From: The SANS Institute (sans@sans.org)
Date: Mon Feb 11 2002 - 11:43:05 CST
To: Security Express (SD397643)
Re: SANS Windows Security Digest Vol. 5 Num. 2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The SANS Windows Security Digest
A Resource for Computer and Network Security Professionals
Volume 5, Number 2
February 11, 2002
Jennifer Kolde, The SANS Institute
Editorial Board:
Phil Cox (SystemExperts Corp.)
Mark T. Edmead (MTE Software, Inc.)
Steve Lewis (PROintelligent)
Dr. Gene Schultz (University of California, Berkeley Lab)
Copyright 2002 The SANS Institute. All Rights Reserved.
You may forward this issue to your co-workers.
We are now signing the Windows Security
Digest with PGP. The new SANS PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS web site (http://www.sans.org)
**********************************************************************
As always, please send comments and feedback to windows@sans.org.
**********************************************************************
- ----------------------------------------------------------------------
- The Top 5 Best Selling Windows 2000 Admin Tools Are: -
- ----------------------------------------------------------------------
1) Double-Take: Real-time High Availability and Disaster Recovery
2) ELM: Uptime and Security Monitoring for NT/W2K and TCP/IP
3) UpdateEXPERT: Powerful Service Pack and Hotfix Management
4) ScriptLogic: Graphical Logon Scripting - not a single line of code
5) StorageCentral: Prevents being a victim of sloppy storage management
Data supplied by Sunbelt Software, the largest distributor of Windows
administration and productivity software. Check these tools out at:
http://www.w2knews.com/rd/rd.cfm?id=TopSellers
- ----------------------------------------------------------------------
Table of Contents
Section I: Articles and Features
1. Microsoft Security News
1.1 Bill Gates Announces New Focus on Security
1.2 Microsoft Releases New Version 3.3 of hfnetchk.exe
1.3 Microsoft Releases Security Rollup Package (SRP1) for Windows 2000
2. Tip of the Month: Hacking (and Securing) EFS
Section II: Security Alert Summary
3. Microsoft Security Bulletins
3.1 MS02-001: Trusting Domains Do Not Verify Domain Membership of
SIDs in Authorization Data (MODERATE RISK)
There were no critical, high, or low risk bulletins released this
month.
4. Additional Microsoft Software Issues
4.1 Internet Explorer Issues
4.1.1 Internet Explorer GetObject File Disclosure
4.1.2 Internet Explorer Modeless Dialog Denial of Service
4.1.3 Internet Explorer Clipboard Reading Vulnerability
4.1.4 Internet Explorer JavaScript File Enumeration Vulnerability
4.1.5 Internet Explorer Arbitrary Program Execution Vulnerability
4.1.6 Internet Explorer for MacOS File Execution Vulnerability
4.2 Microsoft Office Issues
4.2.1 PGP Plugin for Microsoft Outlook Stores Decrypted Copy of
Encrypted Messages
4.3 Other Microsoft Product Issues
4.3.1 Microsoft Backup for Windows 95 Buffer Overflow
4.3.2 Windows NT Inaccurate Logging Vulnerability
4.3.3 Internet Information Server 4.0 Log File Vulnerability
4.3.4 Microsoft Site Server 3.0 Multiple Vulnerabilities
5. Virus Alerts
5.1 W32/MyParty worm
5.2 W32/Donut
5.3 SWF.LFM.926, ACTS.LFM.926
6. Third-Party Software Issues
6.1 Buffer Overflows
6.1.1 Microsoft Backup for Windows 95 Buffer Overflow
6.1.2 AOL ICQ Mirabilis Buffer Overflow
6.1.3 Avirt Gateway Multiple Buffer Overflows
6.1.4 BlackMoon FTP Server Buffer Overflow
6.1.5 BrowseFTP Client Buffer Overflow
6.1.6 Real Media RealPlayer Buffer Overflow
6.1.7 ZBSoft ZBServer Buffer Overflow
6.2 AOLServer File Disclosure Vulnerability
6.3 Apache Remote File Disclosure Vulnerability
6.4 Avirt Gateway Telnet Remote Access Vulnerability
6.5 BEA Weblogic Denial of Service
6.6 Bugzilla Multiple Vulnerabilities
6.7 CyberStop Web Server Denial of Service
6.8 DaanSystems NewsReactor Password Encoding Vulnerability
6.9 DeleGate Proxy Cross-Site Scripting Vulnerability
6.10 EServ File Access Vulnerability
6.11 Legato Networker Plaintext Log File Vulnerability
6.12 Netopia Timbuktu Denial of Service
6.13 Netscape/iPlanet Web Server Vulnerabilities
6.14 Netscape/Mozilla Cookie Stealing Vulnerability
6.15 NTFS File System File Wipe Vulnerability (Multiple Vendors)
6.16 Oracle 9iAS Web Cache Multiple Vulnerabilities
6.17 Oracle SQL*Plus Unauthorized Shell Execution Vulnerability
6.18 Plumtree Corporate Portal Cross-Site Scripting Vulnerability
6.19 Savant web server Denial of Service
6.20 Snort Denial of Service
6.21 SpoonFTP FTP Bounce Vulnerability
7. Updates
7.1 Increased Scanning to Port 1433 - Users Urged to Install SQL
Server Patches
7.2 AOL Fixes AIM Buffer Overflow
7.3 w00w00-recommended Fix for AIM Buffer Overflow Contains Backdoors,
Spyware
**********************************************************************
Section I: Articles and Features
1. Microsoft Security News
1.1 Bill Gates Announces New Focus on Security
In an email message sent to all Microsoft employees, Bill Gates
outlines Microsoft's new strategy for "Trustworthy Computing",
emphasizing availability, security, and privacy. Gates states
that "great features won't matter unless customers trust
our software...now, when we face a choice between adding
features and resolving security issues, we need to choose
security". The full text of Gates' message is reprinted at
http://www.wired.com/news/business/0,1367,49826,00.html.
++++++++++
1.2 Microsoft Releases New Version 3.3 of hfnetchk.exe
On January 17, Microsoft released version 3.3 of its network hot
fix checker (hfnetchk.exe). The updated version fixes various bugs,
provides new command-line options, and installs support for the future
releases of .NET Server and IIS 6.0. Future versions of the tool
will add support for Exchange, Office, and other Microsoft products.
(Note: version 3.31 was released on January 21 to fix an issue with
hfnetchk and SQL Server 7.0.)
- Download location:
http://www.microsoft.com/downloads/release.asp?releaseid=31154
- KB Article Q303215: Microsoft Network Security
Hotfix Checker (Hfnetchk.exe) Tool is Available:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215
++++++++++
1.3 Microsoft Releases Security Rollup Package (SRP1) for Windows 2000
In late January, Microsoft released Security Rollup Package 1 (SRP1)
for Windows 2000, the first cumulative patch released for the OS
since Service Pack 2 (SP2). The rollup uses a single patch to fix
various security vulnerabilities from 2000 and 2001, roughly up to and
including MS01-052. Security Rollup Packages are part of Microsoft's
Strategic Technology Protection Program, intended to provide periodic
rollups to simplify the installation of multiple patches. They are
not a replacement for Service Packs (SP3 for Win2K is still expected
during the first half of 2002).
- Microsoft announcement:
http://www.microsoft.com/technet/security/news/w2ksrp1.asp
- Download location:
http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp
- KB Article Q311401: Windows 2000 Security
Rollup Package 1 (SRP1), January 2002:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q311401
- KB Article Q315683: Windows 2000 Security Rollup
Package 1 (SRP1), January 2002, Release Notes:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315683
++++++++++
2. Tip of the Month: Hacking (and Securing) EFS
Microsoft's Encrypting File System (EFS), available with Windows 2000
and Windows XP, allows for transparent encryption and decryption
of files on an NTFS-formatted disk. How secure is EFS? Find out
in this month's article by noted Windows expert Roberta Bragg at
http://www.sans.org/newlook/digests/hacking_efs1.htm
**********************************************************************
Section II: Security Alert Summary
3. Microsoft Security Bulletins
3.1 MS02-001: Trusting Domains Do Not Verify Domain Membership of
SIDs in Authorization Data (30 January 2002)
Risk: MODERATE
- Internet systems: LOW
- Intranet systems: MODERATE
- Client systems: n/a
Impact: privilege elevation
Systems Affected:
- Windows 2000
- Windows NT 4.0
- Previous versions are no longer supported, were not tested, and
may or may not be vulnerable
Summary:
A vulnerability exists in the authentication mechanism used by
Windows 2000 and Windows NT domain controllers when a trusting domain
authenticates a user from a trusted domain. The trusting domain
does not verify that the trusted domain is actually authoritative
for the user and group SIDs that are passed with the authentication
information. If an attacker included a SID that did not belong to
the trusted domain (for example, the SID of a privileged group in the
trusting domain), the trusting domain would still accept it, allowing
the attacker to elevate his privileges to those of any user or group
in that domain. The attacker would need Administrator privileges in
the trusted domain to carry out this attack. SID Filtering (see below)
can be used to screen out such attacks, but may have an impact on
normal operations.
Details:
* MS02-001 (including patch information and availability):
http://www.microsoft.com/technet/security/bulletin/ms02-001.asp
* Knowledge Base Articles:
- Q311401, Windows 2000 Security Rollup Package 1 (SRP1), January
2002: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q311401
- Q289243, MS02-001: Forged SID Could Result
in Elevated Privileges in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289243
- Q289246, MS02-001: Forged SID Could Result
in Elevated Privileges in Windows NT 4.0:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289246
* CVE Information:
- CAN-2002-0018,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0018
* Additional references:
- Using SID Filtering to Prevent Elevation of Privilege Attacks:
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
- Aelita Software's security bulletin on this issue:
http://www.aelita.com/solutions/ADSecurity/SIDH_default.htm
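The check the bulletin says is missing, written out as an added example (this is
illustrative code, not Microsoft's implementation and not part of the original
digest): authorization data from a trusted domain is a list of SIDs, and the
trusting side should keep only those whose domain prefix is the trusted domain's
own SID. The domain SIDs, RIDs and the forged list below are constructed for the
example. Real SID filtering, as documented at the sidfilter.asp link above and
switched on per trust with netdom's quarantine setting, has additional rules
(well-known and BUILTIN SIDs, for instance); this model only shows the
authoritative-prefix test and why the unfiltered behaviour is exploitable.

```python
"""Simplified model of SID filtering on a cross-domain trust (MS02-001)."""
from __future__ import annotations

import re

# Constructed example domain SIDs; they do not belong to any real domain.
TRUSTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # partner domain we trust
TRUSTING_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # our own (resource) domain
DOMAIN_ADMINS_RID = 512                                            # well-known RID

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-512' into ('S-1-5-21-a-b-c', 512); reject malformed input."""
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def filter_authorization_sids(trusted_domain_sid: str, authz_sids: list[str],
                              sid_filtering: bool = True) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected).

    sid_filtering=False models the unpatched behaviour the bulletin describes:
    every SID the trusted domain sends is accepted.  sid_filtering=True keeps
    only SIDs relative to the trusted domain's own SID.
    """
    accepted, rejected = [], []
    for sid in authz_sids:
        prefix, _rid = split_sid(sid)
        if not sid_filtering or prefix == trusted_domain_sid:
            accepted.append(sid)
        else:
            rejected.append(sid)
    return accepted, rejected


def grants_domain_admin(accepted_sids: list[str], local_domain_sid: str) -> bool:
    """True if the resulting token would carry the local domain's Domain Admins SID."""
    return f"{local_domain_sid}-{DOMAIN_ADMINS_RID}" in accepted_sids


# Constructed authorization data as a rogue administrator of the trusted domain
# might forge it: two legitimate SIDs plus two the trusted domain is not
# authoritative for.
FORGED_PAC_SIDS = [
    f"{TRUSTED_DOMAIN_SID}-1105",   # the user's own SID
    f"{TRUSTED_DOMAIN_SID}-513",    # trusted domain's Domain Users
    f"{TRUSTING_DOMAIN_SID}-512",   # forged: the trusting domain's Domain Admins
    "S-1-5-32-544",                 # forged: BUILTIN\Administrators
]

if __name__ == "__main__":
    for mode in (False, True):
        ok, bad = filter_authorization_sids(TRUSTED_DOMAIN_SID, FORGED_PAC_SIDS, sid_filtering=mode)
        print(f"sid_filtering={mode}: accepted={ok} rejected={bad} "
              f"domain_admin={grants_domain_admin(ok, TRUSTING_DOMAIN_SID)}")
```

Without filtering the forged Domain Admins SID lands in the token and the
attacker is an administrator of the trusting domain; with filtering it is
rejected and can be logged, which is exactly the operational trade-off the
bulletin warns about, since legitimate cross-domain group memberships that rely
on foreign SIDs are dropped the same way.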
+-+-+-+-+-+-+-+-+-+-+
4. Additional Microsoft Software Issues
4.1 Internet Explorer Issues
4.1.1 Internet Explorer GetObject File Disclosure
* Risk: Moderate
* Impact: information disclosure
* Summary: A flaw in the Jscript GetObject() function, when combined
with the ActiveX object 'htmlfile', could be used to allow an attacker
to read any file on the user's hard drive, if the file location was
known. The flaw could be exploited via a specially crafted script
placed on a web site. A workaround is to disable Active Scripting.
* More Information:
- Georgi Guninski advisory: http://www.guninski.com/getob3.html
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3767
* Discovered by: Georgi Guninski
++++++++++
4.1.2 Internet Explorer Modeless Dialog Denial of Service
* Risk: Low
* Impact: denial of service
* Summary: If the showModelessDialog() function is included in an HTML
page and the file containing the function is passed as an argument to
the function itself, an endless loop is created that causes 100%
CPU utilization, requiring a system reboot.
* More Information:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3789
* Discovered by: Lance Hitchcock, Jr.
++++++++++
4.1.3 Internet Explorer Clipboard Reading Vulnerability
* Risk: Low
* Impact: information disclosure
* Summary: The Internet Explorer object 'clipboardData' allows
access to clipboard information via scripts. A malicious web site
could use this object in a script to access information stored in
the Clipboard. Disabling "Allow paste operations via script" will
prevent this problem.
* More Information:
- Gilder advisory: http://tom.vpwsys.co.uk/clipboard/
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3862
* Discovered by: Tom Gilder
++++++++++
4.1.4 Internet Explorer JavaScript File Enumeration Vulnerability
* Risk: Low
* Impact: information disclosure
* Summary: The onError event handler can be used in conjunction with a
file request to determine whether or not the requested file exists,
including files on the local hard disk outside of the web root.
If the requested file does NOT exist, the onError event handler will
run if it is enabled. This could be used for reconnaissance purposes
to plan further attacks.
* More Information:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3779
* Discovered by: Tom Micklovitch
++++++++++
4.1.5 Internet Explorer Arbitrary Program Execution Vulnerability
* Risk: Moderate
* Impact: code execution
* Summary: Specially crafted objects embedded in an HTML page may be
used to run executable files that exist on the client system.
* More Information:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3867
* Discovered by: Pull
++++++++++
4.1.6 Internet Explorer for MacOS File Execution Vulnerability
* Risk: Moderate
* Impact: code execution
* Summary: A specially crafted URL on a web page or in an email message
can be used to run an executable file on the user's local system.
The exact path to the file must be known. MacOS X is not affected.
* More Information:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3935
* Discovered by: Jass Seljamaa
++++++++++
4.2 Microsoft Office Issues
4.2.1 PGP Plugin for Microsoft Outlook Stores Decrypted Copy of
Encrypted Messages
* Risk: Moderate
* Impact: information disclosure
* Summary: If a certain combination of options is configured on PGP
7.0, a decrypted copy of an encrypted email message is automatically
saved when a user replies to the message. PGP recommends upgrading
to v7.1.1.
* More Information:
- NTBugtraq:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0201&L=ntbugtraq&F=P&S=&P=528
* Discovered by: Mark Wiater
++++++++++
4.3 Other Microsoft Product Issues
4.3.1 Microsoft Backup for Windows 95 Buffer Overflow
* Risk: Moderate
* Impact: denial of service, arbitrary code execution
* Summary: If the Windows Backup software included in Windows 95 and
95 SR2 encounters a file with a very long file extension (greater
than 128 characters) during backup, a buffer overflow may occur that
will crash the application or could allow arbitrary execution of code.
* More Information:
- Strumpf Noir Society advisory: http://labs.secureance.com/
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3864
* Discovered by: Strumpf Noir Society
++++++++++
4.3.2 Windows NT Inaccurate Logging Vulnerability
* Risk: Moderate
* Impact: failure to log unauthorized access
* Summary: Under certain circumstances, an account which has been
locked out may still be used to unlock a local machine (that has
been locked using Ctrl-Alt-Del or a password-protected screen saver).
A flaw in the Windows logging process may result in only a *failed*
login event in the Event Viewer, allowing a successful login to
go undetected.
* More Information:
- Heyne advisory: http://www.heysoft.de/nt/lbh.htm
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3933
- MS KB Article Q188700, Screensaver
Password Works Even if Account is Locked Out:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q188700
* Discovered by: Frank Heyne
++++++++++
4.3.3 Internet Information Server 4.0 Log File Vulnerability
* Risk: Low
* Impact: unauthorized modification of log files
* Summary: Internet Information Server 4.0 (IIS 4.0) allows shared
(concurrent) access to the IIS log files. Default NTFS permissions on
the log files allow unprivileged users (specifically the IUSR account
and members of the Everyone group) to modify the files, which would
allow an attacker to modify log entries to cover his tracks.
* More Information:
- NMRC Advisory: http://www.nmrc.org/advise/logread1.txt
* Discovered by: NMRC
++++++++++
4.3.4 Microsoft Site Server 3.0 Multiple Vulnerabilities
* Risk: various
* Impact: various - information leak, cross-site scripting, ability
for users to upload files, denial of service
* Summary: rain forest puppy released an advisory outlining various
vulnerabilities in Site Server 3.0 and 3.0 Commerce Edition running
on Windows NT.
* More Information:
- rfp advisory: http://www.wiretrip.net/rfp/p/doc.asp/i2/d69.htm
* Discovered by: rain forest puppy
+-+-+-+-+-+-+-+-+-+-+
5. Virus Alerts
5.1 W32/MyParty worm
The W32/MyParty worm spread rapidly during late January. The worm is
a mass-mailing worm that propagates by sending itself to contacts in
the Windows address book and to addresses found in Outlook Express.
W32/MyParty also installs a backdoor Trojan that allows the author
to access the user's computer. The worm only propagates between
January 25 and January 29, but will remain active on the system at
other times. A variant (W32/MyParty.B) contains an identical payload
but will propagate between January 20 and January 24.
More information:
- CERT Incident Note:
http://www.cert.org/incident_notes/IN-2002-01.html
- Symantec writeup:
http://www.symantec.com/avcenter/venc/data/w32.myparty@mm.html,
http://www.symantec.com/avcenter/venc/data/w32.myparty.b@mm.html
++++++++++
5.2 W32/Donut virus
The W32/Donut virus was discovered in early January. The virus has no
destructive payload; it is a "concept virus" designed simply to display
a message stating "This cell has been infected by dotNET virus!".
Due to a bug in the code, the message does not display properly.
However, the virus is of interest because it specifically targets
Microsoft's .NET architecture.
More information:
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/w32.donut.html
++++++++++
5.3 SWF.LFM.926, ACTS.LFM.926
Another "proof of concept" virus, SWF.LFM.926 is the first known
virus to be carried by Macromedia Shockwave Flash files (*.swf).
The virus displays a Flash animation and will infect other *.swf
files found on the system. Many anti-virus products do not scan
*.swf files by default.
More information:
- Newsbytes articles: http://www.newsbytes.com/news/02/173474.html;
http://www.newsbytes.com/news/02/173566.html
- Macromedia advisory:
http://www.macromedia.com/support/flash/ts/documents/swf_clear.htm
- Symantec writeup:
http://securityresponse.symantec.com/avcenter/venc/data/acts.lfm.926.html
+-+-+-+-+-+-+-+-+-+-+
6. Third-Party Software Issues
6.1 Buffer Overflows
* Risk: HIGH
Buffer overflows can generally be used to execute arbitrary code
on the victim host; as such, they should be considered HIGH risk.
Many buffer overflows are discovered each month. We report the ones
we know about here. In addition, we have tried to give you a little
more information in a concise format. To that end, certain items are
marked with an (F) and/or (E). (E) means that an exploit for this issue
is publicly available. (F) means that a fix is currently available.
++++++++++
6.1.1 Microsoft Backup for Windows 95 Buffer Overflow (see 4.3.1, above)
++++++++++
6.1.2 AOL ICQ Mirabilis Buffer Overflow (F,E)
* Summary: A remotely exploitable buffer overflow exists in the Voice
and Video Games plug-in to the ICQ client for Windows. Users are
urged to update to version 2001B Beta v5.18 Build #3659.
* Details:
- CERT Advisory: http://www.cert.org/advisories/CA-2002-02.html
- CERT Vulnerability whitepaper: http://www.kb.cert.org/vuls/id/570167
- ICQ bulletin: http://web.icq.com/help/quickhelp/1,,117,00.html
- Patch availability: http://www.icq.com/download/
* Discovered by: Daniel Tan
++++++++++
6.1.3 Avirt Gateway Multiple Buffer Overflows
* Summary: Avirt Gateway 4.2, Gateway Suite 4.2, and SOHO 4.2 contain
buffer overflows in the HTTP proxy and telnet proxy services.
* Details:
- Strumpf Noir Society advisories: http://labs.secureance.com/
- Avirt Software: http://www.avirt.com/
* Discovered by: Strumpf Noir Society
++++++++++
6.1.4 BlackMoon FTP Server Buffer Overflow (F)
* Summary: A buffer overflow exists in BlackMoon FTP Server v1.5
Release 1 Build 1547 and earlier. Users should upgrade to v1.5
Release 2 Build 1115.
* Details:
- Strumpf Noir Society advisories: http://labs.secureance.com/
- BlackMoon software: http://www.blackmoon.filetap.com
* Discovered by: Strumpf Noir Society Research
++++++++++
6.1.5 BrowseFTP Client Buffer Overflow (E)
* Summary: The BrowseFTP client for Windows is susceptible to a
buffer overflow if a malicious FTP server sends a '220' response of
excessive length.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3781
- BrowseFTP download site:
http://download.desk.ne.jp/win/3/00030/1514.html
* Discovered by: Kanatoko
++++++++++
6.1.6 Real Media RealPlayer Buffer Overflow (F)
* Summary: Accessing a file with a specially malformed header can be
used to crash the RealPlayer client or possibly execute arbitrary code.
Versions including G2, 7.0, 8.0, and RealOne Player are vulnerable. G2
and 7.0 users should upgrade to a more recent version, as patches will
not be made available for older systems. Users of more recent versions
should download the patch using RealPlayer's AutoUpdate service.
* Details:
- Morgan advisory:
http://www.sentinelchicken.com/advisories/realplayer/
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3809
- Real Media web site: http://www.real.com
* Discovered by: Tim Morgan
++++++++++
6.1.7 ZBSoft ZBServer Buffer Overflow
* Summary: ZBServer contains an unchecked buffer in the code that
handles GET requests. This vulnerability was originally reported by
USSR Labs in 1999.
* Details:
- SecurityOffice advisory:
http://www.securityoffice.net/articles/zbserver/
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/889
- Original USSR Labs advisory:
http://www.securityfocus.com/advisories/2000
- ZBSoft web site: http://www.zbserver.com/
* Discovered by: Tamer Sahin, SecurityOffice
++++++++++
6.2 AOLServer File Disclosure Vulnerability
* Risk: Low
* Impact: information disclosure, unauthorized access
* Summary: AOLServer 3.4.2 for Windows allows an attacker to bypass
password protection controls on files if the attacker requests a file
using the file's full path.
* Details:
- SecurityOffice Advisory:
http://www.securityoffice.net/articles/aolserver/
- SecurityFocus BugTraq: http://www.securityfocus.com/bid/3791
* Discovered by: Tamer Sahin, SecurityOffice
++++++++++
6.3 Apache Remote File Disclosure Vulnerability
* Risk: Moderate
* Impact: information disclosure, code execution
* Summary: The default configuration of the php.exe binary of Apache
for Win32 allows an attacker to access files on the server by appending
the file name to the end of the request for php.exe. This also makes
it possible for the attacker to run executables on the server.
* Details:
- SecuriTeam Advisory:
http://www.securiteam.com/windowsntfocus/5ZP030U60U.html
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3786
- Apache web site: http://www.apache.org
* Discovered by: Paul Brereton, SecuriTeam
++++++++++
6.4 Avirt Gateway Telnet Remote SYSTEM Access Vulnerability
* Risk: High
* Impact: command line access to system
* Summary: The telnet proxy in the Avirt Gateway software allows a
remote attacker to have command line access to the system via telnet
proxy if the attacker's IP address is within the range allowed by
the proxy.
* Details:
- Strumpf Noir Society advisory: http://labs.secureance.com/
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3905
- Avirt web site: http://www.avirt.com
* Discovered by: Strumpf Noir Society
++++++++++
6.5 BEA Weblogic Denial of Service
* Risk: Low
* Impact: denial of service
* Summary: It is possible to crash a BEA Systems Weblogic server
by submitting URL requests for an MS-DOS device name with a .jsp
extension. Upgrading to v6.1 SP2 resolves this problem.
* Details:
- KPMG Advisory: http://www.securityfocus.com/archive/1/248697
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3816
- BEA Systems web site: http://commerce.beasys.com
* Discovered by: Peter Grundl
++++++++++
6.6 Bugzilla Multiple Vulnerabilities
* Risk: Moderate
* Impact: various
* Summary: Mozilla has released a security update to its Bugzilla
bug tracking software to address numerous security vulnerabilities.
* Details:
- Bugzilla advisory:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
- Bugzilla web site: http://bugzilla.mozilla.org
- Patch availability:
http://www.bugzilla.org/bugzilla2.14to2.14.1.patch
++++++++++
6.7 CyberStop Web Server Denial of Service
* Risk: Low
* Impact: denial of service
* Summary: It is possible to crash the CyberStop web server
application by requesting a URL for an MS-DOS device name or a
particularly long URL.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3929,
http://www.securityfocus.com/bid/3930
- CyberStop web site: http://www.cyberstop.com.sg/
* Discovered by: al3x hernandez
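Both the WebLogic item (6.5) and the CyberStop item (6.7) are the same class of
bug: on Win32 a file name whose base (the part before the first '.') is a
reserved device name refers to the device whatever the extension or directory,
so 'aux.jsp', 'COM1.txt' and 'nul' all open a device, and a server that passes
such a request path to the file system can hang or crash. The following is an
added example of the input check a web server on Windows should apply, written
for this digest and not taken from either vendor; the reserved-name list is the
standard DOS set, and the length cap is a constructed value covering the
long-URL trigger reported for CyberStop.

```python
"""Reject request targets that name MS-DOS devices or are excessively long."""
from __future__ import annotations

from urllib.parse import unquote

_RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
_RESERVED |= {f"COM{i}" for i in range(1, 10)}
_RESERVED |= {f"LPT{i}" for i in range(1, 10)}

MAX_TARGET_LEN = 2048  # constructed limit; use whatever your server actually allocates for


def is_dos_device_name(component: str) -> bool:
    """True if a single path component would resolve to a DOS device on Win32."""
    base = component.split(".", 1)[0]   # 'aux.jsp' -> 'aux'; 'lpt1.' -> 'lpt1'
    base = base.rstrip(" ")             # Win32 ignores trailing spaces in names
    return base.upper() in _RESERVED    # device names are case-insensitive


def validate_request_target(target: str, max_len: int = MAX_TARGET_LEN) -> tuple[bool, str]:
    """Return (ok, reason) for a raw request-target such as '/docs/aux.jsp?x=1'."""
    if len(target) > max_len:
        return False, "request target too long"
    path = target.split("?", 1)[0]      # the query string is not a file name
    decoded = unquote(path)             # '%41UX.jsp' -> 'AUX.jsp'
    if "\x00" in decoded:
        return False, "NUL byte in path"
    # Windows servers usually accept '\' as a separator too, so normalise it.
    for component in decoded.replace("\\", "/").split("/"):
        if component and is_dos_device_name(component):
            return False, f"reserved device name: {component}"
    return True, "ok"


if __name__ == "__main__":
    for t in ("/index.jsp", "/aux.jsp", "/%41UX.jsp", "/docs/COM1.txt", "/auxiliary.jsp"):
        print(t, "->", validate_request_target(t))
```

Run the check before the path reaches any file-system call; rejecting after
the open() has already been attempted is too late, because the hang happens in
the open itself.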
++++++++++
6.8 DaanSystems NewsReactor Password Encoding Vulnerability
* Risk: Low
* Impact: information disclosure
* Summary: DaanSystems NewsReactor stores news server configuration
information, including the password, in the NewsReactor.ini file.
Although the password is obfuscated, it is stored insecurely and can
easily be decoded.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3927
- DaanSystems web site: http://daansystems.com/newsreactor/
* Discovered by: SecuriTeam
++++++++++
6.9 DeleGate Proxy Cross-Site Scripting Vulnerability
* Risk: Moderate
* Impact: execution of code
* Summary: DeleGate does not filter HTML tags from links to error
pages. A malicious web site could include script code in a link to a
site running DeleGate. The code would be executed in the context of
the site running DeleGate. Users should upgrade to v7.8.
* Details:
- SNS Advisory:
http://www.lac.co.jp/security/english/snsadv_e/47_e.html
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3749
- DeleGate web site: http://www.delegate.org/delegate
* Discovered by: Satoshi Ishizuka, Keigo Yamazaki
++++++++++
6.10 EServ File Access Vulnerability
* Risk: Low
* Impact: information disclosure
* Summary: For Etype EServ versions 2.92 - 2.97, an attacker can
use a specially crafted URL to bypass password protection and access
files or folders in the web root.
* Details:
- SecurityOffice advisory:
http://www.securityoffice.net/articles/eserv/
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3838
- Etype web site: http://www.eserv.ru/
- Patch download: ftp://ftp.eserv.ru/pub/beta/2.98/Eserv3119.zip
* Discovered by: Tamer Sahin, SecurityOffice
++++++++++
6.11 Legato Networker Plaintext Log File Vulnerability
* Risk: Low
* Impact: information disclosure
* Summary: Legato Networker creates log files that are world-readable
by default. The logs may contain sensitive information, such as
authentication credentials, used in Networker's backup process.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3840,
http://www.securityfocus.com/bid/3842
- Legato web site: http://www.legato.com
* Discovered by: Venkatesh Babu Sira
++++++++++
6.12 Netopia Timbuktu Denial of Service
* Risk: Low
* Impact: denial of service
* Summary: Netopia's Timbuktu software will stop accepting new
connections if a large number of TCP connections are made to the
software.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3918
- Netopia web site: http://www.netopia.com
* Discovered by: Tekno pHReak
++++++++++
6.13 Netscape/iPlanet Web Server Vulnerabilities
* Risk: Moderate
* Impact: denial of service; information disclosure
* Summary: It is possible to cause a denial of service on Netscape
Enterprise and iPlanet web servers by submitting a URL containing the
'?wp-html-rend' web publishing command. It is also possible to launch
a brute force password guessing attempt using the '?wp-force-auth'
command.
* Details:
- ProCheckUp Advisories:
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0007.html and
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0008.html;
http://www.procheckup.com
- CERT advisories: http://www.kb.cert.org/vuls/id/191763,
http://www.kb.cert.org/vuls/id/985347
* Discovered by: ProCheckUp
++++++++++
6.14 Netscape/Mozilla Cookie Stealing Vulnerability
* Risk: Low
* Impact: information disclosure
* Summary: A flaw in the way Netscape and Mozilla browsers handle
null characters (%00) in a URL could allow an attacker to steal
cookies. Users should upgrade to Mozilla 0.9.7 or Netscape 6.2.1.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3925
- Mozilla web site: http://www.mozilla.org
- Netscape web site: http://home.netscape.com/download/index.html
* Discovered by: Marc Slemko
++++++++++
6.15 NTFS File System File Wipe Vulnerability (Multiple Vendors)
* Risk: Low
* Impact: information left on system
* Summary: Numerous file-wiping utilities used on the Windows NTFS
file system do not properly wipe data stored in alternate data streams.
Information stored in alternate streams may be left on the hard disk.
Affected applications include AccessData SecureClean, East-Tec Eraser,
Eraser Eraser, Jetico BCWipe, and PGP/PGP Wipe.
* Details:
- Seifried advisory: http://www.securityfocus.com/archive/1/251565
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3912
* Discovered by: Kurt Seifried
++++++++++
6.16 Oracle 9iAS Web Cache Multiple Vulnerabilities
* Risk:
* Impact: various
* Summary: Numerous vulnerabilities have been discovered in
the Oracle 9iAS Web Cache service, including denial of service,
information disclosure, and privilege elevation vulnerabilities.
Oracle has released a patch.
* Details:
- Oracle Security Alert:
http://otn.oracle.com/deploy/security/pdf/webcache2.pdf
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3760,
http://www.securityfocus.com/bid/3761,
http://www.securityfocus.com/bid/3762,
http://www.securityfocus.com/bid/3764
++++++++++
6.17 Oracle SQL*Plus Unauthorized Shell Execution Vulnerability
* Risk: Moderate
* Impact: code execution
* Summary: Under the default configuration of Oracle 8i and 9i,
any user connected via SQL*Plus can execute arbitrary commands on the
server. A workaround exists, but no patch is available at this time.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3900
- Oracle web site: http://www.oracle.com
* Discovered by: Jonathan Zdziarski
++++++++++
6.18 Plumtree Corporate Portal Cross-Site Scripting Vulnerability
* Risk: Moderate
* Impact: execution of code
* Summary: Plumtree Corporate Portal is vulnerable to cross-site
scripting attacks that could allow malicious code to be executed via
a link to the error.asp error information page. An advisory and fix
are available.
* Details:
- Advisory:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0300.html
- Plumtree web site:
http://www.plumtree.com/company/technical_support.htm
* Discovered by: Ed Moyle
++++++++++
6.19 Savant web server Denial of Service
* Risk: Low
* Impact: denial of service
* Summary: A specially crafted URL containing a large number of
arbitrary characters can be used to crash the Savant web server.
* Details:
- SecurityOffice advisory:
http://www.securityoffice.net/articles/savant/
- Savant web site: http://savant.sourceforge.net/
* Discovered by: Tamer Sahin, SecurityOffice
++++++++++
6.20 Snort Denial of Service
* Risk: Low
* Impact: denial of service
* Summary: A maliciously crafted ICMP packet can be used to crash
the Snort IDS. A patch is available.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3849
- Patch availability:
http://www.securityfocus.com/data/vulnerabilities/patches/snort-icmp.patch
- Snort web site: http://www.snort.org
* Discovered by: Sinbad
++++++++++
6.21 Pi-Soft SpoonFTP FTP Bounce Vulnerability
* Risk: Moderate
* Impact: unauthorized access
* Summary: SpoonFTP Server is vulnerable to FTP bounce attacks where
a user connected to the FTP server can use the FTP PORT command to
connect to an arbitrary port on a remote host. Users should upgrade
to v1.2.
* Details:
- SecurityFocus Bugtraq: http://www.securityfocus.com/bid/3910
- Pi-Soft web site: http://www.pi-soft.com
* Discovered by: Arne Vidstrom
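The FTP bounce attack works because RFC 959's PORT h1,h2,h3,h4,p1,p2 lets the
client name any host and port for the data connection, and a server that
honours it literally becomes a relay that can port-scan or connect into hosts
behind it. The fix is to accept only data-connection targets that match the
control connection's peer address and use a non-privileged port. Below is an
added example of that check, written for this digest and not SpoonFTP's code;
the peer address and the sample commands are constructed.

```python
"""Validate the FTP PORT command so the server cannot be used as a bounce relay."""
from __future__ import annotations


def parse_port_argument(arg: str) -> tuple[str, int]:
    """Turn '10,0,0,5,4,1' into ('10.0.0.5', 1025); raise ValueError when malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError as exc:
        raise ValueError("PORT fields must be decimal integers") from exc
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # p1 is the high byte, p2 the low byte
    return host, port


def port_command_allowed(arg: str, control_peer_ip: str,
                         min_port: int = 1024) -> tuple[bool, str]:
    """Decide whether to honour PORT from a client whose control connection is control_peer_ip.

    Returns (allowed, reply) where reply is the FTP status line to send back.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"501 Syntax error in parameters: {exc}"
    if host != control_peer_ip:
        # This is the bounce case: the client asked us to connect somewhere else.
        return False, "500 PORT host must match the control connection address"
    if port < min_port:
        # Even to the right host, do not let a client aim us at a privileged service.
        return False, "500 PORT to a privileged port is not allowed"
    return True, "200 PORT command successful"


if __name__ == "__main__":
    peer = "10.0.0.5"  # constructed control-connection peer
    for cmd in ("10,0,0,5,4,1", "10,0,0,9,0,25", "10,0,0,5,0,25", "10,0,0,5,256,1"):
        print(cmd, "->", port_command_allowed(cmd, peer))
```

The second sample command, PORT 10,0,0,9,0,25, is the classic bounce: it asks
the server to open TCP/25 on a different host, which is exactly what the fixed
version refuses.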
+-+-+-+-+-+-+-+-+-+-+
7. Updates
7.1 Increased Scanning to Port 1433 - Users Urged to Install SQL
Server Patches
The Computer Incident Advisory Capability (CIAC -
http://www.ciac.org/ciac/) of the Department of Energy reports a
significant increase in scans for TCP port 1433, which is used by
Microsoft's SQL Server. Microsoft released security bulletin MS01-060
(reported in last month's Windows Digest), which outlined several
buffer overflows in SQL Server. The increase in scanning activity
implies that an exploit may exist in active circulation. Users are
urged to apply the appropriate patches. See MS01-060 for details,
http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
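A sweep like the one CIAC describes shows up in perimeter logs as one source
touching many destination hosts on TCP/1433 in a short time, regardless of
whether the connections were allowed. The following added example, written for
this digest and not taken from CIAC or any vendor, parses a constructed
firewall-style log (generic format, RFC 5737 documentation addresses) and flags
sources that probed at least `threshold` distinct hosts on 1433 inside a
sliding window; single legitimate client connections to a SQL Server are not
flagged.

```python
"""Flag sources sweeping TCP/1433 (SQL Server) in firewall-style connection logs."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>".
# Addresses are from the RFC 5737 documentation ranges; this is not real sensor data.
SAMPLE_LOG = """\
2002-02-05 10:12:01 DENY TCP 198.51.100.7:3211 -> 192.0.2.10:1433
2002-02-05 10:12:01 DENY TCP 198.51.100.7:3212 -> 192.0.2.11:1433
2002-02-05 10:12:02 DENY TCP 198.51.100.7:3213 -> 192.0.2.12:1433
2002-02-05 10:12:02 ALLOW TCP 198.51.100.7:3214 -> 192.0.2.13:1433
2002-02-05 10:12:03 ALLOW TCP 192.0.2.55:1522 -> 192.0.2.20:1433
2002-02-05 10:12:04 ALLOW TCP 203.0.113.4:4001 -> 192.0.2.10:80
2002-02-05 10:12:04 ALLOW TCP 203.0.113.4:4002 -> 192.0.2.11:80
2002-02-05 10:12:05 ALLOW TCP 203.0.113.4:4003 -> 192.0.2.12:80
2002-02-05 10:12:05 ALLOW TCP 203.0.113.4:4004 -> 192.0.2.13:80
2002-02-05 11:40:00 DENY TCP 192.0.2.55:1601 -> 192.0.2.21:1433
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def find_port_sweeps(lines, port: int = 1433, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> dict[str, set[str]]:
    """Return {src: {dst, ...}} for sources hitting >= threshold distinct hosts on `port` within `window`."""
    events: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps: dict[str, set[str]] = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _dst) in enumerate(hits):
            # Distinct destinations this source touched in the window starting at t0.
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                sweeps[src] = targets
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in find_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept TCP/1433 on {len(targets)} hosts: {sorted(targets)}")
```

Counting distinct destinations rather than raw connection attempts is what
separates a sweep from a busy but legitimate client, and including DENY lines
matters because the blocked probes are usually the bulk of the evidence.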
7.2 AOL Fixes AIM Buffer Overflow
AOL has fixed a major buffer overflow problem in AOL Instant
Messenger (AIM) by patching the flaw on its AIM servers.
The vulnerability was originally discovered by w00w00
(http://www.w00w00.org/advisories/aim.html) and was reported in last
month's Windows Digest.
7.3 w00w00-recommended Fix for AIM Buffer Overflow Contains Backdoors,
Spyware
In the original w00w00 advisory for the AIM Buffer Overflow
described above, w00w00 recommended the use of the AIM
Filter software as a temporary fix until a patch was issued
by AOL. AIM Filter was later discovered to contain backdoors
and spyware. Uninstalling AIM Filter resolves this problem.
See http://www.securiteam.com/securitynews/5JP052A60U.html for details.
=======================================================================
The SANS Windows Security Digest is available at no cost
to all system, network, and security professionals who work
with Windows. To subscribe, email digest@sans.org with the
subject Windows Security Digest. Back issues are available at
http://www.sans.org/newlook/digests/ntdigest.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8Z/mf+LUG5KFpTkYRAtv5AJoCitagHWFzk9eU2rqDL7y4keLneACffbuB
bhpB5w84O7Y8TNkTTqiYZ2Y=
=kVRI
-----END PGP SIGNATURE-----