From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Feb 03 2003 - 09:26:54 CST



    In response to dozens of requests, we are opening up subscriptions
    to this weekly newsletter. Please forward it to any system
    administrators or security professionals who need to act on
    critical security vulnerabilities. They may subscribe at no cost at

    That is also where they may subscribe to SANS' other two free
    security newsletters: the complete weekly summary of all security
    vulnerabilities (Security Alert Consensus) and the weekly summary of
    all important news stories on security (NewsBites).


                      SANS Critical Vulnerability Analysis
    February 3, 2003 Vol. 2. No. 4

    The weekly CVA prioritizes and summarizes the most important
    vulnerabilities and attacks identified during the past week and
    provides guidance on appropriate actions to protect your systems.


    Table of Contents
    -----------------
    Widely Deployed Software:
    (1) HIGH: Solaris KCMS Library Service Daemon Vulnerability

    Other Software
    (2) LOW: Hypermail Attachment Name Buffer Overflow
    (3) LOW: SpamAssassin spamc BSMTP Buffer Overflow

    Exploit Code Information
    (4) Sapphire/Slammer SQL Worm: Vulnerable Non-Microsoft Products
    (5) Windows RPC Locator Service Buffer Overflow


    Widely Deployed Software

    (1) HIGH: Solaris KCMS Library Service Daemon Vulnerability

    Affected Products:
    Solaris 2.5.1, 2.6, 7, 8 and 9

    The KCMS library service daemon provides remote read-only access
    to KCMS library profiles on all versions of Solaris. The daemon
    contains a buffer overflow in the KCS_OPEN_PROFILE procedure, which
    allows a remote attacker to read arbitrary files on the system. The
    daemon runs as an RPC service with root privileges, and is installed
    and enabled by default.

    Risk: Exposure of information potentially leading to remote compromise
    (e.g. by stealing the encrypted passwords and cracking them).

    Deployment: Very large.
    The vulnerability affects all default installations of Solaris.

    Ease of Exploitation: Straightforward.
    The attacker must be able to create a subdirectory in a directory
    searched by the KCMS library service daemon. This task is easily
    accomplished by calling a ToolTalk (another default RPC service)
    procedure to create the subdirectory. The attacker can then request
    arbitrary files by referencing them from the subdirectory and using
    ../../../ characters in the path. An attacker could script this
    procedure and use it to harvest password files from large numbers of
    Solaris systems.
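    The exposure described above is a path-traversal problem: a client-
    supplied profile name containing ../ components lets the lookup escape
    the directory the daemon is meant to serve. The following is an added
    example (not Sun's KCMS code) of the check a profile server would need
    before opening a file: it lexically resolves the requested name against
    the configured directory and refuses any name that climbs above it. The
    function name confine_path and the directory paths in the comments are
    assumptions for illustration.

```c
/* Added example: confine a client-supplied profile name to the
 * configured profile directory. Hypothetical code, not the KCMS
 * daemon's own. Works purely lexically, so it never touches the
 * filesystem and never follows symlinks on its own. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 256

/* Normalise `name` relative to `base`, collapsing "." and ".."
 * components. Returns 1 and writes the resolved path to `out` when the
 * result stays inside `base`; returns 0 when the name is absolute,
 * empty, climbs above `base`, or does not fit in `out`. */
int confine_path(const char *base, const char *name, char *out, size_t outlen)
{
    const char *stack[MAX_DEPTH];   /* start of each kept component */
    size_t lens[MAX_DEPTH];         /* length of each kept component */
    int depth = 0;

    /* Absolute and empty names are never valid profile names. */
    if (name == NULL || *name == '\0' || *name == '/')
        return 0;

    const char *p = name;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (*p == '/') p++;                       /* skip the separator */
        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                             /* "" or "." */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return 0;             /* would leave base */
            depth--;
            continue;
        }
        if (depth == MAX_DEPTH) return 0;
        stack[depth] = seg; lens[depth] = len; depth++;
    }
    if (depth == 0) return 0;   /* resolves to the directory itself */

    /* Rebuild base + kept components with explicit bounds checks. */
    int n = snprintf(out, outlen, "%s", base);
    if (n < 0 || (size_t)n >= outlen) return 0;
    size_t used = (size_t)n;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, stack[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}
```

    A lexical check alone does not account for symbolic links inside the
    served directory; a server that lets clients create entries there should
    also canonicalise the final path with realpath() and repeat the prefix
    check on the result.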

    Status: This vulnerability has been confirmed by SUN, but patches
    are not yet available. The KCMS library service can be disabled as
    a workaround.

    CERT Vulnerability Note VU#850785

    SUN Advisory:

    Entercept Advisory:

    Council Site Action:
    Most of the Council Sites reported that the KCMS service is turned
    off per policy or per their secure configuration requirements. Some
    of these sites run daily conformance checks on their Solaris
    machines. As a side note, the CIS (Center for Internet Security)
    Solaris Benchmark Tool can be used to identify and disable this
    service. (http://www.cisecurity.org)

    One site reported that they have several Solaris systems on their
    network running the kcms_server, exposed to the Internet, and other
    Solaris systems running rpc.ttdbserverd, exposed to the Internet. The
    exploitation scenario in the published information requires that both
    daemons be running on the same system, thus their exposure is low.
    Nevertheless, they are already in the process of notifying the owners
    of these systems, indicating that there is no patch and that the inetd
    service must be removed if the system is going to stay connected to
    the network.

    Most of the Council Sites reported that RPC services along with
    Portmapper are blocked at their perimeter control points/firewalls.

    Other Software

    (2) LOW: Hypermail Attachment Name Buffer Overflow

    Affected Products:
    Hypermail versions prior to 2.1.6

    Hypermail, an open-source program that converts email messages into
    cross-linked HTML pages, contains a buffer overflow that is exploitable
    by a malicious email. The problem arises in the handling of large
    attachment filenames when the 'progress' display option is set to 2
    (this is not the default).

    Risk: Compromise of systems running Hypermail with the privileges of
    the user running the program.

    Deployment: Small.
    The affected software is said to be in the Beta development stage,
    and the vulnerability is present only in a specific non-default
    configuration. However, the program is popular with Unix administrators
    providing web-based access to mailing list archives.

    Ease of Exploitation: Straightforward.
    An attacker sending a malicious email with an over-long attachment name
    can overflow a buffer on the stack and control Hypermail's execution.
    An example email that will trigger the overflow has been posted.

    Status: Vendor confirmed, version 2.1.6 contains the fixes.

    Vulnerability Advisory by Ulf Harnhammer:

    Example Email Message:

    Vendor Web Page:

    Council Site Actions:
    Only one Council Site reported use of the Hypermail application.
    They have about a dozen systems on their network running Hypermail on
    web servers that are exposed to the Internet. They think it is unlikely
    any of these systems have the vulnerable version and configuration,
    but they have sent inquiries to system owners.

    The remaining Council Sites reported the affected software is not in
    production or widespread use, thus no action was necessary.

    As a side note, be aware that attackers can locate a large number of
    potentially vulnerable servers by doing web searches for "hypermail".


    (3) LOW: SpamAssassin spamc BSMTP Buffer Overflow

    Affected Products:
    SpamAssassin 2.40 - 2.43

    The SpamAssassin spamc daemon contains a buffer overflow vulnerability
    when running in Batched SMTP (BSMTP) mode. Attackers can exploit the
    flaw to execute arbitrary code by sending a specially crafted email.

    Risk: Remote compromise of systems running SpamAssassin's spamc
    program, with the privileges of the user running spamc.

    Deployment: Moderate.
    SpamAssassin is a popular open-source email spam filter for Unix,
    but the vulnerability only arises in a specific configuration.

    Ease of Exploitation: Variable/Challenging.
    This off-by-one vulnerability is not exploitable on all platforms and
    distributions. To be most successful, an attacker would need to be
    able to identify victims that are running the vulnerable spam filter.

    Status: The vulnerability has been confirmed, a source code patch
    was posted with the advisory. Fixed software is not yet available
    from the vendor.

    Advisory by Timo Sirainen

    Vendor Web Page:

    Council Site Actions:
    Only one Council Site reported use of the affected software. They are
    using the SpamAssassin software on their IMAP servers that are used
    for mail reading by their active users. These systems are not running
    the vulnerable configuration, thus they have no plans for action at
    this time.

    The remaining Council Sites reported the affected software is not
    in production or widespread use, thus no action was necessary. A
    few sites do plan to send information on the vulnerability to the
    appropriate support groups as an FYI.

    Exploit Code Information

    (4) Sapphire/Slammer SQL Worm: Vulnerable Non-Microsoft Products

    Many non-Microsoft products are vulnerable to the Sapphire/Slammer
    worm due to their use of SQL Server/MSDE components.

    An extensive list of potentially vulnerable products can be found at
    the following URL:

    Council Site Actions:
    All Council Sites reported they block SQL Server UDP and TCP ports
    at the perimeter control points/firewalls. Most sites reported zero
    infections, although their external gateways and firewalls experienced
    periods of heavy traffic. A few sites did report infections -- the
    highest rate was around 50 systems. These sites implemented outbound
    filtering of UDP port 1434, although they knew this might cause some
    UDP applications to fail randomly, since they may use this port as well.

    Some sites are actively using client inventory and scanning tools
    to identify all MSSQL and MSDE based applications, and updating
    vulnerable systems as they are identified. One site stated they have
    a policy that prohibits the use of Microsoft-based products for any
    mission critical services. All of their Microsoft Windows desktops
    are tightly controlled and behind very restrictive firewalls.


    (5) Windows RPC Locator Service Buffer Overflow

    Sample exploit code has been created by NGSSoftware but has not been
    released to the public. David Litchfield, one of the founders of
    NGSSoftware, writes that the company may post the exploit after a
    "grace period". This vulnerability is a stack-based buffer overflow
    that can be exploited over ports 139 and 445/tcp. An attacker can
    send an over-long name to the RPC locator service, causing a buffer
    overflow when the locator attempts to search for binding handles
    associated with the over-sized name.

    NGSSoftware has also released a tool that searches a network for
    systems offering the RPC Locator Service. Attackers can analyze the
    tool to learn how to interact with the vulnerable service remotely, and
    could conceivably extend the tool's source code to include an exploit.
    Exploitation is likely to be straightforward.

    This vulnerability was ranked HIGH in last week's CVA newsletter. The
    vulnerable service runs by default on Windows NT4/2000 Domain
    Controllers but can be configured to run on any Windows NT4/2000/XP
    system. The vulnerability yields SYSTEM privileges to successful

    Exploit Code:

    Advisory by David Litchfield:

    Tool to Find Vulnerable Systems from NGSSoftware (binary executable
    and source code available):

    Microsoft Security Bulletin MS03-001:

    Council Site Actions:
    Almost all Council Sites reported activity for this vulnerability.
    Many of the sites have already patched their systems, and others are
    scheduling the patch installation for the next regularly scheduled
    patch update. One site reported that the RPC Locator Service was set
    to manual on both the desktop and server systems.


    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are given below. These
    recommendations should be tailored according to the level of
    deployment of the affected product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    Subscriptions: The CVA is distributed free of charge to people
    responsible for securing information systems and networks. You may
    forward this newsletter to any people with such responsibility inside
    or outside your organization.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers.) You will receive your personal URL via email.

    Copyright 2003. All rights reserved. No posting is allowed to any
    web site, internal or external, without written permission from the
    SANS Institute. Email sansrosans.org for permission.

