From: The SANS Institute (cva_at_sans.org)
Date: Tue Oct 15 2002 - 14:07:27 CDT

    From: Alan Paller, Director of Research, The SANS Institute
    Subject: Improvement/Replacement for the Windows Security Digest

    The SANS Critical Vulnerability Analysis report is replacing the SANS
    Windows Security Digest, immediately. As you'll see in yesterday's
    issue, below, the CVA is more timely and provides more authoritative
    action information. Every Monday morning it prioritizes and summarizes
    the new vulnerabilities and automated attacks discovered the previous
    week, and describes the actions taken by security and systems managers
    at fifteen very large organizations (the Council) to protect their
    computers and networks from the automated attacks and from exploits
    of the reported vulnerabilities.

    The CVA is SANS' most sought-after digest, in part because its mailing
    list is the one we use first for Flash Alerts when the Internet Storm
    Center or the FBI uncovers major attacks and we need to get the
    word out fast. If there are other people in your organization who
    should also receive the CVA and be on the Flash Alert warning list,
    this is open enrollment week. Forward this to them or sign them up
    before Sunday evening at https://server2.sans.org/cvaregister

    As always with SANS mailings, you may unsubscribe simply by replying
    with the subject 'unsubscribe CVA' or 'unsubscribe all'.


    **********************************************************************
                    SANS Critical Vulnerability Analysis
    October 13, 2002 Vol. 1. No. 12
    **********************************************************************

    TABLE OF CONTENTS:
    Widely Distributed Software
    ----------------------------
    (1) CRITICAL: Microsoft SQL Server "Hello" Authentication Buffer
        Overflow
    (2) HIGH: Microsoft Help Center ActiveX Control Buffer Overflow
    (3) MODERATE: Microsoft Compiled Help File Shortcut Restriction Bypass

    Other Software
    ---------------
    (4) HIGH: Jetty CGIServlet Arbitrary Command Execution Vulnerability
    (5) MODERATE: SurfControl SuperScout WebFilter Multiple Vulnerabilities
    (6) LOW: PowerFTP Server Buffer Overflow

    Worms and Other Exploit Codes
    ------------------------------
    (1) Sendmail Trojan
    (2) SPIKE 2.7 Released
    (3) BugBear Mass Mailer Worm (aka Tanatos)

    ***********************************************************************

    ###############################
    # Widely Distributed Software #
    ###############################

    (1) CRITICAL: Microsoft SQL Server "Hello" Authentication Buffer
        Overflow

    Affected Products:
    Microsoft SQL Server 2000
    Microsoft Desktop Engine (MSDE) 2000: a database engine that is based
    on SQL Server technology and ships with several MS products, including
    Visual Studio and Office Developer.

    Description:
    An MS SQL Server function that handles remote login authentication
    contains an exploitable buffer overflow vulnerability. According
    to Microsoft, an unauthenticated remote attacker sending a maliciously
    crafted login request can execute arbitrary code with the privileges
    of the server process (typically domain user).

    An independent advisory asserts that the vulnerability will most often
    be exploited to gain full LOCAL/SYSTEM access.

    Risk: MS SQL server remote compromise.
    A successful attack provides an intruder with full control over the
    database, and potentially LOCAL/SYSTEM privileges.

    Deployment: Significant.
    This vulnerability affects all MS SQL Server 2000 installations and
    any software utilizing MSDE 2000.

    Ease of Exploitation: Straightforward.
    Few technical details were provided with the Microsoft advisory, but
    an attacker would need only to experiment with sending malformed
    data during the login process to gain insight. Further, a proof of
    concept exploit showing how to trigger the bug has been released, and
    other postings indicate that at least one compromise exploit currently
    exists.

    Status: Vendor confirmed, patch available.
    Servers can also be protected by blocking access to the MS SQL server
    port (1433/tcp by default).

    References:
    Microsoft Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-056.asp
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0001.html

    Additional Information:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0011.html

    Immunity Security Advisory (Dave Aitel):
    http://www.immunitysec.com/vulnerabilities/Immunity_mssql_hello.txt

    Proof of Concept Exploit Code:
    http://www.immunitysec.com/vulnerabilities/mssql_hello_overflow.nasl
    Note: Immunity's website indicates that further vulnerability
    details may be available to Immunity Research Club members.

    A statement by Dave Aitel can be found at:
            http://www.immunitysec.com/dailydave/10.7.2002.html

    His assertion, posted to VulnWatch on 10/03/02, but not currently
    archived at Neohapsis:

       "People in Immunity's Vulnerability Disclosure Club or people
       who have purchased CORE Impact or people who have written their
       own SQL Server Hello exploit can verify that the statement from
       the Microsoft Advisory is, in fact, completely untrue.

       The default install, in fact, every install I've run into,
       gives you LOCAL/SYSTEM. LOCAL/SYSTEM usually has significant
       privileges."

    Council Site Actions:
    The council sites running MS SQL immediately patched the affected
    servers. The affected council sites expressed concern that the
    patch potentially does not correct the underlying problems, per Dave
    Aitel's postings. One of the affected sites said that Dave Aitel's
    Nessus plug-in tagged their SQL 7 servers as vulnerable, even those
    with SP4 and the latest MS patch. All of the affected council sites
    reported that they are not running any MS SQL servers on external
    networks.

    The remaining council sites who responded said they are not running MS
    SQL -- one site said they do not allow the application on their network.
    **************************************************************

    (2) HIGH: Microsoft Help Center ActiveX Control Buffer Overflow

    Affected Products:
    Microsoft Windows 95/98/98SE/ME/2000/XP/NT4/NT4TerminalServer

    Description:
    The Windows HTML help facility relies heavily on an ActiveX control
    that has an exploitable buffer overflow vulnerability. Attacker-supplied
    code can be delivered by a malicious website or HTML-formatted email,
    and will be executed with the privileges of the user viewing the
    malicious content.

    Risk: Client compromise.
    Execution of arbitrary code with the privileges of the user viewing a
    malicious website or HTML-formatted email.

    Deployment: Huge.
    The vulnerability affects all current versions of Windows.

    Ease of Exploitation: Straightforward.
    A malicious HTML page needs only to pass a long argument to the
    showHelp() function to trigger the overflow. Proof-of-concept exploit
    code, that crashes a vulnerable browser, has been posted.

    Status: Vendor confirmed, patch available.
    The vendor's fix patches the flawed ActiveX control rather than
    replacing it with an entirely new control. Thus, it is possible
    that a user may unwittingly re-install the original vulnerable control
    and override the patched version. Worse, it is possible for an attacker
    to force installation of the faulty control by setting up a malicious
    website or HTML email that automatically downloads the control when
    viewed. Users must therefore disable IE's "Download Signed ActiveX
    Controls" option to be completely protected.

    References:
    Microsoft Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-055.asp
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0002.html

    PIVX Advisory and Sample Exploit Code:
    http://www.pivx.com/larholm/adv/TL004/

    NGSSecurity Advisory:
    http://www.nextgenss.com/advisories/ms-winhlp.txt

    SecurityFocus Vulnerability Information:
    http://online.securityfocus.com/bid/5874

    Council Site Actions:
    Most of the reporting council sites plan to deploy the patch during
    their next regularly scheduled patch updates. These sites stated that
    their current perimeter security controls (e.g. ActiveX references
    blocked at network perimeter, up-to-date AV and IDS implementations)
    prevent internal exposure. One of the council sites reported they do
    not plan to install the patch since they have installed the latest
    Outlook security update.

    *************************************************************

    (3) MODERATE: Microsoft Compiled Help File Shortcut Restriction Bypass

    Affected Products:
    Microsoft Windows 98/98SE/ME/2000/XP/NT4/NT4TerminalServer

    Description:
    The Windows Help Facility is responsible for appropriately restricting
    actions that a compiled HTML Help (.chm) file may take on a user's
    computer. Specifically, if the Help file is delivered by an untrusted
    website or HTML email, the file should not be allowed to use shortcuts.
    However, a vulnerability exists that allows a malicious website or
    HTML email to bypass the restrictions and deliver a Help file that,
    when opened, allows shortcuts to execute. The shortcut is then able to
    take any action according to the victim user's privilege level.

    Assessment:
    Risk: Client compromise.
    Execution of arbitrary code with the privileges of the user opening
    the compiled Help file.

    Deployment: Huge.
    The vulnerability affects all current versions of Windows.

    Ease of Exploitation: Non-standard.
    Simple conceptually, but potentially challenging to execute. This
    vulnerability must be exploited in concert with some other
    vulnerability that allows the downloaded Help file to be opened
    automatically by the malicious website or HTML email (vulnerabilities
    that could perform this function have been discovered in the past).

    Status: Vendor confirmed, patch available.

    References:
    Microsoft Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-055.asp
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0002.html

    Council Site Actions:
    The council sites reported the same action for this problem as they
    did for the ActiveX problem (2) above: deploy the patch during
    their next regularly scheduled patch updates. These sites stated that
    their current perimeter security controls (e.g. ActiveX references
    blocked at network perimeter, up-to-date AV and IDS implementations)
    prevent internal exposure. One of the council sites reported they do
    not plan to install the patch since they have installed the latest
    Outlook security update.

    **************************************************************

    ##################
    # Other Software #
    ##################

    (4) HIGH: Jetty CGIServlet Arbitrary Command Execution Vulnerability

    Affected Products:
    The Jetty HTTP server prior to version 4.1.0

    Description:
    The Jetty HTTP server has been reported to contain a bug in the
    CGIServlet handler which lets a remote attacker execute arbitrary
    command-line commands on the system.

    Risk: Remote system compromise.
    Remote attackers may execute arbitrary commands from the command line
    with the privileges of the server process.

    Deployment: Small.

    Ease of Exploitation: Trivial.
    An example showing how to exploit the bug was included with the
    advisory.

    Status: Vendor confirmed, fixed software available.

    References:
    Security Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0006.html

    Vendor Security Advisory:
    http://groups.yahoo.com/group/jetty-announce/message/45

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    *************************************************************

    (5) MODERATE: SurfControl SuperScout WebFilter Multiple Vulnerabilities

    Affected Products:
    SurfControl SuperScout WebFilter (versions not stated).

    Description:
    SuperScout Web Reports server has been reported to contain multiple
    vulnerabilities: recovery of application usernames and passwords;
    access to files outside the Webroot; weak password encryption;
    denial of service attack vectors; SQL injection.

    Risk: Remote compromise.
    Remote attackers may compromise the host on which SuperScout is
    installed and modify or remove information from the database it uses.

    Deployment: Moderate.

    Ease of Exploitation: Straightforward.
    The advisory included examples of how to retrieve usernames and
    encrypted passwords, how to decrypt passwords, and how to access
    arbitrary files and reports.

    Status: Vendor confirmed, no patch available.
    The recommended workaround is to disable the web-based reports server
    and instead use a terminal session to access reports.

    References:
    Security Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0005.html

    Vendor website:
    http://www.surfcontrol.com/products/web/default.aspx

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    **************************************************************

    (6) LOW: PowerFTP Server Buffer Overflow

    Affected Products:
    PowerFTP Server (all versions)

    Description:
    PowerFTP server has been reported to contain a buffer overflow in
    the handling of large USER strings. It is unknown at this time whether
    arbitrary code execution is possible.

    Risk: Denial of Service.
    Denial of service and potential server compromise with the privileges
    of the FTP server process.

    Deployment: Small.

    Ease of Exploitation: Unknown.
    The advisory contained an example exploit that sends a very long user
    string which is said to trigger a denial of service.

    Status: Vendor has not confirmed, no patch available.

    References:
    Security Advisory and Proof of Concept DoS Exploit:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0075.html

    PowerFTP Vendor Website:
    http://www.cooolsoft.com/powerftp.htm

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    **************************************************************

    #################################
    # Worms and Other Exploit Codes #
    #################################

    (1) Sendmail Trojan

    Trojaned copies of the Sendmail source code package were inadvertently
    distributed by ftp.sendmail.org between the approximate dates of Sep
    28, 2002 and Oct 6, 2002. The Trojan horse program is invoked when the
    source code is compiled and sets up a backdoor on the machine performing
    the compilation. Specifically, the Trojan makes an outbound connection
    to a particular remote address and allows intruders to connect back
    across the established channel and gain shell access at the privilege
    level of the user performing the compilation.

    Interestingly, the maintainers of Sendmail believe it was the FTP server
    itself that was modified rather than the stored Sendmail source code
    files. The compromised FTP server evidently created and handed out a
    Trojaned version of Sendmail to roughly every 10th download customer.

    References:
    http://www.cert.org/advisories/CA-2002-28.html
    http://news.com.com/2100-1001-961469.html

    Council Site Actions:
    Most of the reporting council sites do use Sendmail distributions from
    sendmail.org. However, none were affected by this problem. A few of
    the sites had recently upgraded, and stated they had requested the
    appropriate support group(s) to verify the MD5 checksums of the sendmail
    files that were downloaded. Several of the reporting council sites
    have groups of self-managed users who may potentially use the software.
    A notice was sent to these users.

    **************************************************************

    (2) SPIKE 2.7 Released

    Immunity has released a new version of SPIKE, a powerful protocol
    analysis and stress testing tool. SPIKE "fuzzes" a target server by
    sending it many different kinds of malformed or bogus messages.
    Researchers can use the tool to discover new vulnerabilities by
    watching for odd server behavior (e.g. a crash or hang) that occurs in
    response to the SPIKE traffic.

    This new release has been said to demonstrate potentially previously
    undisclosed bugs in IIS, MSRPC, and SunRPC on Solaris (e.g. rpcbind,
    cmsd, ttdb). The package also includes the proof-of-concept exploit
    for the Windows 2000/XP PPTP vulnerability reported in last week's
    newsletter.

    Tool Announcement from Dave Aitel:
    http://archives.neohapsis.com/archives/bugtraq/2002-10/0089.html

    SPIKE Home Page:
    http://www.immunitysec.com/spike.html

    Council Site Actions:
    Only one of the reporting council sites was affected by the release
    of SPIKE. After seeing the announcement on bugtraq, they immediately
    tested their Solaris systems to see if rpcbind was vulnerable. They
    were able to cause the daemon to crash and produce a core dump. They
    were unable to verify if the core dump would lead to shell access.
    At post time, they were still in the process of trying to determine if
    a local fix can be deployed as they have numerous vulnerable Solaris
    systems.

    **************************************************************

    (3) BugBear Mass Mailer Worm (aka Tanatos)

    The most severe virus attack this year is currently being waged by a
    program called BugBear. First detected on Sep 29th in an email from
    Malaysia, the malware (which has both worm and virus characteristics)
    has infected computers in more than 180 countries and has been seen
    crossing the Internet more than 450,000 times as of October 10th. See
    the MessageLabs VirusEye link below for updated statistics.

    The worm propagates via email and network shares, disables security
    software, sets up a backdoor, and logs users' keystrokes, thereby
    capturing passwords and credit card information. Further, the worm has
    caused such a panic that email hoaxers have succeeded in tricking
    some people into deleting a real system file in a desperate attempt to
    protect themselves (see email hoax link below).

    The various functions of the malware are outlined below.

    Email Propagation: BugBear sends itself as an email attachment and
    typically requires the email recipient to open the attachment before
    infection occurs (virus characteristic). However, the program is
    careful to craft its messages to take advantage of the "Incorrect MIME
    Header can cause IE to Execute Email Attachment" vulnerability patched
    in MS01-020. This vulnerability, which was also exploited by Nimda,
    causes unpatched IE 5.01 and 5.5 browsers to automatically execute the
    email attachment when the message is viewed in Outlook (worm
    characteristic).

    All BugBear attachment files have variable names with double extensions,
    where the second extension is one of .exe, .scr, or .pif. The worm
    obtains new victim email addresses from the Windows address book, and
    can create entirely new messages, or may resend previously sent messages
    to new recipients (thereby potentially disclosing private emails to
    third parties). BugBear also uses variable subject lines and can spoof
    the "From" email header value, causing further confusion.

    Network Share Propagation: BugBear is network aware and will enumerate
    all network shares and then try to copy itself to each found resource.
    Printers cannot be infected, but will often respond to attack by
    attempting to print out pages and pages of the worm binary.

    Setting up Residence: The malware creates executable copies of itself
    with variable names in Windows System and Startup folders, and installs
    a keystroke logging program. It also sets a registry key that ensures
    BugBear is restarted upon reboot.

    Disabling Security Software: BugBear seeks out and disables many
    common antivirus and firewall programs including ZoneAlarm, BlackIce,
    Norton Antivirus, F-Secure and many others. See the Sophos site for a
    complete program list.

    Keystroke Logging: The worm's keystroke logger is known as PWS-Hooker.
    This program captures all of the user's keystrokes and periodically
    sends captured data to several email addresses. Please see the Sophos
    link for a list of addresses.

    Backdoor: The worm listens on port 36794/tcp for commands, where the
    commands available to a remote intruder include:
         - retrieve cached passwords in an encrypted form
         - download and execute a file
         - find/delete/execute/copy/write files
         - list/terminate processes
         - retrieve user account/hardware/software inventory
         - start an HTTP server on port 80 that provides access to
           the local filesystem and shared network resources

    While the spread of the virus is beginning to slow, experts are
    concerned that many users will remain infected well into the coming
    year, since it is relatively easy for an infection to go unnoticed.

    References:
    MessageLabs VirusEye Updated Statistics
    http://www.messagelabs.com/viruseye/

    Email Hoax
    http://www.msnbc.com/news/815117.asp?0cl=cR

    Sophos Report (email and security program lists)
    http://www.sophos.com/virusinfo/analyses/w32bugbeara.html

    General Background:
    http://www.usatoday.com/tech/news/2002-10-06-bugbear-worm_x.htm
    https://www.europe.f-secure.com/bugbear/
    http://www.itsecure.com.au/alerts/alert.htm?alertID=105
    http://news.zdnet.co.uk/story/0,,t281-s2123098,00.html
    http://www.smallbusinesscomputing.com/webmaster/article.php/1473261
    http://www.vnunet.com/News/1135578
    http://www.extremetech.com/article2/0,3973,590349,00.asp
    http://vil.nai.com/vil/content/v_99728.htm

    Council Site Actions:
    All of the reporting council sites responded to this worm on some level.
    All sites stated they have extensive AV defenses and ensured their
    virus definitions were updated as soon as possible. Although none of
    the reporting council sites had any confirmed infections, most were
    actively monitoring for potential attacks. One site implemented a new
    IDS signature on the perimeter network.

    One site reported they discovered a few systems on their network
    listening to port 36794. They are still in the process of determining
    how to send commands to the worm service (if it is what is running on
    the port) that listens on the port. Their plan was to first determine
    if systems had been compromised via Bugbear and if so, disconnect them
    from the network to be cleaned. If they were unable to determine that
    the systems had been compromised, they planned to ask the owners to run
    a full virus scan.
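    As an added example (not part of the newsletter, and not any vendor's
    tool), a small Python triage helper for the two BugBear indicators the
    digest gives: attachment names with a double extension ending in
    .exe/.scr/.pif, and hosts with a listener on 36794/tcp; the attachment
    names and netstat rows it runs over are constructed sample data.

```python
"""Triage helpers for the two BugBear indicators the digest describes.

Added example, not code from the newsletter or from any vendor: it flags
attachment names with a double extension whose last part is .exe/.scr/.pif,
and hosts with a LISTENING socket on 36794/tcp (the backdoor port).
Sample attachment names and netstat rows below are constructed.
"""
import re
from typing import Iterable

# Second extension BugBear attachments use, per the digest.
BUGBEAR_EXTS = {".exe", ".scr", ".pif"}
BACKDOOR_PORT = 36794

# "<anything>.<ext1>.<ext2>"; ext2 is captured for the extension check.
_DOUBLE_EXT = re.compile(r"^.+\.[A-Za-z0-9]{1,5}(\.[A-Za-z0-9]{1,4})$")


def is_suspicious_attachment(name: str) -> bool:
    """True when name carries a double extension ending in .exe/.scr/.pif."""
    m = _DOUBLE_EXT.match(name.strip())
    return bool(m) and m.group(1).lower() in BUGBEAR_EXTS


def suspicious_attachments(names: Iterable[str]) -> list[str]:
    """Filter a message's attachment names down to the BugBear-style ones."""
    return [n for n in names if is_suspicious_attachment(n)]


def backdoor_listeners(netstat_lines: Iterable[str]) -> list[str]:
    """Return local addresses with a LISTENING TCP socket on 36794.

    Accepts Windows 'netstat -an' style rows: Proto, Local, Foreign, State.
    Header rows, UDP rows (no state column) and ESTABLISHED connections
    whose foreign end is 36794 are ignored; only a local listener counts.
    """
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, state = parts[1], parts[3].upper()
        host, _, port = local.rpartition(":")  # also handles "[::]:36794"
        if state.startswith("LISTEN") and port == str(BACKDOOR_PORT):
            hits.append(host)
    return hits


# Constructed sample data (not captured from a real infection).
SAMPLE_ATTACHMENTS = ["readme.doc.pif", "invoice.xls", "Setup.TXT.EXE",
                      "archive.tar.gz", "setup.exe"]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1057          10.1.2.9:36794         ESTABLISHED
  UDP    0.0.0.0:36794          *:*
""".splitlines()

if __name__ == "__main__":
    print("attachments:", suspicious_attachments(SAMPLE_ATTACHMENTS))
    print("listeners  :", backdoor_listeners(SAMPLE_NETSTAT))
```

    A hit on 36794/tcp only says something is listening there; as the
    council site above did, confirm what process owns the socket before
    treating the host as infected.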

    **************************************************************

    About the CVA Process and Council
    =================================
    The CVA is produced in four phases:

    Phase 1: Neohapsis (www.neohapsys.com) lab director Jeff Forristal and
    the Neohapsis team scour all of the major vendor web sites as well as
    bugtraq and other sources of new vulnerability information and compile
    what they believe to be a complete list of all new vulnerabilities and
    major vulnerability announcements made during the week. The SANS
    Institute and Network Computing Magazine vet the list through the major
    system manufacturers and jointly publish it every week as the Security
    Alert Consensus (SAC). Anyone may subscribe to the SAC at
    http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing for
    nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do to
    protect their organizations. Council members include banks and other
    financial organizations, government agencies, universities, major
    research laboratories, ISPs, health care, manufacturers, insurance
    companies and a couple more. The individual members have direct
    responsibility for security for their systems and networks. All were
    concerned that information about their security configuration would
    leak out, and agreed to serve only if their identities were not
    revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    CRITICAL: Vulnerabilities are rated CRITICAL if the impact of
    exploiting the vulnerability can disrupt critical or large segments
    of a network (e.g. Internet facing services) or if the impact
    involves a remote exploit that provides root access to the host.
    Typically, for CRITICAL vulnerabilities, the vulnerability is easy
    or trivial to exploit and/or exploit code is available. Critical
    vulnerabilities usually involve server systems and/or high-value
    assets. Remediation for alerts of this nature should begin within
    48 hours, and in some cases immediately, depending on the widespread
    use of the technology within your organization.

    HIGH: Vulnerabilities are rated HIGH if the impact of exploiting
    the vulnerability is not as severe as CRITICAL alerts and the
    affected software/platforms are generally not critical services
    within the organization. A HIGH vulnerability may be something
    that affects the client side (user hosts) and not services such
    as Mail, DNS, Web, etc. Typically, there is a higher degree of
    difficulty in exploiting HIGH vulnerabilities. Exploit code may
    not be available or the attacker must entice the victim (e.g. visit
    a server or run an attachment) to exploit the code. Remediation for
    alerts of this nature should begin within five business days. If
    there is widespread use of the technology at your organization or
    critical hosts are involved, the remediation effort should begin
    sooner.

    MODERATE: Vulnerabilities are rated MODERATE if the probable impact
    of exploiting the vulnerability is considered low due to the limited
    severity of the vulnerability, or there is a very high degree of
    difficulty in exploiting the vulnerability, and an exploit is not
    available in the wild. Moderate vulnerabilities may require the
    attacker to have some type of user privileges or to entice the victim
    in order to exploit the problem. Remediation for alerts of this
    nature should begin within 15 business days. If there is widespread
    use of this technology at your organization or you run the affected
    software on critical hosts, the remediation efforts should begin
    sooner.

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to chief
    information security officers and technical security managers of
    organizations with at least 1000 systems, to GIAC certified security
    professionals, and to recent alumni of SANS courses. Eligible
    recipients may forward this report to other employees of their
    organizations, but not to people outside their organizations.

    Copyright 2002. No copying or forwarding allowed except by registered
    subscribers.
                             ==end==
