SANS Critical Vulnerability Analysis Vol 2 No 18
From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon May 12 2003 - 08:28:17 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
***********************************************************************
SANS Critical Vulnerability Analysis
May 12, 2003 Vol. 2. No. 18
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and provides
guidance on appropriate actions to protect your systems.
***********************************************************************
Table of Contents:
Widely Deployed Software
(1) HIGH: Windows Media Player Skin File Downloading Flaw
(2) MODERATE: Mirabilis ICQ Client Multiple Vulnerabilities
(3) MODERATE: Cisco VPN 3000 IPSec-over-TCP Vulnerability
Other Software
(4) HIGH: SLMail Multiple Buffer Overflows
(5) HIGH: SLWebMail Multiple Vulnerabilities
(6) HIGH: FTGatePro SMTP MAIL/RCPT Command Parameter Buffer Overflow
(7) HIGH: HappyMail e-Commerce CGI Command Execution
(8) MODERATE: Apache Module mod_auth_any Command Execution
************** This Issue Sponsored By VeriSign, Inc. *****************
Evaluating Managed Security Services: FREE White Paper Learn important
factors for properly and proactively securing your company's network
infrastructure, while reducing costs and improving security practices.
Click here for VeriSign's FREE White Paper on choosing Managed Security
Services:
https://www.verisign.com/cgi-bin/go.cgi?a=n38080126734776000
******************** Other Sponsored Links ***************************
Privacy notice: These links redirect to non-SANS web pages.
1. Are remote users leaving your network open to hackers? Find out in
PestPatrol's FREE whitepaper.
http://www.sans.org/cgi-bin/sanspromo/CVA49
- ----------------------------------------------
2. VanDyke Secure Shell solutions: strong security, interoperability,
and simplicity for the end user. VanDyke Software.
http://www.sans.org/cgi-bin/sanspromo/CVA50
***********************************************************************
Highlighted Training Program of the Week!
Monterey CA in June is simply spectacular - and this SANS program is
right on Fisherman's Wharf. SANS Computer Security Bootcamp 2003 is
the most intense learning environment that most people ever experience.
SANS pioneered immersion training for information security; this unique
process increases retention and comprehension, empowering you to put
what you are taught into practice. Tracks include SANS Security
Essentials and CISSP CBK, Firewalls, Intrusion Detection, Hacker
Techniques, Securing Windows, and the new best-seller, Auditing
Networks, Perimeters, and Systems.
http://www.sans.org/bootcamp03/
***********************************************************************
*******************************
Widely Deployed Software
*******************************
(1) HIGH: Windows Media Player Skin File Downloading Flaw
Affected Products:
Microsoft Windows Media Player 7.1
Microsoft Windows Media Player for Windows XP (Version 8.0)
Description:
Windows Media Player supports the use of skin files, which provide for
changing the look and feel of the player. When Media Player 7 or 8 is
installed, Internet Explorer automatically calls Media Player to download
and open skin files when they are encountered in a web page. A malicious
web server can manipulate the automatic skin file download process and
attack a client. The vulnerability arises due to Media Player's insecure
handling of hex-encoded characters, and allows a malicious server to
write arbitrary files to the client's local filesystem. The flaw can be
leveraged to download and execute hostile code. The attack can also be
delivered in an HTML email message, but most mail clients will require
the user to click on a link before fetching the skin file and exposing
the vulnerability.
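The root cause named above, traversal characters that survive in hex-encoded form until after the destination path has been checked, is common to many download handlers, not just Media Player. The Python below is an added example and is not code from the advisory, from Microsoft or from the exploit posting: save_path_vulnerable validates the server-supplied file name before percent-decoding it, so an encoded ../ walks out of the skin directory, while save_path_hardened decodes first (repeatedly, to defeat double encoding), refuses anything that is not a plain file name, and confirms the resolved path still lies inside the directory. The skin directory, the file names and the use of POSIX path rules are this example's assumptions; Media Player on Windows uses backslash paths and a different location.

```python
import posixpath
from urllib.parse import unquote

# Where downloaded skin files are stored: an assumption of this example.
SKIN_DIR = "/tmp/skins"


def _looks_safe(raw_name: str) -> bool:
    """The naive check: look for traversal in the name as received."""
    return ".." not in raw_name and "/" not in raw_name and "\\" not in raw_name


def save_path_vulnerable(server_supplied_name: str) -> str:
    """Check first, decode second. An encoded ../ (%2e%2e%2f) passes the
    check and is only turned into a real traversal afterwards."""
    if not _looks_safe(server_supplied_name):
        raise ValueError("rejected")
    decoded = unquote(server_supplied_name)
    return posixpath.normpath(posixpath.join(SKIN_DIR, decoded))


def _fully_decode(name: str) -> str:
    """Percent-decode until the string stops changing, so %252e%252e
    (a double-encoded ..) cannot survive a single decoding pass."""
    while True:
        again = unquote(name)
        if again == name:
            return name
        name = again


def save_path_hardened(server_supplied_name: str) -> str:
    """Decode first, then refuse anything that is not a plain file name,
    then confirm the resolved path still lies inside SKIN_DIR."""
    name = _fully_decode(server_supplied_name)
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("not a plain file name")
    candidate = posixpath.normpath(posixpath.join(SKIN_DIR, name))
    if posixpath.commonpath([SKIN_DIR, candidate]) != SKIN_DIR:
        raise ValueError("resolved path escapes the skin directory")
    return candidate


if __name__ == "__main__":
    # Constructed malicious name: ../../tmp/startup/evil.exe, hex-encoded.
    evil = "%2e%2e%2f%2e%2e%2ftmp%2fstartup%2fevil.exe"
    print("vulnerable writes to:", save_path_vulnerable(evil))
    try:
        save_path_hardened(evil)
    except ValueError as err:
        print("hardened refused:", err)
```

The order of operations is the whole point: any check applied to the still-encoded name is a check on a different string than the one the file system will see.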
Council Site Actions:
Most of the reporting council sites are responding to this
vulnerability. They will deploy the patches during their next regularly
scheduled system maintenance cycle. Several sites have chosen not to
take any action at this time. They feel their perimeter security and
anti-virus controls adequately protect them from this vulnerability.
One site said they have downloaded and experimented with the exploit to
observe its behavior.
Risk: Remote compromise of web clients that have installed an affected
version of Windows Media Player.
Deployment: Widely deployed.
Windows Media Player 9.0 is not affected.
Ease of Exploitation: Straightforward.
Example code provided in the advisory attempts to write an attacker
supplied executable to a victim's startup directory.
Status: Vendor confirmed, patches available.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS03-017.asp
Posting by Jouko Pynnonen
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0057.html
Posting by Jelmer (includes exploit code)
http://archives.neohapsis.com/archives/bugtraq/2003-05/0092.html
SecurityFocus BID
http://www.securityfocus.com/bid/7517
******************************************************************
(2) MODERATE: Mirabilis ICQ Client Multiple Vulnerabilities
Affected Products:
Mirabilis ICQ Pro client version 2003a and prior
Description:
The Mirabilis ICQ/POP3 client has been reported to contain multiple
remotely-exploitable vulnerabilities. The most serious flaws could allow
a malicious email message to execute arbitrary code on the system
running the Mirabilis POP3 client. Other problems allow a malicious
POP3 server to compromise the client, and allow an attacker to trick
the client into installing attacker-supplied code by manipulating the
"on-demand" software upgrade process.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. Most sites reported that no action was necessary. Two
sites notified the appropriate desktop support groups since they know
that, although the software is not officially supported, there are small
pockets of use.
Risk: Remote compromise of systems running the Mirabilis ICQ/POP3
client. Successful attackers gain the privileges of the user running the
vulnerable software.
Deployment: Widely deployed.
ICQ has hundreds of thousands of registered users.
Ease of Exploitation: Simple (DoS) / Unknown (code execution).
The advisory contains descriptions of how to trigger the flaws to crash
the client, but few details concerning code execution.
Status: These vulnerabilities have not been confirmed.
References:
Core Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0051.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/7461
http://www.securityfocus.com/bid/7462
http://www.securityfocus.com/bid/7463
http://www.securityfocus.com/bid/7464
http://www.securityfocus.com/bid/7465
http://www.securityfocus.com/bid/7466
Vendor Background Deployment Information
http://company.icq.com/info/icqstory.html
**************************************************************
(3) MODERATE: Cisco VPN 3000 IPSec-over-TCP Vulnerability
Affected Products:
Cisco VPN 3000 series Concentrator
Cisco VPN 3002 Hardware Client
Description:
The Cisco VPN 3000 series concentrator can be configured to allow
IPSec-over-TCP traffic on a particular TCP port. A vulnerability has
been discovered where the device will allow arbitrary traffic, not just
IPSec traffic, to enter the protected network on the selected TCP port.
Council Site Actions:
Five of the reporting council sites use Cisco VPN 3000 concentrators,
albeit in very small numbers (1 or 2 per site). One site has already
patched all of their concentrators. Two sites use an external vendor to
provide support for their concentrators and they are working with the
vendors to get the patches installed. One of these sites is using the
recommended workaround in the interim.
Risk: Breach of network perimeter. A remote attacker may access the
protected network without authentication.
Deployment: Significant.
The VPN 3000 series products are designed to support a range of
enterprise customers, from small businesses with 100 or fewer remote
access users to large organizations with up to 10,000 simultaneous
remote users.
Ease of Exploitation: Straightforward.
The attacker must discover what port the vulnerable device has been
configured to use for IPSec-over-TCP. Then the attacker can access
machines on the protected network using that destination port, provided
the attack traffic can be routed through the concentrator. For example,
if the concentrator was configured to use port 10000 as the
IPSec-over-TCP port, the attacker could contact internal machines on
port 10000.
Status: Vendor confirmed, software upgrades are available.
References:
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20030507-vpn3k.shtml
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0056.html
Cisco VPN 3000 Concentrator Product Page
http://www.cisco.com/warp/public/cc/pd/hb/vp3000/
SecurityFocus BID
http://www.securityfocus.com/bid/7516
*************************
Other Software
*************************
(4) HIGH: SLMail Multiple Buffer Overflows
Affected Products:
SLMail 5.1.0.4420 for Windows NT/2000
Description:
Remotely exploitable buffer overflow vulnerabilities have been
discovered in the SLMail SMTP, POP3 and POPPASSWD servers. The SMTP flaw
can be exploited by first greeting the server with EHLO and then sending
an ETRN command with an overlong argument. The POP3 vulnerability can
be exploited by supplying an overlong password during the authentication
process. The POPPASSWD server runs on port 106/tcp and may be exploited
by simply connecting to the server port and sending a very long string.
All overflows are stack-based and provide successful attackers with
Local System privileges.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.
Risk: Remote compromise of Windows systems running SLMail SMTP, POP3,
or POPPASSWD servers. Successful attackers gain privileges equivalent
to those of the operating system.
Deployment: Moderate.
SLMail is designed to be an affordable, security conscious email
management solution capable of scaling to large numbers of users.
Ease of Exploitation: Straightforward.
An attacker must craft a stack-based buffer overflow exploit.
Status: Vendor confirmed, patches and software upgrades are available.
In addition, the NGSSoftware advisory suggests limiting Internet access
to the POP3 and POPPASSWD servers, disabling ESMTP (provides immunity
to the ETRN overflow), and reconfiguring SLMail to run with reduced
privileges.
References:
NGSSoftware Insight Security Research Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0054.html
Vendor Website:
http://www.slmail.com
SecurityFocus BID
http://www.securityfocus.com/bid/7519
************************************************************
(5) HIGH: SLWebMail Multiple Vulnerabilities
Affected Products:
SLWebMail3 for Windows NT/2000
Description:
SLWebMail is a web-based email management system that is implemented as
an ISAPI extension for Microsoft IIS. Several of the SLWebMail DLLs
contain buffer overflow vulnerabilities. Remote attackers can exploit
the flaws by sending HTTP requests for the vulnerable DLL files and
supplying overlong values for specific parameter arguments. In addition,
other DLL problems allow an attacker to read files outside the web root
and discover absolute path information.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.
Risk: Remote compromise of IIS servers running SLWebMail at the
privilege level of the web server process. In the case of IIS running
on Windows NT, an attacker capable of exploiting a buffer overflow
condition would gain the privileges of the operating system.
Deployment: Moderate.
SLWebMail is a natural complement to SLMail, but also integrates with
other mail servers.
Ease of Exploitation: Unknown.
It has not been reported whether the buffer overflow vulnerabilities
can be exploited to execute attacker-supplied code.
Status: Vendor confirmed, software updates available.
References:
NGSSoftware Insight Security Research Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0055.html
Posting by HD Moore describing additional vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2003-05/0087.html
Vendor Website:
http://www.slmail.com
SecurityFocus BIDs:
http://www.securityfocus.com/bid/7511
http://www.securityfocus.com/bid/7513
http://www.securityfocus.com/bid/7524
http://www.securityfocus.com/bid/7527
http://www.securityfocus.com/bid/7528
******************************************************************
(6) HIGH: FTGatePro SMTP MAIL/RCPT Command Parameter Buffer Overflow
Affected Products:
Floosietek FTGatePro Mail Server v. 1.22 (1328)
Description:
The FTGatePro SMTP server contains a buffer overflow vulnerability in
handling large arguments in the 'MAIL FROM' and 'RCPT TO' SMTP commands.
A remote attacker could exploit the flaw to execute arbitrary code on
the server with Local System privileges.
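The SLMail flaws in (4) and this FTGatePro flaw have the same shape: the server copies an SMTP or POP3 command argument (ETRN, MAIL FROM, RCPT TO, PASS, or the first line sent to POPPASSWD) into a fixed stack buffer without a length check. Until the patches are on, a length check on the wire is the detection a practitioner can build today. The Python below is an added example, not code from NGSSoftware, Dennis Rand or either vendor: it scans the client half of a session (constructed transcripts here, not captured traffic) and flags arguments longer than the protocol allows. The thresholds are taken from RFC 5321 and RFC 1939; treating anything longer as an overflow probe, and the 512-octet ceiling for POPPASSWD, are this example's assumptions.

```python
import re
from typing import List, Optional, Tuple

# Length limits the detector enforces. RFC 5321 caps an SMTP command line at
# 512 octets, a path at 256 and a domain at 255; RFC 1939 caps a POP3
# argument at 40 characters. POPPASSWD has no RFC, so 512 is a guess.
SMTP_LINE_MAX = 512
SMTP_PATH_MAX = 256
SMTP_DOMAIN_MAX = 255
POP3_ARG_MAX = 40
POPPASSD_LINE_MAX = 512

Finding = Tuple[int, str, int]  # (line number, what was overlong, length)

_CMD = re.compile(r"^(?P<verb>[A-Za-z]{4})(?:\s+(?P<arg>.*))?$")


def _split(line: str) -> Tuple[Optional[str], str]:
    """Return (VERB, argument) for a four-letter command, else (None, '')."""
    m = _CMD.match(line)
    if not m:
        return None, ""
    return m.group("verb").upper(), (m.group("arg") or "")


def scan_smtp(lines: List[str]) -> List[Finding]:
    """Flag SMTP client lines whose command line, path or domain is overlong."""
    out: List[Finding] = []
    for n, line in enumerate(lines, 1):
        if len(line) > SMTP_LINE_MAX:
            out.append((n, "line", len(line)))
            continue
        verb, arg = _split(line)
        if verb in ("MAIL", "RCPT"):
            # argument is "FROM:<path>" or "TO:<path>"; measure the path part
            path = arg.split(":", 1)[1].strip() if ":" in arg else arg
            if len(path) > SMTP_PATH_MAX:
                out.append((n, f"{verb} path", len(path)))
        elif verb in ("EHLO", "HELO", "ETRN") and len(arg) > SMTP_DOMAIN_MAX:
            out.append((n, f"{verb} domain", len(arg)))
    return out


def scan_pop3(lines: List[str]) -> List[Finding]:
    """Flag POP3 USER/PASS arguments longer than the protocol allows."""
    out: List[Finding] = []
    for n, line in enumerate(lines, 1):
        verb, arg = _split(line)
        if verb in ("USER", "PASS") and len(arg) > POP3_ARG_MAX:
            out.append((n, f"{verb} arg", len(arg)))
    return out


def scan_poppassd(lines: List[str]) -> List[Finding]:
    """POPPASSWD is attacked with a bare long string, so any overlong line counts."""
    return [(n, "line", len(l)) for n, l in enumerate(lines, 1) if len(l) > POPPASSD_LINE_MAX]


# Constructed client transcripts (not captured traffic) for the three services.
SMTP_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<" + "C" * 300 + ">",   # path of 302 chars, line still < 512
    "RCPT TO:<bob@example.com>",
    "ETRN " + "B" * 1000,              # the SLMail ETRN pattern
    "QUIT",
]
POP3_SESSION = ["USER alice", "PASS " + "x" * 500, "QUIT"]
POPPASSD_SESSION = ["A" * 2000]


if __name__ == "__main__":
    for name, fn, session in (("smtp", scan_smtp, SMTP_SESSION),
                              ("pop3", scan_pop3, POP3_SESSION),
                              ("poppassd", scan_poppassd, POPPASSD_SESSION)):
        for line_no, what, length in fn(session):
            print(f"{name}: line {line_no}: {what} is {length} bytes")
```

Legitimate clients never come close to these limits, so the rule is cheap to run on a mail gateway's logs or in an IDS; the same length check also catches the SLWebMail and FTGatePro probes that arrive as overlong parameters rather than overlong SMTP paths if it is applied per argument rather than per line.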
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.
Risk: Remote compromise of Windows servers running FTGatePro. Successful
attackers gain privileges equivalent to those of the operating system.
Deployment: Moderate.
FTGatePro is a commercial mail server designed to meet the demanding
requirements of large organizations, ISPs, schools and charities. The
product has won several industry awards.
Ease of Exploitation: Unknown.
An attacker must craft a stack-based buffer overflow exploit.
Status: This vulnerability has been confirmed by the vendor, who has
released version 1.22 (Hotfix 1330).
References:
Security Advisory by Dennis Rand
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0052.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/7508
http://www.securityfocus.com/bid/7506
Vendor Web Pages
http://www.ftgate.com/content/57.htm
http://www.ftgate.com/content/47.htm
**************************************************************
(7) HIGH: HappyMail e-Commerce CGI Command Execution
Affected Products:
HappyMail versions 4.3 and 4.4
Description:
The HappyMail e-Commerce software has been reported to contain user
input validation vulnerabilities in two CGI scripts. A remote attacker
can exploit the flaws to execute arbitrary command line commands with
the privileges of the web server process. The published advisory
contains examples of how to remotely execute shell commands using only
a web browser.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.
Risk: Remote compromise of web servers running the HappyMail e-Commerce
software. Successful attackers gain the privileges of the web server
process.
Deployment: Moderate.
The product appears to have a significant deployed base in Korea.
Ease of Exploitation: Trivial.
The bugs can be exploited with a web browser and the advisory contains
examples showing how to execute commands.
Status: Vendor confirmed, patch available.
References:
Security Advisory from Korean CERT
http://securitytracker.com/alerts/2003/May/1006707.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0058.html
Vendor Webpage
http://happymall.happycgi.com/
Vendor Patch
http://happymall.happycgi.com/forum/forum_detail.cgi?thread=353
SecurityFocus BID
http://www.securityfocus.com/bid/7530
***************************************************************
(8) MODERATE: Apache Module mod_auth_any Command Execution
Affected Products:
mod_auth_any 1.2.2 included with
Red Hat Linux 7.2
Red Hat Linux 7.3
Description:
The mod_auth_any Apache module has been found to insecurely pass
user-supplied data to a command shell, allowing a remote attacker to
execute arbitrary command line commands under the privileges of the
webserver.
Council Site Actions:
Only two of the reporting council sites are affected by this
vulnerability. The first site has already forwarded the alert to the
appropriate support groups. The second site commented that the current
Apache configuration does not allow external programs to verify
passwords and their current network configuration protects production
internet facing systems.
Risk: Remote compromise of Apache servers running mod_auth_any. An
attacker can execute arbitrary shell commands with the privileges of
the web server process.
Deployment: Moderate.
This Apache module allows the Apache server to call arbitrary external
programs to verify passwords. This is not the standard configuration.
Ease of Exploitation: Straightforward.
The Red Hat advisory says that the vulnerability arises in how
mod_auth_any escapes shell characters (specifically ; and ") when
calling external programs via popen(). An attacker could inspect the
mod_auth_any source code changes to gain further technical details.
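Items (7) and (8) are both shell command injection: a user-supplied string reaches a command line that /bin/sh parses, and escaping a hand-picked set of metacharacters leaves others (the Red Hat advisory names ; and ") usable. The Python below is an added example, not mod_auth_any or HappyMail code: it writes a stand-in password-checking script to a temporary directory (a constructed checker with constructed credentials; the real external programs are not modelled), drives it the way a popen()-based module would, and then drives it again with an argument vector so no shell ever sees the user's input. The escape list in _escape_partial is illustrative and is not the module's actual list; the example assumes a POSIX sh is available.

```python
import os
import subprocess
import tempfile

# Stand-in for the external password program: exits 0 only for one fixed
# credential pair. Program and credentials are constructed for this example.
CHECKER_SRC = '#!/bin/sh\n[ "$1" = "alice" ] && [ "$2" = "s3cret" ]\n'


def _install_checker() -> str:
    """Write the checker script somewhere we can run it with sh."""
    path = os.path.join(tempfile.mkdtemp(prefix="checkpw-"), "checkpw.sh")
    with open(path, "w") as fh:
        fh.write(CHECKER_SRC)
    return path


CHECKER = _install_checker()
_QUIET = dict(stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _escape_partial(s: str) -> str:
    """Backslash-escape a hand-picked set of metacharacters. As in the flaw
    described above, ; and " are not on the list (illustrative list only)."""
    for ch in "`$|&":
        s = s.replace(ch, "\\" + ch)
    return s


def auth_vulnerable(user: str, password: str) -> bool:
    """popen() style: build one string and let /bin/sh parse it. A user name
    such as  x"; true #  closes the quote, ends the command, runs `true`
    (exit 0) and comments out the rest, so any password is accepted."""
    cmd = 'sh %s "%s" "%s"' % (CHECKER, _escape_partial(user), _escape_partial(password))
    return subprocess.run(cmd, shell=True, **_QUIET).returncode == 0


def auth_hardened(user: str, password: str) -> bool:
    """execv() style: each value is exactly one argv element. The checker
    sees the literal string  x"; true #  as $1 and simply rejects it."""
    return subprocess.run(["sh", CHECKER, user, password], **_QUIET).returncode == 0


if __name__ == "__main__":
    injected = 'x"; true #'
    print("vulnerable, injected user:", auth_vulnerable(injected, "wrong"))  # True
    print("hardened,   injected user:", auth_hardened(injected, "wrong"))    # False
```

If a shell cannot be avoided (the command comes from a configuration template, say), quote every interpolated value with shlex.quote rather than maintaining an escape list by hand; a list that is complete today is one new metacharacter away from the bug above.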
Status: Vendor confirmed, updated packages available.
References:
Red Hat Linux Security Advisory
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0049.html
SecurityFocus BID
http://www.securityfocus.com/bid/7448
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org for
permission.
==end==
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)
iD4DBQE+v4Gx+LUG5KFpTkYRAiAdAJ48DFcJZoZUHNJVWHhagZKV86QPiQCYpOX8
x9rmAz+fWrQaHd93ElTYkw==
=OZ7C
-----END PGP SIGNATURE-----