From: Network Computing and The SANS Institute (sans+ZZ56656463330204077sans.org)
Date: Thu May 31 2001 - 14:07:33 CDT



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 099 (01.22)
                              Thursday, May 31, 2001
                                Created for you by
                     Network Computing and the SANS Institute
                               Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensusnwc.com>.

    ----------------------------------------------------------------------

    WEB PERFORMANCE MANAGEMENT NETSEMINAR
    On June 13 at 11:00 a.m. Pacific Time, Network Computing's Bruce
    Boardman teams up with Gomez to bring you this NetSeminar on how the
    Web's transformation into a business-critical application makes
    service-based performance management a strategic consideration for some
    companies.
    Sign up today!
    http://www.nwc.com/redirects/nets-perf.html

    ----------------------------------------------------------------------

    An interesting research paper by Michal Zalewski of Bindview was
    released this week detailing various problems in the signal handler
    design of Unix applications. We expected to see some vulnerability
    advisories based on this problem in the near future; however, they've
    already started -- Sendmail (a widely deployed mail server on Unix) has
    released an updated version to fix the problems outlined in the paper.
    More information on the Sendmail update can be found in this issue under
    item {01.22.016} (Cross-Platform category). For the true geeks in the
    crowd, read the specific details of signal handler vulnerabilities at:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0274.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.22.010} Win - Specter honeypot port scan DoS
    {01.22.011} Win - MS00-079: (another) HyperTerminal buffer overflow
    {01.22.012} Win - MS01-029: Windows Media Player multiple
                vulnerabilities
    {01.22.014} Win - DynFX POPd long username DoS
    {01.22.019} Win - WFTPD directory traversal and long directory name DoS
    {01.22.020} Win - Local privilege elevation via debug register
                exceptions
    {01.22.021} Win - OmniHTTPd script source disclosure
    {01.22.022} Win - GuildFTPD directory traversal and weak password
                storage
    {01.22.023} Win - CesarFTPD directory traversal and weak password
                storage
    {01.22.030} Win - Freestyle HTTP server directory traversal
                vulnerability
    {01.22.001} Linux - Update {01.18.034}: OpenSSL 0.9.6a released
    {01.22.002} Linux - Update {01.13.004}: Malicious embedded VIM control
                codes
    {01.22.003} Linux - Update {01.18.017}: kdesu creates world-readable
                temp file to hold authentication info
    {01.22.004} Linux - Update {00.45.041}: ncurses library buffer overflows
    {01.22.005} Linux - Update {01.16.002}: Pine/pico insecure temp file
                handling
    {01.22.007} Linux - Update {01.13.019}: Multiple OpenSSH vulnerabilities
    {01.22.025} Linux - InocculateIT update_signature ftpdownload.log tmp
                race
    {01.22.026} Linux - pmake incorrectly set suid root
    {01.22.028} BSD - Update {01.11.026}: Icecast/libshout multiple buffer
                overflows
    {01.22.017} Sol - mailtool OPENWINHOME env variable buffer overflow
    {01.22.024} Sol - yppasswdd RPC service buffer overflow
    {01.22.033} NW - iChain SP1 available
    {01.22.031} HPUX - CDE module buffer overflows
    {01.22.006} NApps - Spearhead NetGap file type filter bypass
    {01.22.008} NApps - Cisco CBOS multiple vulnerabilities
    {01.22.009} NApps - Cisco IOS reloads on port scan
    {01.22.018} Other - IPCChip embedded IP services vulnerabilities
    {01.22.013} Cross - Mimanet viewsrc.cgi file disclosure
    {01.22.015} Cross - Directorypro.cgi show parameter remote file
                retrieval
    {01.22.016} Cross - Sendmail signal handler heap vulnerability
    {01.22.027} Cross - Update {01.17.001}: Samba insecure temp file
                handling
    {01.22.029} Cross - TWIG Web mail SQL tampering via ID parameter
    {01.22.032} Cross - HP OpenView ecsd -restore_config parameter buffer
                overflow

    - --- Windows News -------------------------------------------------------

    *** {01.22.010} Win - Specter honeypot port scan DoS

    Specter honeypot software versions 4.5 and 5.0 contain a denial of
    service vulnerability that allows a remote attacker to cause the
    software to consume all available memory simply by port scanning the
    server. The software
    also doesn't alert administrators to various stealth port scan methods,
    and the administrator's e-mail inbox potentially could be flooded with
    alerts triggered by a remote attacker.

    These vulnerabilities have not been confirmed.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0071.html

    *** {01.22.011} Win - MS00-079: (another) HyperTerminal buffer overflow

    Microsoft has reissued MS00-079, which contains an updated patch that
    fixes a related buffer overflow in the handling of session files by
    HyperTerminal.

    Windows 98, ME, NT 4.0 and 2000 are affected.

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q2/0044.html

    *** {01.22.012} Win - MS01-029: Windows Media Player multiple
                    vulnerabilities

    Microsoft has released MS01-029 ("Windows Media Player multiple
    vulnerabilities"). The Windows Media Player has a buffer overflow in
    the handling of ASX files, as previously reported in {01.19.029}
    ("MediaPlayer ASX file banner tag buffer overflow"). WMP also stores
    temporary files with a predictable file name, potentially allowing a
    malicious Web site to execute active scripting content in the user's
    local security zone, which could allow that site to access arbitrary
    files. A privacy concern was fixed, too.

    Users of WMP version 6.4 can apply the provided patch; otherwise, they
    should upgrade to version 7.1.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-029.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q2/0042.html

    *** {01.22.014} Win - DynFX POPd long username DoS

    DynFX POPd server prior to build 2.10.3604.2 contains a denial of
    service vulnerability that allows a remote attacker to crash the
    service by sending an overly long user name.

    The vendor has confirmed this vulnerability and released build
    2.10.3604.2 to fix the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0278.html

    *** {01.22.019} Win - WFTPD directory traversal and long directory name
                    DoS

    WFTPD version 3.00 R5 contains two vulnerabilities: A remote attacker
    can gain access to files outside the restricted ftp root by using '...'
    notation in an FTP command. A remote attacker also can potentially
    execute arbitrary code on the system by creating a long concatenation
    of directory and file names.

    The advisory indicates confirmation by the vendor and a workaround.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0454.html

    *** {01.22.020} Win - Local privilege elevation via debug register
                    exceptions

    Windows contains a vulnerability that allows local attackers to elevate
    their privileges by using the global debug registers, which cause a
    process to terminate. The attacker then takes the place of the process
    and impersonates it. This vulnerability is limited to Windows 2000.

    This vulnerability has been confirmed by Microsoft and is fixed by
    Windows 2000 SP2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0232.html

    *** {01.22.021} Win - OmniHTTPd script source disclosure

    OmniHTTPd has been found to contain a source disclosure vulnerability
    that allows a remote attacker to view the source code of
    the hosted scripts. The advisory indicates a particular problem with
    the PHP CGI, but it may be extended to any CGI extension.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0248.html

    *** {01.22.022} Win - GuildFTPD directory traversal and weak password
                    storage

    GuildFTPD version 0.97 contains four vulnerabilities: A remote attacker
    can access files outside the FTP root by using '..' notation in FTP
    commands. Authentication information is stored insecurely (in plain
    text) on the local machine. There is a buffer overflow in the handling
    of the SITE command. There is a memory leak when a remote user submits
    an encoded NULL character.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0250.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0254.html

    *** {01.22.023} Win - CesarFTPD directory traversal and weak password
                    storage

    CesarFTPD version 0.98b contains two vulnerabilities: A remote attacker
    can access files outside the FTP root by a particular encoding in FTP
    commands. Authentication information is stored insecurely (in plain
    text) on the local machine.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0252.html

    *** {01.22.030} Win - Freestyle HTTP server directory traversal
                    vulnerability

    Freestyle HTTP chat server version 3.73 contains a vulnerability that
    allows a remote attacker to access files outside the Web root by using
    reverse directory traversal ('..') notation in a URL request.

    The advisory indicates vendor confirmation, and an updated version is
    available.

    Vendor homepage:
    http://www.faust-net.de/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0241.html

    - --- Linux News ---------------------------------------------------------

    *** {01.22.001} Linux - Update {01.18.034}: OpenSSL 0.9.6a released

    TurboLinux has released updated OpenSSL packages that fix the
    vulnerability discussed in {01.18.034} ("OpenSSL 0.9.6a released").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0023.html

    Source: TurboLinux
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0023.html

    *** {01.22.002} Linux - Update {01.13.004}: Malicious embedded VIM
                    control codes

    TurboLinux has released updated VIM packages that fix the vulnerability
    discussed in {01.13.004} ("Malicious embedded VIM control codes").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0025.html

    Source: TurboLinux
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0025.html

    *** {01.22.003} Linux - Update {01.18.017}: kdesu creates
                    world-readable temp file to hold authentication info

    Mandrake has released updated kde packages that fix the vulnerability
    discussed in {01.18.017} ("kdesu creates world-readable temp file to
    hold authentication info").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0246.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0246.html

    *** {01.22.004} Linux - Update {00.45.041}: ncurses library buffer
                    overflows

    Mandrake has released updated ncurses packages that fix the
    vulnerability discussed in {00.45.041} ("ncurses library buffer
    overflows").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0247.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0247.html

    *** {01.22.005} Linux - Update {01.16.002}: Pine/pico insecure temp
                    file handling

    EnGarde has released updated pine packages that fix the vulnerability
    discussed in {01.16.002} ("Pine/pico insecure temp file handling").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0004.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0004.html

    *** {01.22.007} Linux - Update {01.13.019}: Multiple OpenSSH
                    vulnerabilities

    TurboLinux has released updated openSSH packages that fix the
    vulnerability discussed in {01.13.019} ("Multiple OpenSSH
    vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0020.html

    Source: TurboLinux
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0020.html

    *** {01.22.025} Linux - InocculateIT update_signature ftpdownload.log
                    tmp race

    Computer Associates' InocculateIT for Linux has been reported to contain
    a vulnerability in the handling of temporary files. This vulnerability
    could allow a local attacker to overwrite arbitrary files on the file
    system because the update_signature script writes information to a
    static log file name in the /tmp/ directory.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0245.html

    *** {01.22.026} Linux - pmake incorrectly set suid root

    TurboLinux has released an advisory indicating that pmake incorrectly
    has setuid root permissions. This could allow a local attacker to
    execute arbitrary commands under root privileges.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0024.html

    Source: TurboLinux
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0024.html

    - --- BSD News -----------------------------------------------------------

    *** {01.22.028} BSD - Update {01.11.026}: Icecast/libshout multiple
                    buffer overflows

    FreeBSD has released an updated icecast port that fixes vulnerabilities
    related to the vulnerability discussed in {01.11.026} ("Icecast/libshout
    multiple buffer overflows").

    The FreeBSD ports collection as of April 20, 2001, contains the
    corrected version. Individual packages available for download are listed
    at: http://archives.neohapsis.com/archives/freebsd/2001-05/0448.html

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-05/0448.html

    - --- Solaris News -------------------------------------------------------

    *** {01.22.017} Sol - mailtool OPENWINHOME env variable buffer overflow

    A vulnerability found in the mailtool application shipped with Solaris
    8 SPARC and x86 allows a local attacker to gain gid mail by exploiting
    a buffer overflow in the handling of the OPENWINHOME environment
    variable.

    The advisory indicates vendor confirmation. No patches have been made
    available at this time.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0258.html

    *** {01.22.024} Sol - yppasswdd RPC service buffer overflow

    A buffer overflow was found in the rpc.yppasswdd service (yppasswdd)
    that could allow a remote attacker to execute arbitrary code on the
    system under root privileges. The vulnerability affects Solaris 2.6 and
    7 (SPARC and x86).

    Sun has confirmed this vulnerability, which has been found to be
    exploited in the wild. No patches have been made available at this time.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0273.html

    - --- NetWare News -------------------------------------------------------

    *** {01.22.033} NW - iChain SP1 available

    Novell has released the iChain version 1.5 Support Pack 1. The pack
    contains numerous bug fixes that address various ABENDs, authentication
    bugs and memory leaks, which could be used to cause a denial of
    service.

    The support pack can be downloaded at:
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/2958795.htm

    Source: Novell
    http://archives.neohapsis.com/archives/novell-technews/2001-q2/0001.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.22.031} HPUX - CDE module buffer overflows

    HP has released another vague advisory indicating that local attackers
    can elevate their privileges by using a buffer overflow in various CDE
    modules.

    Apply the appropriate HP-UX patch:
    10.10: PHSS_23355
    10.20: PHSS_23796
    10.24: PHSS_24097
    11.00: PHSS_23797
    11.04: PHSS_24098
    11.11: PHSS_24087 and PHSS_24091

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q2/0044.html

    - --- Network Appliances News --------------------------------------------

    *** {01.22.006} NApps - Spearhead NetGap file type filter bypass

    Spearhead's NetGap appliance has been found to not properly filter file
    types if a submitted file name is URL encoded. This allows an attacker
    to gain access to files specifically restricted by the administrator.

    The advisory indicated vendor confirmation. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0256.html

    *** {01.22.008} NApps - Cisco CBOS multiple vulnerabilities

    Cisco has released an advisory detailing multiple security problems with
    the Cisco CBOS firmware found on Cisco 600 routers. The vulnerabilities
    include predictable TCP sequence numbers, denial of service attacks
    involving ICMP echo packets and insecurely stored device passwords in
    NVRAM.

    Cisco has released CBOS versions 2.3.9, 2.4.1 and 2.4.2, which fix the
    problem.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q2/0003.html

    *** {01.22.009} NApps - Cisco IOS reloads on port scan

    Cisco has released an advisory indicating that IOS versions 12.1(2)T
    and 12.1(3)T (and derivatives) have been found to reload when they are
    port scanned (by, we are assuming, the popular nmap utility).

    For a complete list of vulnerable and fixed versions, go to:
    http://archives.neohapsis.com/archives/cisco/2001-q2/0004.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q2/0004.html

    - --- Other News ---------------------------------------------------------

    *** {01.22.018} Other - IPCChip embedded IP services vulnerabilities

    The IPCChip embedded IP service integrated circuit by Beck GmbH
    contains multiple firmware flaws that allow a remote attacker to create
    various denial of service situations, potentially log in via telnet or
    ftp, and gain configuration information via HTTP.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0233.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.22.013} Cross - Mimanet viewsrc.cgi file disclosure

    A vulnerability in Mimanet's viewsrc.cgi version 2.0 allows a remote
    attacker to view arbitrary files on the system that are readable by the
    Web server by using reverse directory traversal ('..') syntax in a URL
    request.

    The advisory indicated vendor confirmation of this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0231.html

    *** {01.22.015} Cross - Directorypro.cgi show parameter remote file
                    retrieval

    A handling vulnerability in the show URL parameter in directorypro.cgi
    (vendor unknown) allows a remote attacker to view arbitrary files
    readable by the Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0261.html

    *** {01.22.016} Cross - Sendmail signal handler heap vulnerability

    Sendmail version 8.11.4 has been released. In addition to bug fixes, it
    fixes a particularly interesting vulnerability centered on signal
    handlers and heap corruption. At least, the vulnerability yields a
    denial of service; at most, it's a local root compromise.

    Sendmail version 8.11.4 can be downloaded at:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.4.tar.Z

    Those running 8.12 betas can download 8.12.0.beta10 at:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta10.tar.Z

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2001-q2/0001.html

    *** {01.22.027} Cross - Update {01.17.001}: Samba insecure temp file
                    handling

    FreeBSD and Trustix have updated their samba packages to fix the
    vulnerability discussed in {01.17.001} ("Samba insecure temp file
    handling").

    The FreeBSD ports collection as of May 9, 2001, contains the corrected
    versions. Individual packages for download are listed at:
    http://archives.neohapsis.com/archives/freebsd/2001-05/0446.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0242.html

    Source: FreeBSD, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/freebsd/2001-05/0446.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0242.html

    *** {01.22.029} Cross - TWIG Web mail SQL tampering via ID parameter

    TWIG Web mail PHP script version 2.6.2 (and prior) contains a
    vulnerability that allows a remote attacker to tamper with the backend
    database because of improper handling/filtering of the ID URL parameter.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0260.html

    *** {01.22.032} Cross - HP OpenView ecsd -restore_config parameter
                    buffer overflow

    HP OpenView version 6.1 (tested on Solaris 8) has been found to contain
    a buffer overflow in the handling of the -restore_config parameter. This
    allows a local attacker to execute arbitrary code under root privileges.

    The advisory indicates vendor confirmation; no patches have been
    released at this time.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0226.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7FpQi+LUG5KFpTkYRAgc9AJ43mZxqU7EUtRWpYXPb5L0gdo089wCeN2uU
    sW05Pwj+wUvlssuXqQYbazk=
    =+paB
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form (http://www.sans.org/sansurl). On
    this form you can enter the SD number located near your name at the top
    of the newsletter. When you submit this form, an e-mail containing a
    URL will be sent to you at the e-mail address on record. With this URL
    you can make changes to your account (edit the content of your Consensus
    mailing, for example) without endangering the security of your personal
    URL. If you'd like to change your e-mail address or other information,
    or unsubscribe to this newsletter, please visit your new URL as
    described above. If you have any problems or questions, e-mail us at
    <consensusnwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online. http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).