CORRECTED: SANS Critical Vulnerability Analysis Vol 2 No 23
From: The SANS Institute (CriticalVulnerabilityAnalysis@sans.org)
Date: Mon Jun 16 2003 - 13:38:21 CDT
***********************************************************************
SANS Critical Vulnerability Analysis
June 16, 2003 Vol. 2. No. 23
***********************************************************************
The weekly CVA prioritizes and summarizes the most important
vulnerabilities and attacks identified during the past week and provides
guidance on appropriate actions to protect your systems.
***********************************************************************
Table of Contents:
Widely Deployed Software
(1) LOW: OpenSSH Client Address Restriction Bypass
(2) LOW: Multiple Graphical FTP Client Buffer Overflows
Other Software
(3) HIGH: Various Xpressions.com Software SQL Injection
(4) HIGH: Advanced TFTP Server (atftpd) Filename Buffer Overflow
(5) HIGH: Novell Netware iChain Login Buffer Overflow
(6) HIGH: mnoGoSearch Buffer Overflows
(7) HIGH: ZenTrack PHP Code Execution Vulnerability
(8) MODERATE: MaxWebPortal CGI Multiple Vulnerabilities
(9) MODERATE: SpeakFreely Buffer Overflows
(10) LOW: Nokia GGSN Invalid TCP Option DoS
*************** Sponsored Links For This Week *************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Instantly stop DDoS attacks. Prevent worm propagation. Hands-on, online
demo--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/CVA62
--------------------------------------------------------
(2) Simplify secure file transfer! Download a white paper and free
evaluation software from VanDyke Software.
http://www.sans.org/cgi-bin/sanspromo/CVA63
***********************************************************************
Three Highlighted Training Programs!
(1) Nine Local Mentor Led Classes begin this week: SANS Security
Essentials + CISSP Domains (Track 1) in Boston, Houston, Raleigh,
Chicago and Johannesburg. Firewalls and Perimeter Protection (Track 2)
in Boston, Portland, St. Louis, and Singapore. These are evening
programs spread over several weeks, so you can fit them into even a very
busy schedule.
Course descriptions: http://www.sans.org/onlinetraining/mentor/
Contact sweil@sans.org for registration instructions or more information.
--------------------------------------------------------
(2) SANSFire 2003: The largest security training conference in Washington
this year. Nine great tracks, plus a major exposition, plus five extra
programs: Securing Apache, Honeypots, Business Law and Security,
Securing Windows With The Gold Standard, and Reverse Engineering
Malware, plus the National Information Assurance Leadership Conference
focusing on new developments in security standards.
Details: http://www.sans.org/sansfire03/index.php
--------------------------------------------------------
(3) London, June 23-28: Five of SANS most popular tracks right in London
at Hammersmith.
Details: http://www.sans.org/hammersmith03
***********************************************************************
*******************************
Widely Deployed Software
*******************************
(1) LOW: OpenSSH Client Address Restriction Bypass
Affected Products:
OpenSSH version 3.6.1 and prior (all available versions)
Description:
OpenSSH allows administrators to limit the set of IP addresses that are
permitted to connect to the SSH server. A vulnerability has been
discovered that allows attackers to bypass OpenSSH's IP-based access
controls and initiate an SSH connection from any remote address. To
exploit the flaw, an attacker must be able to control the reverse DNS
information for the attacking host -- the trick is to provide the IP
address of an allowed host as part of the reverse DNS hostname string.
Council Site Actions:
Most of the reporting council sites either do not use OpenSSH or, if they
do, do not use its IP-based access controls, enforcing such restrictions
at the network perimeter instead. Some of these sites still chose to
notify the appropriate administration groups.
One site that is using this product will initially enable the
VerifyReverseMapping option and then will patch the systems during the
next regular system update.
Another site has a few thousand systems that have the OpenSSH daemon
directly exposed to the Internet. They said that about a hundred of
these use the IP-based access control feature. However, they expect that
the likelihood of exploiting the vulnerability is low, and will not take
any action at this time. If a future OpenSSH version has a source-code
change that makes IP-based access control independent of DNS, they will
recommend that all systems be upgraded to that version.
Risk: An IP address that should be denied access to the SSH server will
be allowed to initiate a connection.
Deployment: Significant.
This vulnerability affects all installations of OpenSSH that utilize
the IP-based access control feature.
Ease of Exploitation: Straightforward.
A challenge arises in that the attacker must be able to control the
reverse DNS information for the attacking host. Further, if the target
server has "VerifyReverseMapping" enabled, the attacker must control
both the reverse and forward DNS information for the connecting client.
Status: Vendor confirmed. The OpenSSH developers recommend implementing
IP address-based filtering at the network perimeter to limit exposure
to attacks from the Internet. Further, enabling "VerifyReverseMapping"
(a server configuration setting that requires a client's forward and
reverse DNS information to match) makes exploitation more difficult.
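The matching logic at issue, as an added example that is not OpenSSH's own code: a simplified model of the host-pattern check behind restrictions such as the "from=" option in authorized_keys, in which an address pattern is compared with the reverse-DNS hostname as well as the peer address, beside a hardened version that compares address patterns with the socket address only. The pattern syntax, hostnames and addresses are constructed for the demonstration.

```python
import re


def wildcard_match(pattern: str, text: str) -> bool:
    """OpenSSH-style wildcard match: '*' matches any run of characters,
    '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def is_address_pattern(pattern: str) -> bool:
    """A pattern made only of digits, dots and wildcards names an IPv4
    address or range and should never be satisfied by a hostname."""
    return re.fullmatch(r"[0-9.*?]+", pattern) is not None


def _evaluate(pattern_list: str, candidates) -> bool:
    """Walk a comma-separated list. A matching negated pattern ('!pat')
    denies immediately; otherwise any matching positive pattern allows.
    candidates(pat) yields the strings a pattern may be compared with."""
    allowed = False
    for item in pattern_list.split(","):
        negate = item.startswith("!")
        pat = item[1:] if negate else item
        if any(wildcard_match(pat, text) for text in candidates(pat)):
            if negate:
                return False
            allowed = True
    return allowed


def match_flawed(host: str, ip: str, pattern_list: str) -> bool:
    """Model of the vulnerable check: every pattern is tried against both
    the reverse-DNS name and the peer address, so '10.0.0.*' is satisfied
    by a PTR record reading '10.0.0.5.attacker.example'."""
    return _evaluate(pattern_list, lambda pat: (host, ip))


def match_hardened(host: str, ip: str, pattern_list: str) -> bool:
    """Hardened check: address patterns are compared only with the address
    taken from the socket; hostname patterns only with the name."""
    return _evaluate(pattern_list,
                     lambda pat: (ip,) if is_address_pattern(pat) else (host,))


def demo() -> dict:
    """Constructed scenario: allow the 10.0.0.* range and *.corp.example,
    except one host. Returns (flawed, hardened) verdicts per case."""
    allowed = "10.0.0.*,*.corp.example,!bad.corp.example"
    cases = {
        "office_host": ("client.corp.example", "10.0.0.5"),
        "spoofed_ptr": ("10.0.0.5.attacker.example", "198.51.100.7"),
        "denied_host": ("bad.corp.example", "203.0.113.4"),
    }
    return {name: (match_flawed(h, a, allowed), match_hardened(h, a, allowed))
            for name, (h, a) in cases.items()}
```

Hostname patterns still depend on what reverse DNS returns, which is why the perimeter filtering and VerifyReverseMapping recommended above remain necessary even with the hardened comparison.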
References:
Welkyn Security Advisory
http://archives.neohapsis.com/archives/bugtraq/2003-06/0038.html
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/978316
OpenSSH Homepage
http://www.openssh.org/
SecurityFocus BID
http://www.securityfocus.com/bid/7831
****************************************************************
(2) LOW: Multiple Graphical FTP Client Buffer Overflows
Affected Products (versions prior to those listed below may also be
vulnerable):
FlashFXP 2.0 build 905
SmartFTP 1.0.973
LeapFTP 2.7.3.600
FTP Voyager 10.0.0.0
Description:
Multiple third-party graphical FTP clients contain various buffer
overflows that allow a malicious FTP server to execute arbitrary code
on the client system. The list below describes the type of server data
that triggers the overflow for each affected client application, and
indicates whether the overflow is stack-based or heap-based.
(1) FlashFXP 2.0 build 905
- Server response to a client's PASV command (stack)
- Overlong hostname provided by server (stack)
(2) SmartFTP 1.0.973
- Server response to a client's PWD command (stack)
- Server response to a client's LIST command (heap)
(3) LeapFTP 2.7.3.600
- Server response to a client's PASV command (stack)
(4) FTP Voyager 10.0.0.0
- Server response to a client's LIST command (stack)
Council Site Actions:
Only two of the reporting council sites are running the affected
software. Both sites commented that the product is not supported by
their central IT support departments; however, they are aware that users
have downloaded and installed the software. One site notified their
systems support group, but no other action is planned since the software
is not supported. The other site is not taking any action.
Risk: Remote compromise of an FTP client system by a malicious FTP
server. Successful attackers gain the privileges of the user running
the client program.
Deployment: Significant.
According to CNet/Download.com on 6/12/03, the affected client software
has been collectively downloaded more than 7 million times.
FlashFXP: 619,289 downloads
SmartFTP: 2,361,990 downloads
LeapFTP: 262,167 downloads
FTP Voyager: 4,519,874 downloads
Ease of Exploitation: Straightforward.
Most overflows are stack-based, and sufficient details are available
for an attacker to begin crafting exploit code.
Status: In all cases the advisories indicate that the vendor has
released fixed versions of the affected software.
References:
FlashFXP 2.0 build 905
http://archives.neohapsis.com/archives/bugtraq/2003-06/0081.html
http://www.flashfxp.com/
http://www.securityfocus.com/bid/7857
http://www.securityfocus.com/bid/7859
http://download.com.com/3000-2160-8271891.html?tag=lst-0-1
SmartFTP 1.0.973
http://archives.neohapsis.com/archives/bugtraq/2003-06/0083.html
http://www.smartftp.com/
http://www.securityfocus.com/bid/7858
http://www.securityfocus.com/bid/7861
http://download.com.com/3000-2160-10190184.html?tag=lst-0-1
LeapFTP 2.7.3.600
http://archives.neohapsis.com/archives/bugtraq/2003-06/0080.html
http://www.leapware.com/
http://www.securityfocus.com/bid/7860
http://download.com.com/3000-2160-5846380.html
FTP Voyager 10.0.0.0
http://archives.neohapsis.com/archives/bugtraq/2003-06/0077.html
http://www.rhinosoft.com/
http://www.securityfocus.com/bid/7862
http://download.com.com/3000-2160-10202123.html?tag=lst-0-1
***************************
Other Software
***************************
(3) HIGH: Various Xpressions.com Software SQL Injection
Affected Software:
Various Xpressions.com software suites including eVision, FlowerLink,
TrueConnect, and Website Integration
Description:
Multiple Xpressions.com software suites have been reported vulnerable
to SQL injection attacks in the administrative login page. By supplying
a specially crafted value for the password, a remote attacker can trick
the server into granting administrative rights. Successful attackers
would be able to manage the Xpressions e-commerce/enterprise application
and gain control of the back end database.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote attackers can bypass authentication and gain administrative
control over the Xpressions application.
Deployment: Moderate.
Xpressions.com is a commercial provider of e-commerce and enterprise
software.
Ease of Exploitation: Trivial.
An example showing how to exploit the flaw to bypass a server's
authentication mechanism has been posted.
Status: This vulnerability has not been confirmed.
References:
Posting by Paul Craig
http://archives.neohapsis.com/archives/bugtraq/2003-06/0026.html
Vendor Product Page
http://www.xpressions.com/solutions/enterprise/
Login Page Demo
http://www.flowertools.com/manage/login.asp
SecurityFocus BID
http://www.securityfocus.com/bid/7804
****************************************************************
(4) HIGH: Advanced TFTP Server (atftpd) Filename Buffer Overflow
Affected Products:
atftpd 0.6.0
atftpd 0.6.1.1
Description:
The atftpd TFTP server contains a buffer overflow in the handling of
large filenames supplied in a client request. A remote attacker can
exploit the vulnerability to execute arbitrary code with the privileges
of the server process, possibly root. Proof of concept exploit code has
been posted for the version of atftpd distributed with Debian 3.0.
Council Site Actions:
Only one council site commented on this vulnerability. They do not have
any production installations, but there are some limited labs or
unsupported installations at their site. They have notified the
appropriate systems support group but do not plan further action at this
time.
Risk: Remote compromise of systems running atftpd. Successful
attackers gain the privileges of the vulnerable daemon.
Deployment: Small.
The affected software is distributed with some versions of the Linux
operating system but is not enabled by default. Most networks do not
expose TFTP services to the Internet.
Ease of Exploitation: Simple.
Proof of concept exploit code has been posted.
Status: Vendor confirmed. Debian and Gentoo Linux have released updated
atftpd packages that fix the vulnerability.
References:
Posting by Rick Patel (discovered the bug)
http://archives.neohapsis.com/archives/vuln-dev/2003-q2/0232.html
Posting by gz (exploit)
http://archives.neohapsis.com/archives/bugtraq/2003-06/0056.html
SecurityFocus BID
http://www.securityfocus.com/bid/7819/info/
****************************************************************
(5) HIGH: Novell Netware iChain Login Buffer Overflow
Affected Products:
Novell Netware iChain versions 2.1 and 2.2
Description:
Novell's iChain server allows an administrator to centrally manage
individual user access privileges for multiple applications and
resources distributed throughout a network. The iChain server's
administrative interface contains a buffer overflow vulnerability in
handling large usernames presented during the authentication process.
Remote attackers can exploit the flaw to crash the iChain server or
possibly execute arbitrary code. Successful compromise would provide an
attacker with administrative access to the iChain server and hence full
access to the network's protected resources. Note that iChain 2.2 also
contains a second vulnerability: An unnecessary listening service bound
to port 6901 allows remote unauthenticated access to restricted/secure
documents.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of systems running iChain, and potential
compromise of network resources for which iChain provides access
control.
Deployment: Moderate.
According to the vendor website, iChain is a key component of Novell
Secure Access, Novell's comprehensive security suite.
Ease of Exploitation: Straightforward.
The discoverer of the bug states that the overflow is easily exploited,
and notes that only the login form (which can be modified by the client)
places a restriction on the length of the username.
Status: Vendor confirmed, patches available.
References:
Novell Announcement (iChain 2.1 Field Patch 3)
http://archives.neohapsis.com/archives/bugtraq/2003-06/0052.html
Novell Announcement (iChain 2.2 Field Patch 1a)
http://archives.neohapsis.com/archives/bugtraq/2003-06/0053.html
Posting by Axel Dunkel (discovered the bug)
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010190.html
SecurityFocus BID: Username Buffer Overflow
http://www.securityfocus.com/bid/7839
SecurityFocus BID: Unauthorized Resource Access
http://www.securityfocus.com/bid/7840
Vendor Product Description
http://www.novell.com/products/ichain/quicklook.html
****************************************************************
(6) HIGH: mnoGoSearch Buffer Overflows
Affected Products:
mnoGoSearch 3.2.10 for Unix (current version)
mnoGoSearch 3.1.20 for Unix (older version)
Description:
Different but equally serious buffer overflows have been discovered in
two versions of mnoGoSearch for UNIX, a free search engine software
package for webservers. The flaws can be exploited by crafting a web
request for "search.cgi" that supplies overlong data in the "ul" or
"tmplt" parameters. The vulnerability allows for arbitrary code
execution with the privileges of the server process. Proof of concept
exploit code has been posted for both overflows.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of web servers running mnoGoSearch. Successful
attackers gain the privileges of the server process.
Deployment: Moderate.
The vendor website links to over 100 sites that are using mnoGoSearch
software, but it is unclear how many sites are using the UNIX version
versus the Windows version, which was not reported vulnerable. However,
spot-checking multiple servers from the list only revealed machines
running UNIX, indicating that the vulnerability may be present in the
majority of installations.
Ease of Exploitation: Simple.
Proof of concept exploit code has been posted for Linux.
Status: The advisory indicates vendor confirmation, and that a fixed
version is available from the mnoGoSearch CVS tree at the vendor
website.
References:
Advisory and Exploit Code by pokleyzz
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010221.html
http://lists.netsys.com/pipermail/full-disclosure/2003-June/010225.html
Vendor Product Page
http://www.mnogosearch.org/
SecurityFocus BIDs
http://www.securityfocus.com/bid/7866 (tmplt overflow)
http://www.securityfocus.com/bid/7865 (ul overflow)
****************************************************************
(7) HIGH: ZenTrack PHP Code Execution Vulnerability
Affected Products:
ZenTrack 2.4.1 and prior
Description:
ZenTrack is an open source software package for tracking projects,
issues, customer requests, etc. The package provides a web-based user
interface written in PHP and relies on a back-end database. By sending
a specially crafted web request, an attacker can cause the server to
read and execute arbitrary PHP code supplied by a remote server under
the attacker's control.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of systems running ZenTrack with the privileges
of the web server process.
Deployment: Small.
ZenTrack is an actively maintained open source project that is
considered to be in the production/stable development phase.
Ease of Exploitation: Simple.
Sufficient details have been posted for an attacker to craft an exploit.
Status: Vendor confirmed, fixed software has been released.
References:
Posting by Farking
http://archives.neohapsis.com/archives/bugtraq/2003-06/0055.html
Posting by gr00vy
http://archives.neohapsis.com/archives/bugtraq/2003-06/0062.html
ZenTrack Home Page
http://zendocs.phpzen.net/bin/view/Zentrack/IndexPage
Vendor Security Patch
http://zendocs.phpzen.net/bin/view/Zentrack/SecurityConfigOverride
SecurityFocus BID
http://www.securityfocus.com/bid/7843
****************************************************************
(8) MODERATE: MaxWebPortal CGI Multiple Vulnerabilities
Affected Products:
MaxWebPortal CGI suite version 1.30
Description:
MaxWebPortal, an open source "online community" software application
for web servers, contains multiple vulnerabilities. The most severe
problem allows any user to reset the administrator password to a string
of their choosing. MaxWebPortal communities are typically open to the
public, meaning any person with malicious intent can register as a user
and take advantage of the vulnerability.
Council Site Actions:
One site has notified their web support group, but has no plans for
future action at this time. The remaining council sites are not running
the affected software; thus no action is necessary.
Risk: A remote attacker can gain administrative control of the
MaxWebPortal application.
Deployment: Moderate.
The MaxWebPortal website has over 17,000 registered users. The software
runs on both Windows and Linux and integrates with the MySQL, Microsoft
Access and MS SQL Server databases.
Ease of Exploitation: Simple.
Sufficient details have been posted for an attacker to exploit the
vulnerability. The attacker must register as a user and then request a
forgotten password. The attacker is then directed to a password reset
page. The reset page may be modified offline to specify the
administrator's member ID rather than the user's own. The new password
submitted via the modified reset page is then assigned to the
administrator.
Status: Vendor appears to have confirmed. MaxWebPortal version 1.310,
a bug fix release thought to contain the fixes, was made available on
June 15, 2003.
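The password-reset flaw described above beside a hardened reset flow, as an added example that is not MaxWebPortal's own code: the flawed handler trusts the member ID posted back from the reset page, while the hardened one binds an unguessable single-use token to the requesting account on the server and ignores any member ID the client supplies. The member table, member IDs, form field names and token scheme are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash for the demo member table (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Portal:
    """Constructed in-memory stand-in for the portal's member table."""

    def __init__(self):
        self.members = {}        # member_id -> (salt, password_hash)
        self.reset_tokens = {}   # opaque token -> member_id (single use)

    def set_password(self, member_id: int, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.members[member_id] = (salt, _hash(password, salt))

    def check_password(self, member_id: int, password: str) -> bool:
        salt, stored = self.members[member_id]
        return hmac.compare_digest(stored, _hash(password, salt))

    # Flawed flow: the reset page carries the member ID as a form field and
    # the handler trusts it, so a page edited offline lets any registered
    # user choose whose password is replaced.
    def reset_flawed(self, form: dict) -> bool:
        member_id = int(form["member_id"])
        if member_id not in self.members:
            return False
        self.set_password(member_id, form["new_password"])
        return True

    # Hardened flow: the forgotten-password request mints a random token
    # bound server-side to the requesting account (delivered out of band);
    # the reset handler derives the account from the token alone.
    def request_reset(self, member_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = member_id
        return token

    def reset_hardened(self, form: dict) -> bool:
        member_id = self.reset_tokens.pop(form.get("token", ""), None)
        if member_id is None:          # unknown, already used, or missing
            return False
        self.set_password(member_id, form["new_password"])
        return True


def demo() -> dict:
    """Admin is member 1; a self-registered user is member 2, who requests a
    reset and posts a tampered form naming member 1. Returns whether the
    admin password survived under each flow."""
    results = {}
    for flow in ("flawed", "hardened"):
        portal = Portal()
        portal.set_password(1, "admin-secret")
        portal.set_password(2, "user-pw")
        token = portal.request_reset(2)
        tampered = {"token": token, "member_id": "1", "new_password": "pwned"}
        if flow == "flawed":
            portal.reset_flawed(tampered)
        else:
            portal.reset_hardened(tampered)
        results[flow] = portal.check_password(1, "admin-secret")
    return results  # {"flawed": False, "hardened": True}
```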
References:
Posting by JeiAir
http://archives.neohapsis.com/archives/bugtraq/2003-06/0048.html
Vendor Product Page
http://www.maxwebportal.com/
SecurityFocus BID
http://www.securityfocus.com/bid/7837
****************************************************************
(9) MODERATE: SpeakFreely Buffer Overflows
Affected Products:
SpeakFreely software suite versions prior to 7.6
Description:
SpeakFreely is an open source Internet telephony application that runs
on Linux and Windows and supports a variety of encryption options. The
application listens on UDP ports 2074 and 2075 (data and control
channels, respectively). A remote attacker can send a specially crafted
packet to either of these ports and trigger a buffer overflow that may
be exploited to execute arbitrary code. Other less severe
vulnerabilities have also been reported.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Remote compromise of systems running SpeakFreely, at the privilege
level of the SpeakFreely server process.
Deployment: Small.
SpeakFreely is open source software developed by Fourmilab Switzerland
that appears to have an active and sizable user community.
Ease of Exploitation: Straightforward.
These are stack-based buffer overflows, and sufficient details are
available for an attacker to begin crafting an exploit.
Status: The advisory indicates vendor confirmation, and that the
problems are fixed in version 7.6-A2 and later.
References:
Posting by Fozzy of Hackademy
http://archives.neohapsis.com/archives/bugtraq/2003-06/0057.html
Technical Details (extracted from v. 7.6-A2 release notes, some
additional comments have been added by Hackademy)
http://archives.neohapsis.com/archives/bugtraq/2003-06/att-0057/speakfreely_advisory_atttachement.txt
Vendor Product Page
http://www.fourmilab.ch/speakfree/
SecurityFocus BID
http://www.securityfocus.com/bid/7846
****************************************************************
(10) LOW: Nokia GGSN Invalid TCP Option DoS
Affected Products:
Nokia GGSN (IP650 Based)
Description:
Nokia's GGSN platform serves as a gateway in connecting General Packet
Radio Service (GPRS) networks to external IP networks. GPRS is a
non-voice IP-based service that allows information to be sent and
received across mobile telephone networks. A remote attacker can cause
a GGSN gateway to crash, which may result in a loss of GPRS connectivity
throughout the mobile phone network. The attack is accomplished by
sourcing a packet with an invalid TCP option (0xFF) from the GPRS
network, such that the packet will be handled by the GGSN gateway.
Council Site Actions:
The affected software is not in production or widespread use at any of
the council sites. They reported that no action was necessary.
Risk: Denial of service caused by loss of external connectivity to an
entire GPRS mobile telephone network.
Deployment: Small.
The advisory indicates that all vulnerable operators have already been
contacted and have patched their systems accordingly.
Ease of Exploitation: Challenging.
While it is simple to craft the malformed TCP packets, the attacker
still must be able to connect to a mobile telephone network that
supports GPRS and be able to send packets that will be handled by a
vulnerable GGSN gateway.
Status: This vulnerability has been confirmed by the vendor and a fix
has been issued.
References:
Advisory by @stake
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0098.html
SecurityFocus BID
http://www.securityfocus.com/bid/7854
Background on GPRS
http://www.gsmworld.com/technology/gprs/intro.shtml
Nokia GGSN Product Page
http://www.nokia.com/networks/product_catalog/pc_product_highlights/1,6929,,00.html?prod_id=NWS00032&path=tmcat&mcat=45781&scat=48249&tech_id=521
******************************************************************
Subscriptions: The CVA is distributed free of charge to people
responsible for securing information systems and networks. You may
forward this newsletter to any people with such responsibility inside
or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2003. All rights reserved. No copying, forwarding, or reuse
allowed, other than those listed in the preceding paragraph, without
written permission from the SANS Institute. Email sansro@sans.org for
permission.