Subject: Security Alert Consensus #045
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 18 2000 - 13:22:21 CDT



Re: Your personalized newsletter

                     -- Security Alert Consensus --
                            Number 045 (00.21)
                         Thursday, May 18, 2000
                           Created for you by
                Network Computing and the SANS Institute

------------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find only the information pertaining to the categories you
requested. If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.

-----------------------------------------------------------------------

This issue sponsored by Symantec Corp.

New Enterprise Security Web Site Launched!
Symantec provides content security solutions including antivirus,
Internet content/e-mail filtering and mobile code detection. For
up-to-the-minute information regarding enterprise security issues you
are facing, visit our Web site at:
http://www.symantec.com/specprog/sym/08302000.html

-----------------------------------------------------------------------

SecurityFocus has released some interesting statistics concerning the
vulnerabilities found in the past few years. If you have the time take
a peek at them.
http://www.securityfocus.com/frames/?content=/vdb/stats.html

In response to the I Love You virus, Microsoft is releasing the Outlook
Email Security Update, which will actually remove functionality for the
sake of security. It is available from
http://officeupdate.microsoft.com

Until next week,
Security Alert Consensus Team

------------------------------------------------------------------------

TABLE OF CONTENTS:

--> {00.21.005} MS00-031: Undelimited .HTR Request and File Fragment
                Reading via .HTR patch
--> {00.21.006} MS00-030: "Malformed Extension Data in URL"
                Vulnerability
--> {00.21.007} MS00-034: "Office 2000 UA Control" Vulnerability
--> {00.21.008} IIS IISADMPWD DoS
--> {00.21.009} NTmail unrestricted web proxy
--> {00.21.012} Netscape static /tmp file creation
--> {00.21.015} Win2K EFS decryption/compromise
--> {00.21.017} Outlook Express graphic filename buffer overflow
--> {00.21.019} Update to {00.18.011}: UDP source port 67 bypasses
                ZoneAlarm
--> {00.21.020} IE misinterpreted domain handling
--> {00.21.025} Remote command execution via calendar.pl
--> {00.21.027} Bypass EMURL authentication
--> {00.21.028} MS SQL server xp_sprintf buffer overflow
--> {00.21.029} Remote DoS in CProxy
--> {00.21.030} Delphi ICS HTTP arbitrary file retrieval
--> {00.21.004} ssh PAM authentication vulnerability
--> {00.21.001} FreeBSD libmytinfo TERMCAP buffer overflow
--> {00.21.002} golddig FreeBSD port allows overwriting of arbitrary
                local files
--> {00.21.018} netpr local buffer overflow
--> {00.21.010} Update to {00.19.004}: Cisco HTTP %% causes router to
                reload
--> {00.21.016} NetStructure/iPivot console backdoor administrative
                logins
--> {00.21.003} Netscape Navigator SSL authentication reuse
                vulnerability
--> {00.21.011} Environment information available via FormMail
--> {00.21.013} knapster/gnapster remote file retrieval
--> {00.21.014} Unchecked system() call in Bugzilla
--> {00.21.021} Update to {00.19.015}: FileMaker Pro unrestricted data
                retrieval
--> {00.21.022} Allmanage CGI vulnerabilities
--> {00.21.023} kscd SHELL local compromise
--> {00.21.024} Remote buffer overflow in AntiSniff
--> {00.21.026} Remote command execution via George Burgyan counter CGI

--- Windows News -------------------------------------------------------

--> {00.21.005} MS00-031: Undelimited .HTR Request and File Fragment
                Reading via .HTR patch

Microsoft has released MS00-031 ("Patch Available for Undelimited .HTR
Request and File Fragment Reading via .HTR Vulnerabilities") for IIS
versions 4 and 5; the patch corrects a denial of service situation and
a vulnerability that lets a malicious remote user view content fragments
of files.

Patch and FAQ:
http://www.microsoft.com/technet/security/bulletin/fq00-031.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0021.html

--> {00.21.006} MS00-030: "Malformed Extension Data in URL"
                Vulnerability

Microsoft has released MS00-030 ("Patch Available for Malformed
Extension Data in URL Vulnerability"), which fixes a denial of service
situation in IIS versions 4 and 5. The vulnerability is caused by improper
handling of subresource/path_segment identifiers (defined in RFC 2396).

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-030.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0022.html

--> {00.21.007} MS00-034: "Office 2000 UA Control" Vulnerability

Microsoft has released MS00-034 ("Patch Available for Office 2000 UA
Control Vulnerability"). The vulnerability exists in all Office 2000
products. Basically, Office 2000 installs the Office UA control and
marks it safe for scripting. A malicious Web site or e-mail can make
use of this control to harm the user's computer.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/fq00-034.asp

Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q2/0023.html

--> {00.21.008} IIS IISADMPWD DoS

Internet Information Server versions 4 and 5 come with a virtual
directory, named IISADMPWD, that is a mechanism for changing passwords
over the Web. If this directory is installed, it's possible to remotely
perform a denial of service on the system, causing the Web service to
reach 100 percent CPU utilization. A reboot is needed to correct the
problem.

Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20905

Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903

Source: ISS
http://archives.neohapsis.com/archives/iss/2000-q2/0169.html

--> {00.21.009} NTmail unrestricted web proxy

NTmail version 5.x comes with an administrative Web interface, running
on Port 8000. This included Web server can be used as an unrestricted
HTTP proxy.

No patches have been made available.

Source: win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0098.html

--> {00.21.012} Netscape static /tmp file creation

Netscape version 4.73 and prior creates a temporary file with a static,
predictable name during the certificate import process. This allows a
symlink attack to overwrite files with the privileges of the UID running
the Netscape process.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0126.html

--> {00.21.015} Win2K EFS decryption/compromise

Not necessarily a vulnerability, but more of a concern: When using EFS
on Windows 2000, the default action of SYSKEY is to store the system
key in the registry. It is possible for someone to compromise the
system, retrieve this key and decrypt the file system.

No patches have been made available. This is more of a configuration
issue than anything else. Concerned parties should use an alternate
SYSKEY storage method.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0112.html

--> {00.21.017} Outlook Express graphic filename buffer overflow

Outlook Express version 4.x has a remotely exploitable buffer overflow
caused by a long file name with a graphic (.gif, .jpg) extension.

No patches have been released.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0140.html

--> {00.21.019} Update to {00.18.011}: UDP source port 67 bypasses
                ZoneAlarm

ZoneLabs has released an update to {00.18.011} ("UDP source port 67
bypasses ZoneAlarm"). The update fixes a vulnerability where UDP packets
with a source port of 67 were not logged.

Download the update at:
http://www.zonelabs.com/download_ZA.htm

Source: ZoneLabs (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-05/0151.html

--> {00.21.020} IE misinterpreted domain handling

Internet Explorer has a bug in its processing of domain names: It can
be fooled into believing a URL belongs to a domain of the attacker's
choosing when the URL is rewritten in a form that resembles:
http://malicious.com%2fpage.htm%3F.innocent.com

Here the URL is actually http://malicious.com/page.htm?.innocent.com,
but IE will consider it to be in the .innocent.com domain and will
apply the security settings for that zone accordingly. This also lets
a malicious Web site gain access to a user's information for other
sites.
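As an added illustration (not part of the newsletter), the following JavaScript models the mismatch described above: a zone check that suffix-matches the raw authority against a trusted domain, a fetcher that percent-decodes before splitting, and a hardened host extraction that splits first, decodes once and rejects any host containing characters a host name cannot contain. The function names and the trusted-zone domain "innocent.com" are assumptions made for this example.

```javascript
// Added example, not code from the newsletter or from any browser.
// The zone check and the fetch must agree on what the host is. If one
// component reads the raw authority and the other percent-decodes first,
// the same URL names two different hosts, which is the bug described.

// Characters that must never appear in a decoded host name.
const FORBIDDEN_HOST_CHARS = /[\s#%\/:<>?@[\\\]^|]/;

// Authority = text between "scheme://" and the next "/", "?" or "#",
// taken from the RAW URL without decoding anything first.
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Flawed check, modelled on the advisory: the raw authority is compared
// against the trusted domain by suffix, so an encoded "/" or "?" inside
// it is invisible to the check.
function flawedZoneHost(url) {
  return rawAuthority(url);
}

// What a fetcher that percent-decodes before splitting actually talks to.
function decodedThenSplitHost(url) {
  return rawAuthority(decodeURIComponent(url));
}

// Hardened: split on the raw URL first, strip an explicit port, decode
// exactly once, then reject any host that contains a forbidden character.
// (Assumes no userinfo in the authority, for brevity.)
function canonicalHost(url) {
  const auth = rawAuthority(url);
  if (auth === null) return null;
  const rawHost = auth.replace(/:\d+$/, "");
  let host;
  try {
    host = decodeURIComponent(rawHost).toLowerCase();
  } catch (e) {
    return null; // malformed %-escape such as "%zz"
  }
  if (host.length === 0 || FORBIDDEN_HOST_CHARS.test(host)) return null;
  return host;
}

// Suffix match as a zone check would do it: host is the zone domain or
// ends with "." + zone domain. A null host never belongs to a zone.
function inZone(host, zoneDomain) {
  if (host === null) return false;
  return host === zoneDomain || host.endsWith("." + zoneDomain);
}

// The URL shape quoted in the advisory (constructed sample input).
const CRAFTED = "http://malicious.com%2fpage.htm%3F.innocent.com";

// Flawed check says "innocent.com zone", fetch goes to malicious.com;
// the canonical host rejects the URL outright.
console.log(inZone(flawedZoneHost(CRAFTED), "innocent.com"));  // true
console.log(decodedThenSplitHost(CRAFTED));                     // malicious.com
console.log(canonicalHost(CRAFTED));                            // null
```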

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0135.html

--> {00.21.025} Remote command execution via calendar.pl

Matt Kruse's calendar.pl CGI script has been found to run arbitrary
commands supplied in the configuration file input field.

No patches have been made available. Vendor homepage:
http://www.mattkruse.com/scripts/calendar/

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0173.html

--> {00.21.027} Bypass EMURL authentication

Seattle Lab's EMURL Web-based e-mail interface version 2.0 uses
predictable session URL parameters that let a remote attacker read other
users' e-mail and possibly retrieve POP passwords.

Seattle Lab has stated the problem will be resolved in the next
version.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0160.html

--> {00.21.028} MS SQL server xp_sprintf buffer overflow

Microsoft SQL Server prior to version 6.5 SP5 contains a buffer overflow
in the xp_sprintf procedure that could lead to a denial of service
(system crash) or execution of arbitrary code.

MS SQL SP5 corrects the problem.

Source: Security Focus
http://www.securityfocus.com/vdb/bottom.html?vid=1204

--> {00.21.029} Remote DoS in CProxy

CProxy version 3.3 SP2 has a remotely exploitable denial of service
buffer overflow in the included Web proxy, which runs on Port 8080. It
is possible for an attacker to crash the service.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0175.html

--> {00.21.030} Delphi ICS HTTP arbitrary file retrieval

The Delphi Internet Component Suite's HTTP server component by Francois
Piette allows for the retrieval of arbitrary files using '..' notation
in the request URL.

No patches have been made available. Vendor homepage:
http://www.rtfm.be/fpiette/indexuk.htm

Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0614.html

--- Linux News ---------------------------------------------------------

--> {00.21.004} ssh PAM authentication vulnerability

The Red Hat Linux RPM ssh-1.2.27-8i.src.rpm has been found to contain
a faulty PAM patch that, when installed, would let any user authenticate
using any password.

If you have built SSH from ssh-1.2.27-8i.src.rpm, you should remove the
resulting packages and rebuild from ssh-1.2.27-7i.src.rpm.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0122.html

--- BSD News -----------------------------------------------------------

--> {00.21.001} FreeBSD libmytinfo TERMCAP buffer overflow

A buffer overflow has been found in the TERMCAP environment variable
handling of FreeBSD's libmytinfo library. Any SUID/SGID binary linked
against this library is vulnerable. The vulnerability allows for the
execution of arbitrary code and is found only in FreeBSD version 3.x.

The current FreeBSD 3.4-STABLE corrects this issue.

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-05/0063.html

--> {00.21.002} golddig FreeBSD port allows overwriting of arbitrary
                local files

All versions of the FreeBSD port game golddig ship with a SUID
level-creator application (makelev). This application contains a
security bug that lets a local user overwrite any file on the system;
however, the content written is not controllable.

Update your golddig package:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/games/golddig-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/games/golddig-2.0.tgz

We also suggest you remove SUID permissions from /usr/local/bin/makelev.

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2000-05/0062.html

--- Solaris News -------------------------------------------------------

--> {00.21.018} netpr local buffer overflow

/usr/lib/lp/bin/netpr on Solaris versions 2.6, 7 and 8 has been found
to have a locally exploitable buffer overflow that results in root
privileges.

Patches are available as follows (SunOS release, then SPARC and Intel
patch IDs):

SunOS 5.6 (Solaris 2.6):  SPARC T106235-05   Intel T106236-05
SunOS 5.7 (Solaris 7):    SPARC T107115-04   Intel T107116-04
SunOS 5.8 (Solaris 8):    SPARC 109320-01    Intel T109321-01

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0141.html

--- Network Appliances News --------------------------------------------

--> {00.21.010} Update to {00.19.004}: Cisco HTTP %% causes router to
                reload

Cisco has released new IOS images that correct {00.19.004} (Cisco HTTP
%% causes router to reload).

An image upgrade matrix is available at:
http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml

Source: Cisco (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-05/0157.html

--> {00.21.016} NetStructure/iPivot console backdoor administrative
                logins

Both the NetStructure 7110 and 7180 (formerly iPivot products) have
undocumented logins that use a derivative of the unit's MAC address as
the default password. It is possible to remotely exploit this
vulnerability on the 7180.

Source: L0pht (Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2000-05/0109.html
http://archives.neohapsis.com/archives/bugtraq/2000-05/0111.html

--- Cross-Platform News ------------------------------------------------

--> {00.21.003} Netscape Navigator SSL authentication reuse
                vulnerability

Netscape Navigator version 4.07 and Communicator versions 4.61 and 4.72
have been found vulnerable to a bug in the processing of server SSL
certificates. Netscape Navigator keeps track of current connections by
IP address; this means it is possible for a malicious Web site, using
the same IP as the target Web site, to interact with the client under
the victim site's SSL certificate.

Virtually hosted Web sites and DNS redirection are two situations in
which this attack is possible.

Netscape suggests you install the Personal Security Manager. More
information is available at:
http://home.netscape.com/security/notes/index.html

Source: Win2KSecAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0093.html
http://archives.neohapsis.com/archives/cc/2000-q2/0003.html

--> {00.21.011} Environment information available via FormMail

The FormMail CGI application available from Matt's Script Archive
contains a bug where a remote user can obtain a listing of all
environment variables by requesting the env_report parameter.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0125.html

--> {00.21.013} knapster/gnapster remote file retrieval

Both knapster and gnapster clients contain vulnerabilities that let a
remote attacker request any arbitrary file from the user's system.

The latest clients correct this problem:

http://download.sourceforge.net/gnapster/gnapster-1.3.9.tar.gz
http://knapster.netpedia.net/#DOWNLOAD

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0124.html
http://archives.neohapsis.com/archives/bugtraq/2000-05/0127.html

--> {00.21.014} Unchecked system() call in Bugzilla

Bugzilla version 2.8 contains a vulnerability in its process_bug.cgi
CGI Script: The user-submitted parameters are placed into an unchecked
system() call and run. This results in a remote attacker being able to
run arbitrary commands under the UID of the Web server.

A third-party patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2000-05/0128.html

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0128.html

--> {00.21.021} Update to {00.19.015}: FileMaker Pro unrestricted data
                retrieval

An update has been released that corrects the vulnerability discussed
in {00.19.015} ("FileMaker Pro unrestricted data retrieval").

Update is available at:
http://www.filemaker.com/support/webcompanion.html

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0164.html

--> {00.21.022} Allmanage CGI vulnerabilities

Multiple vulnerabilities were found in the Allmanage Web site
Administration Software version 2.6. The admin password is stored in
plaintext in a file named "k," which a remote attacker could easily
retrieve. If the upload portion of the Allmanage CGI is enabled, it is
possible for a remote user to browse, delete and upload files because
of a vulnerability in the authentication mechanism.

No patches have been made available. Vendor homepage:
http://www.prowebpages.com

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0167.html

--> {00.21.023} kscd SHELL local compromise

kscd is an X Windows CD player that is normally SGID "disk." It seems
that kscd will execute whatever is defined in the user's SHELL variable
without dropping privileges. This lets a local attacker gain GID disk,
which can then be used to gain root access.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0172.html

--> {00.21.024} Remote buffer overflow in AntiSniff

A buffer overflow has been found in the DNS processing of L0pht's
AntiSniff. The overflow affects versions 1.01 and 1.0.

Versions 1.02 and 1.1, which are available for download from
www.l0pht.com, correct this problem.

Source: l0pht
http://www.l0pht.com/

--> {00.21.026} Remote command execution via George Burgyan counter CGI

George Burgyan's counter CGI has been found to allow a remote attacker
to execute arbitrary commands under the UID of the Web server, when the
commands are appended to the URL.

No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-05/0159.html

------------------------------------------------------------------------


Please join us in Washington, DC, July 5-10 to enhance your security
skills and prove you have mastered the material. SANS certifications
are the industry's most difficult to obtain, but the training is
extraordinary and those who make the grade are immediately recognized
as knowledgeable and skilled. The respect that comes along with that
recognition can help you get the support to improve security in your
organization.

Or if you can't come to Washington, try the online version.

Complete program details: http://www.sans.org/dc2000.htm

Certification information: http://www.sans.org/giactc.htm

------------------------------------------------------------------------
                
If this e-mail was passed to you and you would like to begin receiving
our security e-mail newsletter on a weekly basis, we invite you to
subscribe today at http://www.networkcomputing.com/consensus/. Become
a Security Alert Consensus member!

If you'd like to change your e-mail address or other information, or to
unsubscribe from this newsletter, please visit your personalized URL:

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at
http://archives.neohapsis.com/.

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2000 CMP Media Inc. A service of Network Computing. All
Rights Reserved.

Distributed by Network Computing (http://www.networkcomputing.com) and
the SANS Institute (http://www.sans.org).