploited to carry out a denial
of service attack on the server.
* More information:
- Bugtraq: http://www.securityfocus.com/bid/3667
* Discovered by: Ivan Hernandez Puga
++++++++++
5.3.4 Windows XP Hotkey vulnerability
* Risk: LOW
* Impact: unauthorized program execution
* Summary: If a Hotkey combination is associated with a given program
on a Windows XP system, an attacker may be able to use the Hotkey
sequence to launch a program, bypassing a locked console.
* More information:
- Bugtraq: http://www.securityfocus.com/bid/3703
* Discovered by: Charles Chear
+-+-+-+-+-+-+-+-+-+-+
6. Virus Alerts
6.1 Goner worm
The Goner worm (also known as Pentagone) spread rapidly during the
early part of December. The worm is written in Visual Basic and
arrives disguised as a screen saver file (*.scr). The worm propagates
via email, sending itself to all entries in the Outlook address book.
The worm also attempts to disable popular anti-virus software by
terminating and deleting files. The worm can also propagate via ICQ.
The worm included functionality that would allow infected systems to
be used via IRC for distributed denial of service attacks, but the IRC
channel used to control the worm has been deactivated. Four Israeli
youths have been arrested for writing and distributing the worm.
More information:
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.html
- ISS Alert: http://xforce.iss.net/alerts/advise104.php
- incidents.org's Handler's Diary writeups:
http://www.incidents.org/diary.php?id=102,
http://www.incidents.org/diary.php?id=107,
http://www.incidents.org/diary.php?id=111
++++++++++
6.2 Gokar worm
The Gokar worm is another mass-mailer worm that spreads via the Outlook
address book. The worm arrives as an attachment with a .pif, .scr,
.exe, .bat, or .com extension. The worm also attempts to propagate
via IRC and by creating a default web page (default.htm) if the system
is running a web server; the web page asks visitors to download an
executable copy of the worm.
More information:
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gokar.a@mm.html
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=119
++++++++++
6.3 Shoho worm
The Shoho worm is also a mass-mailer worm. It arrives as an executable
.pif file disguised as a text (.txt) file. The worm searches for email
addresses in files with .wab, .mbx, .eml, .xls, .xlt and .mdb
extensions, then sends itself to those addresses. The worm attempts
to take advantage of the IFRAME vulnerability discussed in MS01-020
which allows an executable attachment to be executed automatically
from an HTML message viewed on an unpatched system.
More information:
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.shoho@mm.html
- Microsoft Security Bulletin MS01-020:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
++++++++++
6.4 Reeezak (Zacker, Maldal) worm
The Reeezak worm (also known as Zacker or Maldal) is a Visual Basic
worm that arrives disguised as a Christmas greeting (christmas.exe).
The worm propagates by sending itself to names in the Outlook address
book. It modifies the registry so that the worm launches each time the
computer is started, then disables the keyboard. The keyboard cannot
be used until the computer can be started without launching the worm.
Reeezak also modifies the Internet Explorer home page to point to a
malicious web page containing another Visual Basic script which is
copied to the local hard drive and executed. The script will infect
.htm, .html, and .asp files; delete various anti-virus products;
overwrite numerous file types; and attempt to further propagate
via IRC.
More information:
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.maldal.d@mm.html
+-+-+-+-+-+-+-+-+-+-+
7. Third-Party Software Issues
7.1 Buffer Overflows
* Risk: HIGH
Buffer overflows can generally be used to execute arbitrary code
on the victim host; as such, they should be considered HIGH risk.
Many buffer overflows are discovered each month. We report the ones
we know about here. In addition, we have tried to give you a little
more information in a concise format. To that end, certain items are
marked with an (F) and/or (E). (E) means that an exploit for this issue
is publicly available. (F) means that a fix is currently available.
++++++++++
7.1.1 Valicert Enterprise Validation Authority buffer overflow (F,E)
* Summary: Valicert Enterprise Validation Authority versions 3.3 -
4.2.1 contain multiple buffer overflows in forms.exe. Upgrading to
version 4.2.2 eliminates the vulnerability. See also item 7.5 below.
* Details:
- Nomad Mobile Research Center (NMRC) Advisory:
http://www.nmrc.org/advise/valicert1.txt
- Valicert Advisory:
http://www.valicert.com/support/security_advisory_eva.html
- Valicert Home Page: http://www.valicert.com
* Discovered by: NMRC
++++++++++
7.1.2 AOL Instant Messenger buffer overflow (E)
* Summary: A buffer overflow exists in the code used to process game
requests in AOL Instant Messenger (AIM) versions 4.3 through 4.7.2480
for Windows, including version 4.8.2616 beta. Earlier versions may
also be vulnerable. An exploit is publicly available, though no fix
is available at the time of this writing. Users are encouraged to
configure AIM to only allow users on their "buddy list" to contact
them to help mitigate the risk until a fix is available.
* Details:
- w00w00 advisory: http://www.w00w00.org/advisories/aim.html
- ISS advisory: http://xforce.iss.net/alerts/advise107.php
* Discovered by: w00w00
++++++++++
7.1.3 Oracle PL/SQL Apache Module buffer overflow (E,F)
* Summary: The Oracle 9iAS web service contains a buffer overflow
in the PL/SQL module used to remotely administer the database and
access help pages. An overlong "help" request would cause a buffer
overflow and could execute code in the context of the web service,
which runs with SYSTEM privileges by default.
* Details:
- David Litchfield's original advisory:
http://www.nextgenss.com/advisories/plsql.txt
- Oracle's advisory:
http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
- Bugtraq:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0225.html
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=134
- Patch availability: http://metalink.oracle.com/
* Discovered by: David Litchfield
++++++++++
7.2 Allaire JRun for IIS information disclosure
* Risk: MODERATE
* Impact: Information disclosure
* Summary: A vulnerability in Allaire's JRun for IIS 4.0 and 5.0
version 2.3.3 and higher could allow an attacker to read any file
located in the web root by appending "%3f.jsp" to the request.
* Patch available: Yes
* Exploit available: Yes (only requires web browser)
* Details:
- Allaire's security bulletin MPSB01-13:
http://www.allaire.com/Handlers/index.cfm?ID=22236&Method=Full&Cache=Off
++++++++++
7.3 Xitami web server information disclosure
* Risk: MODERATE
* Impact: information disclosure
* Summary: The Xitami web server by Imatix (v2.4 and higher) stores
administrator username and password information in clear text in the
'default.aut' file. The default permissions on the file make it
world readable and writeable.
* Patch available: No
* Exploit available: No
* Details:
- Bugtraq: http://www.securityfocus.com/bid/3582
- Imatix web site: http://www.imatix.com
* Discovered by: Larry Cashdollar
++++++++++
7.4 Persits ASPUpload sample scripts vulnerability
* Risk: MODERATE
* Impact: information disclosure; file modification
* Summary: Persits ASPUpload allows users to upload files through
HTML forms. Sample scripts included with the software allow an
attacker to upload files to any location on the C:\ drive using ../
directory traversal, or to browse directories and to download any
file on the server.
* Patch Available: No; workaround is to delete the sample scripts
located in C:\Program Files\Persits Software\AspUpload\Samples.
* Exploit Available: n/a, requires web browser
* Details:
- Bugtraq: http://www.securityfocus.com/bid/3608
- Persits Software home page: http://www.aspupload.com/index.html
* Discovered by: brett@softwarecreations.co.nz
++++++++++
7.5 Valicert Enterprise Validation Authority vulnerabilities
* Risk: HIGH
* Impact: information disclosure; execution of arbitrary code; weak
key generation
* Summary: Valicert Enterprise Validation Authority versions 3.3 -
4.2.1 contain numerous security weaknesses, including multiple buffer
overflows, weak key generation, a cross-site scripting issue, and
error messages that will divulge the installation path of the software.
* Patch Available: Yes (upgrade to v4.2.2)
* Exploit Available: requires web browser
* Details:
- Nomad Mobile Research Center (NMRC) Advisory:
http://www.nmrc.org/advise/valicert1.txt
- Valicert Advisory:
http://www.valicert.com/support/security_advisory_eva.html
- Valicert Home Page: http://www.valicert.com
* Discovered by: NMRC
++++++++++
7.6 Lotus Domino denial of service
* Risk: MODERATE
* Impact: denial of service
* Summary: For Lotus Domino versions 5.0 - 5.0.8 running HTTP and SSL,
the nhttp process will crash upon receiving a SunRPC NULL command on
port 443.
* Patch available: yes (upgrade to v5.0.9)
* Exploit available: n/a (requires packet generating software)
* Details:
- Bugtraq: http://www.securityfocus.com/bid/3607
- Patch download: http://www.notes.net/qmrdown.nsf/qmrwelcome
* Discovered by: Ninke Westra
++++++++++
7.7 Denicomp WinSock RSHD denial of service
* Risk: MODERATE
* Impact: denial of service
* Summary: Denicomp WinSock RSHD (remote shell daemon) v2.20 and 2.21
can cause a denial of service if an invalid port number is submitted
as part of a connection request.
* Patch available: no
* Exploit available: yes
* Details:
- Bugtraq: http://www.securityfocus.com/bid/3659
- Denicomp home page: http://www.denicomp.com
* Discovered by: Martin Rakhmanoff
++++++++++
7.8 Oracle PL/SQL Apache Module directory traversal
* Risk: MODERATE
* Impact: information disclosure
* Summary: The Oracle 9iAS web service contains a directory traversal
vulnerability in the PL/SQL module on Windows NT/2000. A URL decoding
problem would allow an attacker to craft a specially formatted URL
that could request files outside the web root.
* Details:
- David Litchfield's original advisory:
http://www.nextgenss.com/advisories/plsql.txt
- Oracle's advisory:
http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
- Bugtraq:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0225.html
- incidents.org's Handler's Diary writeup:
http://www.incidents.org/diary.php?id=134
- Patch availability: http://metalink.oracle.com/
* Discovered by: David Litchfield
=======================================================================
The SANS Windows Security Digest is available at no cost
to all system, network, and security professionals who work
with Windows. To subscribe, email digest@sans.org with the
subject Windows Security Digest. Back issues are available at
http://www.sans.org/newlook/digests/ntdigest.htm