From: The SANS Institute (CriticalVulnerabilityAnalysis_at_sans.org)
Date: Mon Feb 24 2003 - 07:59:45 CST

    ***********************************************************************
                       SANS Critical Vulnerability Analysis
    February 24, 2003 Vol. 2. No. 7
    ***********************************************************************

    The weekly CVA prioritizes and summarizes the most important
    vulnerabilities and attacks identified during the past week and
    provides guidance on appropriate actions to protect your systems.

    ***********************************************************************

    Table of Contents:

    Widely Deployed Software:
    (1) HIGH: Oracle Database Server Username Buffer Overflow
    (2) HIGH: Oracle Modified mod_dav Module Format String Vulnerability
    (3) HIGH: IBM Lotus Domino Host Redirect Buffer Overflow
    (4) HIGH: IBM Lotus Domino iNotes PresetFields Parameter Buffer
        Overflow
    (5) MODERATE: Oracle Database Server Query Functions Buffer Overflows
    (6) MODERATE: Lotus iNotes Client ActiveX Control Buffer Overflow
    (7) MODERATE: HP-UX rpc.yppasswdd Buffer Overflow
    (8) MODERATE: PHP Direct CGI Access Vulnerability


    **************************************************************
    Widely Deployed Software
    **************************************************************

    (1) HIGH: Oracle Database Server Username Buffer Overflow

    Affected Products:
    Oracle 9i Database (release 1 and 2)
    Oracle 8i Database v. 8.1.7
    Oracle 8 Database v. 8.06

    Description:
    Oracle's database server contains a buffer overflow in handling
    over-long usernames supplied during the authentication handshake.
    Remote unauthenticated attackers can exploit the flaw to execute
    arbitrary code with the privileges of the vulnerable server process --
    typically "Oracle" on Linux/UNIX and "Local System" on Windows.

    Risk: Remote compromise of systems running Oracle database server at
    the privilege level of the server process ("Local System" on Windows).

    Deployment: Significant.
    Oracle is known as the leader of the UNIX database market. Many
    high-profile customers currently using Oracle server products are
    listed at the Oracle web site.

    Ease of Exploitation: Unknown.
    This is a stack-based buffer overflow. The NGSSoftware advisory
    suggests a method for triggering the overflow using an Oracle-supplied
    client program. Attackers would need to build a custom client to
    fully exploit the vulnerability.

    Status: Vendor confirmed, patch available.

    References:
    http://www.kb.cert.org/vuls/id/953746
    http://www.nextgenss.com/advisories/ora-unauthrm.txt
    http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf

    Council Site Actions:
    The council site actions at sites with Oracle ports exposed to
    the Internet were different from actions at sites where Oracle was
    exposed only internally. Most of the council sites that had Oracle
    installed, but not exposed to the Internet, planned to install the
    patches during the normal maintenance cycle. Several of these sites
    chose to consider this a low-risk vulnerability and simply notified
    the Oracle support groups.

    The council sites that had Oracle installed and exposed to the
    Internet all chose to treat this as a critical problem and plan to
    install patches prior to the next maintenance window. Several sites
    installed the patches over the weekend. All sites that planned
    to install the patches commented that due to the critical nature of
    their Oracle applications, the patches would first be installed and
    tested on development machines prior to the production roll-out.

    Only one council site was not running an affected version of Oracle.

    **************************************************************

    (2) HIGH: Oracle Modified mod_dav Module Format String Vulnerability

    Affected Products:
    Oracle 9i Application Server (release 9.0.2 and 9.0.3)

    Description:
    The open source WebDAV Apache module mod_dav contains a format string
    vulnerability in a function responsible for logging "bad gateway
    response" messages. Fortunately, mod_dav never actually executes
    the vulnerable code and thus cannot be exploited (Apache is not
    vulnerable for this reason). However, Oracle modified the program
    for the 9i Application Server in such a way that the Oracle version,
    MOD_ORADEV, is remotely exploitable. By crafting a malicious format
    string and sending it to a vulnerable server an attacker can overwrite
    arbitrary locations in memory and gain control of the server.

    SCO accidentally released a version of mod_dav for OpenLinux with
    the same vulnerability on 2/17/03, and then withdrew it the next day.

    Risk: Remote compromise of Oracle 9i Application Servers, at the
    privilege level of the server process ("Local System" on Windows).

    Deployment: Significant/Unknown.
    At present, only the Oracle 9i Application Server has been confirmed
    vulnerable (default configuration). Other vendors are said to be
    checking their code for the problem.

    Ease of Exploitation: Unknown.
    The published advisories provide specific details regarding the
    location of the vulnerable code and how to trigger the bug using the
    WebDAV COPY method.

    Status: Oracle has confirmed and suggested a workaround that involves
    modifying a server configuration file.

    References:
    Format string vulnerability in Oracle 9i Application Server:
    http://www.kb.cert.org/vuls/id/511194
    http://www.nextgenss.com/advisories/ora-appservfmtst.txt
    http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

    CERT Advisory about modified mod_dav implementations:
    http://www.kb.cert.org/vuls/id/849993

    SCO release and withdrawal:
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0194.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0215.html
    http://archives.neohapsis.com/archives/bugtraq/2003-02/0216.html

    mod_dav Vendor Web Site:
    http://www.webdav.org/mod_dav/

    Background information on WebDAV COPY method:
    http://msdn.microsoft.com/library/en-us/wss/wss/_webdav_copy.asp

    Council Site Actions:
    Fewer council sites are running Oracle 9i applications. However,
    the responses were similar to those for item (1) above. Council
    sites that had Oracle 9i installed, but not exposed to the Internet
    planned to install the patches during the normal maintenance cycle.
    Several of these sites chose to consider this a low-risk vulnerability
    and simply notified the Oracle support groups.

    The council sites that had Oracle 9i installed and exposed to the
    Internet all treated this as a critical problem and plan to install
    patches prior to the next maintenance window. Several sites installed
    the patches over the weekend. All sites that planned to install the
    patches commented that due to the critical nature of their Oracle
    applications, the patches would first be installed and tested on
    development machines prior to the production roll-out.

    ***************************************************************

    (3) HIGH: IBM Lotus Domino Host Redirect Buffer Overflow

    Affected Products:
    Lotus Domino version 6.0

    Description:
    Lotus Domino contains a remotely exploitable buffer overflow in the
    code that performs HTTP redirects. An attacker can send a request to
    the server that causes the server to issue a 302 Redirect response.
    When building the Redirect message, the server processes the Host
    header value supplied in the attacker's request. If this value is
    set to an over-long malicious string, a buffer is overflowed and the
    server can be made to execute arbitrary code.

    Risk: Remote Domino server compromise at the privilege level of the
    Domino process (typically "Local System" on Windows).

    Deployment: Significant.
    Lotus Notes and Domino are widely used in corporate environments.

    Ease of Exploitation: Unknown.

    Status: These vulnerabilities have been confirmed and fixed in
    version 6.0.1.

    References:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0080.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0084.html
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0086.html

    Council Site Actions:
    Only four of the reporting council sites are running the affected
    version of Lotus Notes. Two of the sites plan to roll out the patches
    during the next regularly scheduled patch update. The remaining two
    sites have a very limited deployment of the affected software and
    chose only to notify the appropriate support group and request that
    they install the patches.

    *************************************************************

    (4) HIGH: IBM Lotus Domino iNotes PresetFields Parameter Buffer
        Overflow

    Affected Products:
    Lotus Domino iNotes version 6.0

    Description:
    The iNotes component of Lotus Domino contains a buffer overflow in
    handling over-long parameter values supplied in a web-based mail
    service request. Specifically, attackers can supply malicious values
    for the s_Viewname/Foldername options of the PresetFields parameter
    in order to exploit the vulnerability and execute arbitrary code on
    the server.

    Risk: Remote Domino server compromise at the privilege level of the
    Domino process (typically "Local System" on Windows).

    Deployment: Significant.
    Lotus Notes and Domino are widely used in corporate environments.

    Ease of Exploitation: Unknown.

    Status: These vulnerabilities have been confirmed and fixed in
    version 6.0.1.

    References:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0081.html

    Council Site Actions:
    Only four of the reporting council sites are running the affected
    version of Lotus Notes. Two of the sites plan to roll out the patches
    during the next regularly scheduled patch update. The remaining two
    sites have a very limited deployment of the affected software and
    chose only to notify the appropriate support group and request that
    they install the patches.

    **************************************************************

    (5) MODERATE: Oracle Database Server Query Functions Buffer Overflows

    Affected Products:
    Oracle 9i Database (release 1 and 2)
    Oracle 8i Database v. 8.1.7
    Oracle 8 Database v. 8.06

    Description:
    Oracle's database server provides several functions for use
    within queries. Three of these functions (BFILENAME, TZ_OFFSET,
    and TO_TIMESTAMP_TZ) contain buffer overflows in handling oversized
    parameter values. Any user possessing valid login credentials can
    exploit the flaws to execute arbitrary code with the privileges of
    the vulnerable server process -- typically "Oracle" on Linux/UNIX and
    "Local System" on Windows.

    Risk: Remote compromise of systems running Oracle database server at
    the privilege level of the server process ("Local System" on Windows).

    Deployment: Significant.
    Oracle is known as the leader of the database market. Many high-profile
    customers currently using Oracle server products are listed at the
    Oracle web site.

    Ease of Exploitation: Varies/Unknown. The TZ_OFFSET and TO_TIMESTAMP_TZ
    overflows are said to be stack-based.

    Status: Vendor confirmed, patches available.

    References:
    Buffer overflow in DIRECTORY parameter of BFILENAME function:
    http://www.kb.cert.org/vuls/id/663786
    http://www.nextgenss.com/advisories/ora-bfilebo.txt
    http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf

    Buffer Overflow in TZ_OFFSET function:
    http://www.kb.cert.org/vuls/id/743954
    http://www.nextgenss.com/advisories/ora-tzofstbo.txt
    http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf

    Buffer Overflow in TO_TIMESTAMP_TZ function:
    http://www.kb.cert.org/vuls/id/840666
    http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
    http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

    Council Site Actions:
    The council sites' actions for this item were similar to items (1) and
    (2) above. Council sites that had Oracle installed, but not exposed
    to the Internet planned to install the patches during the normal
    maintenance cycle. Several of these sites chose to consider this a
    low-risk vulnerability and simply notified the Oracle support groups.

    The council sites that had Oracle installed and exposed to the
    Internet all chose to treat this as a critical problem and plan to
    install patches prior to the next maintenance window. Several sites
    installed the patches over the weekend. All sites that planned to
    install the patches commented that due to the critical nature of
    their Oracle applications, the patches would first be installed and
    tested on development machines prior to the production roll-out.

    **************************************************************

    (6) MODERATE: Lotus iNotes Client ActiveX Control Buffer Overflow

    Affected Products:
    Lotus Domino iNotes client version 6.0

    Description:
    The Lotus iNotes client includes an ActiveX control which contains a
    buffer overflow in the InitializeUsingNotesUserName method. A malicious
    web page or email can exploit the vulnerability to execute arbitrary
    code on the system running the client.

    Risk: Compromise of systems running the Lotus iNotes client by a
    malicious web page or email.

    Deployment: Significant.
    Lotus Notes and Domino are widely used in corporate environments.

    Ease of Exploitation: Unknown.

    Status: These vulnerabilities have been confirmed and fixed in
    version 6.0.1.

    References:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0082.html

    Council Site Actions:
    The council site actions for this item were the same as for items (3)
    and (4) above. Two of the four affected sites plan to roll out the
    patches during the next regularly scheduled patch update. The other
    two sites have a very limited deployment of the affected software
    and will only notify the appropriate support group and request them
    to install the patches.

    **************************************************************

    (7) MODERATE: HP-UX rpc.yppasswdd Buffer Overflow

    Affected Products:
    HP 9000 Series 700 and 800 running HP-UX 10.10, 10.20, 11.00, 11.11,
    11.22 using rpc.yppasswdd

    Description:
    HP has released an advisory indicating the rpc.yppasswdd daemon
    contains a buffer overflow vulnerability. Remote attackers can exploit
    the flaw to cause a denial of service or to execute arbitrary code with
    the privileges of the rpc.yppasswdd daemon process (typically root).

    Risk: Remote root compromise of HP systems running the NIS password
    daemon.

    Deployment: Moderate/Unknown.
    It is not known whether the vulnerable service runs by default on the
    affected HP-UX platforms.

    Ease of Exploitation: Unknown.
    The vulnerability advisory provided very little technical detail.

    Status: Vendor confirmed, patches and/or workarounds are available.

    References:
    HP Advisory:
    http://archives.neohapsis.com/archives/hp/2003-q1/0028.html

    SecurityTracker Advisory:
    http://securitytracker.com/alerts/2003/Feb/1006085.html

    SecurityFocus Vulnerability Information:
    http://www.securityfocus.com/bid/6835/discussion/

    Council Site Actions:
    Only five of the reporting council sites have HP implementations.
    One site has the NIS daemons disabled on all systems so they are not
    affected by this problem. One site is still investigating the impact
    of the problem and will follow up with remediation, if necessary.
    A third site has only one affected system, but it is Internet-facing,
    so they plan to load the patches as soon as possible. The remaining
    two sites that have HP systems are treating this as a low risk since
    the installed base is small and the systems are not accessible from
    the Internet.

    **************************************************************

    (8) MODERATE: PHP Direct CGI Access Vulnerability

    Affected Products:
    PHP/CGI version 4.3.0

    Description:
    PHP version 4.3.0 contains a bug which causes the 'enable-force-cgi-
    redirect' configuration options to be ignored. These options, when
    working, prevent remote users from calling a PHP CGI executable
    directly, which would allow the user to bypass any webserver-imposed
    access controls. Remote attackers can exploit the flaw to gain access
    to any file readable by the web server process, and possibly to trick
    the server into executing attacker-supplied PHP code.

    Risk: Remote compromise of web servers using the PHP CGI module.

    Deployment: Widely Deployed.
    According to the Netcraft January 2003 survey, PHP is in use at more
    than one million web sites worldwide.

    Ease of Exploitation: Arbitrary file read -- trivial.
    The attacker only needs to craft a URL of the form
    http://host/cgi-bin/php/secretdir/script.php
    to bypass webserver-imposed access controls and access
    http://host/secretdir/script.php.
    In order to exploit the vulnerability to execute code the attacker
    must be able to inject the code into a file accessible to the PHP
    CGI program (example: the web server access logs).
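    Because the 4.3.0 bug ignores the force-redirect setting, the practical
    defender's check while hosts are being upgraded to 4.3.1 is to hunt the
    web server logs for requests that invoke the PHP CGI binary directly.
    The following is an added example (not code from the advisory or the
    PHP project); it assumes Apache Common Log Format input, that the binary
    is exposed at /cgi-bin/php as in the URL form above, and uses constructed
    log lines.

```python
"""Flag direct invocations of the PHP CGI binary in Apache access logs.

Added example, not code from the SANS CVA or the PHP project.  The 4.3.0
bug lets a request of the form /cgi-bin/php/<path> reach <path> as
PATH_INFO, bypassing webserver access controls; until hosts run 4.3.1,
such requests are worth surfacing from the logs.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# Apache Common Log Format:
#   client ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Where the PHP CGI executable is exposed.  /cgi-bin/php is the path used
# in the advisory's example URL; add your own deployment's locations.
PHP_CGI_PATHS = ("/cgi-bin/php",)


def parse_clf(line):
    """Return the CLF fields of one log line as a dict, or None if unparsable."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def direct_cgi_target(request_target, cgi_paths=PHP_CGI_PATHS):
    """Return the PATH_INFO a direct PHP CGI request would hand to the
    binary ("" when the binary is called bare), or None when the request
    does not invoke the CGI executable directly.

    The path is percent-decoded and dot-segments are collapsed first, which
    mirrors what the web server does before mapping the URI to a file."""
    path = request_target.split("?", 1)[0]        # drop the query string
    path = normpath(unquote(path))
    for cgi in cgi_paths:
        if path == cgi:
            return ""
        if path.startswith(cgi + "/"):
            return path[len(cgi):]                # e.g. /secretdir/script.php
    return None


def find_direct_cgi_requests(lines, cgi_paths=PHP_CGI_PATHS):
    """Return (client, status, reached_path) for each flagged request."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        reached = direct_cgi_target(rec["target"], cgi_paths)
        if reached is not None:
            hits.append((rec["client"], int(rec["status"]), reached))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2003:07:59:45 -0600] "GET /cgi-bin/php/secretdir/script.php HTTP/1.0" 200 512',
    '192.0.2.11 - - [24/Feb/2003:08:01:02 -0600] "GET /secretdir/script.php HTTP/1.0" 403 221',
    '192.0.2.12 - - [24/Feb/2003:08:02:10 -0600] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.13 - - [24/Feb/2003:08:03:33 -0600] "GET /cgi-bin/php/secretdir/%73cript.php?x=1 HTTP/1.0" 200 512',
    '192.0.2.14 - - [24/Feb/2003:08:04:41 -0600] "GET /cgi-bin/php HTTP/1.0" 500 0',
    '192.0.2.15 - - [24/Feb/2003:08:05:00 -0600] "GET /cgi-bin/phpinfo.cgi HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, status, reached in find_direct_cgi_requests(SAMPLE_LOG):
        print(f"{client} status={status} direct PHP CGI access to {reached or '<binary only>'}")
```

    A 200 response on a flagged line means the access control that normally
    guards the reached path was bypassed; a 403 on the bare path alongside
    it is the comparison worth pulling.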

    Status: This vulnerability has been confirmed by PHP, and is fixed
    in version 4.3.1.

    References:
    PHP Security Advisory:
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0085.html

    Netcraft PHP Usage Statistics:
    http://www.php.net/usage.php

    Background Information on enable-force-cgi-redirect:
    http://www.php.net/manual/en/security.cgi-bin.php

    Council Site Actions:
    Only one of the reporting council sites is running the affected
    software. Overall, very few of the council sites have PHP
    implementations. The one affected site has instructed its web support
    team to upgrade to the latest version.

    ************************************************************

    About the CVA Process and Council

    The CVA is produced in four phases:
    Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
    web sites as well as bugtraq and other sources of new vulnerability
    information and compile what they believe to be a complete list of all
    new vulnerabilities and major vulnerability announcements made during
    the week. The SANS Institute and Network Computing Magazine vet the
    list through the major system manufacturers and jointly publish it
    every week as the Security Alert Consensus (SAC). Anyone may subscribe
    to the SAC at http://www.sans.org/newlook/digests/SAC.htm

    Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
    vulnerabilities and announcements that demand immediate action. This
    reduces the list from 30-50 each week down to under 10. Vicki has been
    on the front lines of intrusion detection and vulnerability testing
    for nearly six years and her work in the field is legendary.

    Phase 3: Very technical security managers at fifteen of the largest
    user organizations in the United States each review the "immediate
    action" vulnerabilities and describe what they did or did not do
    to protect their organizations. Council members include banks and
    other financial organizations, government agencies, universities,
    major research laboratories, ISPs, health care, manufacturers,
    insurance companies and a couple more. The individual members have
    direct responsibility for security for their systems and networks. All
    were concerned that information about their security configuration
    would leak out, and agreed to serve only if their identities were
    not revealed.

    Phase 4: SANS compiles the responses and identifies the items on which
    the Council members took or are taking action, produces the weekly CVA,
    and distributes it via email to all eligible persons.

    **********************************************************************
    Critical Vulnerability Analysis Scale Ratings

    In ranking vulnerabilities several factors are taken into account,
    such as:

    - Is this a server or client compromise? At what privilege level?
    - Is the affected product widely deployed?
    - Is the problem found in default configurations/installations?
    - Are the affected assets high value (e.g. databases, e-commerce
      servers)?
    - Is the network infrastructure affected (DNS, routers, firewalls)?
    - Is exploit code publicly available?
    - Are technical vulnerability details available?
    - How difficult is it to exploit the vulnerability?
    - Does the attacker need to lure victims to a hostile server?

    Based on the answers to these questions, vulnerabilities are ranked
    as Critical, High, Moderate, or Low.

    CRITICAL vulnerabilities are those where essentially all planets
    align in favor of the attacker. These vulnerabilities typically
    affect default installations of very widely deployed software, result
    in root compromise of servers or infrastructure devices, and the
    information required for exploitation (such as example exploit code)
    is widely available to attackers. Further, exploitation is usually
    straightforward, in the sense that the attacker does not need any
    special knowledge about individual victims, and does not need to lure
    a target user into performing any special functions.

    HIGH vulnerabilities are usually issues that have the potential to
    become CRITICAL, but have one or a few mitigating factors that make
    exploitation less attractive to attackers. For example, vulnerabilities
    that have many CRITICAL characteristics but are difficult to exploit,
    do not result in elevated privileges, or have a minimally sized victim
    pool are usually rated HIGH. Note that HIGH vulnerabilities where the
    mitigating factor arises from a lack of technical exploit details will
    become CRITICAL if these details are later made available. Thus, the
    paranoid administrator will want to treat such HIGH vulnerabilities as
    CRITICAL, if it is assumed that attackers always possess the necessary
    exploit information.

    MODERATE vulnerabilities are those where the scales are slightly tipped
    in favor of the potential victim. Denial of service vulnerabilities
    are typically rated MODERATE, since they do not result in compromise
    of a target. Exploits that require an attacker to reside on the same
    local network as a victim, only affect nonstandard configurations
    or obscure applications, require the attacker to social engineer
    individual victims, or where exploitation only provides very limited
    access are likely to be rated MODERATE.

    LOW vulnerabilities usually do not affect most administrators, and
    exploitation is largely unattractive to attackers. Often these issues
    require the attacker to already have some level of access to a target
    (e.g. be able to execute arbitrary SQL queries, or be able to pop mail
    from a mail server), require elaborate specialized attack scenarios,
    and only result in limited damage to a target. Alternatively, a LOW
    ranking may be applied when there is not enough information to fully
    assess the implications of a vulnerability. For example, vendors often
    imply that exploitation of a buffer overflow will only result in a
    denial of service. However, many times such flaws are later shown
    to allow for execution of attacker-supplied code. In these cases,
    the issues are reported in order to alert security professionals to
    the potential for deeper problems, but are ranked as LOW due to the
    element of speculation.

    Remediation Timescale
    ===================================
    A vulnerability rating corresponds to the "threat level" of a
    particular issue. Critical threats must be responded to most quickly,
    as the potential for exploitation is high. Recommended response times
    corresponding to each of the ratings are below. These recommendations
    should be tailored according to the level of deployment of the affected
    product at your organization.

    CRITICAL: 48 hours
    HIGH: 5 business days
    MODERATE: 15 business days
    LOW: At the administrator's discretion
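    The timescale above turns each rating into a due date measured from the
    issue date. The following is an added example, not part of the SANS
    newsletter; it assumes the clock starts at this issue's timestamp, that
    business days are Monday to Friday with no holiday calendar, and that
    LOW carries no fixed deadline.

```python
"""Compute remediation due dates from the CVA rating scale.

Added example, not part of the SANS newsletter.  It assumes the clock
starts at the issue's timestamp, that business days are Monday to Friday
with no holiday calendar, and that LOW carries no fixed deadline.
"""
from datetime import datetime, timedelta

# Recommended response times from the Remediation Timescale section.
TIMESCALE = {
    "CRITICAL": ("hours", 48),
    "HIGH": ("business_days", 5),
    "MODERATE": ("business_days", 15),
    "LOW": None,                      # at the administrator's discretion
}


def add_business_days(start, days):
    """Advance `start` by `days` Monday-to-Friday days, skipping weekends."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:     # Monday..Friday are 0..4
            remaining -= 1
    return current


def remediation_deadline(rating, issued):
    """Return the datetime by which a `rating` item should be remediated,
    or None for ratings with no fixed timescale."""
    rule = TIMESCALE[rating.upper()]
    if rule is None:
        return None
    unit, amount = rule
    if unit == "hours":
        return issued + timedelta(hours=amount)
    return add_business_days(issued, amount)


# This issue (Vol. 2 No. 7, issued Mon Feb 24 2003) and its items, taken
# from the table of contents.
ISSUE_DATE = datetime(2003, 2, 24, 7, 59, 45)
ITEMS = [
    ("Oracle Database Server Username Buffer Overflow", "HIGH"),
    ("Oracle Modified mod_dav Module Format String Vulnerability", "HIGH"),
    ("IBM Lotus Domino Host Redirect Buffer Overflow", "HIGH"),
    ("IBM Lotus Domino iNotes PresetFields Parameter Buffer Overflow", "HIGH"),
    ("Oracle Database Server Query Functions Buffer Overflows", "MODERATE"),
    ("Lotus iNotes Client ActiveX Control Buffer Overflow", "MODERATE"),
    ("HP-UX rpc.yppasswdd Buffer Overflow", "MODERATE"),
    ("PHP Direct CGI Access Vulnerability", "MODERATE"),
]


def schedule(items=ITEMS, issued=ISSUE_DATE):
    """Return [(title, rating, due)] with the earliest due date first;
    items without a deadline sort last."""
    rows = [(title, rating, remediation_deadline(rating, issued))
            for title, rating in items]
    return sorted(rows, key=lambda r: r[2] or datetime.max)


if __name__ == "__main__":
    for title, rating, due in schedule():
        print(f"{due:%Y-%m-%d %H:%M}  {rating:<9} {title}")
```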

    ******************************************************************
    Subscriptions: The CVA is distributed free of charge to people
    responsible for securing information systems and networks. You may
    forward this newsletter to any people with such responsibility inside
    or outside your organization.

    To subscribe, at no cost, go to https://www.sans.org/sansnews/
    where you may also request subscriptions to any of SANS other free
    newsletters.

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number or email address
    (from the headers.) You will receive your personal URL via email.

    Copyright 2003. All rights reserved. No copying, forwarding, or reuse
    allowed, other than those listed in the preceding paragraph, without
    written permission from the SANS Institute. Email sansrosans.org
    for permission.
                             ==end==
