From: The SANS Institute (sans@sans.org)
Date: Wed Mar 27 2002 - 20:07:17 CST


    To: Security Express (SD397643)
    Re: SANS Windows Security Digest Vol. 5 Num. 1

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                       The SANS Windows Security Digest
          A Resource for Computer and Network Security Professionals
                             Volume 5, Number 3
                              March 27, 2002

                     Jennifer Kolde, The SANS Institute

    Editorial Board:
         Phil Cox (SystemExperts Corp.)
         Mark T. Edmead (MTE Software, Inc.)
         Steve Lewis (PROintelligent)
         Dr. Gene Schultz (University of California, Berkeley Lab)

              Copyright 2002 The SANS Institute. All Rights Reserved.

    You may forward this issue to your co-workers.

    We are now signing the Windows Security
    Digest with PGP. The new SANS PGP key is posted at
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can also be accessed from the SANS web site (http://www.sans.org)

    **********************************************************************

    It's been a bumper month for Microsoft security bulletins
    (hence the delay in this month's Digest) with the release
    of no fewer than 13 bulletins in the past six weeks - and
    that does not include the re-release of some bulletins due
    to updates or changes. According to Government Computer News
    (http://www.gcn.com/vol1_no1/daily-updates/17874-1.html), Microsoft
    halted all new software development for a month to debug existing code.
    Is the flurry of security bulletins the result of some much-needed
    repair work? We'd like to think so...but reading the fine print
    of many of this month's bulletins shows Microsoft crediting outside
    sources such as eEye Digital Security, Bindview RAZOR, HD Moore, and
    others for bringing the flaws to Redmond's attention. Perhaps we'll
    see the results of Microsoft's "spring cleaning" in the next Security
    Rollup.

    As always, please send comments and feedback to windows@sans.org.

    JEK

    **********************************************************************

    Jason Fossen's Securing Windows class is the top ranked Windows
    security hands-on program in the US, based on actual student
    ratings and surveys. If your managers care deeply about security,
    try to get them to send you to Washington, Boston, or Denver to take
    the course. http://www.sans.org

    Table of Contents

    Section I: Articles and Features

    1. Microsoft Security News
    1.1 Multiple SNMP Vulnerabilities Announced
    1.2 IETF Receives Draft Proposal for Responsible Vulnerability
        Disclosure
    1.3 Microsoft Developing Baseline Security Analyzer
    1.4 Controversy over Visual Studio .NET Security

    2. Tip of the Month: Securing EFS, Part 2 by Roberta Bragg

    ++++++++++

    Section II: Security Alert Summary

    3. Microsoft Security Bulletins

    ****CRITICAL risk bulletins
    3.1 MS02-005: 11 February 2002 Cumulative Patch for Internet Explorer
    3.2 MS02-008: XMLHTTP Control Can Allow Access to Local Files
    3.3 MS02-009: Incorrect VBScript Handling in IE can Allow Web Pages
                  to Read Local Files
    3.4 MS02-010: Unchecked Buffer in ISAPI Filter Could Allow Commerce
                  Server Compromise
    3.5 MS02-013: Java Applet Can Redirect Browser Traffic

    *** HIGH risk bulletins
    There were no HIGH risk bulletins released in the past month.

    ** MODERATE risk bulletins
    3.6 MS02-004: Unchecked Buffer in Telnet Server Could Lead to Arbitrary
                  Code Execution
    3.7 MS02-006: Unchecked Buffer in SNMP Service Could Enable Arbitrary
                  Code to be Run
    3.8 MS02-007: SQL Server Remote Data Source Function Contain Unchecked
                  Buffers
    3.9 MS02-014: Unchecked Buffer in Windows Shell Could Lead to Code
                  Execution

    * LOW risk bulletins
    3.10 MS02-002: Malformed Network Request can cause Office v.X for
                   Mac to Fail
    3.11 MS02-003: Exchange 2000 System Attendant Incorrectly Sets Remote
                   Registry Permissions
    3.12 MS02-011: Authentication Flaw Could Allow Unauthorized Users To
                   Authenticate To SMTP Service
    3.13 MS02-012: Malformed Data Transfer Request can Cause Windows SMTP
                  Service to Fail

    4. Additional Microsoft Software Issues

    4.1 Other Microsoft Product Issues
    4.1.1 Microsoft Windows 2000 Password Policy Bypass Vulnerability
    4.1.2 Windows NT Security Policy Bypass Vulnerability
    4.1.3 Microsoft Windows NTFS File Hiding Vulnerability
    4.1.4 Outlook Express Attachment Vulnerability
    4.1.5 Microsoft IIS Authentication Method Disclosure
    4.1.6 Microsoft MSDTC Service Denial of Service
    4.1.7 Microsoft Site Server Multiple Vulnerabilities

    5. Virus Alerts
    5.1 Yarner Worm
    5.2 Gibe Worm
    5.3 MyLife/MyLife.B Worm

    6. Third-Party Software Issues

    6.1 Buffer Overflows
    6.1.1 Internet Security Systems BlackICE and RealSecure Buffer Overflow
          (F,E)
    6.1.2 CNet CatchUp Remote Arbitrary Code Execution Vulnerability (F)
    6.1.3 mIRC Nick Buffer Overflow Vulnerability (F,E)
    6.1.4 BBShareware.com Phusion Webserver Long URL Buffer Overflow (E)
    6.1.5 SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
          (F)
    6.1.6 TalentSoft Web+ Multiple Buffer Overflows (F)

    6.2 Other Third Party Software Issues
    6.2.1 BBShareware.com Phusion Webserver Multiple Vulnerabilities
    6.2.2 BindView NETinventory Password Retrieval
    6.2.3 Castelle Faxpress Plaintext Password Disclosure
    6.2.4 Coolsoft PowerFTP Server Multiple Vulnerabilities
    6.2.5 Dino's Webserver Denial of Service
    6.2.6 Endymion MailMan Alternate Templates File Disclosure
    6.2.7 Endymion Sake Mail Null Character File Disclosure
    6.2.8 Essentia Web Server Multiple Vulnerabilities
    6.2.9 Etype EServ Multiple Vulnerabilities
    6.2.10 FastTrack P2P Technology Multiple Vulnerabilities
    6.2.11 Galacticomm Worldgroup Multiple Denial of Service
           Vulnerabilities
    6.2.12 Gator Digital Wallet Vulnerability
    6.2.13 Hosting Controller Information Disclosure Vulnerability
    6.2.14 John Roy Pi3Web Multiple Vulnerabilities
    6.2.15 MailServer by SH39 Denial of Service Vulnerability
    6.2.16 mIRC DCC Nick Disclosure Vulnerability
    6.2.17 Novell GroupWise Web Root Disclosure
    6.2.18 Oracle TNS Listener Arbitrary Library Call Execution
    6.2.19 PGPFire Desktop Firewall ICMP Fingerprinting Vulnerability
    6.2.20 Rit Research Labs The Bat! MS DOS Device Name Denial Of Service
    6.2.21 SAS SASTCPD Command Format String Vulnerability
    6.2.22 Sybex E-Trainer Software Relative Path Filtering Directory
           Traversal
    6.2.23 Symantec Norton AntiVirus Multiple Vulnerabilities
    6.2.24 Working Resources BadBlue Multiple Vulnerabilities
    6.2.25 Xerver Multiple Vulnerabilities

    **********************************************************************

    Section I: Articles and Features

    1. Microsoft Security News

    1.1 Multiple SNMP Vulnerabilities Announced
    The PROTOS project at the Oulu University Secure Programming Group
    (OUSPG) released research findings detailing numerous vulnerabilities
    in the SNMP protocol. The protocol is widely implemented across
    numerous vendors and products, affecting a wide array of systems
    (including Microsoft - see item 3.7 below).
     - OUSPG Findings:
     http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/
     - CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many
     Implementations of the Simple Network Management Protocol (SNMP):
     http://www.cert.org/advisories/CA-2002-03.html
     - CERT Vulnerability Note VU#107186, Multiple Vulnerabilities in
     SNMPv1 Trap Handling: http://www.kb.cert.org/vuls/id/107186
     - CERT Vulnerability Note VU#854306, Multiple Vulnerabilities in
     SNMPv1 Request Handling: http://www.kb.cert.org/vuls/id/854306
     - SANS Institute Flash Alert: http://www.sans.org/alerts/SNMP.php
     - ISS Alert: http://www.iss.net/security_center/alerts/advise110.php
     - ISS Additional Information:
     http://www.iss.net/security_center/static/8115.php

    ++++++++++

    1.2 IETF Receives Draft Proposal for Responsible Vulnerability
             Disclosure
    Steve Christey of MITRE and Chris Wysopal of @stake have issued a
    27-page draft proposal for a Responsible Vulnerability Disclosure
    Process (RVDP). The draft has been posted as an Internet-Draft by
    the Internet Engineering Task Force (IETF) for comment, in the hope
    that it will become an RFC.
     - Draft proposal:
     http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

    ++++++++++

    1.3 Microsoft Developing Baseline Security Analyzer
    Microsoft announced that it is developing a new tool to assist
    administrators in scanning and securing systems called the Microsoft
    Baseline Security Analyzer (MBSA). A replacement for the Microsoft
    Personal Security Advisor (MPSA), the MBSA will run locally on Windows
    2000 or XP systems and will be able to scan Windows NT, 2000, XP,
    and .NET systems, along with IIS, SQL Server, Internet Explorer,
    and Microsoft Office.
     - ENT News story:
     http://www.entmag.com/news/article.asp?EditorialsID=5245

    ++++++++++

    1.4 Controversy over Visual Studio .NET Security
    Security consulting firm Cigital claims that code introduced in
    Microsoft's Visual Studio .NET to help prevent buffer overflows
    actually contains a buffer overflow, making code compiled with the
    faulty software unsafe. Microsoft denies the claims.
     - Cigital press release: http://www.cigital.com/news/mscompiler.html
     - ENT News story:
     http://www.entmag.com/news/article.asp?EditorialsID=5209
     - Security Administrator story:
     http://www.secadministrator.com/articles/index.cfm?articleid=24179
     - Bugtraq: http://www.securityfocus.com/bid/4108

    ++++++++++

    2. Tip of the Month: Securing EFS, Part 2
    In Part 2 of her article on the Windows Encrypting File System (EFS),
    Roberta Bragg outlines steps you can take to increase the security
    of EFS on your Windows 2000 systems.
     - Story: http://www.sans.org/newlook/digests/hacking_efs2.htm

    **********************************************************************

    Section II: Security Alert Summary

    3. Microsoft Security Bulletins

    3.1 MS02-005: 11 February 2002 Cumulative Patch for Internet Explorer
        - released 11 February 2002

    Risk: ****CRITICAL
     - Internet systems: CRITICAL
     - Intranet systems: CRITICAL
     - Client systems: CRITICAL

    Impact: various, including run code of attacker's choice

    Systems Affected:
     - Internet Explorer 6.0
     - Internet Explorer 5.5
     - Internet Explorer 5.01
     - Earlier versions are no longer supported, were not tested, and
     may or may not be vulnerable.

    Summary:
    This bulletin and its associated patch are intended to address all
    known vulnerabilities to date with Internet Explorer 5.01, 5.5, and
    6.0. This includes six newly discovered vulnerabilities (including a
    buffer overflow) in addition to previously disclosed vulnerabilities.
    The newly discovered issues are:

    1. Buffer overflow. HTML includes an <EMBED> tag that allows a
    document to be incorporated into a web page. The SRC information
    in the <EMBED> tag gives the location of the content to be embedded.
    A flaw in the way IE parses the SRC information makes it possible for
    an attacker to craft a specially formatted SRC string that allows him
    to run arbitrary code on the user's system. The code would execute
    with the privileges of the Internet Explorer application (i.e.,
    the user). The attack would NOT work if the "Run ActiveX Controls
    and Plugins" security option were disabled for the security zone in
    which the page was opened (this option is disabled by default only
    in the Restricted Sites Zone). For email-based HTML attacks, Outlook
    2002 and Outlook Express 6 open mail in the Restricted Sites Zone by
    default. Outlook 98 and Outlook 2000 with the Email Security Update
    patch applied also open mail in the Restricted Sites Zone by default.
    IE 5.01 is not affected by this vulnerability.

    2. File reading via GetObject. This vulnerability was reported in
    last month's Windows Digest (Volume 5, Number 2, item 4.1.1). A flaw
    in the JScript GetObject() function, when combined with the ActiveX
    object 'htmlfile', could be used to allow an attacker to create a
    malicious web page or HTML email that could read any file on the
    user's hard drive, if the file's location was known. The flaw could
    be exploited via a specially crafted script placed on a web site.
    The attack is blocked if Active Scripting is disabled, which is the
    default in the Restricted Sites Zone.

    3. File download spoofing. An error in the way IE handles the
    Content-Type and Content-Disposition fields allows an attacker to
    misrepresent the name of a file that a user downloads through IE.
    This could be used to trick a user into downloading what he thought
    was a "safe" file type but that was actually dangerous.

    4. Application invocation. A flaw in the way IE handles the
    Content-Type field allows an attacker to specify the application
    that should be used to open a file on a web site. IE should only use
    registered, safe applications to open files (e.g., using Word for a
    .doc file), but an attacker can bypass those restrictions. Depending
    on the file being downloaded and the applications available on the
    system, the attacker could take various actions such as modifying or
    deleting data on the hard drive.

    5. Script execution. When IE loads a web page, it performs security
    checks such as determining whether a page contains scripts, and
    whether or not the scripts should be allowed to execute based on
    the user's security settings. Certain HTML tags can allow objects
    such as scripts to be triggered after the page is initially loaded.
    Because the script is not present during the initial security check
    and IE performs no further checks, the script could execute even if
    the user had disabled scripting. IE 5.01 is not affected by this
    vulnerability.

    6. Frame domain verification. This is a variant of an issue originally
    discussed in MS01-058. An attacker could create a malicious web page
    that opens two browser windows, one to the web server's domain and one
    to the user's local system. The Document.open function can then be
    used to pass information from the local window to the domain window,
    allowing the attacker to read any file on the local system whose name
    and location were known. IE 5.01 is not affected by this vulnerability.

    Details:
    * MS02-005 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
    * Knowledge Base Articles:
     - Q316059, MS02-005: February 11, 2002,
     Cumulative Patch for Internet Explorer,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q316059
     - Q317727, MS02-005: Patch Is Available for the Application
     Invocation via Content-Type Field Vulnerability,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317727
     - Q317726, MS02-005: Patch Is Available for the
     GetObject() Scripting Function Vulnerability,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317726
     - Q317745, MS02-005: Patch Is Available for
     File Download Dialog Box Spoofing Vulnerability,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317745
     - Q317729, MS02-005: Patch Is Available for a New
     Variant of the "Frame Domain Verification" Vulnerability,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317729
     - Q317742, MS02-005: Patch Is Available
     for the Script Execution Vulnerability,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317742
    * CVE Information:
     - Buffer overflow: CAN-2002-0022,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0022
     - File reading via GetObject: CAN-2002-0023,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0023
     - File download spoofing: CAN-2002-0024,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0024
     - Application invocation: CAN-2002-0025,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0025
     - Script execution: CAN-2002-0026,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0026
     - Frame domain verification: CAN-2002-0027,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0027
    * Additional references:
     - Security.NNOV Bulletin (buffer overflow): Buffer overflow in
     mshtml.dll, http://www.security.nnov.ru/advisories/mshtml.asp
     - CERT Bulletin (buffer overflow): CA-2002-04,
     Buffer Overflow in Microsoft Internet Explorer,
     http://www.cert.org/advisories/CA-2002-04.html
     - CERT Vulnerability Note (buffer overflow): VU#932283,
     Microsoft Internet Explorer HTML rendering engine contains
     buffer overflow processing SRC attribute of HTML EMBED directive,
     http://www.kb.cert.org/vuls/id/932283
     - ISS Advisory (buffer overflow), ie-html-directive-bo (8116),
     http://www.iss.net/security_center/static/8116.php
     - ISS Alert (buffer overflow), #111 Buffer
     Overflow in Microsoft Internet Explorer,
     http://www.iss.net/security_center/alerts/advise111.php

    ++++++++++

    3.2 MS02-008: XMLHTTP Control Can Allow Access to Local Files
        - released 21 February 2002
        - updated patch information 27 February 2002
        - updated patch information 5 March 2002
        - updated patch information 11 March 2002

    Risk: ****CRITICAL
     - Internet systems: MODERATE
     - Intranet systems: MODERATE
     - Client systems: CRITICAL

    Impact: information disclosure

    Systems Affected:
     - Systems using Microsoft XML Core Services v2.6, 3.0 and 4.0,
     which include:
       * Windows XP
       * Internet Explorer 6.0
       * SQL Server 2000

    Summary:
    Microsoft XML Core Services provide functions for working with XML
    documents. This includes the XMLHTTP ActiveX control that uses HTTP
    to transfer XML documents over the Internet. Because XMLHTTP does
    not correctly obey the restrictions of the IE Security Zones, an
    attacker can create a malicious web site with a specially formatted
    XMLHTTP GET request that would redirect the request to the user's
    local system and read any file whose name and location was known.

    Details:
    * MS02-008 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
    * Knowledge Base Articles:
     - Q318202, MS02-008: XMLHTTP Control in
     MSXML 2.0 Can Allow Access to Local Files,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q318202
     - Q318203, MS02-008: XMLHTTP Control in
     MSXML 3.0 Can Allow Access to Local Files,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q318203
     - Q317244, MS02-008: XMLHTTP Control in
     MSXML 4.0 Can Allow Access to Local Files,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317244
    * CVE Information:
     - CAN-2002-0057,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0057
    * Additional references:
     - This issue was first discussed in the December 2001 Windows Digest
     (Volume 4, Number 12, item 5.1.2).

    ++++++++++

    3.3 MS02-009: Incorrect VBScript Handling in IE can Allow Web Pages
                  to Read Local Files
        - released 21 February 2002
        - updated 13 March 2002 (issues with third party software,
        modified patch)

    Risk: ****CRITICAL
     - Internet systems: MODERATE
     - Intranet systems: MODERATE
     - Client systems: CRITICAL

    Impact: information disclosure

    Systems Affected:
     - Internet Explorer 6.0
     - Internet Explorer 5.5
     - Internet Explorer 5.01
     - Earlier versions are no longer supported, have not been tested,
     and may or may not be vulnerable.

    Summary:
    A flaw exists in the way that Internet Explorer handles VBScript when
    checking for cross-domain access. This flaw allows scripts contained
    in a frame from one domain to access the contents of a frame in a
    different domain - an action that should be prohibited. This could
    allow an attacker to construct a malicious web site or HTML email that
    could read any file on the local system that can be displayed in a
    browser and whose name and location were known. It could also allow
    the attacker to access information displayed in the user's browser
    after the user left the attacker's web site, including usernames,
    passwords, or credit card information. Outlook 2002, Outlook Express
    6, and Outlook 98/2000 with the Email Security Update patch installed
    are not affected by email versions of this attack.

    Details:
    * MS02-009 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-009.asp
    * Knowledge Base Articles:
     - Q318089, MS02-009: Incorrect VBScript Handling in
     Internet Explorer Can Allow Web Pages to Read Local Files,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q318089
    * CVE Information:
     - CAN-2002-0052,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0052

    ++++++++++

    3.4 MS02-010: Unchecked Buffer in ISAPI Filter Could Allow Commerce
                  Server Compromise
        - released 21 February 2002

    Risk: ****CRITICAL
     - Internet systems: CRITICAL
     - Intranet systems: CRITICAL
     - Client systems: n/a

    Impact: run code of attacker's choice

    Systems Affected:
     - Commerce Server 2000

    Summary:
    Microsoft Commerce Server includes an ISAPI filter called
    AuthFilter that is used to manage various authentication methods.
    A buffer overflow exists in the code that handles certain types of
    authentication requests. Overflowing the buffer could cause the
    server to crash, or possibly allow an attacker to run arbitrary
    code on the system. Because Commerce Server runs in the context of
    LOCALSYSTEM, this could give the attacker full control of the server.
    Note that while the AuthFilter ISAPI filter is installed by default,
    it must be specifically enabled for a given web site. Also, if the
    URLScan tool is installed using the default rule set for Commerce
    Server, it would restrict the type of data that could be input during
    authentication, and prevent the execution of arbitrary code; however,
    it would still be possible to crash the server.

    Details:
    * MS02-010 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-010.asp
    * Knowledge Base Articles:
     - Q317615, MS02-010: Unchecked Buffer in ISAPI
     Filter May Allow Commerce Server Compromise,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317615
    * CVE Information:
     - CAN-2002-0050,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0050

    ++++++++++

    3.5 MS02-013: Java Applet Can Redirect Browser Traffic
        - released 4 March 2002
        - re-released 18 March 2002 (second vulnerability discovered)

    Risk: ****CRITICAL
     - Internet systems: MODERATE
     - Intranet systems: MODERATE
     - Client systems: CRITICAL

    Impact: information disclosure; run code of attacker's choice

    Systems Affected:
     - Microsoft Virtual Machine (VM) through build 3802. VM is included
     in Internet Explorer. Versions of the VM shipping with IE 5.0 and
     later were tested and found vulnerable.
     - The version of VM installed can be determined by running the command
     "jview" (without the quotes) at a command prompt; the version appears
     at the far right of the first line of output.

    Summary:
    Microsoft Virtual Machine, included as part of Internet Explorer,
    contains a flaw in the way a Java applet handles proxy requests.
    An attacker could use a malicious Java applet to re-route all traffic
    from the user's browser to the applet's host. The attacker could then
    perform any action on the captured traffic: discard it (denial of
    service), monitor the traffic for sensitive information (usernames,
    passwords, credit card information), record the session for later use
    (replay attack), or create bogus responses to the traffic (session
    hijacking, man-in-the-middle). IE is only vulnerable when it is
    used in conjunction with a proxy server. Because the flaw lies in
    the underlying Java technology (implemented in VM), other systems
    that use Java technology may also be vulnerable, including Netscape
    Communicator 4.79 and earlier.

    A second vulnerability was discovered and released in the revised
    bulletin of 18 March. This vulnerability is a variant of the Virtual
    Machine Verifier issue first discussed in MS99-045. A flaw exists in
    the security checks performed on casting operations (those used, for
    example, to convert between data types). A specially crafted malicious
    Java applet could use it to execute code outside the Java sandbox,
    potentially taking any action on the system that the current user
    could take.

    Details:
    * MS02-013 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-013.asp
    * Knowledge Base Articles:
     - Q300845, MS02-013: Java Applet Can Redirect Browser Traffic,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q300845
    * CVE Information:
     - CAN-2002-0058 (proxy vulnerability),
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0058
     - CAN-2002-0076 (virtual machine verifier vulnerability),
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0076
    * Additional references:
     - Sun Microsystems Security Bulletin #00216, HttpURLConnection,
     http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216
     - Netscape Security Bulletin, Sun JVM (Java Virtual Machine) Issue,
     http://home.netscape.com/security/

    ++++++++++

    3.6 MS02-004: Unchecked Buffer in Telnet Server Could Lead to Arbitrary
                  Code Execution
        - released 2 February 2002

    Risk: **MODERATE
     - Internet systems: MODERATE
     - Intranet systems: MODERATE
     - Client systems: MODERATE

    Impact: denial of service; run code of attacker's choice

    Systems Affected:
     - telnet server service in Windows 2000
     - telnet daemon in Microsoft Interix 2.2
     - Microsoft Services for Unix 2.0 is NOT affected by this
     vulnerability

    Summary:
    A buffer overflow exists in the code that handles protocol options in
    the Microsoft telnet server/daemon. An attacker who sent a specially
    malformed packet to the telnet server could cause the service to crash,
    or potentially run arbitrary code on the server. The code would
    execute in the context of the telnet service (SYSTEM on Windows 2000;
    can be set by the administrator on Interix 2.2). By default, the
    telnet server is installed but disabled on Windows 2000. The telnet
    daemon is not installed by default with Interix 2.2. Blocking requests
    to TCP port 23 at the perimeter will mitigate this vulnerability.

    Details:
    * MS02-004 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-004.asp
    * Knowledge Base Articles:
     - Q307298, MS02-004: Telnet Server Is
     Vulnerable to a Denial-of-Service Attack,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307298
    * CVE Information:
     - CAN-2002-0020,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0020
    * Additional references:
     - ISS Bulletin, ms-telnet-option-bo (8094),
     http://www.iss.net/security_center/static/8094.php
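    The overflow above sits in the code that processes telnet option
    negotiation, the IAC-prefixed command sequences defined in RFC 854 and
    RFC 855. The parser below is an added example (not Microsoft's or the
    digest's code) of how such a handler should treat that input: every
    multi-byte command is checked against the end of the buffer, and a
    subnegotiation (IAC SB ... IAC SE) is capped at a limit before any byte
    is copied, so an oversized or unterminated option is refused rather
    than written past a fixed-size buffer. The byte streams are constructed
    for this example; option 24 is TERMINAL-TYPE, and the 64-byte cap is an
    assumed value, not one taken from any Microsoft implementation.

```python
"""Bounds-checked telnet option parser (added example, not Microsoft's or the digest's code)."""

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATE = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
MAX_SUBNEG = 64   # assumed cap on a subnegotiation payload; a real server sizes this per option


class MalformedTelnet(ValueError):
    """Raised instead of reading or copying beyond the buffer."""


def parse_telnet(stream, max_subneg=MAX_SUBNEG):
    """Split a telnet byte stream into (application_data, commands).

    commands holds ("WILL"|"WONT"|"DO"|"DONT", option), ("SB", option, payload)
    or ("CMD", code) for argument-less commands such as NOP or AYT.
    """
    data, commands = bytearray(), []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:                       # ordinary data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            raise MalformedTelnet("IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                             # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:                     # three-byte option negotiation
            if i + 2 >= n:
                raise MalformedTelnet("truncated %s" % NEGOTIATE[cmd])
            commands.append((NEGOTIATE[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                            # IAC SB option <payload> IAC SE
            if i + 2 >= n:
                raise MalformedTelnet("truncated SB")
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while True:
                if j >= n:
                    raise MalformedTelnet("unterminated subnegotiation for option %d" % option)
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    j += 2                         # IAC SE closes the subnegotiation
                    break
                if stream[j] == IAC:
                    if j + 1 >= n:
                        raise MalformedTelnet("IAC at end of subnegotiation")
                    if stream[j + 1] != IAC:
                        raise MalformedTelnet("unexpected IAC %d inside subnegotiation" % stream[j + 1])
                    byte, j = IAC, j + 2           # escaped 0xFF inside the payload
                else:
                    byte, j = stream[j], j + 1
                if len(payload) >= max_subneg:     # cap enforced before the byte is copied
                    raise MalformedTelnet("subnegotiation for option %d exceeds %d bytes" % (option, max_subneg))
                payload.append(byte)
            commands.append(("SB", option, bytes(payload)))
            i = j
        else:                                      # NOP, AYT, BRK, ... take no argument
            commands.append(("CMD", cmd))
            i += 2
    return bytes(data), commands


def rejects(stream):
    """True when the parser refuses the stream instead of overrunning a buffer."""
    try:
        parse_telnet(stream)
    except MalformedTelnet:
        return True
    return False


# Constructed sample: a login banner, DO TERMINAL-TYPE (option 24), the client's
# "IS VT100" subnegotiation, and an escaped 0xFF data byte.
SAMPLE_STREAM = (b"login: " + bytes([IAC, DO, 24])
                 + bytes([IAC, SB, 24, 0]) + b"VT100" + bytes([IAC, SE])
                 + b"x" + bytes([IAC, IAC]) + b"y")

# Constructed malformed streams of the kind an unchecked option handler mishandles.
MALFORMED_STREAMS = [
    bytes([IAC, SB, 24, 0]) + b"A" * 200 + bytes([IAC, SE]),   # subnegotiation far over the cap
    bytes([IAC, SB, 24, 0]) + b"VT100",                        # never terminated by IAC SE
    bytes([IAC, WILL]),                                         # option byte missing
]
```

    Running parse_telnet(SAMPLE_STREAM) yields the data b"login: x\xffy"
    and the two commands; each entry of MALFORMED_STREAMS raises
    MalformedTelnet. The point is the order of checks: the limit is tested
    before the copy, and the end of the buffer is tested before every
    look-ahead, which is exactly what an unchecked option handler omits.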

    ++++++++++

    3.7 MS02-006: Unchecked Buffer in SNMP Service Could Enable Arbitrary
                  Code to be Run
        - released 12 February 2002
        - re-released 15 February 2002 (patch availability for Win2K/XP)
        - re-released 5 March 2002 (patch availability for NT)
        - re-released 11 March 2002 (patch availability for NT TSE)
        - re-released 13 March 2002 (fix for NT TSE patches released
        11 March)

    Risk: **MODERATE
     - Internet systems: LOW
     - Intranet systems: MODERATE
     - Client systems: MODERATE

    Impact: denial of service; possibly run code of attacker's choice

    Systems Affected:
     - Windows XP
     - Windows 2000
     - Windows NT, including Terminal Server Edition (TSE)
     - Windows 95/98/98SE

    Summary:
    A buffer overflow exists in the implementation of the Simple Network
    Management Protocol (SNMP) in all versions of Windows. An attacker can
    send a malformed management request to an SNMP system to cause denial
    of service, or possibly execute code in the LOCAL SYSTEM context.
    Although SNMP is included in all versions of Windows except for
    Windows Me, it is not installed by default. Blocking SNMP ports at
    your perimeter will mitigate external attacks. See item 1.1 above
    for additional information.

    Details:
    * MS02-006 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-006.asp
    * Knowledge Base Articles:
     - Q314147, MS02-006: An Unchecked Buffer in the SNMP Service May
     Allow Code to Run
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q314147

    * CVE Information:
     - CAN-2002-0053 (Microsoft SNMP vulnerability),
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0053
     - CAN-2002-0012 (general SNMP trap handling),
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
     - CAN-2002-0013 (general SNMP request handling),
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
    * Additional references:
     - See item 1.1 above for additional links.
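    The PROTOS findings in item 1.1 and the Windows SNMP service overflow
    above both come down to decoders that trust the BER length fields in an
    SNMPv1 datagram. The decoder below is an added example (not SANS, OUSPG
    or Microsoft code) of a bounds-checked SNMPv1 request parser: every
    length is compared with the bytes actually present before anything is
    read, each element is kept inside its enclosing SEQUENCE, and a few
    constructed packets show it rejecting a claimed length larger than the
    datagram, an oversized long-form length, and a truncated packet. The
    sample packets are constructed for this example; the community string
    and OID are arbitrary, and only Get/GetNext/Set requests are decoded.

```python
"""Bounds-checked SNMPv1 request decoder (added example, not SANS, OUSPG or Microsoft code)."""

# Request PDU tags only; the Trap PDU (0xA4) has a different layout and is not handled.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}


class MalformedSNMP(ValueError):
    """Raised instead of reading past the end of the datagram."""


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV at buf[pos:].
    The length is compared with the bytes actually present before it is
    trusted; an unchecked decoder would index past the buffer right here."""
    if pos + 2 > len(buf):
        raise MalformedSNMP("truncated TLV header at offset %d" % pos)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise MalformedSNMP("bad long-form length at offset %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length > len(buf) - pos:
        raise MalformedSNMP("length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return tag, pos, pos + length


def expect(buf, pos, end, tag, what):
    """Read one TLV, require the given tag, and keep it inside its parent."""
    t, start, stop = read_tlv(buf, pos)
    if t != tag:
        raise MalformedSNMP("expected %s (tag 0x%02X), got 0x%02X" % (what, tag, t))
    if stop > end:
        raise MalformedSNMP("%s overruns its enclosing SEQUENCE" % what)
    return start, stop


def decode_oid(raw):
    """Decode BER OID contents; the high bit of each byte continues a sub-identifier."""
    if not raw:
        raise MalformedSNMP("empty OID")
    arcs, value, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise MalformedSNMP("unterminated OID sub-identifier")
    return ".".join(map(str, arcs))


def parse_snmpv1_request(buf):
    """Decode one SNMPv1 Get/GetNext/Set request into a dict, or raise MalformedSNMP."""
    tag, pos, msg_end = read_tlv(buf, 0)
    if tag != 0x30 or msg_end != len(buf):
        raise MalformedSNMP("datagram is not exactly one SEQUENCE")
    s, e = expect(buf, pos, msg_end, 0x02, "version")
    if int.from_bytes(buf[s:e], "big", signed=True) != 0:
        raise MalformedSNMP("not SNMPv1")
    s, e = expect(buf, e, msg_end, 0x04, "community")
    community = buf[s:e].decode("ascii", "replace")
    pdu_tag, pos, pdu_end = read_tlv(buf, e)
    if pdu_tag not in PDU_NAMES or pdu_end > msg_end:
        raise MalformedSNMP("bad PDU tag 0x%02X" % pdu_tag)
    s, e = expect(buf, pos, pdu_end, 0x02, "request-id")
    request_id = int.from_bytes(buf[s:e], "big", signed=True)
    for name in ("error-status", "error-index"):
        _, e = expect(buf, e, pdu_end, 0x02, name)
    pos, vb_end = expect(buf, e, pdu_end, 0x30, "varbind list")
    oids = []
    while pos < vb_end:
        vs, ve = expect(buf, pos, vb_end, 0x30, "varbind")
        os_, oe = expect(buf, vs, ve, 0x06, "OID")
        oids.append(decode_oid(buf[os_:oe]))
        if read_tlv(buf, oe)[2] > ve:     # value TLV: bounds-checked, type not interpreted
            raise MalformedSNMP("value overruns its varbind")
        pos = ve
    return {"community": community, "pdu": PDU_NAMES[pdu_tag],
            "request_id": request_id, "oids": oids}


def rejects(packet):
    """True when the decoder refuses the packet instead of overrunning it."""
    try:
        parse_snmpv1_request(packet)
    except MalformedSNMP:
        return True
    return False


# Constructed sample: GetRequest, community "public", for sysDescr.0 (1.3.6.1.2.1.1.1.0).
GOOD_REQUEST = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00 "
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
# Constructed malformed variants of the kind the PROTOS test suite generates.
MALFORMED_REQUESTS = [
    GOOD_REQUEST[:29] + b"\x40" + GOOD_REQUEST[30:],   # OID length claims 64 bytes, 10 remain
    bytes.fromhex("30 84 ff ff ff ff 02 01 00"),       # long-form length of 4 GiB
    GOOD_REQUEST[:30],                                 # datagram truncated mid-varbind
]
```

    parse_snmpv1_request(GOOD_REQUEST) returns the community, PDU type,
    request-id 1 and the single OID; each entry of MALFORMED_REQUESTS
    raises MalformedSNMP at the first length that does not fit. Note that
    the checks are against the real datagram size and against the parent
    element, not just against a fixed buffer: a length that fits the packet
    but overruns its SEQUENCE is also refused.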

    ++++++++++

    3.8 MS02-007: SQL Server Remote Data Source Function Contain Unchecked
                  Buffers
        - released 20 February 2002

    Risk: **MODERATE
     - Internet systems: MODERATE
     - Intranet systems: MODERATE
     - Client systems: MODERATE

    Impact: run code of attacker's choice

    Systems Affected:
     - SQL Server 2000
     - SQL Server 7.0
     - Previous versions are no longer supported, were not tested, and
     may or may not be vulnerable.

    Summary:
    The Structured Query Language (SQL) implementation in SQL Server 7.0
    and 2000 allows queries to be created that establish on-the-fly ("ad
    hoc") connections to remote data sources by naming a specific OLE
    DB provider within the query. A buffer overflow exists in the code
    that handles the OLE DB provider names. This could allow someone
    with the ability to construct and submit a malicious query to cause
    denial of service or execute code in the context of the SQL Server
    (by default, a domain user).

    Details:
    * MS02-007 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-007.asp
    * Knowledge Base Articles:
     - Q317979, FIX: Unchecked Buffer May Occur
     When You Connect to Remote Data Source,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317979
    * CVE Information:
     - CAN-2002-0056,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0056

    ++++++++++

    3.9 MS02-014: Unchecked Buffer in Windows Shell Could Lead to Code
                  Execution
        - released 7 March 2002

    Risk: **MODERATE
     - Internet systems: LOW
     - Intranet systems: MODERATE
     - Client systems: MODERATE

    Impact: denial of service, run code of attacker's choice

    Systems Affected:
     - Windows 2000
     - Windows NT and NT Terminal Server Edition
     - Windows 98 and 98 Second Edition

    Summary:
    eEye Digital Security discovered a buffer overflow in the Windows
    Shell on several Windows versions. The overflow exists in the code
    that locates applications that were not completely removed when
    they were uninstalled. In most cases an attacker would need local
    access to the system to exploit this vulnerability. However, if an
    application that registered a custom URL handler (which allows the
    application to be launched via a specially formatted URL) was
    uninstalled without removing that handler, there is a slight
    possibility that the vulnerability could be exploited via a malicious
    web page or HTML email.

    Details:
    * MS02-014 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-014.asp
    * Knowledge Base Articles:
     - Q313829, Unchecked Buffer in Windows Shell Could Lead to Code
     Running
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q313829

    * CVE Information:
     - CAN-2002-0070,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0070
    * Additional references:
     - eEye Digital Security advisory:
     http://www.eeye.com/html/Research/Advisories/AD20020308.html

    ++++++++++

    3.10 MS02-002: Malformed Network Request can cause Office v.X for
                   Mac to Fail - released 6 February 2002

    Risk: **LOW
     - Internet systems: n/a
     - Intranet systems: n/a
     - Client systems: LOW

    Impact: denial of service

    Systems Affected:
     - Microsoft Office v.X for Macintosh
     - Microsoft Office 98 for Macintosh is NOT vulnerable
     - Microsoft Office 2001 for Macintosh is NOT vulnerable
     - Other versions are no longer supported, were not tested, and may
     or may not be vulnerable.

    Summary:
    Microsoft Office v.X for Macintosh includes an anti-piracy mechanism
    called the Network Product ID (PID) Checker. This feature causes
    systems running Office v.X for Macintosh to periodically broadcast
    their Product Identifier (PID) and to listen for other systems on the
    network with the same PID. If a duplicate PID is detected, Office
    will shut down. A specially malformed announcement can be used to
    crash the Network PID Checker, which will crash the running Office
    v.X application.

    Details:
    * MS02-002 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-002.asp
    * Knowledge Base Articles:
     - Q317879, MacOFFX: Microsoft Office
     v. X Network Security Updater ReadMe,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q317879
    * CVE Information:
     - CAN-2002-0021,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0021

    ++++++++++

    3.11 MS02-003: Exchange 2000 System Attendant Incorrectly Sets Remote
                   Registry Permissions
         - released 7 February 2002

    Risk: **LOW
     - Internet systems: LOW
     - Intranet systems: LOW
     - Client systems: n/a

    Impact: insecure default settings

    Systems Affected:
     - Microsoft Exchange 2000
     - Microsoft Exchange 5.5 is NOT vulnerable
     - Previous versions are no longer supported, were not tested, and
     may or may not be vulnerable

    Summary:
    The Microsoft Exchange System Attendant is one of the core services
    in Microsoft Exchange. As one of its functions, the System Attendant
    facilitates remote administration of Exchange servers by modifying
    permissions on the "winreg" registry key
    (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg), whose
    ACL controls who may connect to the remote registry service, so that
    Exchange Administrators can modify Exchange configuration settings
    stored in the registry from a remote system. The System Attendant
    erroneously grants the "Everyone" group permissions to the winreg key,
    which allows any user to connect remotely to the registry. An attacker
    could then make changes to the registry, depending on the permissions
    set on the individual keys. The attacker must be able to use SMB to
    establish the remote connection, so blocking TCP ports 139 and 445 at
    the perimeter mitigates external attacks.
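    The check an administrator wants here is whether Everyone still holds an
    ACE on the winreg key. The Python below is an added example, not code from
    the Digest or from Microsoft: it parses a DACL in SDDL form (the string
    that "Get-Acl" on the winreg key exposes in its Sddl property) and flags
    any access-allowed ACE for Everyone. The two SDDL strings are constructed
    for the example; the well-known SID aliases in them are real.

```python
import re

# Constructed sample DACL in SDDL form, as the winreg key
# (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg) might
# look after the Exchange 2000 System Attendant has added Everyone.
# Aliases: BA = Administrators, BO = Backup Operators, WD = Everyone.
OPEN_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KR;;;BO)(A;CI;KR;;;WD)"
# The same key after the Everyone ACE has been removed.
FIXED_SDDL = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KR;;;BO)"

EVERYONE = {"WD", "S-1-1-0"}    # SDDL alias and raw SID for Everyone
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the DACL's ACEs as (ace_type, flags, rights, trustee) tuples.

    An SDDL ACE is (type;flags;rights;object_guid;inherit_guid;trustee);
    rights are either two-letter codes such as KR/KA or a hex mask."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop before the SACL
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh, trustee = fields[:6]
        aces.append((ace_type, flags, rights, trustee))
    return aces

def everyone_rights(sddl):
    """Rights granted to Everyone by access-allowed ("A") ACEs."""
    return [rights for ace_type, _flags, rights, who in parse_dacl(sddl)
            if ace_type == "A" and who in EVERYONE]

def winreg_is_open(sddl):
    """True if any user can bind to the remote registry service via this key;
    even read access (KR) is enough for the connection to be accepted."""
    return bool(everyone_rights(sddl))
```

    Run it against the real string from an Exchange 2000 server and, if
    winreg_is_open() returns True, remove the Everyone ACE and re-check after
    the next System Attendant restart, since the service re-applies its
    permissions when it starts.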

    Details:
    * MS02-003 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-003.asp
    * Knowledge Base Articles:
     - Q316056, XGEN: Exchange 2000 Server
     Post-Service Pack 2 Admin Fixes Available,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q316056
    * CVE Information:
     - CAN-2002-0049,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0049

    ++++++++++

    3.12 MS02-011: Authentication Flaw Could Allow Unauthorized Users To
                   Authenticate To SMTP Service
         - released 27 February 2002
         - revised 12 March 2002 (joint patch for MS02-011 and MS02-012)

    Risk: **LOW
     - Internet systems: LOW
     - Intranet systems: LOW
     - Client systems: LOW

    Impact: mail relaying

    Systems Affected:
     - Windows 2000
     - Microsoft Exchange 5.5
     - Microsoft Exchange 2000 is NOT vulnerable
     - Windows NT 4.0 is NOT vulnerable
     - Other systems were not tested, are no longer supported, and may
     or may not be vulnerable.

    Summary:
    The SMTP service that is installed by default with Windows 2000 Server,
    and installed with the Internet Mail Connector (IMC) of Exchange 5.5,
    contains a flaw in the security checks that should be performed before
    granting access to the SMTP service. Once the SMTP service or the IMC
    is notified that a user has authenticated to the server (via NTLM
    authentication), it should perform an additional check to determine
    whether that user has permission to use the SMTP service or IMC itself.
    This check is not performed, which could give unauthorized users access
    to the SMTP service and allow them to relay mail through it.

    Details:
    * MS02-011 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-011.asp
    * Knowledge Base Articles:
     - Q313450, MS02-012: A Malformed Data Transfer Request
     May Cause the Windows SMTP Service to Stop Working,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q313450
     - Q289258, XGEN: Exchange Server 5.5 Post-Service
     Pack 4 Internet Mail Service Fixes Available,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289258
    * CVE Information:
     - CAN-2002-0054,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0054

    ++++++++++

    3.13 MS02-012: Malformed Data Transfer Request can Cause Windows SMTP
                   Service to Fail
         - released 27 February 2002
         - revised 12 March 2002 (joint patch for MS02-011 and MS02-012)

    Risk: **LOW
     - Internet systems: LOW
     - Intranet systems: LOW
     - Client systems: LOW

    Impact: denial of service

    Systems Affected:
     - Windows 2000
     - Windows XP Professional
     - Microsoft Exchange 2000
     - Windows NT 4.0, Exchange 5.5 and Windows XP Home are NOT vulnerable
     - Other versions are no longer supported, were not tested, and may
     or may not be vulnerable.

    Summary:
    By sending a specially malformed command to the SMTP service on
    vulnerable systems, an attacker could cause the SMTP service to crash.
    The SMTP service is installed with Windows 2000 Server by default, and
    Exchange 2000 uses the Windows 2000 SMTP service. The SMTP service is
    included with Windows 2000 Professional and Windows XP Professional,
    but not installed by default.

    Details:
    * MS02-012 (including patch information and availability):
    http://www.microsoft.com/technet/security/bulletin/ms02-012.asp
    * Knowledge Base Articles:
     - Q313450, MS02-012: A Malformed Data Transfer Request
     May Cause the Windows SMTP Service to Stop Working,
     http://support.microsoft.com/default.aspx?scid=kb;EN-US;q313450
    * CVE Information:
     - CAN-2002-0055,
     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0055

    +-+-+-+-+-+-+-+-+-+-+

    4. Additional Microsoft Software Issues

    4.1 Other Microsoft Product Issues

    4.1.1 Microsoft Windows 2000 Password Policy Bypass Vulnerability
    * Risk: LOW
    * Impact: password reuse
    * Summary: Windows 2000 password policy can be set to prohibit reuse
    of previous passwords (password history). If a user changes his or
    her password before it expires (and is prompted by Windows to change
    it), the password history check is not performed. Passwords must
    still meet all other policy requirements.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4256
    * Discovered by: Leonid Mamtchenkov

    ++++++++++

    4.1.2 Windows NT Security Policy Bypass Vulnerability
    * Risk: LOW
    * Impact: unauthorized account modification/access
    * Summary: Windows NT 4.0 users whose accounts have been set to
    "User cannot change password" can change their password via the
    remotely accessible IISADMPWD directory, installed by default on an
    IIS 4.0 server.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4236
    * Discovered by: Syed Mohammad

    ++++++++++

    4.1.3 Microsoft Windows NTFS File Hiding Vulnerability
    * Risk: LOW
    * Impact: creation of hidden/inaccessible data
    * Summary: The Win32 API enforces a MAX_PATH limit of 260 characters
    (259 plus the terminating null) on any fully qualified path name.
    However, using a drive letter mapped to a directory with the SUBST
    command, it is possible to create directories and subdirectories whose
    absolute path exceeds that limit. Utilities such as anti-virus
    software fail to scan these long paths, and if the drive mapping is
    deleted the files may become completely inaccessible.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3989
    * Discovered by: Hans Somers
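    To see why a MAX_PATH-bound scanner misses such files, resolve the
    substituted drive back to the physical path and measure it. The Python
    below is an added example (not from the Digest or the Bugtraq post): the
    SUBST table, drive letters and directory names are constructed, and
    SUBST chains (a substituted drive built on another one) are followed the
    way the file system would see them.

```python
import ntpath

MAX_PATH = 260            # Win32 MAX_PATH, counting the terminating NUL
LONGEST_OPENABLE = MAX_PATH - 1

# Constructed SUBST table (drive letters and directory names are invented):
#   subst X: C:\ddd...\ddd...\ddd...
#   subst Y: X:\eee...\eee...        <- a substituted drive built on another
SUBST_TABLE = {
    "X:": "C:\\" + "\\".join(["d" * 60] * 3),
    "Y:": "X:\\" + "\\".join(["e" * 60] * 2),
}

def resolve_subst(path, table=SUBST_TABLE, max_hops=26):
    """Expand substituted drive letters until the path begins at a drive
    that is not in the table, i.e. the path the file system actually sees."""
    for _ in range(max_hops):
        drive, rest = ntpath.splitdrive(path)
        target = table.get(drive.upper())
        if target is None:
            return path
        # lstrip so ntpath.join appends under the target instead of re-rooting
        path = ntpath.join(target, rest.lstrip("\\"))
    raise ValueError("SUBST chain too long or cyclic: %s" % path)

def hidden_from_max_path_tools(path, table=SUBST_TABLE):
    """True if the resolved path is longer than a MAX_PATH-bound tool can
    open, even though the short substituted form worked for its creator."""
    return len(resolve_subst(path, table)) > LONGEST_OPENABLE

def scan_report(paths, table=SUBST_TABLE):
    """For each path: (resolved length, reachable by a MAX_PATH-bound scanner)."""
    return {p: (len(resolve_subst(p, table)),
                not hidden_from_max_path_tools(p, table)) for p in paths}
```

    A file written as Y:\payload.exe is 14 characters to whoever created it
    but 319 characters once both substitutions are expanded, which is why a
    scanner that opens files by their physical path never sees it.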

    ++++++++++

    4.1.4 Outlook Express Attachment Vulnerability
    * Risk: LOW
    * Impact: bypass mail filters
    * Summary: It is possible to send data - including attachments -
    in the subject line of an Outlook Express email by placing bare
    carriage return (<CR>) characters in the Subject header. Outlook
    Express treats the text following the carriage return as the start
    of the message body. Because mail filtering tools do not parse the
    subject line for malicious content, this could allow an attacker to
    send malicious code that bypasses the filters.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4092
    * Discovered by: Valentijn Sessink
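    The mismatch is between a parser that ends header lines only at CRLF and
    a client that also ends them at a bare CR. The Python below is an added
    example, not code from the Digest or from the report: the message bytes
    are constructed (the base64 fragment is a stand-in, not a real
    executable), and find_header_injection() is the check a filter should
    apply to headers before it scans the body.

```python
import re

STRICT = rb"\r\n"            # RFC 822: only CRLF ends a header line
LENIENT = rb"\r\n|\r|\n"     # a client that also accepts a bare CR or LF

# Constructed message (not a real capture). To a strict parser everything
# after the bare CR in the Subject line is still part of the Subject value.
CRAFTED = (
    b"From: sender@example.test\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: Quarterly report\r"
    b"Content-Type: application/octet-stream; name=\"report.exe\"\r"
    b"\r"
    b"TVqQAAMAAAAEAAAA\r\n"
    b"\r\n"
    b"Hi, see attached.\r\n"
)

def split_message(raw, line_end):
    """Split a raw message into ([(name, value), ...], body) using the given
    line-terminator pattern; the first empty line ends the header block."""
    lines = re.split(line_end, raw)
    headers = []
    end = len(lines)
    for i, line in enumerate(lines):
        if line == b"":
            end = i
            break
        name, sep, value = line.partition(b":")
        if not sep:
            name, value = b"?", line      # not a header line; keep it visible
        headers.append((name, value.strip()))
    body = b"\n".join(lines[end + 1:])
    return headers, body

def header_names(raw, line_end):
    return [name for name, _ in split_message(raw, line_end)[0]]

def find_header_injection(raw):
    """Names of headers whose strictly parsed value still contains a CR or
    LF: what a filter must refuse instead of scanning only the body."""
    return [name.decode("ascii", "replace")
            for name, value in split_message(raw, STRICT)[0]
            if b"\r" in value or b"\n" in value]
```

    Under STRICT the filter sees three headers and a one-line text body;
    under LENIENT the same bytes yield a Content-Type header declaring an
    attachment and a body that begins with the encoded payload.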

    ++++++++++

    4.1.5 Microsoft IIS Authentication Method Disclosure
    * Risk: LOW
    * Impact: information disclosure
    * Summary: It is possible to determine the types of authentication
    (Basic, Integrated Windows/NTLM) that are enabled on an IIS web server,
    based on error messages returned when requests containing different
    types of user credentials are submitted to the IIS server.
    * More Information:
     - NGS Software Advisory:
     http://www.nextgenss.com/advisories/iisauth.txt
     - Bugtraq: http://www.securityfocus.com/bid/4235
    * Discovered by: David Litchfield

    ++++++++++

    4.1.6 Microsoft MSDTC Service Denial of Service
    * Risk: LOW
    * Impact: denial of service
    * Summary: The Microsoft Distributed Transaction Coordinator (MSDTC),
    which is installed by default on Windows 2000 Server and with
    Microsoft SQL Server, will crash or become unstable if 1024 bytes of
    random data are sent to the service's listening port.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4006

    ++++++++++

    4.1.7 Microsoft Site Server Multiple Vulnerabilities
    * Risk: MODERATE
    * Impact: various
    * Summary: Microsoft Site Server 3.0 and 3.0 Commerce Edition contain
    several vulnerabilities, including the ability for anonymous LDAP
    users to obtain LDAP passwords stored in clear text; and the ability
    for remote users to insert SQL commands due to the failure of Site
    Server's default web applications to properly validate user input.
    * More Information:
     - RFP Advisory: http://www.wiretrip.net/rfp/p/doc.asp/i7/d69.htm
     - Bugtraq: http://www.securityfocus.com/bid/4000,
     http://www.securityfocus.com/bid/4009
    * Discovered by: Rain Forest Puppy

    +-+-+-+-+-+-+-+-+-+-+

    5. Virus Alerts

    5.1 Yarner Worm
    The Yarner worm arrives via email disguised as a new release of
    the YAW software from the German Trojaner-Info web site. If the
    executable is run, the worm will email itself to addresses in the
    Outlook Address book. It will also overwrite the Notepad application
    (notepad.exe) with a Trojan copy. The worm may also attempt to delete
    all files on the drive where Windows is installed.
    More information:
     - Symantec writeup:
     http://securityresponse.symantec.com/avcenter/venc/data/w32.yarner.amm.html

    ++++++++++

    5.2 Gibe Worm
    The Gibe worm arrives as an executable attachment in what appears to
    be a Microsoft Security Bulletin. If the executable is run, the worm
    will email itself to addresses in the Outlook Address book. It also
    loads a Trojan backdoor (GfxAcc.exe) that listens on port 12378.
    More information:
     - Symantec writeup:
     http://securityresponse.symantec.com/avcenter/venc/data/w32.gibemm.html

    ++++++++++

    5.3 MyLife/MyLife.B Worm
    The MyLife worm arrives as an attachment called "My Life.scr."
    If the file is run, the worm will email itself to all addresses in
    the Outlook Address Book and will attempt to delete files with the
    following extensions: .com, .sys, .ini, .exe, .vxd, and .dll.
    A variant, MyLife.B (also known as the "Caric" worm) arrives as
    the file "cari.scr". The worm's payload will only trigger if the
    system time is between 8:00 AM and 9:00 AM. If triggered, it will
    email itself to addresses in the Outlook Address Book, and attempt
    to delete all files on drives C:\ through F:\, as well as files with
    extensions *.sys, *.vxd, *.ocx, and *.nls.
    More information:
     - Symantec writeup (MyLife):
     http://securityresponse.symantec.com/avcenter/venc/data/w32.mylifemm.html
     - Symantec writeup (MyLife.B):
     http://securityresponse.symantec.com/avcenter/venc/data/w32.mylife.bmm.html

    +-+-+-+-+-+-+-+-+-+-+

    6. Third-Party Software Issues

    6.1 Buffer Overflows
    * Risk: HIGH
    Buffer overflows can generally be used to execute arbitrary code
    on the victim host; as such, they should be considered HIGH risk.
    Many buffer overflows are discovered each month. We report the ones
    we know about here. In addition, we have tried to give you a little
    more information in a concise format. To that end, certain items are
    marked with an (F) and/or (E). (E) means that an exploit for this issue
    is publicly available. (F) means that a fix is currently available.

    6.1.1 Internet Security Systems BlackICE and RealSecure Buffer Overflow
          (F,E)
    * Summary: Versions of BlackICE Defender, BlackICE Agent, and
    RealSecure Server Sensor running on various Windows platforms are
    subject to denial of service through a "ping flood" in which large
    ICMP Echo Request (ping) packets are sent to the target system.
    The attacker can crash the target system, and specially crafted
    packets can execute code in the context of the target system's kernel.
    Blocking ICMP Echo Requests at the perimeter mitigates external
    attacks; ISS has provided a workaround that blocks ICMP Echo Requests
    on the agents themselves, and a patch is also available.
    * More Information:
     - eEye Advisory:
     http://www.eeye.com/html/Research/Advisories/AL20020208.html
     - Bugtraq: http://www.securityfocus.com/bid/4025
     - ISS patch: http://www.iss.net/support/consumer/BI_downloads.php
     - ISS Alerts: http://www.iss.net/security_center/static/8058.php,
     http://www.iss.net/security_center/alerts/advise109.php
    * Discovered by: Matt Taylor

    ++++++++++

    6.1.2 CNet CatchUp Remote Arbitrary Code Execution Vulnerability (F)
    * Summary: CNet CatchUp version 1.3 contains a security vulnerability
    that may allow an attacker to launch CatchUp remotely and/or execute
    arbitrary code on the host. CNet did not release details of the
    vulnerability. Users should disable the "Start scan on execute"
    option, or upgrade to version 1.3.1.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3975
     - CNet CatchUp web site:
     http://catchup.cnet.com/catchup/cu/index/index.html
     - Newsbytes article: http://www.newsbytes.com/news/02/173906.html
    * Discovered by: CNet

    ++++++++++

    6.1.3 mIRC Nick Buffer Overflow Vulnerability (F,E)
    * Summary: mIRC versions 2.1 and higher (prior to 6.0) contain a flaw
    in the code that handles nicknames. An overly long nickname (200+
    characters) can overflow the buffer and execute arbitrary code on the
    client. Users should upgrade to mIRC 6.0.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4027
     - MIRC web site: http://www.mirc.com/index.html
    * Discovered by: James Martin

    ++++++++++

    6.1.4 BBShareware.com Phusion Webserver Long URL Buffer Overflow (E)
    * Summary: A buffer overflow condition exists in the Phusion Webserver
    code that handles HTTP GET requests. An attacker can use this
    condition to execute arbitrary code in the context of the web server
    (usually SYSTEM). There is currently no patch available.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4119
     - Phusion web site: http://www.bbshareware.com/phusion/
    * Discovered by: Alex Hernandez

    ++++++++++

    6.1.5 SAS SASTCPD Command Line Argument Buffer Overflow Vulnerability
          (F)
    * Summary: SAS Base and SAS Integration Technologies modules v8.0 and
    8.1 include the SASTCPD "job spawner." A buffer overflow can occur
    if the program is given a command line argument of 1200 characters.
    Users should upgrade to v8.2.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/3979
     - SAS Alert:
     http://www.sas.com/service/techsup/unotes/SN/004/004201.html
    * Discovered by: Woodahs Latigid

    ++++++++++

    6.1.6 TalentSoft Web+ Multiple Buffer Overflows (F)
    * Summary: TalentSoft Web+ v4.6 and 5.0 contain two buffer overflow
    conditions. The first exists in the Web+ executable; an over-long URL
    may be used to overwrite the stack and execute code on the server.
    The second buffer overflow occurs when an over-long request is made
    for a Web Markup Language (wml) file. Both can be used to execute
    code in the context of the web server (usually SYSTEM). Users should
    install the TalentSoft patches to address this issue.
    * More information:
     - NGS Software Advisories:
     http://www.nextgenss.com/advisories/webplus.txt,
     http://www.nextgenss.com/advisories/webplus2.txt
     - Bugtraq: http://www.securityfocus.com/bid/4233,
     http://www.securityfocus.com/bid/4282
     - TalentSoft alert:
     http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943
     - TalentSoft patches:
     ftp://ftp.talentsoft.com/download/webplus/windows/webplus_46_security_patch2.exe
     ftp://ftp.talentsoft.com/download/webplus/windows/webplus_50_security_patch.exe
    * Discovered by: Mark Litchfield, David Litchfield

    ++++++++++

    6.2.1 BBShareware.com Phusion Webserver Multiple Vulnerabilities
    * Risk: MODERATE
    * Impact: information disclosure; denial of service; execution of
    arbitrary code
    * Summary: Multiple vulnerabilities have been discovered in
    BBShareware's Phusion web server. The software is vulnerable to
    directory traversal attacks using "triple dot slash" (.../) when
    using encoded variations of the forward slash (/) and backward slash
    (\) characters. Phusion is also subject to denial of service attacks
    by submitting an overly-long web request. This second condition may
    also be exploitable as a buffer overflow. See also item 6.1.4, above.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4117,
     http://www.securityfocus.com/bid/4118,
     http://www.securityfocus.com/bid/4119
     - BBShareware Phusion site: http://www.bbshareware.com/phusion/
    * Discovered by: Alex Hernandez

    ++++++++++

    6.2.2 BindView NETinventory Password Retrieval
    * Risk: LOW
    * Impact: information disclosure
    * Summary: BindView NETinventory stores configuration information,
    including passwords, in the HOSTCFG._NI file. While this file is
    normally protected, if the file is deleted and a new audit is run,
    configuration information may be temporarily stored in clear text in
    the HOSTCFG.INI file.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3957
     - BindView NETinventory site:
     http://www.bindview.com/products/Control/netinv.cfm
    * Discovered by: Brent Barker

    ++++++++++

    6.2.3 Castelle Faxpress Plaintext Password Disclosure
    * Risk: LOW
    * Impact: information disclosure
    * Summary: If a print job is submitted to Castelle Faxpress with
    a bad login name, Faxpress will return an error message showing the
    login name and password in clear text.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4030
     - Castelle Faxpress site:
     http://www.castelle.com/products/faxpress/default.htm
    * Discovered by: Leon Ward

    ++++++++++

    6.2.4 Coolsoft PowerFTP Server Multiple Vulnerabilities
    * Risk: LOW
    * Impact: information disclosure
    * Summary: Two vulnerabilities have been discovered in CoolSoft's
    PowerFTP Server. In the first, PowerFTP will display the full
    (absolute) path in response to a PWD (print working directory) command,
    instead of a relative path. In the second, PowerFTP stores account
    information in clear text in the ftpserver.ini file. It may be
    possible for an attacker to obtain this information remotely through
    a known directory traversal vulnerability.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4072,
     http://www.securityfocus.com/bid/4074,
     http://www.securityfocus.com/bid/3593
     - CoolSoft PowerFTP site: http://www.cooolsoft.com/powerftp.htm
    * Discovered by: Strumpf Noir Society

    ++++++++++

    6.2.5 Dino's Webserver Denial of Service
    * Risk: LOW
    * Impact: denial of service
    * Summary: It is possible to cause a denial of service condition by
    submitting multiple over-long GET requests to the server. This may
    cause the server to lock up or crash.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4123
     - Dino's Webserver site: http://funsoft.101main.com/

    ++++++++++

    6.2.6 Endymion MailMan Alternate Templates File Disclosure
    * Risk: LOW
    * Impact: information disclosure
    * Summary: It is possible to conduct a directory traversal attack
    against Endymion MailMan by supplying a specially crafted request
    to the ALTERNATE_TEMPLATES CGI variable. An attacker can request a
    known file name using "dot dot slash" (../) characters and placing
    a null character (%00) at the end of the file name.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4222
     - Endymion MailMan site: http://www.endymion.com/products/mailman/
    * Discovered by: Rudi Carrell

    ++++++++++

    6.2.7 Endymion Sake Mail Null Character File Disclosure
    * Risk: LOW
    * Impact: information disclosure
    * Summary: It is possible to conduct a directory traversal attack
    against Endymion Sake Mail by supplying a specially crafted web
    request. An attacker can request a known file name using "dot dot
    slash" (../) characters and placing a null character (%00) at the
    end of the file name.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4223
     - Endymion Sake Mail site:
     http://www.endymion.com/products/sake/mail/index.htm
    * Discovered by: Rudi Carrell

    ++++++++++

    6.2.8 Essentia Web Server Multiple Vulnerabilities
    * Risk: LOW
    * Impact: denial of service; information disclosure
    * Summary: Two vulnerabilities have been discovered in Essentia
    Web Server. Essentia is vulnerable to a denial of service attack
    if an attacker submits an over-long URL (>2000 bytes). Essentia is
    also vulnerable to directory traversal attacks using "dot dot slash"
    (../) characters.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4159,
     http://www.securityfocus.com/bid/4160
     - Sahin advisory: http://www.securityoffice.net/articles/essentia1/
     - Essentia patch:
     http://www.essencomp.com/Products/Essentia/Essentia.exe
     - Essentia web site: http://www.essencomp.com
    * Discovered by: Tamer Sahin
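    Items 6.2.1 and 6.2.6 through 6.2.8 are variations on one theme: the
    server checks the request path before it has fully decoded it. The Python
    below is an added example, not code from the Digest or from any of the
    products named: it decodes a request path the way a hardened server
    should (repeated percent-decoding, backslash folding, NUL rejection, and
    refusal of every all-dots segment including ".../") and then confirms the
    result stays inside an assumed document root. The request paths in
    SAMPLE_REQUESTS are constructed, not taken from the advisories.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/docs"   # assumed document root; any absolute path works

class BadRequestPath(ValueError):
    """Request path refused before any file system access."""

def decode_request_path(raw, rounds=2):
    """Percent-decode up to `rounds` times (so %252e%252e, double-encoded "..",
    is caught) and fold backslashes to forward slashes, as servers on
    Windows do when they accept "\\" as a path separator."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def safe_resolve(raw, docroot=DOCROOT):
    """Map a request path to a file under docroot or raise BadRequestPath."""
    path = decode_request_path(raw)
    if "\x00" in path:
        # A NUL truncates the name in a C-level open(); the extension check
        # the application performed on the full string no longer applies.
        raise BadRequestPath("NUL byte in path")
    for seg in path.split("/"):
        if len(seg) >= 2 and set(seg) == {"."}:
            # "..", "...", "....": refuse every all-dots segment rather than
            # guess which ones a particular server collapses to the parent.
            raise BadRequestPath("dot segment: %r" % seg)
    full = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        raise BadRequestPath("escapes document root")
    return full

def classify(raw, docroot=DOCROOT):
    """'ok:<resolved path>' or 'rejected:<reason>' for one request path."""
    try:
        return "ok:" + safe_resolve(raw, docroot)
    except BadRequestPath as err:
        return "rejected:" + str(err)

# Constructed request paths covering the tricks reported in 6.2.1 and
# 6.2.6 through 6.2.8. None of them are quoted from the advisories.
SAMPLE_REQUESTS = [
    "/index.html",
    "/.../.../winnt/win.ini",              # "triple dot slash"
    "/..%2f..%2fwinnt/win.ini",            # encoded forward slash
    "/..%5c..%5cwinnt/win.ini",            # encoded backslash
    "/%252e%252e/%252e%252e/etc/passwd",   # double-encoded dots
    "/templates/../../etc/passwd",         # plain dot-dot-slash
    "/templates/mail.txt%00.html",         # NUL truncation
]
```

    Only the first sample resolves; everything else is refused before the
    server touches the file system, and the reason string tells you which
    trick was attempted.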

    ++++++++++

    6.2.9 Etype EServ Multiple Vulnerabilities
    * Risk: LOW
    * Impact: denial of service; relay attack
    * Summary: Two vulnerabilities have been discovered in Etype's EServ
    FTP server. EServ is vulnerable to a denial of service condition
    by sending multiple "PASV" commands and consuming available ports on
    the system. EServ is also vulnerable to FTP Bounce attacks by using
    the "PORT" command to connect to an arbitrary port on the system.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3983,
     http://www.securityfocus.com/bid/3986
     - EServ patch: ftp://ftp.eserv.ru/pub/beta/2.98/Eserv3123.zip
     - EServ site: http://www.eserv.ru/eserv/
    * Discovered by: Arne Vidstrom
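    Both EServ problems are standard FTP server hygiene: a PORT command must
    only point back at the client that issued it on an unprivileged port, and
    PASV listeners must be capped per client so they cannot be used to drain
    the port range. The Python below is an added example, not code from the
    Digest or from EServ; the client addresses, the port range and the
    per-client limit are constructed for the illustration.

```python
import ipaddress

class FtpPolicyError(Exception):
    """A data-connection request the server should answer with a 5xx reply."""

def parse_port_arg(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise FtpPolicyError("PORT needs six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise FtpPolicyError("PORT fields must be integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise FtpPolicyError("PORT fields must be in 0-255")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer_ip):
    """Anti-bounce rule: the data connection may only go back to the host that
    issued the command, and only to an unprivileged port."""
    host, port = parse_port_arg(arg)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        raise FtpPolicyError("PORT target %s differs from control peer %s"
                             % (host, control_peer_ip))
    if port < 1024:
        raise FtpPolicyError("PORT to privileged port %d refused" % port)
    return host, port

def port_command_verdict(arg, control_peer_ip):
    """Human-readable verdict, convenient for logging."""
    try:
        host, port = check_port_command(arg, control_peer_ip)
        return "allow %s:%d" % (host, port)
    except FtpPolicyError as err:
        return "deny: %s" % err

class PasvAllocator:
    """Caps the passive listeners one client may hold open at a time, so a
    stream of PASV commands cannot drain the server's data-port range."""
    def __init__(self, per_client_limit=4, port_range=(50000, 50100)):
        self.limit = per_client_limit
        self.free = list(range(*port_range))
        self.held = {}                      # client ip -> ports awaiting a connect

    def pasv(self, client_ip):
        held = self.held.setdefault(client_ip, [])
        if len(held) >= self.limit:
            raise FtpPolicyError("too many passive transfers pending for %s" % client_ip)
        if not self.free:
            raise FtpPolicyError("no passive ports available")
        port = self.free.pop(0)
        held.append(port)
        return port

    def release(self, client_ip, port):
        """Call when the data connection completes or the listener times out."""
        self.held[client_ip].remove(port)
        self.free.append(port)

    def pending(self, client_ip):
        return len(self.held.get(client_ip, []))

def simulate_pasv_flood(attempts, limit=4):
    """Constructed scenario: one client issues PASV repeatedly without ever
    connecting. Returns how many listeners it managed to tie up."""
    alloc = PasvAllocator(per_client_limit=limit)
    granted = 0
    for _ in range(attempts):
        try:
            alloc.pasv("203.0.113.9")
            granted += 1
        except FtpPolicyError:
            break
    return granted
```

    A real server would pair the allocator with a timeout that calls
    release() for listeners nobody connects to; without that, the cap only
    bounds the damage per client rather than removing it.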

    ++++++++++

    6.2.10 FastTrack P2P Technology Multiple Vulnerabilities
    * Risk: LOW
    * Impact: identity spoofing; denial of service
    * Summary: FastTrack P2P technology forms the basis for various file
    sharing clients such as FastTrack KaZaA, Grokster, and Music City
    Networks Morpheus. Two vulnerabilities have been discovered in the
    underlying FastTrack components. In the first, it is possible to
    spoof the identity of another user by crafting an HTTP GET request
    with bogus authentication information in the header. FastTrack is
    also vulnerable to denial of service attacks caused by sending multiple
    message requests to a vulnerable client to starve system resources.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4121,
     http://www.securityfocus.com/bid/4122
     - KaZaA site: http://www.kazaa.com/en/index.htm
     - Grokster site: http://www.grokster.com/
     - Morpheus site: http://www.musiccity.com/
    * Discovered by: mrjade 2k2

    ++++++++++

    6.2.11 Galacticomm Worldgroup Multiple Denial of Service
           Vulnerabilities
    * Risk: LOW
    * Impact: denial of service
    * Summary: Two denial of service conditions have been discovered
    in Galacticomm Worldgroup's FTP and Web Server software. The first
    affects the FTP server and can be triggered by sending an over-long
    "LIST" command to the server that contains multiple "slash dot dot
    slash" (/../) characters. The second affects the web server and can
    be triggered by sending an over-long HTTP GET request composed of
    arbitrary characters.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4185,
     http://www.securityfocus.com/bid/4186
     - Limpid Byte advisory:
     http://online.securityfocus.com/archive/1/258641
     - Galacticomm home page: http://www.gcomm.com/index.htm
    * Discovered by: Limpid Byte/Security.NNOV

    ++++++++++

    6.2.12 Gator Digital Wallet Vulnerability
    * Risk: HIGH
    * Impact: arbitrary execution of code
    * Summary: The ActiveX plugin used to install the Gator digital wallet
    uses an HTML page to point to the Gator executable to be downloaded
    and installed. A malicious HTML page could be used to point to a
    Trojan installation file and install code of the attacker's choice
    on the victim's computer.
    * More Information:
     - Obscure advisory:
     http://eyeonsecurity.net/advisories/gatorieplugin.htm
     - Gator home page: http://www.gator.com
    * Discovered by: Obscure

    ++++++++++

    6.2.13 Hosting Controller Information Disclosure Vulnerability
    * Risk: LOW
    * Impact: information disclosure
    * Summary: When an invalid username is submitted to the Hosting
    Controller application, an error message is returned stating that "the
    user name could not be found." This information could aid an attacker
    in determining valid vs. invalid usernames for further attacks.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3971
     - Alper advisory: http://online.securityfocus.com/archive/1/252645
     - Hosting Controller site: http://www.hostingcontroller.com/
    * Discovered by: Ahmet Sabri Alper

    ++++++++++

    6.2.14 John Roy Pi3Web Multiple Vulnerabilities
    * Risk: LOW
    * Impact: information disclosure
    * Summary: Two vulnerabilities have been discovered in the John Roy
    Pi3Web server software. The first is a path disclosure vulnerability;
    a request for a non-existent web page will return the absolute path to
    the web server root. The second is a file disclosure vulnerability;
    an attacker can request a list of specific file types on the web
    server by submitting a request containing the wildcard character (*)
    followed by the specific file extension.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4261,
     http://www.securityfocus.com/bid/4262
     - John Roy Pi3Web site: http://pi3web.sourceforge.net/pi3web/
    * Discovered by: Tekno pHReak

    ++++++++++

    6.2.15 MailServer by SH39 Denial of Service Vulnerability
    * Risk: LOW
    * Impact: denial of service
    * Summary: SH39's MailServer software is subject to a denial of service
    attack by submitting a large amount of arbitrary data to port 25.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4232
     - SH39 MailServer site:
     http://sh39.net/norcont/content.asp?ID=192&GN=Software
    * Discovered by: Rense Buijen

    ++++++++++

    6.2.16 mIRC DCC Nick Disclosure Vulnerability
    * Risk: LOW
    * Impact: information disclosure
    * Summary: It is possible to obtain the current nickname of a mIRC
    user by submitting the command "100 testing" when a connection is
    initiated using the DCC protocol.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4247
     - mIRC site: http://www.mirc.com/index.html
    * Discovered by: James Evans

    ++++++++++

    6.2.17 Novell GroupWise Web Root Disclosure
    * Risk: LOW
    * Impact: information disclosure
    * Summary: Submitting a specially formatted request to the GroupWise
    GWWEB.EXE CGI process will return an error message that includes the
    full path to the script.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4206
     - Sahin advisory: http://www.securityoffice.net/articles/groupwise/
     - Novell GroupWise site: http://www.novell.com/products/groupwise/
    * Discovered by: Tamer Sahin
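    Both the Pi3Web 404 page (6.2.14) and the GroupWise GWWEB.EXE error
    (6.2.17) leak the server's directory layout in a response body. The
    Python script below is an added example, not code from either product
    or from the advisories: it flags absolute Windows and UNIX paths in a
    response so a web scanner or a proxy log check can catch this class of
    disclosure. The sample responses are constructed and the path names in
    them are hypothetical.

```python
import re

# Windows absolute path: drive letter, then backslash-separated components.
# Components containing spaces are not matched, which keeps the pattern from
# swallowing the rest of the sentence; widen the character class if needed.
_WIN_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|\s]+\\)*[^\\/:*?"<>|\s]*')

# UNIX absolute path with at least two components. The lookbehind rejects a
# slash that follows a word character, '.', '/' or ':', so URL paths such as
# http://host/docs/x.html are not reported as filesystem paths.
_UNIX_PATH = re.compile(r'(?<![\w./:])/(?:[\w.-]+/)+[\w.-]*')


def find_leaked_paths(body: str) -> list:
    """Return absolute filesystem paths found in an HTTP response body.

    Intended for a scanner or IDS rule that flags error pages revealing the
    server's directory layout, as in the Pi3Web and GroupWise entries.
    """
    return _WIN_PATH.findall(body) + _UNIX_PATH.findall(body)


# Constructed sample responses (not captured from the products named above).
SAMPLE_404 = r'<html>404: the file C:\Pi3Web\WebRoot\nosuch.html does not exist</html>'
SAMPLE_CGI = 'Error: could not open /usr/local/groupwise/docs/index.htm for reading'
SAMPLE_OK = '<a href="http://www.example.com/docs/index.html">docs</a> Not found.'

if __name__ == "__main__":
    for sample in (SAMPLE_404, SAMPLE_CGI, SAMPLE_OK):
        print(find_leaked_paths(sample) or "no path disclosed")
```

    Run it over saved error pages or over response bodies in a proxy log;
    an empty list means nothing that looks like a server-side path was
    echoed back.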

    ++++++++++

    6.2.18 Oracle TNS Listener Arbitrary Library Call Execution
    * Risk: HIGH
    * Impact: arbitrary execution of code
    * Summary: PL/SQL code running in the Oracle database can call
    functions in external shared libraries (DLLs or .so files) through the
    external procedure agent, extproc, which the Oracle Listener launches
    on request. The Listener does not authenticate these requests, so an
    attacker who can reach the Listener port can impersonate the database
    server, without any database credentials, and ask extproc to load any
    library on the host and call any function in it, including C runtime
    routines that run shell commands.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4033
     - NGS Software Advisory:
     http://www.nextgenss.com/advisories/oraplsextproc.txt
     - CERT Advisory CA-2002-008:
     http://www.cert.org/advisories/CA-2002-08.html
    * Discovered by: David Litchfield

    ++++++++++

    6.2.19 PGPFire Desktop Firewall ICMP Fingerprinting Vulnerability
    * Risk: LOW
    * Impact: information disclosure
    * Summary: When installed, the PGPFire Desktop Firewall replaces the
    standard TCP/IP stack on a Windows system with its own custom stack.
    Because the custom stack answers ICMP probes differently from the
    native Windows stack, a remote attacker can easily "fingerprint" the
    system and identify the underlying operating system.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3961
     - PGP site: http://www.pgp.com/
    * Discovered by: Ofir Arkin

    ++++++++++

    6.2.20 Rit Research Labs The Bat! MS DOS Device Name Denial Of Service
    * Risk: LOW
    * Impact: denial of service
    * Summary: The Bat! email client is subject to a denial of service
    condition. If the software is configured to store attachments
    separately from email messages, the system can be made to stop
    responding if an MS-DOS device name is included in the file name of
    the attachment.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4187
     - The Bat! site: http://www.ritlabs.com/index.html
    * Discovered by: 3APA3A
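    The defence against the attachment problem in 6.2.20 is to recognise
    DOS device names before writing a file, remembering that Windows
    resolves them regardless of directory and ignores the extension. The
    Python below is an added example written for this digest, not code
    from The Bat! or from the advisory; the reserved-name list follows
    Microsoft's documented set, with COM0/LPT0 included as a precaution,
    and the sample names are constructed.

```python
import re

# Names that the Win32 subsystem maps to devices regardless of directory.
# COM0/LPT0 are included defensively; the classic list is COM1-9 and LPT1-9.
_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(10)}
    | {f"LPT{i}" for i in range(10)}
)


def is_dos_device_name(filename: str) -> bool:
    """True if Windows would open filename as a device instead of a file.

    Only the last path component matters; Win32 ignores trailing spaces and
    dots, and anything after the first dot is treated as an extension, so
    'CON', 'con.txt' and 'C:\\mail\\AUX.tar.gz' all resolve to devices.
    """
    base = re.split(r"[\\/]", filename)[-1]
    base = base.rstrip(" .")
    stem = base.split(".", 1)[0].rstrip(" ")
    return stem.upper() in _DEVICE_NAMES


def safe_attachment_name(filename: str, prefix: str = "_") -> str:
    """Return a name that is safe to write to disk on Windows.

    Device names get a prefix so the file is still recognisable; all other
    names are returned unchanged (only the last path component is kept).
    """
    base = re.split(r"[\\/]", filename)[-1]
    return prefix + base if is_dos_device_name(base) else base


# Constructed attachment names for a quick check (not from any real message).
SAMPLE_NAMES = ["report.txt", "CON", "con.txt", "aux.tar.gz", "LPT1", "console.log"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:16} device={is_dos_device_name(name)} "
              f"save_as={safe_attachment_name(name)!r}")
```

    Apply safe_attachment_name() to every attachment name before it reaches
    the filesystem; the check is cheap and independent of the mail client's
    own attachment-storage setting.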

    ++++++++++

    6.2.21 SAS SASTCPD Command Format String Vulnerability
    * Risk: MODERATE
    * Impact: privilege elevation
    * Summary: The SASTCPD "job spawner" included with the SAS Base
    software is vulnerable to a format string attack. If the spawner is
    given a command line argument containing format specifiers (such as
    %n), the string is passed to a formatting function unescaped; an
    attacker can use this to overwrite memory and execute arbitrary code,
    which could be used to gain administrator level access.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/3980
     - SAS Advisory:
     http://www.sas.com/service/techsup/unotes/SN/004/004201.html
    * Discovered by: Wodahs Latigid

    ++++++++++

    6.2.22 Sybex E-Trainer Software Relative Path Filtering Directory
           Traversal
    * Risk: LOW
    * Impact: information disclosure
    * Summary: Sybex E-Trainer uses an HTTP interface for users to access
    the computer based training (CBT) software. E-Trainer does not filter
    relative path (directory traversal) sequences from requested URLs, so
    a user can read any file whose path is known, with the permissions of
    the HTTP daemon, by submitting a URL containing such a path.
    * More Information:
     - Bugtraq: http://www.securityfocus.com/bid/4071
     - Sybex E-Trainer site: http://www.sybexetrainer.com
    * Discovered by: Zero Break

    ++++++++++

    6.2.23 Symantec Norton AntiVirus Multiple Vulnerabilities
    * Risk: MODERATE
    * Impact: bypass antivirus protection
    * Summary: Multiple vulnerabilities have been discovered in the
    Norton AntiVirus 2002 incoming email scanning component that may
    allow malicious code to bypass antivirus protection. Scanning can be
    evaded by:
      1. inserting NULL characters into the MIME type of a crafted email;
      2. embedding non-RFC-compliant MIME structures in the message;
      3. renaming a malicious attachment with a .dbx or .nch extension
         (these file types are excluded from scanning by default); or
      4. placing a file name/type that is excluded from scanning in the
         Content-Type field while the actual file name/type appears in
         the Content-Disposition field, which is the one the mail client
         uses when saving the attachment.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4242,
     http://www.securityfocus.com/bid/4243,
     http://www.securityfocus.com/bid/4245,
     http://www.securityfocus.com/bid/4246
     - Edvice Advisory: http://online.securityfocus.com/archive/1/260271
     - Symantec Norton AntiVirus site:
     http://www.symantec.com/nav/nav_9xnt/
    * Discovered by: Edvice Security Services
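    The fourth technique above works because a client saves an attachment
    under the Content-Disposition file name, while a scanner that keys its
    exclusion list off the Content-Type "name" parameter sees a harmless
    .dbx. The Python below is an added example (not Symantec's code or
    Edvice's proof of concept) that parses a constructed message of that
    shape and contrasts the two decisions: a naive scanner that skips
    excluded extensions, and a hardened one that scans every leaf part and
    uses the file name only for logging. NUL bytes in names (technique 1)
    are stripped before comparison.

```python
import email
import os
from email import policy

# Extensions the summary above says the product skipped by default.
SCAN_EXCLUDED = {".dbx", ".nch"}

# Constructed message (not from the advisory) using technique 4: Content-Type
# carries an excluded name while Content-Disposition carries the real one.
SAMPLE_MESSAGE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="notes.dbx"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def clean_name(name):
    """Drop NUL bytes (technique 1) and padding so the name compares sanely."""
    return None if name is None else name.replace("\x00", "").strip()


def ext_of(name):
    """Lower-cased extension of a name, or '' when there is no name."""
    return os.path.splitext(name)[1].lower() if name else ""


def effective_filename(part):
    """Name a mail client will save: Content-Disposition wins over Content-Type."""
    disp = part.get_param("filename", header="content-disposition")
    return clean_name(disp) or clean_name(part.get_param("name"))


def naive_would_scan(part):
    """Decision of a scanner that reads only the Content-Type 'name=' value
    and skips excluded extensions: the behaviour the summary says was bypassed."""
    return ext_of(part.get_param("name")) not in SCAN_EXCLUDED


def hardened_would_scan(part):
    """Scan every leaf part. The file name is for logging only and never
    decides whether content is examined, so renaming (technique 3) and
    header mismatches (technique 4) cannot skip the scan."""
    return not part.is_multipart()


def analyze(raw: bytes):
    """Return one record per leaf part with both scanners' decisions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        results.append({
            "name": effective_filename(part),
            "naive_scans": naive_would_scan(part),
            "hardened_scans": hardened_would_scan(part),
        })
    return results


if __name__ == "__main__":
    for record in analyze(SAMPLE_MESSAGE):
        print(record)
```

    The second record shows the gap: the naive scanner skips the part
    because Content-Type says "notes.dbx", yet the client writes
    "invoice.exe". Any exclusion list evaluated on a single header is a
    bypass waiting to happen.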

    ++++++++++

    6.2.24 Working Resources BadBlue Multiple Vulnerabilities
    * Risk: MODERATE
    * Impact: information disclosure; execution of code
    * Summary: Two vulnerabilities have been discovered in Working
    Resources' BadBlue web server. BadBlue is vulnerable to directory
    traversal attacks using "triple dot slash" (.../) sequences, a form
    that simple filters for "../" do not catch. In addition, BadBlue is
    subject to cross site scripting attacks: script supplied in user
    input is returned unencoded and executes in the context of the
    displayed page, including administrative pages.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4179,
     http://www.securityfocus.com/bid/4180
     - Working Resources BadBlue site: http://www.badblue.com/index.htm
    * Discovered by: Strumpf Noir Society

    ++++++++++

    6.2.25 Xerver Multiple Vulnerabilities
    * Risk: LOW
    * Impact: denial of service; information disclosure
    * Summary: Two vulnerabilities have been discovered with the Xerver
    web server. Xerver is subject to a denial of service condition that
    can be triggered by sending a large number of requests for "C:\" on
    port 32123. In addition, Xerver is subject to directory traversal
    attacks using "dot dot slash" (../) sequences.
    * More information:
     - Bugtraq: http://www.securityfocus.com/bid/4254,
     http://www.securityfocus.com/bid/4255
     - Xerver site: http://www.javascript.nu/xerver/
    * Discovered by: Alex Hernandez
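    The three traversal bugs above (Sybex E-Trainer, 6.2.22; BadBlue's
    ".../", 6.2.24; Xerver's "../", 6.2.25) all come from filtering
    request strings instead of resolving them. The Python function below
    is an added example, not code from any of these servers, of the
    resolve-then-check approach: decode, normalise separators, walk the
    segments, and refuse anything that climbs above the document root,
    including the dot-only segments that "../" filters miss. The document
    root and request paths are constructed test values.

```python
from urllib.parse import unquote
import posixpath


def resolve_request_path(web_root: str, url_path: str):
    """Map a request path onto web_root, or return None if it would escape.

    web_root is an absolute POSIX-style path with no trailing slash (a
    Windows server would use its document root the same way after
    normalising separators). The function decodes percent-encoding first,
    treats '\\' like '/', resolves '.' and '..' itself instead of filtering
    the string, and refuses segments made only of dots ('...'), drive
    letters and NUL bytes.
    """
    decoded = unquote(url_path).replace("\\", "/")
    if "\x00" in decoded or ":" in decoded:
        return None                      # C:\ style targets, NUL truncation
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None              # attempt to climb above the root
            segments.pop()
            continue
        if set(seg) == {"."}:
            return None                  # '...' and longer: the BadBlue form
        segments.append(seg)
    full = posixpath.join(web_root, *segments)
    # Belt and braces: the result must still sit under the root.
    if full != web_root and not full.startswith(web_root + "/"):
        return None
    return full


# Constructed request paths exercising the forms named in the entries above.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/../../boot.ini",
    "/.../.../boot.ini",
    "/..%2F..%2Fwinnt%2Fwin.ini",
    "\\..\\..\\autoexec.bat",
    "/C:\\",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:32} -> {resolve_request_path('/var/www', req)}")
```

    Note that "/docs/../index.html" is accepted and resolves to the index
    page: the goal is not to ban ".." but to refuse any path whose resolved
    form leaves the root, which is the check a string filter cannot make.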

    =======================================================================

    The SANS Windows Security Digest is available at no cost
    to all system, network, and security professionals who work
    with Windows. To subscribe, email digest@sans.org with the
    subject Windows Security Digest. Back issues are available at
    http://www.sans.org/newlook/digests/ntdigest.htm

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8om5E+LUG5KFpTkYRAghtAJ0SFEXeHS0i8wsiK/kyAR88TZ/fywCgoEDJ
    1T0W7FE1X37suEUqxkqOBC4=
    =/KUE
    -----END PGP SIGNATURE-----