Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Security Express Archives: Network Computing Security Express #

Network Computing Security Express #022

Subject: Network Computing Security Express #022
From: Network Computing Express (expresslist.nwc.com)
Date: Thu Dec 02 1999 - 09:04:17 CST

Network Computing Security Express #022


-- Number 022 ------------------------------------------------------------

Welcome to the latest edition of Security Express! Below you'll find only the
information pertaining to the categories you requested.
Please bear in mind that you may have little or no information in
particular categories--this means no security problems pertaining to
those categories were found this week. If you have any problems or
questions, please e-mail us at expressnwc.com.

Enjoy Security Express!


Now you can get the scoop on the newest security products with Security
Express! Each week, you'll receive new security product announcements
from leaders in computer and information security. If you don't want
to receive this new source of security industry news, simply log in to
your existing Security Express newsletter profile page at:
http://www.0mm.com/express/login.html (that is zero-M-M ) and select the
"Check this box if you would NOT like to receive periodic product
announcements from security vendors" option.


Don't miss these exciting alerts on the latest security products!

If you have any problems or questions, please e-mail us at

If this e-mail was passed to you and you would like to begin receiving our
e-mail newsletter on a weekly basis, we invite you to subscribe today.
Just go to http://www.networkcomputing.com/express/ to become a Security
Express member.


Looking for the latest IT security news, trends and opinions...plus a
chance to discuss vital issues with other security experts like yourself?
Come to Planet IT's Security Technology Center. Planet IT is the
community for IT professionals. Visit the Security Tech Center at:


More confusion has risen concerning Service Pack 6a for Windows NT.
Microsoft has released a hot fix for SP6 users that will
bring the system to SP6a level. There was also an error in the
patch supplied for MS99-052 ("Legacy Credential Caching" vulnerability).
That puts Microsoft in the 'two out of four' category for recent patch
blunders. In the company's defense, it may be that there are just too many
vulnerabilities and patches to keep track of...

SuSE has developed a suite of open source tools, which include an FTP
proxy, firewall and utilities to audit and lock down linux
installations. http://www.suse.com

David Litchfield also has released the newest version of the free
NTInfoScan, now named Cerberus Internet Scanner.

Until next week,

-Security Express Team



Key Area: Windows
Key Element: Messaging

Gordano NTMail doesn't disable VRFY
Reports have indicated that Gordano's NTMail versions 4 and 5 do not
properly disable the VRFY command, even when instructed to do so by the
administration console. The VRFY command is typically abused to find
valid addresses for unsolicited commercial e-mail (spam).

-No patches have been made available. NTMail's home page:

Source: Bugtraq


Key Area: Windows
Key Element: Information Publishing

Denial of service in Bisonware FTP server
A denial of service has been found in BisonWare FTP Server version 3.5 that lets
an attacker send a long user name, which can cause the service to crash.

-No patches have been made available. Bisonware's homepage:

Source: Technotronic


Key Area: Windows
Key Element: Applications

Sun Netbeans/Forte allows file-system access
Sun Microsystem's Netbeans, recently renamed Forte, includes a Web
server for testing Java applets. However, it's been found that this
Web server lets a remote attacker access any file on the system.
Only the Windows NT version has been tested.

-No patches have been made available. A third party has recommended
setting the HTTP server "Enable" setting to "False" in the project
settings, or to remove the "HTTP Server" module in the global settings.

Source: Bugtraq


APC PowerChute denial of service APC PowerChute Plus version 5.1 for NT has been found to contain a denial of service, whereby an attacker can connect to Ports 6667 or 6668 and cause PowerChute to shut down.

-The problem has been fixed in version 5.2, due out in late December.

Source: NTBugtraq http://www.security-express.com/archives/ntbugtraq/0017.html


NT subst vulnerability A bug in Windows NT (tested with Workstation) lets an attacker remap drives with the "subst" command. The drive mappings remain in effect when the attacker logs off and when another user logs on. If the user has a login profile that maps to the same drive letter that the subst command has mapped, the login profile will silently fail. The end result is that the attacker can redirect drive usage to the local drive, and possibly capture data, and so on.

-No patches have been made available.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0140.html


Patch available for "IE Task Scheduler" Vulnerability Microsoft has released a patch for the "IE Task Scheduler" vulnerability, which allows a local user to submit a scheduled job to be run with LOCAL_SYSTEM privilege.

-FAQ and patch:

http://www.microsoft.com/security/bulletins/MS99-051faq.asp Source: Microsoft http://www.security-express.com/archives/vendor/0144.html


User can bypass system policies in Win 95 It is possible for a user to bypass the enforcement of system policies by entering an invalid domain name during logon. It has also been reported that this activity is improperly logged in the Windows NT event logs.

-No patches have been made available.

Source: NTBugtraq http://www.security-express.com/archives/ntbugtraq/0005.html http://www.security-express.com/archives/ntbugtraq/0013.html


Users may be able to bypass general disk quotas Reports indicate that it is possible for users to disable disk space quotas for their home directory. If the user has full control over his or her home directory folder, he or she can remove access to everyone but him or herself--the end result is that quota managers and software will not have access to check/enforce the disk quota within the folder.

-This is a general bug in various disk quota services. You should check if your particular package is affected.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0107.html


Information on SP6, SP6a, and the SP6 hot fix As reported, there was a regression error in SP6, which led Microsoft to produce SP6a. Microsoft also has provided a hot fix that will elevate SP6 machines to SP6a level.

-i386 hotfix: http://download.microsoft.com/download/winntsp/Patch/6.0a/NT4/EN-US/Q246009i.EXE Alpha hotfix: http://download.microsoft.com/download/winntsp/Patch/6.0a/ALPHA/EN-US/Q246009a.EXE

Source: NTBugtraq http://www.security-express.com/archives/ntbugtraq/0030.html


Buffer overflows in Alt-N's MDaemon and WorldClient A buffer overflow in Alt-N's WorldClient Server version and MDaemon version let a remote attacker crash the service and possibly execute arbitrary code.

-A fix is available at:

http://mdaemon.deerfield.com/helpdesk/hotfix.htm Source: Technotronic http://www.security-express.com/archives/hacker/0075.html http://www.security-express.com/archives/hacker/0076.html


Netscape buffer overflows and other vulnerabilities Many vulnerabilities have been uncovered in Netscape Navigator and Composer. Reports have indicated a buffer overflow in URL handling that may result in the execution of arbitrary code from a malicious Web site. Another bug lets frames access information contained within other frames, which may allow malicious Web sites to access user data. Lastly, Composer may crash or lead to execution to arbitrary code similar to the long URL vulnerability in Navigator.

The vulnerable versions reported have been 4.6, 4.7, and 4.01.

-No patches have been made available.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0115.html http://www.security-express.com/archives/bugtraq/0106.html


Patch available for "Legacy Credential Caching" vulnerability Microsoft has released a patch that corrects the "Legacy Credential Caching" vulnerability. The vulnerability lets a local user of a Windows 95 or 98 machine gain the authentication information of previous users of that particular system. Also note that, because of an error on Microsoft's part, the patch supplied prior to December 1 was the wrong patch. If you have downloaded the patch for MS99-052 prior to 12/1/99, you should confirm that it is the appropriate patch (most likely not--the patch link mistakingly pointed to the patch for MS99-049).

-FAQ and patch:

http://www.microsoft.com/security/bulletins/MS99-052faq.asp Source: Microsoft http://www.security-express.com/archives/vendor/0145.html


Key Area: Solaris

Key Element: Applications

Buffer overflow in kcms_configure

A buffer overflow has been found in kcms_configure where a local attacker can gain elevated privileges by placing a long string in the NETPATH environment variable. Note that this is not the same buffer overflow recently found in kcms_configure, where an attacker can overflow the string supplied with the '-P' option. An exploit has been published.

-No patches have been made available.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0133.html


dtmail, dtmailpr, and mailtool buffer overflows dtmail, dtmailpr and mailtool shipped with Solaris 7 (and believed 2.6 as well) are vulnerable to a buffer overflow that would let a local attacker elevate privileges to uid "mail." This means the attacker would have access to all user e-mail on the system. Exploits have been published.

-No patches have been made available.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0122.html


Key Area: Linux and BSD Key Element: Applications

FreeBSD sysinstall follows symlinks A symlink race condition was found in FreeBSD's/stand/sysinstall utility in versions of FreeBSD, prior to 3.0. sysinstall creates /tmp/doc.tmp, which an attacker can symlink to any file on the system, causing the target file to be overwritten.

-FreeBSD 3.0 and above fix this problem.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0062.html


Key Area: Other Key Element: Messaging

Patch available for sendmail local DoS via new aliases A patch for sendmail 8.9.3 has been released that will prevent a local denial of service whereby an attacker can corrupt the alias database, preventing sendmail from functioning.

-Patch is available here:

http://www.security-express.com/archives/bugtraq/0073.html Source: Sendmail (Bugtraq) http://www.security-express.com/archives/bugtraq/0073.html


qpop buffer overflow A buffer overflow has been found in qpop version 3.0b. Versions 2.52 and 2.53 are not vulnerable. The overflow lets an attacker gain remote access.

-No official patches have been made available. A third-party patch has been supplied; however, it is recommended that you use version 2.53 until a suitable (secure) version 3.0 is available.

http://www.security-express.com/archives/bugtraq/0135.html Source: Bugtraq http://www.security-express.com/archives/bugtraq/0135.html


Key Area: Other Key Element: Information Publishing

Oracle Web Listener allows access to restricted files A vulnerability in Oracle Web Listener version 2.1/1.20in2 on Solaris has been found that lets an attacker request restricted files. By substituting URL-encoded characters (e.g. %2E for a '.'), the server will allow access to a file that would otherwise require authentication. Other platforms and versions may also be vulnerable.

-No patches have been made available. A third party has recommended one solution:

http://www.security-express.com/archives/bugtraq/0129.html Source: Bugtraq http://www.security-express.com/archives/bugtraq/0108.html


inn denial of service A denial of service has been found in inn version 2.2.1 and below. An attacker can remotely crash the news service.

-SuSE has updated packages available: ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/inn-2.2.1-24.alpha.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/inn-2.2.1-24.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/inn-2.2.1-24.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/inn-2.2.1-23.i386.rpm You should check with your vendor for updates.

Source: SuSE



Key Area: Other Key Element: Applications

HP-US remote access to S/X/V console A vulnerability has been found in the HP9000 Series 800 S/X/V Class servers that lets a remote attacker access the S/X/V console via the Service Support Processor (SSP/Teststation).

-HP has a patch available:

ftp://us-ffs.external.hp.com/firmware_patches/hp/cpu/PF_CSXV1007 Source: Bugtraq http://www.security-express.com/archives/bugtraq/0085.html


SCO su vulnerability and patch SCO has released a patch for "su" that fixes a vulnerability where a local attacker can overflow the user name passed and gain root privileges.

-SCO has made SSE039 available:

ftp://ftp.sco.com/SSE/sse039.tar.Z Source: Technotronic, SCO http://www.security-express.com/archives/hacker/0078.html http://www.security-express.com/archives/bugtraq/0121.html


SCO Xsco and xlock buffer overflows Both Xsco and xlock contain buffer overflows that let a local attacker gain root privileges.

-No patches have been released. We suggest you remove the suid bits until a fix is available.

Source: Technotronic http://www.security-express.com/archives/hacker/0079.html http://www.security-express.com/archives/hacker/0080.html


FICS (Free Internet Chess Server) buffer overflow A buffer overflow has been found in the Free Internet Chess Server that may let an attacker gain remote access to the system.

-A patch has been made available:

http://www.security-express.com/archives/bugtraq/0132.html Source: Bugtraq http://www.security-express.com/archives/bugtraq/0132.html


Symantec Mail-Gear's web interface allows reading any file Symantec Mail-Gear version 1.0 includes a Web interface that lets attacker request on file on the system using the usual directory transversal notation ('../').

-Upgrade to Mail-Gear version 1.1 from:

http://www.symantec.com/urlabs/public/download/download.html Source: Technotronic http://www.security-express.com/archives/hacker/0081.html


Key Area: Network Hardware Key Element: Applications

Cobalt patches for sendmail Cobalt has released updated sendmail packages for all Qube and RaQ systems. It fixes a local denial of service vulnerability that could leave the aliases' database corrupted, preventing sendmail from working correctly.

--RaQ 3 ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm -RaQ 2 Qube 2 ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm -RaQ 1 Qube 1 ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

There are also installation notes for Qube 1 and RaQ 1 systems available at: http://www.security-express.com/archives/bugtraq/0093.html Source: Cobalt (Bugtraq) http://www.security-express.com/archives/bugtraq/0093.html


Key Area: Network Hardware Key Element: Network Level Security

Cabletron SmartSwitch denial of service The Cabletron SmartSwitch Router 8000 with firmware version 2.x has a bug in its ARP handler that is triggered when the SmartSwitch needs to handle more than 200 unique IP addresses in a second. This can easily be triggered by an attacker simply by sending many ICMP packets to different IP addresses. The result is that the SmartSwitch does not forward other traffic while attempting to handle the ARP requests/responses.

-Cabletron has released an updated (version 3.x) firmware which fixes this problem, available at:

http://www.cabletron.com/download/download.cgi?lib=ssr Source: Bugtraq http://www.security-express.com/archives/bugtraq/0094.html


Cisco NAT denial of service A bug has been found in IOS when used in conjuction with NAT. On some configurations, it is possible for an attacker to prevent access to the telnet configuration service of the router.

-Cisco is aware of the problem and in the process of making a patch.

Source: Bugtraq http://www.security-express.com/archives/bugtraq/0124.html

--------------------------------------------------------- If this e-mail was passed to you and you would like to begin receiving our e-mail newsletter on a weekly basis, we invite you to subscribe today. Just go to http://www.networkcomputing.com/express/ to become a Security Express member.

We'd like to know what you think about the newsletter and what information you'd like to see in future editions. E-mail your comments to mailto:expressnwc.com.

If you'd like to change your account information or unsubscribe from this newsletter please go to http://www.0mm.com/express/login.html.

Copyright 1999 CMP Media Inc. A service of Network Computing. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Network Computing, is prohibited.

Distributed by MessageMedia, Inc. -- http://www.messagemedia.com/

This archive was generated by hypermail 2b27 : Thu Dec 02 1999 - 09:04:21 CST