From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Feb 10 2003 - 08:36:11 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
                      SANS Critical Vulnerability Analysis
    February 10, 2003 Vol. 2. No. 5
    ***********************************************************************

    The weekly CVA prioritizes and summarizes the most important
    vulnerabilities and attacks identified during the past week and
    provides guidance on appropriate actions to protect your systems.

    ***********************************************************************

    Table of Contents

    Widely Deployed Software:
    (1) HIGH: Internet Explorer Cross-Domain Code Execution Vulnerabilities
    (2) MODERATE: Kerberos FTP Client Shell Execution Vulnerability
    (3) MODERATE: Apache Tomcat Path Parsing Information Exposure
    (4) LOW: Majordomo Mailing List Address Exposure

    Other Software:
    (5) LOW: 32bit and ByteCatcher FTP Client Banner Buffer Overflow
    (6) LOW: Opera Web Browser Multiple Vulnerabilities

    Exploit Code Information:
    (7) Exploit for CVS Double-Free Vulnerability
    (8) SPIKE 2.8 Released

    **************************** Sponsored Links **************************
    Privacy notice: These links redirect to non-SANS web pages.

    Get your free security planning template. Download a free chapter
    from Mission Critical Security Planner.
    http://www.sans.org/cgi-bin/sanspromo/CVA13
    - --------------------------------
    Get a FREE Security Token -- Strong (Two-Factor) Authentication For
    2/3 Less Than The Leading Competitor.
    http://www.sans.org/cgi-bin/sanspromo/CVA14
    - -------------------------------------
    Instantly stop DDoS attacks and port scans.
    Hands-on, online demo--launch and mitigate live attacks.
    http://www.sans.org/cgi-bin/sanspromo/CVA15
    - --------------------------------------------------
    ALERT: Web-based Viruses/Worms/Trojans: How to stop them
    ***FREE White Paper***
    http://www.sans.org/cgi-bin/sanspromo/CVA16
    ***********************************************************************

    *********************************************************
    Widely Deployed Software
    *********************************************************

    (1) HIGH: Internet Explorer Cross-Domain Code Execution Vulnerabilities

    Affected Products:
    Internet Explorer 5.01, 5.5, 6.0

    Description:
    Microsoft has released a cumulative patch for Internet Explorer that
    appears to address two previously disclosed vulnerabilities (reported
    in the November 25th CVA). The vulnerabilities allow a malicious web
    server to download arbitrary code to a client system and execute it
    in the "Local System" context.

    Risk: A malicious web server can execute arbitrary code on the client
    system, with the privileges of the user running Internet Explorer.

    Deployment: Huge.
    The vulnerabilities affect all current versions of Internet Explorer.

    Ease of Exploitation: Straightforward.
    Example exploits have been posted. The biggest challenge in their
    use is finding ways to trick users into visiting a malicious web site.

    Status: Vendor confirmed, a cumulative IE patch containing fixes is
    available: MS03-004.

    References:
    Microsoft Security Bulletin MS03-004:
    http://www.microsoft.com/technet/security/bulletin/ms03-004.asp

    Postings by Andreas Sandblad (showHelp Shortcut vulnerability):
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0041.html
    http://archives.neohapsis.com/archives/bugtraq/2002-11/0114.html

    IE dialogArguments Cross-Zone Access Vulnerability:
    http://online.securityfocus.com/bid/6205/info/

    Previous CVA report: November 25, 2002 (see article #3):
    http://www.sans.org/newsletters/cva/cva1_18.php

    Council Site Actions:
    All reporting council sites plan to roll out the patch during the
    next regularly scheduled patch update. Many of the sites will be
    deploying multiple IE patches at the next update cycle. Several of
    the council sites commented that their network configuration protects
    their internal sites from this risk and that up-to-date anti-virus
    software, web blocking/filtering and IDS implementations also help
    mitigate these types of risks and help prevent any new malicious code
    from being introduced.

    *************************************************************

    ****************** Security Training Update ***************************
    If you are coming to SANS2003 in San Diego, Wednesday, March 12 is
    the last day to register without a late payment charge. It's the
    first national SANS conference with hands-on training in all tracks.
    http://www.sans.org/SANS2003/
    ***********************************************************************

    (2) MODERATE: Kerberos FTP Client Shell Execution Vulnerability

    Affected Products:
    MIT Kerberos FTP Client (all versions)
    Red Hat Linux 6.2, 7.0, 7.1, 7.2, 7.3, 8.0

    Description:
    The Kerberos FTP client is still vulnerable to a problem that was
    reported several years ago. If the client downloads a remote file
    having a filename starting with "|", the client passes the filename
    (interpreted as a command) to the command shell, and supplies the
    contents of the file as input to the command. A malicious FTP server
    can exploit the vulnerability to execute arbitrary commands on the
    client system.
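The safe handling this item calls for, as an added example that is not part of the SANS newsletter or of the MIT client: a Python helper that validates a server-supplied filename and writes the download straight to disk, so a name beginning with "|" can never be interpreted as a command. The function names, the metacharacter set and the sample names are assumptions of this example.

```python
import os
import tempfile

# Characters a POSIX shell interprets (plus NUL and line breaks). A name that
# carries any of these must never reach os.system()/popen(); the MIT client's
# bug was exactly that a leading '|' turned the name into a command.
SHELL_META = set('|&;<>`$(){}[]*?!"\'\n\r\0')


def validate_remote_filename(name: str) -> bool:
    """True only if a server-supplied name is acceptable as a local basename:
    non-empty, not '.' or '..', no path separators, no shell metacharacters
    and no leading '-' (which other tools might read as an option)."""
    if not name or name in (".", ".."):
        return False
    if name.startswith("-"):
        return False
    if "/" in name or "\\" in name:
        return False
    return not any(ch in SHELL_META for ch in name)


def save_remote_file(name: str, data: bytes, dest_dir: str) -> str:
    """Store downloaded bytes under dest_dir. The file is opened directly, so
    there is no shell in the path for a name like '|cmd' to abuse."""
    if not validate_remote_filename(name):
        raise ValueError(f"refusing unsafe remote filename: {name!r}")
    dest_dir = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_dir, name))
    # Defence in depth: the final path must still lie inside dest_dir.
    if os.path.commonpath([dest_dir, target]) != dest_dir:
        raise ValueError("path escapes destination directory")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed sample: one benign and one hostile server-supplied name."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["benign"] = os.path.basename(
            save_remote_file("notes.txt", b"hello", tmp))
        try:
            save_remote_file("|echo owned", b"ignored", tmp)
            results["hostile"] = "written"
        except ValueError:
            results["hostile"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the filename is only ever used as an argument to open(); rejecting metacharacters is a second line of defence for the case where a name is later handed to another program.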

    Risk: FTP client compromise by a malicious FTP server, with the
    privileges of the user running the client program.

    Deployment: Significant.
    The MIT Kerberos FTP client is bundled with the Kerberos 5 distribution
    and is included with some versions of Linux, notably Red Hat. The
    vulnerable MIT client is the default FTP client in standard Red Hat
    installations.

    Ease of Exploitation: Straightforward.
    The attacker must build a malicious file and place it on an FTP server.
    The biggest challenge comes in convincing victims running vulnerable
    FTP clients to visit the server and download the file.

    Status: Vendor confirmed, patches are currently under development by
    MIT. Red Hat has released fixed krb5 RPMs.

    References:
    VulnWatch Posting by Hackademy:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0047.html

    Red Hat Advisory:
    http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0025.html

    CERT VU#258721:
    http://www.kb.cert.org/vuls/id/258721

    Council Site Actions:
    The affected software is only in use at two of the reporting council
    sites. At the first site, they maintain their own code. The software
    support group that does the maintenance is currently examining the
    source code to see if they are affected. If so, they plan to deploy the
    patch as appropriate. The second site has an extensive implementation
    of this software. They plan to update the software on all their
    centrally supported machines over the next few weeks. Their software
    update process is automated so the task won't be that time-consuming.
    The affected software is also deployed in various department or
    end-user sites that provide their own support. At this time, they do
    not plan to send notification to these sites. They feel that it would
    be rare for the FTP client to be used to visit a malicious FTP server.

    **************************************************************

    (3) MODERATE: Apache Tomcat Path Parsing Information Exposure

    Affected Products:
    Apache Tomcat 3.x prior to 3.3.1a

    Description:
    Tomcat contains two bugs in parsing literal null characters and
    backslashes contained in a URI. Remote attackers can exploit the
    flaws to access restricted files, directory listings and the source
    code of JSP files by submitting specially crafted HTTP requests.
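How a request path can be checked for the two parsing problems named here, as an added Python example that is not part of the newsletter or of Tomcat: decode once, reject NUL bytes and backslashes, normalise ".." segments without letting them climb above the web root, and refuse the container's protected directories. The function names, the protected-directory policy and the sample paths are assumptions of this example.

```python
from urllib.parse import unquote

# Directories a servlet container never serves directly (assumed policy here).
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def canonical_path(raw_path: str):
    """Percent-decode once, then normalise segment by segment.
    Returns the canonical path, or None when the request is malformed:
    a NUL byte or backslash after decoding (the two parsing bugs in the
    item), a relative path, or '..' climbing above the web root."""
    path = unquote(raw_path)          # one pass only; never decode twice
    if "\x00" in path or "\\" in path:
        return None
    if not path.startswith("/"):
        return None
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None           # would escape the web root
            stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def is_safe_request_path(raw_path: str) -> bool:
    """Accept a path only if it canonicalises cleanly and its first segment
    is not a protected directory (compared case-insensitively, since the
    underlying file system may be)."""
    canon = canonical_path(raw_path)
    if canon is None:
        return False
    first = canon.split("/")[1] if len(canon) > 1 else ""
    return first.upper() not in PROTECTED_DIRS


# Constructed request paths exercising each rule; not taken from the advisory.
SAMPLE_PATHS = [
    "/docs/index.jsp",            # plain request
    "/docs/../index.jsp",         # harmless '..', stays under root
    "/index.jsp%00",              # NUL after decoding
    "/..%5CWEB-INF/web.xml",      # backslash after decoding
    "/a/../../b",                 # climbs above root
    "/%57EB-INF/web.xml",         # encoded 'W' hides a protected directory
]


def audit(paths=SAMPLE_PATHS) -> dict:
    """Map each raw path to True/False so the decisions can be reviewed."""
    return {p: is_safe_request_path(p) for p in paths}


if __name__ == "__main__":
    for p, ok in audit().items():
        print(f"{'allow' if ok else 'deny ':5} {p}")
```

Checking the decoded form, not the raw request line, is what matters: the last sample shows that a filter matching the literal string "WEB-INF" before decoding would miss the request.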

    Risk: Exposure of information to remote attackers that may be useful
    in compromising the server.

    Deployment: Significant.
    Tomcat is a popular open source Java servlet container that can
    operate as a standalone web server or integrate with other servers
    such as Apache and IIS.

    Ease of Exploitation: Trivial.
    Exploit examples were posted with the advisory.

    Status: Vendor confirmed. Version 3.3.1a contains the fixes.

    References:
    VulnWatch posting by Jouko Pynnonen:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0051.html

    Debian Advisory:
    http://archives.neohapsis.com/archives/vendor/2003-q1/0040.html

    Vendor Web Site:
    http://jakarta.apache.org/tomcat/

    Council Site Actions:
    The affected software is in use at several of the reporting council
    sites. These sites commented that their implementations were very
    small and not on Internet facing systems. One site has already patched
    the systems that were affected. Two other sites are still investigating
    exposure level. The remaining sites using the affected software feel
    the risk level is low enough to not warrant action at this time.

    **************************************************************

    (4) LOW: Majordomo Mailing List Address Exposure

    Affected Products:
    Majordomo (all versions)

    Description:
    Under the default configuration of Majordomo, a remote attacker can
    extract all the addresses on Majordomo mailing lists by sending a
    simple query to the daemon. Spammers can use this method to obtain
    large email address lists associated with specific interest groups.

    Risk: Remote attackers can extract mailing lists from Majordomo servers.

    Deployment: Significant.
    Majordomo is a popular open source mailing list manager for Unix that
    has been widely used since its introduction in 1992. The vulnerability
    is present in Majordomo's default configuration.

    Ease of Exploitation: Trivial.
    An attacker only needs to send the command "which" with the argument
    "@" to a listening daemon (via email), and the daemon returns all
    subscribed email addresses containing an "@" character, i.e. every
    address. The attacker does not need to be a list member to execute
    this command.

    Status: Vendor confirmed. The simplest solution is to change the
    configuration settings. A patch for Majordomo 1.94.5 is included in
    the advisory. The vendor has also released a new version of Majordomo 2
    (alpha) that protects the mailing list information by default.

    References:
    Advisory by Marco van Berkum:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0030.html

    Vendor Web Site:
    http://www.greatcircle.com/majordomo/

    Tutorial on Sending Commands to Majordomo:
    https://lists.stanford.edu/majordomo_basics.html

    Original 1992 Usenix paper by D. Brent Chapman on Majordomo:
    http://www.greatcircle.com/majordomo/majordomo.lisa6.pdf

    Council Site Actions:
    The affected software is in use at two of the council sites.
    The first site has already changed its majordomo configuration.
    The second site has a small number of machines running the software,
    all of which are supported by individual departments. They feel the
    risk is low enough to not warrant action at this time. They believe
    individual departments will update the software on their own.

    *********************************************************
    Other Software
    *********************************************************

    (5) LOW: 32bit and ByteCatcher FTP Client Banner Buffer Overflow

    Affected Products:
    32bit FTP client version p9.49.01
    ByteCatcher FTP client version 1.04b

    Description:
    The "32bit" and "ByteCatcher" FTP clients each contain a buffer
    overflow in the handling of large server banners. A malicious FTP
    server can exploit the flaw to crash FTP clients, and potentially to
    execute arbitrary code on client systems.

    Risk: FTP client compromise by a malicious FTP server, with the
    privileges of the user running the client program.

    Deployment: Moderate.
    According to statistics provided by download.com, the 32bit and
    ByteCatcher FTP clients have been downloaded 19000+ times and 169000+
    times, respectively. Both clients run on Windows.

    Ease of Exploitation: Unknown, but likely to be straightforward.
    By sending a server banner longer than 4096 bytes, the server can
    crash either client. Further investigation is needed to determine
    whether the flaws can be exploited to execute code.
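A bounded banner reader, as an added example that is not part of the newsletter or of either client: the defensive pattern that prevents this class of bug is to read the greeting under a hard length limit and reject an oversized line instead of copying it into a fixed buffer. It is written in Python rather than the clients' native code; the limits, the function names and the sample greetings are assumptions of this example, with the 4096-byte figure taken from the item above.

```python
import io

MAX_BANNER_LINE = 4096   # limit chosen to mirror the figure in the item
MAX_BANNER_LINES = 20    # multi-line '220-' greetings are capped as well


class BannerTooLong(ValueError):
    """Raised instead of letting an oversized greeting reach a fixed buffer."""


def read_banner(stream, max_line=MAX_BANNER_LINE, max_lines=MAX_BANNER_LINES):
    """Read an FTP greeting (one or more '220' reply lines) under hard limits.
    Each readline() is bounded; a line that reaches the bound without a
    newline is rejected outright, which is the length check a fixed-size
    C buffer copy would need before strcpy()/strcat()."""
    lines = []
    while True:
        if len(lines) >= max_lines:
            raise BannerTooLong("too many banner lines")
        raw = stream.readline(max_line + 1)   # +1 separates 'fits' from 'overflows'
        if not raw:
            raise ConnectionError("connection closed before banner completed")
        if len(raw) > max_line:
            raise BannerTooLong(f"banner line exceeds {max_line} bytes")
        if not raw.endswith(b"\n"):
            raise ValueError("truncated banner line")
        line = raw.rstrip(b"\r\n").decode("ascii", errors="replace")
        first = not lines
        lines.append(line)
        # RFC 959 reply syntax: '220-' opens a multi-line reply, '220 ' ends it
        if first and not line.startswith(("220-", "220 ")):
            raise ValueError(f"unexpected greeting: {line!r}")
        if line.startswith("220 "):
            return lines


def banner_from_bytes(data: bytes) -> list:
    """Convenience wrapper: parse a greeting held in memory."""
    return read_banner(io.BytesIO(data))


def demo() -> dict:
    """Constructed greetings: a normal two-line banner and a 5000-byte one."""
    good = (b"220-Welcome to the constructed test server\r\n"
            b"220 Service ready\r\n")
    bad = b"220 " + b"A" * 5000 + b"\r\n"
    results = {"good": banner_from_bytes(good)}
    try:
        banner_from_bytes(bad)
        results["bad"] = "accepted"
    except BannerTooLong:
        results["bad"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Reading max_line + 1 bytes is deliberate: a read capped at exactly max_line cannot tell a line that just fits from one that was cut off, and the latter is the case the clients mishandled.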

    Status: These vulnerabilities have not been confirmed, but the
    advisory indicates that the vendors have been informed. 32bit FTP
    client version p9.50.01 is said to contain fixes.

    References:
    VulnWatch Posting by Dennis Rand:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0054.html

    Download.com 32bit FTP client:
    http://download.com.com/3000-2160-10111687.html?tag=lst-0-2

    Download.com ByteCatcher FTP client:
    http://download.com.com/3000-2160-875183.html?tag=lst-0-1

    Council Site Actions:
    The affected software is not in production or widespread use at any
    of the council sites. They reported that no action was necessary.

    **************************************************************

    (6) LOW: Opera Web Browser Multiple Vulnerabilities

    Affected Products:
    Opera Web browser (all versions)

    Description:
    The Opera Web browser contains multiple vulnerabilities that allow a
    malicious web server to read arbitrary files on the client system,
    steal cookies set by other sites, and extract a user's browsing
    history.

    Risk: A malicious web server can harvest sensitive information from
    a client running Opera.

    Deployment: Moderate.
    The Opera browser is ranked third among browsers worldwide behind
    Internet Explorer and Netscape. The software was designed to be
    compact, making it a popular browser solution for embedded devices.
    Opera runs on Windows, OS/2, Linux, BeOS, BeIA, Symbian OS, and QNX.

    Ease of Exploitation: Straightforward.
    Example exploits have been posted for each vulnerability.

    Status: These vulnerabilities have not been confirmed by Opera
    Software.

    References:
    Security Advisories posted by GreyMagic:
    http://security.greymagic.com/adv/gm002-op/
    http://security.greymagic.com/adv/gm003-op/
    http://security.greymagic.com/adv/gm004-op/
    http://security.greymagic.com/adv/gm005-op/
    http://security.greymagic.com/adv/gm006-op/

    Vendor Web Site:
    http://www.opera.com/

    Background Information about Opera:
    http://www.wave-report.com/tutorials/opera.htm

    Council Site Actions:
    The majority of the council sites reported the affected software was
    not in production or widespread use, hence no action was necessary.
    One site did have a small deployment, but none of the users had
    installed the affected version.

    ***********************************************
    Exploit Code Released
    ***********************************************

    (7) Exploit for CVS Double-Free Vulnerability

    Exploit code for the CVS double-free vulnerability (reported in the
    January 27, 2003 issue of CVA) has been posted by Igor Dobrovitski.
    This vulnerability allows a remote attacker with read-only CVS access
    to execute arbitrary code on a CVS server with root privileges. The
    posting provides a detailed explanation of how the exploitation
    is accomplished.

    Code posted to Bugtraq:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0001.html

    Previous CVA report about the CVS vulnerability:
    http://www.sans.org/newsletters/cva/vol2_3.php (article #2)

    Council Site Actions:
    Several of the council sites have CVS implementations. They reported
    that most of the affected machines had been updated after the initial
    vulnerability report. One site is still in the process of updating
    machines. None of the sites felt the need for any new actions based
    on the release of the exploit.

    **************************************************************

    (8) SPIKE 2.8 Released

    A new version of the SPIKE network protocol analysis program has
    been released. The biggest change is the addition of a module for
    "DCE-RPC over named pipes" fuzzing, which was initially developed for
    researching the MS RPC Locator Service overflow. The code's author,
    Dave Aitel, has discovered several vulnerabilities using the SPIKE
    approach, including some problems with the Windows 2000 DCE-RPC stack
    revealed by the new module. As a demonstration of one of these issues,
    Mr. Aitel has additionally provided a standalone binary (named "plonk")
    that remotely reboots a Windows 2000 system via port 445/tcp.

    Announcement posted to Bugtraq:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0060.html

    Download SPIKE and plonk:
    http://www.immunitysec.com/spike.html

    Paper about SPIKE (includes information about exploiting the MS RPC
    Locator Service vulnerability):
    http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.html

    Previous CVA reports about the MS RPC Locator Service overflow:
    http://www.sans.org/newsletters/cva/vol2_3.php (article #1)
    http://www.sans.org/newsletters/cva/vol2_4.php (article #5)

    Council Site Actions:
    Most of the council sites do not plan any action as a result of
    the latest release of Spike. One site is currently using Spike
    for internal analysis and another site is looking at the software to
    determine appropriate uses (e.g., locating systems that are vulnerable
    to the RPC Locator Service bug).

    ***************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly five years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ===================================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    for each rating are listed below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to people
    responsible for securing information systems and networks. You may
    forward this newsletter to any people with such responsibility inside
    or outside your organization.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free
    newsletters.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers). You will receive your personal URL via email.

    Copyright 2003. All rights reserved. No copying, forwarding, or reuse
    allowed, other than those listed in the preceding paragraph, without
    written permission from the SANS Institute. Email sansrosans.org
    for permission.

                   ==end==

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+R61x+LUG5KFpTkYRAttaAJ0ZOQuBmRAO28MIf2DtMi7Evkm+HQCfVUDy
    my4gUclwC3FcYbN75zchNHc=
    =KQR1
    -----END PGP SIGNATURE-----