From: Network Computing and The SANS Institute (sans+ZZ79957277759145436@sans.org)
Date: Wed Jul 03 2002 - 15:28:22 CDT
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 026 (02.26)
Wednesday, July 3, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
IN-DEPTH TECHNICAL SECURITY TRAINING (AND SECURITY MANAGEMENT COURSES)
IN THE NEXT 120 DAYS
*If you are planning to attend any security conference this fall, make
it SANS Network Security 2002 - the largest security conference.
http://www.sans.org/NS2002
*More Large SANS Training programs: Denver, Marina Del Ray (CA),
Ottawa, New York
*Smaller SANS programs: Detroit, San Antonio, Virginia Beach,
St. Louis, San Diego, Vienna, VA, Omaha, London, Vancouver,
Kuala Lumpur.
*Online and mentor-led programs starting up in August/September
in 40 cities.
Details and registration information for all programs: www.sans.org
----------------------------------------------------------------------
Last week, we incorrectly titled item {02.25.023} as OpenBSD 3.4 when
it should have read OpenSSH 3.4. To clarify, OpenSSH versions prior
to 3.4 have a bug in the challenge-response code.
This week, even more big bugs are surfacing. ISC/BIND's libresolve
libraries, as well as the various BSD libc libraries, have a bug in the
resolver code that could let a malicious DNS server exploit a buffer
overflow in any application making the DNS query. Updating the shared
libraries may not be sufficient; applications that are statically
linked with the vulnerable libraries at compile time will also have
to be replaced.
Apache's mod_ssl module was also found to have an off-by-one error
that lets local users do nasty stuff to HTTP processes via Trojaned
.htaccess files. ISPs and virtual hosting shops that let users provide
their own .htaccess configurations should be wary. More information
is provided in item {02.26.003}.
Last, the official BitchX IRC client FTP site was found to be serving
Trojaned copies of the source tarball. Identical to both the irssi
and fragrouter Trojan backdoors recently reported, this backdoor was
inserted in the 'configure' script and lets a foreign server execute
arbitrary command-line commands as the user who compiled/built the
client. If you've FTP'd a copy of the BitchX source code in the last
month, consider checking to see if the configure script is Trojaned
and, if it is, take appropriate actions.
Until next week,
- Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.26.006} Win - AnalogX SimpleServer:Shout malformed HTTP request DoS
{02.26.011} Win - AnalogX Proxy malformed HTTP request DoS
{02.26.012} Win - Lil'HTTP server urlcount.cgi REPORT CSS vuln
{02.26.014} Win - Multiple vendor WEB-INF directory access
{02.26.015} Win - OmniHTTPd large HTTP request DoS
{02.26.020} Win - Update {02.19.005}: ISC DHCPD nsupdate format string
vuln
{02.26.021} Win - MS02-033: Commerce server multiple buffer overflows
{02.26.022} Win - MS02-032: Windows Media Player cumulative patch
{02.26.005} Linux - Update {02.21.013}: Mailman multiple CSS vulns
{02.26.007} NW - IManage username field DoS
{02.26.025} HPUX - IPv6 dced/rpcd DoS
{02.26.013} NApps - Cisco SSH DoS
{02.26.001} Cross - Update {02.25.023}: OpenSSH version 3.4 available,
security vulns
{02.26.002} Cross - DNS libresolve/resolver buffer overflow
{02.26.003} Cross - Apache mod_ssl off by one config directive overflow
{02.26.004} Cross - Update {02.24.002}: Apache chunked encoding DoS and
overflow
{02.26.008} Cross - JRun character append reveals source code
{02.26.009} Cross - JRun admin server auth bypass
{02.26.010} Cross - Sitespring Server database engine DoS
{02.26.016} Cross - Betsie CGI suite CSS vulns
{02.26.017} Cross - Blackboard CGI suite multiple CSS vulns
{02.26.018} Cross - PHPAuction CGI arbitrary admin account creation
{02.26.019} Cross - Sendmail 8.12.5 released, with security fix
{02.26.023} Cross - HP/Sharity cifslogin multiple command-line param
overflows
{02.26.024} Cross - Cisco Secure ACS Acme.server file disclosure
--- Windows News -------------------------------------------------------
*** {02.26.006} Win - AnalogX SimpleServer:Shout malformed HTTP request
DoS
AnalogX SimpleServer:Shout version 1.0 has been found to contain a
denial-of-service vulnerability whereby a remote attacker can send a
particular malformed HTTP request to the service, eventually causing
it to stop responding.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0338.html
*** {02.26.011} Win - AnalogX Proxy malformed HTTP request DoS
AnalogX Proxy service version 4.07 has been found to contain a
denial-of-service vulnerability. A remote attacker can submit a
particular malformed HTTP request to the proxy service, eventually
causing the service to crash.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0006.html
*** {02.26.012} Win - Lil'HTTP server urlcount.cgi REPORT CSS vuln
Lil'HTTP server has been reported to include a default urlcount.cgi
CGI script that has been found to contain a cross-site scripting
vulnerability in the handling of the REPORT parameter.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0332.html
*** {02.26.014} Win - Multiple vendor WEB-INF directory access
An advisory has surfaced that indicates multiple vendor Java/JSP
Web servers have been found to allow remote access to the WEB-INF
directory, which typically contains sensitive files not suited to
be served to users. The vulnerability is triggered by appending
an extra '.' character after the directory name in the URL request.
Sybase EA server, Oracle OC4J, Orion, JRun, HP App Server, Paramati
and Jo Webserver have been reported as vulnerable.
A full list of vulnerable versions and appropriate patches is available
at the reference URL below.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0132.html
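As an added example (not code from the advisory or from any of the listed vendors), the Python below shows the defender's side of the trailing-dot trick this item describes: it canonicalises a request path the way a tolerant file lookup would (percent-decoding, dropping '.'/'..', stripping trailing dots) before checking for a WEB-INF segment, then runs that check over constructed Common Log Format access-log lines to flag requests that reached the protected directory. The double percent-decoding, backslash handling and trailing-space stripping are my own safe-side generalisations, not variants the advisory reports.

```python
"""Detect requests that reach a servlet container's WEB-INF directory (added example)."""
import re
from urllib.parse import unquote

PROTECTED_DIRS = {"web-inf"}   # the directory this item says must never be served

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (not from the advisory); the third uses the
# trailing-dot trick, the fourth percent-encodes it as well.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jul/2002:15:28:22 -0500] "GET /shop/index.jsp HTTP/1.0" 200 1432',
    '10.0.0.9 - - [03/Jul/2002:15:29:01 -0500] "GET /shop/WEB-INF/web.xml HTTP/1.0" 403 221',
    '10.0.0.9 - - [03/Jul/2002:15:29:07 -0500] "GET /shop/WEB-INF./web.xml HTTP/1.0" 200 2710',
    '10.0.0.9 - - [03/Jul/2002:15:29:12 -0500] "GET /shop/%57EB-INF%2e/classes/ HTTP/1.0" 200 318',
]


def canonical_segments(raw_path):
    """Normalise a request path as a tolerant file-system lookup would before comparing it."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))          # undo single and double percent-encoding
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        # assumption: trailing dots (and spaces, on Windows file systems) are
        # ignored by the lookup, so 'WEB-INF.' names the same directory as 'WEB-INF'
        segments.append(seg.rstrip(". ").lower())
    return segments


def targets_protected_dir(raw_path):
    """True if any canonical path segment names a directory that must not be served."""
    return any(seg in PROTECTED_DIRS for seg in canonical_segments(raw_path))


def flag_web_inf_requests(log_lines):
    """Return (client, raw_path, status) for each log line whose path reaches WEB-INF."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _when, _method, path, status = m.groups()
        if targets_protected_dir(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for client, path, status in flag_web_inf_requests(SAMPLE_LOG):
        verdict = "SERVED" if status == 200 else "refused"
        print(f"{client} {path} -> {status} ({verdict})")
```

A flagged request that returned 200 is the one worth alerting on, since the server handed out something under WEB-INF; a 403 shows it was refused.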
*** {02.26.015} Win - OmniHTTPd large HTTP request DoS
OmniHTTPd version 2.09 has been found to crash when a remote attacker
submits a large URL request, leading to a denial-of-service attack.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0000.html
*** {02.26.020} Win - Update {02.19.005}: ISC DHCPD nsupdate format
string vuln
Caldera has released updated dhcpd packages that fix the vulnerability
discussed in {02.19.005} ("ISC DHCPD nsupdate format string vuln").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0029.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0029.html
*** {02.26.021} Win - MS02-033: Commerce server multiple buffer
overflows
Microsoft has released MS02-033 ("Commerce server multiple buffer
overflows"). MS Commerce Server versions 2000 and 2002 contain multiple
buffer overflows in various components, including the profile service,
the OWC (Office Web Components) installer and the ISAPI handler.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0152.html
*** {02.26.022} Win - MS02-032: Windows Media Player cumulative patch
Microsoft has released MS02-032 ("Windows Media Player cumulative
patch"). Three new vulnerabilities found in the various versions
of Windows Media Player have been fixed in this cumulative patch.
The vulnerabilities include a remote information disclosure, a local
privilege escalation and a potential remote script execution bug.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-032.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0153.html
--- Linux News ---------------------------------------------------------
*** {02.26.005} Linux - Update {02.21.013}: Mailman multiple CSS vulns
Red Hat has released updated mailman packages that fix the
vulnerability discussed in {02.21.013} ("Mailman multiple CSS vulns").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0112.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0112.html
--- NetWare News -------------------------------------------------------
*** {02.26.007} NW - IManage username field DoS
The IManage service shipped with NetWare versions 6.0 and 6.0SP1 has
been found to contain a denial-of-service vulnerability whereby a remote
attacker enters a string of characters in the username field, causing an
ABEND.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0338.html
--- HP-UX News ---------------------------------------------------------
*** {02.26.025} HPUX - IPv6 dced/rpcd DoS
HP has released an advisory that indicates the dced and rpcd services
shipped with HP-UX version 11.11 (only) are vulnerable to a remote
denial of service, letting an attacker cause them to crash.
Patches PHSS_27258 and PHSS_27259 fix the problem.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q3/0000.html
--- Network Appliances News --------------------------------------------
*** {02.26.013} NApps - Cisco SSH DoS
Cisco has released an advisory that indicates all Cisco products with
SSH capability (anything running IOS, CatOS, PIX and the Content
Service Switch family) had a bug introduced that lets a remote
attacker cause a denial of service on the device, if the SSH service
is accessible.
A full matrix of affected versions and patches is available at:
http://archives.neohapsis.com/archives/cisco/2002-q2/0017.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0017.html
--- Cross-Platform News ------------------------------------------------
*** {02.26.001} Cross - Update {02.25.023}: OpenSSH version 3.4
available, security vulns
Many vendors have released updated OpenSSH packages that fix the
vulnerability discussed in {02.25.023} ("OpenSSH version 3.4 available,
security vulns").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q2/0076.html
Official Caldera workaround:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0033.html
Updated OpenPKG information:
http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0110.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0036.html
Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2002-06/0353.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0000.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q3/0051.html
NetBSD CVS branches as of June 26, 2002 contain the fixes.
Source: CERT, Debian, NetBSD, Caldera, Red Hat, Conectiva, Slackware,
EnGarde, SuSE, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/cc/2002-q2/0010.html
http://archives.neohapsis.com/archives/vendor/2002-q2/0076.html
http://archives.neohapsis.com/archives/netbsd/2002-q2/0285.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0033.html
http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0110.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0036.html
http://archives.neohapsis.com/archives/bugtraq/2002-06/0353.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0000.html
http://archives.neohapsis.com/archives/linux/suse/2002-q3/0051.html
*** {02.26.002} Cross - DNS libresolve/resolver buffer overflow
A bug has been found in the various libc libraries (including all
BSD flavors) as well as in the ISC BIND libresolve libraries whereby
a malicious DNS server can respond with a malformed DNS response,
causing arbitrary code to be executed in the context of the application
making the DNS query. All applications statically linked against ISC
libresolve or vulnerable libc libraries are also vulnerable and will
have to be upgraded as well.
ISC has released updated BIND versions:
ftp://ftp.isc.org/isc/bind/src/8.2.6/bind-src.tar.gz
ftp://ftp.isc.org/isc/bind/src/8.3.3/bind-src.tar.gz
ftp://ftp.isc.org/isc/bind/src/4.9.9/bind-4.9.9-REL.tar.gz
OpenBSD patch:
http://archives.neohapsis.com/archives/openbsd/2002-06/2462.html
NetBSD branches as of June 26, 2002 contain the fix.
FreeBSD branches as of June 27, 2002 contain the fix.
Source: BIND, CERT, OpenBSD, NetBSD, FreeBSD
http://archives.neohapsis.com/archives/bind/2002/0012.html
http://archives.neohapsis.com/archives/bind/2002/0013.html
http://archives.neohapsis.com/archives/bind/2002/0014.html
http://archives.neohapsis.com/archives/cc/2002-q2/0012.html
http://archives.neohapsis.com/archives/openbsd/2002-06/2462.html
http://archives.neohapsis.com/archives/netbsd/2002-q2/0288.html
http://archives.neohapsis.com/archives/freebsd/2002-06/0589.html
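Both the editorial note at the top and this item stress that updating the shared libraries is not enough, because statically linked programs carry their own copy of the resolver; the added Python below (example code, not from the newsletter, ISC or any BSD project) finds such programs by reading ELF program headers, treating an image with no PT_INTERP and no PT_DYNAMIC entry as statically linked. It assumes ELF binaries and ships a constructed minimal ELF builder as a test fixture; a stripped static binary cannot be inspected for resolver code from outside, so every static executable is reported for rebuilding.

```python
"""Inventory statically linked ELF executables after a libc/resolver fix (added example)."""
import os
import struct
import sys

PT_DYNAMIC = 2   # program header types from the ELF specification
PT_INTERP = 3


def elf_program_header_types(data):
    """Return the p_type of each program header, or None if data is not an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:    # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42/44
        phoff = struct.unpack_from(endian + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    elif ei_class == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54/56
        phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        return None
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break            # truncated read; report what we have
        # p_type is the first 32-bit field of a program header in both classes
        types.append(struct.unpack_from(endian + "I", data, off)[0])
    return types


def is_statically_linked(data):
    """True if the ELF image has no interpreter and no dynamic section; None if not ELF."""
    types = elf_program_header_types(data)
    if types is None:
        return None
    return PT_INTERP not in types and PT_DYNAMIC not in types


def find_static_executables(roots):
    """Walk the given directories and return paths of statically linked ELF files."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(65536)   # program headers follow the ELF header
                except OSError:
                    continue
                if is_statically_linked(head):
                    found.append(path)
    return sorted(found)


def build_elf(ptypes, bits=64):
    """Constructed minimal ELF image with the given program header types (test fixture only)."""
    if bits == 64:
        ehsize, phentsize, fmt, machine = 64, 56, "<HHIQQQIHHHHHH", 62
    else:
        ehsize, phentsize, fmt, machine = 52, 32, "<HHIIIIIHHHHHH", 3
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1]) + bytes(9)
    header = ident + struct.pack(fmt, 2, machine, 1, 0, ehsize, 0, 0,
                                 ehsize, phentsize, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(phentsize - 4) for t in ptypes)
    return header + phdrs


if __name__ == "__main__":
    for p in find_static_executables(sys.argv[1:] or ["/usr/local/bin"]):
        print("static, rebuild after resolver fix:", p)
```

Point it at the directories holding locally built software (for example /usr/local/bin and /usr/local/sbin); dynamically linked programs pick up the library update and are not listed.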
*** {02.26.003} Cross - Apache mod_ssl off by one config directive
overflow
The Apache mod_ssl module has been found to contain an overflow in the
handling of configuration file directives. This could potentially let
a local attacker gain control of the Apache child processes (allowing
spoofed HTTP replies), create arbitrary log file entries and execute
arbitrary code under the Apache user's privileges (typically 'nobody').
Mod_ssl versions 2.4.9 and prior are vulnerable.
This vulnerability has been confirmed and fixed in version 2.4.10.
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q3/0000.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0000.html
Source: Conectiva, EnGarde, Debian, Trustix, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0318.html
http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
http://archives.neohapsis.com/archives/vendor/2002-q3/0000.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0001.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0000.html
*** {02.26.004} Cross - Update {02.24.002}: Apache chunked encoding DoS
and overflow
Multiple vendors have released updated apache packages, which fix the
vulnerability discussed in {02.24.002} ("Apache chunked encoding DoS
and overflow").
Updated Red Hat Secure Web Server packages:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0109.html
HP has released patch HPTL_00023 for its Secure OS software for Linux,
available at:
http://itrc.hp.com
IBM has released an update for its AIX Toolbox for Linux, available at:
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
HP/Compaq has released updates for Tru64 CSWS, HP-UX and OpenVMS.
Full details are available at:
http://archives.neohapsis.com/archives/compaq/2002-q2/0131.html
Caldera/SCO updated OpenUnix, OpenServer and UnixWare binaries:
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32
Source: Red Hat, HP/Compaq, IBM, Caldera/SCO
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0109.html
http://archives.neohapsis.com/archives/hp/2002-q2/0086.html
http://archives.neohapsis.com/archives/aix/2002-q2/0018.html
http://archives.neohapsis.com/archives/compaq/2002-q2/0131.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0000.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0001.html
*** {02.26.008} Cross - JRun character append reveals source code
JRun version 4.0 has been found to contain a vulnerability that would
result in the JRun server returning the unparsed JSP source code to
a remote attacker if the attacker appends particular characters to
the URL request.
This vulnerability has been confirmed by the vendor. A patch is
available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0138.html
*** {02.26.009} Cross - JRun admin server auth bypass
The administrative server included with JRun has been found to contain
a vulnerability that would let attackers perform administrative tasks
without needing to know the administrative login id and password.
This vulnerability has been confirmed by the vendor, which has
released a patch available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0135.html
*** {02.26.010} Cross - Sitespring Server database engine DoS
Sitespring server version 1.2.0(277.1) has been reported to be
vulnerable to a denial-of-service attack whereby a remote attacker
can directly access the database engine port and send malformed data,
causing the service to crash.
The advisory indicates vendor confirmation. No patches have been
made available.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0140.html
*** {02.26.016} Cross - Betsie CGI suite CSS vulns
The 'BBC Education Text to Speech Internet Enhancer' (Betsie)
CGI suite has been found to contain multiple cross-site scripting
vulnerabilities in the handling of various CGI parameters.
The advisory indicates confirmation by the vendor, which has released
version 1.5.12.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0002.html
*** {02.26.017} Cross - Blackboard CGI suite multiple CSS vulns
Blackboard.com's Blackboard CGI suite has been reported to contain
multiple cross-site scripting vulnerabilities in the handling of various
URL parameters by many of its supporting CGIs.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0005.html
*** {02.26.018} Cross - PHPAuction CGI arbitrary admin account creation
The PHPAuction CGI suite has been found to let a remote attacker
create arbitrary administrative accounts through /admin/login.php,
letting them take over administration of the CGI service.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0014.html
*** {02.26.019} Cross - Sendmail 8.12.5 released, with security fix
Sendmail 8.12.5 has been released. The new version contains bug fixes
as well as a security fix that prevents an obscure remotely exploitable
buffer overflow in the DNS map feature, which is likely to be unused
in most installations.
The latest source is available at:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.gz
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2002-q2/0003.html
*** {02.26.023} Cross - HP/Sharity cifslogin multiple command-line
param overflows
The cifslogin application shipped with HP-UX (originally written by
Sharity for Unix) has been found to contain multiple buffer overflows
in the handling of various command-line parameters, letting a local
attacker execute arbitrary code under root privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0300.html
*** {02.26.024} Cross - Cisco Secure ACS Acme.server file disclosure
Cisco Secure ACS for Unix platforms includes the Acme.server HTTP
service, which has been found to contain a remotely exploitable
directory browsing/file disclosure bug.
This vulnerability has been confirmed by Cisco. Contact your Cisco
representative for an available patch.
Source: Cisco (SecurityFocus Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-07/0017.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).