From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Feb 08 2001 - 15:50:06 CST



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 083 (00.59)
                            Thursday, February 8, 2001
                                 Created for you by
                    Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensus@nwc.com>.

    ----------------------------------------------------------------------

    ----------------------------------------------------------------------

    This week brought a lot (seven, to be exact) of Web servers that were
    found to be vulnerable to a reverse directory traversal attack. This is
    a classic Web server vulnerability: someone can use URLs with '..' in
    them to gain access to files that are not necessarily meant for public
    consumption. Otherwise, there weren't an overwhelming number of
    security problems reported this week; perhaps everyone is still busy
    patching their BIND servers from last week's large bugs. We know we
    definitely welcome the chance to rest and catch up!

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.06.004} Win - MS01-007: Network DDE Agent request vulnerability
    {01.06.005} Win - MS01-006: Invalid RDP data vulnerability
    {01.06.006} Win - AOLServer reverse directory traversal vulnerability
    {01.06.007} Win - BiblioWeb Server reverse directory traversal and DoS
                vulnerabilities
    {01.06.008} Win - Picserver reverse directory traversal vulnerability
    {01.06.009} Win - SEDUM HTTP Server reverse directory traversal
                vulnerability
    {01.06.011} Win - HSWeb server directory browsing full path disclosure
    {01.06.018} Win - GoAhead Web server reverse directory traversal
                vulnerability
    {01.06.019} Win - Malicious applet network resource exhaustion
    {01.06.012} Linux - Update {00.56.004}: RESOLV_HOST_CONF/HOSTALIASES
                glibc vulnerability
    {01.06.016} Linux - Update {01.05.012}: kdesu password sniffing
                vulnerability
    {01.06.021} Linux - Update {00.56.034}: glibc incorrectly loads
                libraries from ld.so.cache for suid/sgid apps
    {01.06.015} BSD - Update {00.57.026}: tinyproxy httperr() buffer
                overflow
    {01.06.017} Sol - ximp40 library buffer overflow vulnerability
    {01.06.002} AIX - Syslogd one-byte buffer overflow
    {01.06.003} AIX - Improper permissions on
                /usr/sbin/cluster/.restore_routes
    {01.06.020} NApps - Cisco CSS/Arrowpoint command line interface
                vulnerabilities
    {01.06.001} Cross - Update {01.05.001}: Multiple Bind buffer overflows
                (TSIG/infoleak)
    {01.06.010} Cross - Free Java Web Server reverse directory traversal
                vulnerability
    {01.06.013} Cross - IBM NetCommerce/Net.Data macro SQL tampering
    {01.06.014} Cross - SSH 1.2.2X AFS/Kerberos patch buffer overflow
    {01.06.022} Cross - gnuserv/xemacs remote buffer overflow/code execution
    {01.06.023} Cross - XMail CTRLServer multiple buffer overflows
    {01.06.024} Cross - man -l format string vulnerability
    {01.06.025} Cross - cups httpGets() DoS

    --- Windows News ---------------------------------------------------------

    *** {01.06.004} Win - MS01-007: Network DDE Agent request vulnerability

    Microsoft has released MS01-007 ("Network DDE Agent request
    vulnerability"). The associated vulnerability allows an attacker who
    has access to the local system console (thus limiting this attack to
    workstation-oriented machines) to use the Network DDE Agent to execute
    code under local system privileges. The vendor has confirmed this
    vulnerability.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-007.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0033.html

    *** {01.06.005} Win - MS01-006: Invalid RDP data vulnerability

    Microsoft has released MS01-006 ("Invalid RDP data vulnerability"). In
    the related vulnerability, a particular sequence of packets sent to
    Windows 2000 Terminal Service will cause the server to crash. Note that
    the remote attacker does not require valid authentication to exploit
    this vulnerability. The vendor has confirmed this vulnerability.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-006.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0032.html

    *** {01.06.006} Win - AOLServer reverse directory traversal
                    vulnerability

    AOLServer version 3.2 has been found to be vulnerable to reverse
    directory traversal attacks, whereby an attacker uses '..' notation in
    a request URL to access files outside the Web document root. This
    vulnerability has not been confirmed. No patches have been made
    available.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0059.html
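    The condition shared by this item and the editorial above (a '..' in the
    request URL reaching files outside the Web document root) comes down to
    a missing canonicalisation step before the path is opened. The following
    is an added example, not code from the newsletter or from any of the
    servers it lists, of the containment check a server should perform on
    every request path; DOCROOT and the sample requests are constructed
    values.

```python
"""Document-root containment check for HTTP request paths.

Added example, not code from the newsletter or from any of the Web
servers it lists: the canonicalisation-and-prefix check whose absence
produces the 'reverse directory traversal' condition described above.
DOCROOT and the sample requests are constructed values.
"""
import posixpath
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

DOCROOT = "/srv/www/htdocs"  # constructed example document root


def resolve_request_path(docroot: str, request_path: str) -> Optional[str]:
    """Map a URL path onto a file path inside docroot.

    Returns the canonical file path, or None when the request would land
    outside the document root. The check runs on the fully decoded,
    separator-normalised, '..'-collapsed form, because that is the form
    the filesystem eventually sees; scanning the raw URL string for '..'
    misses percent-encoded and backslash variants.
    """
    decoded = request_path
    for _ in range(3):                      # flatten double/triple encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                   # NUL would truncate a C string path
        return None
    decoded = decoded.replace("\\", "/")    # Windows servers treat '\' as '/'
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Inside the root means equal to it or beneath it; a sibling such as
    # '/srv/www/htdocs2' must not pass, hence the trailing '/' in the test.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def classify(requests: Iterable[str]) -> Dict[str, Optional[str]]:
    """Resolve each request against DOCROOT; None marks a rejected request."""
    return {r: resolve_request_path(DOCROOT, r) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate (the second
    # stays inside the root despite its '..'), the rest are encoded and
    # backslash spellings of the same escape and must all be rejected.
    sample = [
        "/index.html",
        "/images/../index.html",
        "/../../etc/passwd",
        "/..%2F..%2Fetc%2Fpasswd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "/..\\..\\winnt\\win.ini",
    ]
    for req, result in classify(sample).items():
        print(f"{req!r:40} -> {'REJECT' if result is None else result}")
```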

    *** {01.06.007} Win - BiblioWeb Server reverse directory traversal and
                    DoS vulnerabilities

    BiblioWeb Server version 2.0 has been found to be vulnerable to a
    reverse directory traversal attack, whereby an attacker uses '..'
    notation in a request URL to access documents outside the Web document
    root. The server also contains a buffer overflow, which causes the
    service to crash when a long URL is received. These vulnerabilities are
    unconfirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0075.html

    *** {01.06.008} Win - Picserver reverse directory traversal
                    vulnerability

    Picserver Web server has been found vulnerable to a reverse directory
    traversal attack, whereby a remote attacker can use '..' notation in a
    request URL to access files outside the Web document root. This
    vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0073.html

    *** {01.06.009} Win - SEDUM HTTP Server reverse directory traversal
                    vulnerability

    SEDUM HTTP Server version 2.0 is vulnerable to a reverse directory
    traversal attack, whereby an attacker uses '..' notation in a request
    URL to access files outside the Web document root. This vulnerability
    has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0064.html

    *** {01.06.011} Win - HSWeb server directory browsing full path
                    disclosure

    The HSWeb version 2.0 Web server has been found to display full
    directory paths when directory browsing is enabled. The disclosed
    information may aid an attacker in other attacks. This vulnerability
    has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0052.html

    *** {01.06.018} Win - GoAhead Web server reverse directory traversal
                    vulnerability

    Versions 2.1 and prior of the GoAhead Web server have been found
    vulnerable to a reverse directory traversal attack. This vulnerability
    allows an attacker using '..' notation in a request URL to access files
    outside the Web document root. It is also possible to execute
    command-line commands. This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0022.html

    *** {01.06.019} Win - Malicious applet network resource exhaustion

    A report has surfaced indicating the possibility of a malicious Java
    applet, referenced in a Web page or HTML-based e-mail, which causes a
    denial of service against a user's system by opening a large amount of
    UDP network sockets. This vulnerability has not been confirmed, but it
    comes from a noted researcher.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0060.html

    --- Linux News -----------------------------------------------------------

    *** {01.06.012} Linux - Update {00.56.004}:
                    RESOLV_HOST_CONF/HOSTALIASES glibc vulnerability

    Conectiva has released updated glibc packages to fix the vulnerability
    discussed in {00.56.004} ("RESOLV_HOST_CONF/HOSTALIASES glibc
    vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0010.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0010.html

    *** {01.06.016} Linux - Update {01.05.012}: kdesu password sniffing
                    vulnerability

    Mandrake has released updated kde packages to fix the vulnerability
    discussed in {01.05.012} ("kdesu password sniffing vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0043.html

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0043.html

    *** {01.06.021} Linux - Update {00.56.034}: glibc incorrectly loads
                    libraries from ld.so.cache for suid/sgid apps

    Due to a packaging problem, Immunix has released new glibc updates to
    fix the vulnerability discussed in {00.56.034} ("glibc incorrectly loads
    libraries from ld.so.cache for suid/sgid apps").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0053.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0053.html

    --- BSD News -------------------------------------------------------------

    *** {01.06.015} BSD - Update {00.57.026}: tinyproxy httperr() buffer
                    overflow

    FreeBSD has released an updated tinyproxy port to fix the vulnerability
    discussed in {00.57.026} ("tinyproxy httperr() buffer overflow").

    The ports collection as of January 22, 2001 contains the updated
    version. Individual packages available for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0540.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-01/0540.html

    --- Solaris News ---------------------------------------------------------

    *** {01.06.017} Sol - ximp40 library buffer overflow vulnerability

    The ximp40 library contains a buffer overflow that can be used in
    conjunction with various suid/sgid applications by local attackers to
    gain root privileges. Solaris 2.6, 7 and 8 are reported vulnerable. This
    vulnerability has been confirmed by Sun, and the company is in the
    process of producing patches.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0517.html

    --- AIX News -------------------------------------------------------------

    *** {01.06.002} AIX - Syslogd one-byte buffer overflow

    IBM has released APAR IY15146 for AIX. This fixes a one-byte buffer
    overflow in syslogd. Exploitation of this vulnerability has not been
    confirmed.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q1/0007.html

    *** {01.06.003} AIX - Improper permissions on
                    /usr/sbin/cluster/.restore_routes

    IBM has released APAR IY15235 to fix a vulnerability in the
    cl_swap_IP_address event script shipped with the cluster manager. The
    script sets improper file permissions on
    /usr/sbin/cluster/.restore_routes, which could allow a local user to
    tamper with the file.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q1/0007.html

    --- Network Appliances News ----------------------------------------------

    *** {01.06.020} NApps - Cisco CSS/Arrowpoint command line interface
                    vulnerabilities

    Cisco has released an advisory detailing two problems in its Content
    Services Switch (aka Arrowpoint). Users with command line access could
    cause the switch to reboot; users can also view file names and request
    the contents of files on the device.

    This vulnerability has been confirmed by Cisco, and the company has
    released partial updates in WebNS revisions 4.01(12s) and 3.10(71s).
    Full updates are forthcoming. Upgrade information is available at:
    http://archives.neohapsis.com/archives/cisco/2001-q1/0002.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q1/0002.html

    --- Cross-Platform News --------------------------------------------------

    *** {01.06.001} Cross - Update {01.05.001}: Multiple Bind buffer
                    overflows (TSIG/infoleak)

    Multiple vendors have released updated BIND/named packages to fix the
    vulnerability discussed in {01.05.001} ("Multiple Bind buffer overflows
    (TSIG/infoleak)").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/0532.html

    FreeBSD has updated 4.2-STABLE and 3.5-STABLE as of January 30, 2001:
    http://archives.neohapsis.com/archives/freebsd/2001-01/0499.html

    OpenBSD patches for 2.7 and 2.8 are listed at:
    http://archives.neohapsis.com/archives/openbsd/2001-02/0191.html

    Updated AIX APARs are listed at:
    http://archives.neohapsis.com/archives/aix/2001-q1/0006.html

    Source: SuSE, FreeBSD, OpenBSD, IBM
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/0532.html
    http://archives.neohapsis.com/archives/freebsd/2001-01/0499.html
    http://archives.neohapsis.com/archives/openbsd/2001-02/0191.html
    http://archives.neohapsis.com/archives/aix/2001-q1/0006.html

    *** {01.06.010} Cross - Free Java Web Server reverse directory
                    traversal vulnerability

    The Free Java Web Server version 1.0 (not to be confused with Sun's Java
    Web Server) has been found to be vulnerable to a reverse directory
    traversal attack. This vulnerability allows an attacker to use '..'
    notation in a request URL to access files outside the Web document
    root. This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0061.html

    *** {01.06.013} Cross - IBM NetCommerce/Net.Data macro SQL tampering

    IBM's NetCommerce/Net.Data package has been found to allow remote
    attackers to tamper with SQL queries. This could allow them to query
    data from various tables of the supporting backend database. This
    vulnerability has been confirmed by a third party, but not by the
    vendor.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0072.html
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0102.html

    *** {01.06.014} Cross - SSH 1.2.2X AFS/Kerberos patch buffer overflow

    A remotely exploitable buffer overflow was found in the AFS/Kerberos v4
    patches for the ssh 1.2.2x sources (by SSH Communications). This
    vulnerability has been confirmed by the patch author; updated
    AFS/Kerberos patches for the 1.2.2x source by SSH Communications will
    not be made available. Instead, you should upgrade to ossh or openssh,
    both of which contain the fixes.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-01/0511.html

    *** {01.06.022} Cross - gnuserv/xemacs remote buffer overflow/code
                    execution

    gnuserv (bundled with xemacs) prior to version 3.12 is vulnerable to
    a remotely exploitable buffer overflow as well as an authentication
    weakness, both of which allow a remote attacker to run arbitrary
    code/commands under the uid of the user running gnuserv. The vendor
    has confirmed this vulnerability and fixed the problem in gnuserv
    version 3.12 (bundled with xemacs version 21.1.14).

    The updated version can be downloaded from:
    http://www.xemacs.org/Releases/21.1.14.html

    Mandrake has also released updated RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0044.html

    Source: Mandrake, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0044.html
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0030.html

    *** {01.06.023} Cross - XMail CTRLServer multiple buffer overflows

    The CTRLServer service included with the XMail package (versions 0.66
    and prior) contains multiple buffer overflows that would allow a remote
    attacker to execute arbitrary code on the system. Exploitation requires
    valid login information. This vulnerability has not been confirmed.
    However, an exploit has been published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0047.html

    *** {01.06.024} Cross - man -l format string vulnerability

    A format string vulnerability was found in the handling of the -l
    command-line switch of man. Some distributions (such as SuSE and
    Debian) ship man setuid to the user 'man', which allows a local
    attacker to gain that user's privileges and then overwrite the man
    binary with a trojaned version. SuSE has confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0082.html

    *** {01.06.025} Cross - cups httpGets() DoS

    Cups prior to version 1.1.5 contains a denial-of-service vulnerability
    in the httpGets() function that allows a remote attacker to make the
    service unavailable by submitting a large request. Mandrake has
    confirmed this vulnerability.

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0046.html

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0046.html

    ************************************************************************

    ----------------------------------------------------------------------

    If this e-mail was passed to you and you would like to begin receiving
    our security e-mail newsletter on a weekly basis, we invite you to
    subscribe today at http://www.networkcomputing.com/consensus/. Become
    a Security Alert Consensus member!

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at
    (http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46)
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form, located at
    http://www.sans.org/sansurl, where you can enter the SD number located
    near your name at the top of the newsletter. When you submit this form,
    an e-mail containing a URL will be sent to you at the e-mail address on
    record. With this URL you can make changes to your account (edit the
    content of your Consensus mailing, for example) without endangering the
    security of your personal URL. If you'd like to change your e-mail
    address or other information, or unsubscribe from this newsletter,
    please visit your new URL as described above. If you have any problems
    or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at
    http://archives.neohapsis.com/.

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved.

    Distributed by Network Computing (http://www.networkcomputing.com) and
    The SANS Institute (http://www.sans.org).

    Powered by Neohapsis Inc., a Chicago-based security assessment and
    integration services consulting group. info@neohapsis.com |
    http://www.neohapsis.com/