SANS Critical Vulnerability Analysis Vol 2 No 14

From: The SANS Institute (CriticalVulnerabilityAnalysissans.org)
Date: Mon Apr 14 2003 - 08:10:57 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A request to CVA Readers:

This weekly digest is unique because it contains a summary of the
actions taken by a dozen large organizations to protect their systems.
We've been honing the process for nine months, and it's time to find out
how well it is working. If the "Council Site Actions" sections of the
CVA have been useful to you or frustrating, could you take a moment to
tell us how they have been helpful and/or how they should be improved?
Also, if your organization has more than 10,000 systems and you feel
you could add value by joining the Council, let us know. Send comments
to sansrosans.org with subject CVA feedback. Thanks in advance.

And just as a heads up, 300,000 brochures for the large July security
training conference in Washington (SANSFire) will be hitting people's
mailboxes this week or next. It has ten tracks, including the new
intensive program for security managers. SANSFire courses have always
filled up early. You can get ahead of the rush by using the online
brochure and registration at http://www.sans.org/sansfire03/index.php

There's also a program in London for our readers who live in Europe:
http://www.sans.org//hammersmith03

                                    Alan

***********************************************************************
                  SANS Critical Vulnerability Analysis
April 14, 2003 Vol. 2. No. 14
***********************************************************************

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and
provides guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents:

Widely Deployed Software
(1) CRITICAL: Samba call_trans2open() Buffer Overflow
(2) MODERATE: Apache Memory Consumption DoS
(3) MODERATE: Microsoft JVM Bytecode Verifier Vulnerability
(4) MODERATE: Ikonboard Code Execution Vulnerability

Other Software
(5) HIGH: AutomatedShops WebC Buffer Overflow
(6) MODERATE: Hyperion FTP Server Buffer Overflow
***********************************************************************

*************************** Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.

1. Upgrade to 128 Bit SSL Encryption! Get Verisign's Free Guide!
     Sponsored by VeriSign - The Value of Trust
http://www.sans.org/cgi-bin/sanspromo/CVA38
----------------------------------------------
2. Stop spam, viruses and attacks before they reach vulnerable mail
     servers ***white paper/online demo***
http://www.sans.org/cgi-bin/sanspromo/CVA39
-----------------------------------------------
3. Simplifying security for your network, while cutting costs and
     improving management flexibility. **FREE WHITEPAPER**
http://www.sans.org/cgi-bin/sanspromo/CVA40
***********************************************************************

************************
Widely Deployed Software
************************

(1) CRITICAL: Samba call_trans2open() Buffer Overflow

Affected Products:
Samba versions up to and including version 2.2.8

Description:
Samba is the standard Unix server for providing file and print
services to CIFS/SMB clients. The smbd daemon contains a stack-based
buffer overflow in call_trans2open() that remote attackers can exploit,
without valid credentials, to execute arbitrary code with root
privileges. The overflow is triggered by an SMB TRANS2_OPEN request
whose parameter block is larger than the fixed-size buffer the function
copies it into. Multiple exploits have been released that work against
most distributions of Linux, Solaris, FreeBSD, NetBSD and OpenBSD
running Samba 2.2.x. Digital Defense reports that the vulnerability
is being actively exploited in the wild.

Risk: Remote root compromise of systems running Samba.

Deployment: Significant.
Many organizations configure their firewalls to deny Internet access
to SMB ports (139 and 445/tcp) but are still vulnerable to attack
from internal networks.

Ease of Exploitation: Trivial.
Exploit code that provides a root shell to a remote attacker has
been posted. The exploits are very effective against many current
operating system distributions.

Status: Vendor confirmed; the problem is fixed in Samba version 2.2.8a.
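
The council note below describes testing hosts with the public exploit.
A non-destructive first pass is to compare the version each host reports
against the fixed release. The following is an added example, not code
from the advisory or from the Samba project: it pulls the dotted version
out of text such as "smbd -V" output or the Server=[Samba ...] field that
"smbclient -L" prints, and applies the affected range given above (every
release up to and including 2.2.8). The sample strings are constructed,
and the letter-suffix handling (2.2.8 sorting before 2.2.8a) is the one
detail such checks usually get wrong.

```python
import re

# Affected range per the advisory: every release up to and including 2.2.8;
# 2.2.8a is the first fixed release.  A trailing letter ('a' in 2.2.8a) is
# treated as a fourth version component so that 2.2.8 < 2.2.8a.
FIXED_VERSION = (2, 2, 8, 1)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z])?\b")


def parse_samba_version(text):
    """Extract (major, minor, patch, letter) from text such as the output of
    'smbd -V' ("Version 2.2.8a") or the Server=[Samba ...] field printed by
    'smbclient -L'.  Returns None when no dotted version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch),
            ord(letter) - ord("a") + 1 if letter else 0)


def samba_trans2open_vulnerable(text):
    """True when the reported upstream version is older than 2.2.8a.
    Raises ValueError if no version can be found in the text."""
    version = parse_samba_version(text)
    if version is None:
        raise ValueError("no Samba version in %r" % text)
    return version < FIXED_VERSION


# Constructed sample strings, not captured from real hosts.
SAMPLES = [
    "Version 2.2.8a",                                      # smbd -V on a fixed host
    "Domain=[WORKGROUP] OS=[Unix] Server=[Samba 2.2.8]",   # smbclient -L banner
    "Server=[Samba 2.0.10]",
    "Version 3.0.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-52s vulnerable=%s" % (s, samba_trans2open_vulnerable(s)))
```

Two caveats for anyone using this on a real inventory: distribution
packages that backport the fix keep the old upstream version string, so
a hit from this check has to be reconciled with the vendor's advisory or
package changelog before a host is declared vulnerable; and a clean
result only says the version is at or past 2.2.8a, which is no
substitute for confirming the updated smbd is actually the one running.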

References:
Digital Defense Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0008.html

SecurityFocus BID
http://www.securityfocus.com/bid/7294

Public Exploits
http://downloads.securityfocus.com/vulnerabilities/exploits/sambal.c
http://archives.neohapsis.com/archives/bugtraq/2003-04/0130.html

Another exploit was briefly posted to this link (see News Article)
http://www.digitaldefense.net/labs/tools/trans2root.pl

News Article
http://news.zdnet.co.uk/story/0,,t269-s2133095,00.html

Council Site Actions:
Most council sites are treating this as a high priority problem and
they are anxiously awaiting patches from the vendors. Patches will be
rolled out on a high priority basis for most sites. One major site
commented that they had about 40 systems that were directly exposed
to the Internet and vulnerable to compromise via the trans2root.pl
exploit. They were able to download the exploit on April 7th and used
it to test their Linux and FreeBSD systems for the vulnerability.
For the exploitable systems, they advised the system administrators
to immediately stop running the vulnerable daemons, and install an
updated package when it became available from their vendor (or use
the unpackaged 2.2.8a release).

Several sites reported they will wait to patch until the next regularly
scheduled system update since they are blocking SMB ports at the
perimeter points.

Several sites commented that the remediation process will be
challenging and lengthy due to the wide-spread and sometimes
specialized use of Samba.

*****************************************************************

(2) MODERATE: Apache Memory Consumption DoS

Affected Products:
Apache 2.0.x versions prior to 2.0.45 (Windows and Unix)

Description:
Apache 2.0 contains a resource-exhaustion DoS vulnerability in its
handling of long runs of consecutive newline characters. The server
allocates an 80-byte buffer for every newline it receives, with no
upper bound on the total, and does not free that memory once allocated.
A remote attacker can exploit the flaw by sending requests containing
thousands of newline characters to the server. A successful attack
causes Apache's performance to degrade significantly.

Risk: Remote attackers can cause severe performance degradation on
servers running Apache.

Deployment: Widely deployed. According to the March 2003 Netcraft
survey, 62% of Internet web servers run Apache.

Ease of Exploitation: Trivial.
Exploit code is available. The published exploits send thousands of
CRLF (carriage-return line-feed) sequences.

Status: Vendor confirmed. The problem is fixed in version 2.0.45.

References:
iDefense Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-04/0126.html

Vendor Announcement
http://www.apache.org/dist/httpd/Announcement2.html

Exploit Codes
http://archives.neohapsis.com/archives/bugtraq/2003-04/0133.html
http://downloads.securityfocus.com/vulnerabilities/exploits/apache-massacre.c
http://downloads.securityfocus.com/vulnerabilities/exploits/th-apachedos.c

SecurityFocus BID
http://www.securityfocus.com/bid/7254

Netcraft March 2003 Web Server Survey
http://news.netcraft.com/archives/2003/03/25/march_2003_web_server_survey.html

Council Site Actions:
Only two of the reporting council sites are using the affected version
of the software. For one site, online business plays a critical role
in the success of the company. They received vendor-supplied custom
versions of Apache on Monday and deployed the patches
to the affected DMZ hosts the same day. The second site has a
few dozen systems running Apache 2.x that are directly exposed to
the Internet. However, none of these systems plays a significant
role for the business. Because of their limited support resources,
they are not taking any action at this time.

****************************************************************

(3) MODERATE: Microsoft JVM Bytecode Verifier Vulnerability

Affected Products:
Microsoft Windows 95/98/98SE/ME/NT4/2000/XP
Microsoft Internet Explorer 4.0 - 6.0

Description:
The Microsoft Java Virtual Machine (JVM) is used to run Java applets
on Windows in a controlled sandbox environment. The JVM contains a
vulnerability in handling certain sequences of bytecode that allows
security restrictions to be bypassed. A malicious applet could exploit
the flaw to execute arbitrary code with the privileges of the user
running the applet. An attacker could create a malicious applet and
host it on a web page or send it to a victim in an HTML-enabled email
message. However, many mail clients do not allow Java applets received
in email messages to execute automatically, providing some protection
against the email-based attack vector.

This vulnerability is evidently the same bytecode verifier
vulnerability disclosed by the Last Stage of Delirium (LSD) research
group at the Asia Black Hat Briefings conference, October 2002.

Risk: Remote system compromise by a malicious Java applet, with the
privileges of the user running the applet.

Deployment: Widely deployed.
This vulnerability affects nearly all versions of Windows and Internet
Explorer.

Ease of Exploitation: Trivial.
LSD has made exploit code available along with a technical presentation
and research paper describing this and several other vulnerabilities.

Status: Vendor confirmed, patch available.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp

LSD Exploit Code
http://www.lsd-pl.net/projects.html

LSD Paper/Presentation
http://www.lsd-pl.net/java_security.html

Council Site Actions:
All council sites plan to install the patches during their next
regularly scheduled system maintenance window. In addition, one
site is planning to implement a proactive web malware filter at its
network perimeters in response to the growing number of web-based
malware problems. Another site plans to ensure that all users' HTML
mail is viewed in the "Restricted Zone" and that users with Outlook 98
and 2000 have the Outlook Email Security Update installed. (Q262631)
They are also requesting that users set their web browser security
to disable the execution of script code or active content.

*************************************************************

(4) MODERATE: Ikonboard Code Execution Vulnerability

Affected Products:
Ikonboard 3.1.1 and possibly earlier versions

Description:
Ikonboard is a web-based bulletin board system implemented as a Perl
CGI program. The program contains an input sanitization vulnerability
that allows remote attackers to execute arbitrary Perl code. Exploitation
is accomplished by sending a web request with a specially crafted
language cookie (Cookie: lang=) value to the server.

Risk: Remote compromise of web servers running Ikonboard with the
privileges of the web server process.

Deployment: Significant.
According to the vendor website, there are over 1 million active
Ikonboard bulletin boards worldwide.

Ease of Exploitation: Straightforward.
Many exploitation details have been posted.

Status: The vendor has not confirmed this vulnerability; a third-party
patch was provided in the security advisory.
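
The flaw above belongs to a familiar class: a cookie value that the
application uses to pick which file it loads, guarded by sanitization
that strips "bad" substrings instead of checking the value against the
set of files that actually exist. The following is an added example of
that class in general, not Ikonboard's code and not the specific
bypass in Nick Cleaton's advisory: the lang/ directory layout, the
language table and the cookie headers are all constructed for the
example. It puts the deny-list form beside the allowlist form so the
difference on a hostile value is visible.

```python
import posixpath

# Hypothetical layout for this example: one language file per supported
# language under lang/.  The table is constructed in memory; a real
# application would build it from the directory contents at startup.
AVAILABLE_LANGUAGES = {"en": "lang/en.pl", "de": "lang/de.pl", "fr": "lang/fr.pl"}
DEFAULT_LANGUAGE = "en"


def parse_cookie_header(header):
    """Parse a Cookie: header value ('a=1; lang=de') into a dict.
    The first occurrence of a name wins, matching common server behaviour."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def lang_file_denylist(cookie_header):
    """The pattern that fails: strip a 'bad' sequence from the value and then
    build a path from whatever is left.  Shown as the unsafe form."""
    lang = parse_cookie_header(cookie_header).get("lang", DEFAULT_LANGUAGE)
    lang = lang.replace("../", "")          # single pass: '....//' collapses to '../'
    return "lang/%s.pl" % lang


def lang_file_allowlist(cookie_header):
    """The safe form: the cookie is only a selector.  Anything that is not
    exactly a known language name falls back to the default file, so the
    attacker-controlled string never becomes part of a path."""
    lang = parse_cookie_header(cookie_header).get("lang", DEFAULT_LANGUAGE)
    return AVAILABLE_LANGUAGES.get(lang, AVAILABLE_LANGUAGES[DEFAULT_LANGUAGE])


def stays_inside(path, base="lang"):
    """True if the normalised path still lies under base/.  Useful in tests
    and audits; it is a check on the result, not a replacement for the
    allowlist."""
    norm = posixpath.normpath(path)
    return norm == base or norm.startswith(base + "/")


# Constructed sample cookie headers.
BENIGN = "ikon_session=abc123; lang=de"
TRAVERSAL = "lang=....//etc/passwd"

if __name__ == "__main__":
    for hdr in (BENIGN, TRAVERSAL):
        print("%-28s denylist -> %-24s allowlist -> %s" % (
            hdr, lang_file_denylist(hdr), lang_file_allowlist(hdr)))
```

On the traversal header the deny-list form yields lang/../etc/passwd.pl,
which resolves outside lang/; the allowlist form yields lang/en.pl. When
the selected file is then handed to the Perl "require" or "do" of a CGI
running as the web server user, the first form is exactly the path to
arbitrary code execution with the web server's privileges that the
description above warns about.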

References:
Security Advisory by Nick Cleaton
http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html

Vendor Website
http://www.ikonboard.com/

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

**************************************************************

***************
Other Software
***************

(5) HIGH: AutomatedShops WebC Buffer Overflow

Affected Products:
Automated Shops WebC 2.0
Automated Shops WebC 5.0
ShopZone versions 3.0+ (contain WebC 5.0)

Description:
ShopZone is a suite of software tools for building professional
ecommerce-enabled web sites. A stack-based buffer overflow
vulnerability exists in a ShopZone component, named WebC, which
could allow remote attackers to execute arbitrary code on ShopZone
servers. An exploit has been posted that is said to provide a remote
shell. The buffer overflow is triggered by an overlong URL provided
in a web request.

Risk: Remote compromise of servers running ShopZone, with the
privileges of the web server process.

Deployment: Moderate.
The vendor website links to a number of ecommerce sites said to be
running ShopZone.

Ease of Exploitation: Trivial.
Exploit code has been posted. The published exploit uses the
"Accept-Encoding" HTTP header field to load shellcode into the victim's
memory, and an overlong URL to trigger the overflow. (Request: GET
/cgi-bin/webc.cgi/g/..many chars...).
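
Both the Apache newline flood in item (2) and the WebC request
described here leave marks in the raw request that a sensor on a
network tap or a reverse proxy can pick out before either server has
to cope with them. The following is an added example, not code from
either advisory or vendor, that inspects one captured request for three
patterns grounded in the two descriptions: a flood of blank lines before
the request line, an overlong path aimed at a watched CGI, and an
Accept-Encoding header carrying bytes no real client sends. The
thresholds, the WATCHED_CGI list and the sample requests are all
assumptions constructed for the example.

```python
import re

# Thresholds are assumptions chosen for this example, not figures from the
# advisories; tune them to the traffic you actually see.
MAX_LEADING_BLANK_LINES = 100     # the published Apache exploits send thousands of CRLFs
MAX_PATH_LENGTH = 1024            # the WebC exploit uses a far longer URL than this
MAX_HEADER_VALUE_LENGTH = 512
WATCHED_CGI = (b"/cgi-bin/webc.cgi",)   # the component named in the WebC advisory

REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def count_leading_blank_lines(raw):
    """Return (count, offset) for the empty lines (CRLF or bare LF) that
    precede the request line in a raw request."""
    count = pos = 0
    while pos < len(raw):
        if raw.startswith(b"\r\n", pos):
            count, pos = count + 1, pos + 2
        elif raw.startswith(b"\n", pos):
            count, pos = count + 1, pos + 1
        else:
            break
    return count, pos


def inspect_request(raw):
    """Return a list of finding tags for one raw HTTP request (bytes); an
    empty list means nothing matched.  Tags:
      crlf-flood:N               N blank lines before the request line
                                 (the Apache 2.0 < 2.0.45 pattern)
      overlong-path:N            request path of N bytes, over MAX_PATH_LENGTH
      overlong-cgi-path:P        the same, aimed at watched CGI P (the WebC pattern)
      suspicious-accept-encoding non-printable bytes or excessive length in
                                 Accept-Encoding, where the WebC exploit
                                 carries its shellcode
      malformed-request-line     no parseable request line at all"""
    findings = []
    blank, pos = count_leading_blank_lines(raw)
    if blank > MAX_LEADING_BLANK_LINES:
        findings.append("crlf-flood:%d" % blank)
    lines = re.split(rb"\r?\n", raw[pos:])
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        findings.append("malformed-request-line")
        return findings
    path = m.group(2)
    if len(path) > MAX_PATH_LENGTH:
        findings.append("overlong-path:%d" % len(path))
        for cgi in WATCHED_CGI:
            if path.startswith(cgi):
                findings.append("overlong-cgi-path:%s" % cgi.decode())
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the headers
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"accept-encoding":
            value = value.strip()
            if (len(value) > MAX_HEADER_VALUE_LENGTH
                    or any(c < 0x20 or c > 0x7e for c in value)):
                findings.append("suspicious-accept-encoding")
                break
    return findings


# Constructed sample requests, not captured traffic.
BENIGN = (b"GET /index.html HTTP/1.0\r\nHost: shop.example\r\n"
          b"Accept-Encoding: gzip, deflate\r\n\r\n")
CRLF_FLOOD = b"\r\n" * 5000 + b"GET / HTTP/1.0\r\nHost: www.example\r\n\r\n"
WEBC_STYLE = (b"GET /cgi-bin/webc.cgi/g/" + b"A" * 3000 + b" HTTP/1.0\r\n"
              b"Host: shop.example\r\n"
              b"Accept-Encoding: " + bytes(range(0x80, 0x100)) + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("crlf flood", CRLF_FLOOD),
                       ("webc style", WEBC_STYLE)):
        print("%-11s %s" % (label, inspect_request(req)))
```

The Apache flood cannot be caught from the access log, since the
request may never complete, so this has to run on the byte stream (a
tap, an IDS preprocessor or a proxy that sees the raw request). A
handful of leading CRLFs is legal and common after a pipelined
request, which is why the check counts them rather than flagging the
first one; and a long path on its own is only a weak signal, which is
why the CGI-specific tag is the one worth alerting on.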

Status: Vendor confirmed. Upgraded versions of WebC fix the problem.

References:
SecurityFocus BID
http://www.securityfocus.com/bid/7268

Exploit Code
http://archives.neohapsis.com/archives/bugtraq/2003-04/0064.html

Vendor Website
http://www.automatedshops.com/

Upgrades for WebC
http://www.securityfocus.com/bid/7268/solution/

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

************************************************************

(6) MODERATE: Hyperion FTP Server Buffer Overflow

Affected Products:
Hyperion FTP Server version 3.0 for Windows 95/98/NT/2000/XP

Description:
The Hyperion FTP server is reported to contain a buffer overflow
vulnerability in handling long strings presented by the client when
the USER command is expected. A remote attacker can trigger the
overflow by connecting to the server port and immediately sending
more than 931 characters. The advisory indicates that the flaw may
be exploitable to execute attacker-supplied code.

Risk: Potential remote compromise of systems running Hyperion FTP
server, with the privileges of the server process.

Deployment: Small.
Hyperion is a shareware FTP server for Windows with many user-friendly
features.

Ease of Exploitation: Standard.
Vulnerability details have been provided, but an attacker must still
research and build a buffer overflow exploit.

Status: The advisory indicates vendor confirmation, and that the
problem has been fixed in the Hyperion FTP version currently available
for download from the vendor website. Users who installed Hyperion
FTP prior to April 4, 2003 are advised to upgrade.

References:
DataSEC Security Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-04/0143.html

Vendor Website
http://www.mollensoft.com/product2.htm

SecurityFocus BID
http://www.securityfocus.com/bid/7307

Council Site Actions:
The affected software is not in production or widespread use at any
of the council sites.

************************************************************

About the CVA Process and Council

The CVA is produced in four phases:
Phase 1: Neohapsis (www.neohapsis.com) director of research, Jeff
web sites as well as bugtraq and other sources of new vulnerability
information and compile what they believe to be a complete list of all
new vulnerabilities and major vulnerability announcements made during
the week. The SANS Institute and Network Computing Magazine vet the
list through the major system manufacturers and jointly publish it
every week as the Security Alert Consensus (SAC). Anyone may subscribe
to the SAC at http://www.sans.org/newlook/digests/SAC.htm

Phase 2: TippingPoint's Vicki Irwin culls the SAC list to extract the
vulnerabilities and announcements that demand immediate action. This
reduces the list from 30-50 each week down to under 10. Vicki has been
on the front lines of intrusion detection and vulnerability testing
for nearly six years and her work in the field is legendary.

Phase 3: Very technical security managers at fifteen of the largest
user organizations in the United States each review the "immediate
action" vulnerabilities and describe what they did or did not do
to protect their organizations. Council members include banks and
other financial organizations, government agencies, universities,
major research laboratories, ISPs, health care, manufacturers,
insurance companies and a couple more. The individual members have
direct responsibility for security for their systems and networks. All
were concerned that information about their security configuration
would leak out, and agreed to serve only if their identities were
not revealed.

Phase 4: SANS compiles the responses and identifies the items on which
the Council members took or are taking action, produces the weekly CVA,
and distributes it via email to all eligible persons.

**********************************************************************
Critical Vulnerability Analysis Scale Ratings

In ranking vulnerabilities several factors are taken into account,
such as:

- Is this a server or client compromise? At what privilege level?
- Is the affected product widely deployed?
- Is the problem found in default configurations/installations?
- Are the affected assets high value (e.g. databases, e-commerce servers)?
- Is the network infrastructure affected (DNS, routers, firewalls)?
- Is exploit code publicly available?
- Are technical vulnerability details available?
- How difficult is it to exploit the vulnerability?
- Does the attacker need to lure victims to a hostile server?

Based on the answers to these questions, vulnerabilities are ranked
as Critical, High, Moderate, or Low.

CRITICAL vulnerabilities are those where essentially all planets
align in favor of the attacker. These vulnerabilities typically
affect default installations of very widely deployed software, result
in root compromise of servers or infrastructure devices, and the
information required for exploitation (such as example exploit code)
is widely available to attackers. Further, exploitation is usually
straightforward, in the sense that the attacker does not need any
special knowledge about individual victims, and does not need to lure
a target user into performing any special functions.

HIGH vulnerabilities are usually issues that have the potential to
become CRITICAL, but have one or a few mitigating factors that make
exploitation less attractive to attackers. For example, vulnerabilities
that have many CRITICAL characteristics but are difficult to exploit,
do not result in elevated privileges, or have a minimally sized victim
pool are usually rated HIGH. Note that HIGH vulnerabilities where the
mitigating factor arises from a lack of technical exploit details will
become CRITICAL if these details are later made available. Thus, the
paranoid administrator will want to treat such HIGH vulnerabilities as
CRITICAL, if it is assumed that attackers always possess the necessary
exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped
in favor of the potential victim. Denial of service vulnerabilities
are typically rated MODERATE, since they do not result in compromise
of a target. Exploits that require an attacker to reside on the same
local network as a victim, only affect nonstandard configurations
or obscure applications, require the attacker to social engineer
individual victims, or where exploitation only provides very limited
access are likely to be rated MODERATE.

LOW vulnerabilities usually do not affect most administrators, and
exploitation is largely unattractive to attackers. Often these issues
require the attacker to already have some level of access to a target
(e.g. be able to execute arbitrary SQL queries, or be able to pop mail
from a mail server), require elaborate specialized attack scenarios,
and only result in limited damage to a target. Alternatively, a LOW
ranking may be applied when there is not enough information to fully
assess the implications of a vulnerability. For example, vendors often
imply that exploitation of a buffer overflow will only result in a
denial of service. However, many times such flaws are later shown
to allow for execution of attacker-supplied code. In these cases,
the issues are reported in order to alert security professionals to
the potential for deeper problems, but are ranked as LOW due to the
element of speculation.

Remediation Timescale
===================================
A vulnerability rating corresponds to the "threat level" of a
particular issue. Critical threats must be responded to most quickly,
as the potential for exploitation is high. The recommended response
time for each rating is given below. These recommendations
should be tailored according to the level of deployment of the affected
product at your organization.

CRITICAL: 48 hours
HIGH: 5 business days
MODERATE: 15 business days
LOW: At the administrator's discretion

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://www.sans.org/sansnews/
where you may also request subscriptions to any of SANS other free
newsletters.

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number or email address
(from the headers.) You will receive your personal URL via email.

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansrosans.org
for permission.
                         ==end==

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+mqkP+LUG5KFpTkYRAgv7AJ9qfQlbw5B6isEo9F/MqmBuQO0CpQCfdcKS
IE2M4yhG6PymDuZpPd0G/mo=
=8fSO
-----END PGP SIGNATURE-----