From: Network Computing and The SANS Institute (sans+ZZ16798479380635134@sans.org)
Date: Thu Jun 14 2001 - 15:02:46 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 101 (01.24)
Thursday, June 14, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
*** Sponsored by SurfControl, Inc. ***
WARNING: Networks bottleneck and costs climb as workers squander hours
online - casual surfing, downloading MP3s, video and other bandwidth
hogs.
Install SurfControl on your network and in 20 minutes you'll know
exactly WHO is doing WHAT, WHEN and WHERE on the Internet. SurfControl
monitors, records and manages all TCP/IP protocols.
FREE 30-Day Trial: http://www.surfcontrol.com/promo/SSAC0614
----------------------------------------------------------------------
We've recently expanded the SAC team and, over the coming weeks, we'll
be in the process of rolling out some long-awaited improvements. While
we've fielded a number of requests over the past several months, we'd
like to open the floor for any content-specific suggestions. If there
are any changes we can implement to make the SAC content more useful,
please feel free to drop us a message at sac@neohapsis.com.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.24.001} Win - PassWD insecure password storage
{01.24.002} Win - MS01-030: Exchange OWA Script Execution
{01.24.003} Win - Pragma InterAccess TelnetD character flood DoS
{01.24.004} Win - MS01-031: Multiple vulnerabilities in Win2K telnet
service
{01.24.015} Win - TrendMicro virus control system CGI vulnerability
{01.24.018} Win - Broker FTP Server DoS and directory traversal
{01.24.006} Linux - Update {01.23.002}: gpg file name format string
vulnerability
{01.24.008} Linux - xinetd umask may cause world writable files
{01.24.010} Linux - Update {00.54.012}: GTK+ code exec via GTK_MODULES
env variable
{01.24.011} Linux - Update {00.45.037}: Multiple tcpdump buffer
overflows
{01.24.012} Linux - Volution configuration could use rogue CCD server
{01.24.013} Linux - Update {01.11.028}: POP/IMAP server user-privilege
buffer overflows
{01.24.026} BSD - fts-based programs can be made to recurse into wrong
directories
{01.24.027} HPUX - Update {01.23.019}: kmmodreg temp file mishandling
{01.24.028} HPUX - Update {01.21.017}: iPlanet/Netscape large HTTP
method buffer overflow
{01.24.022} SCO - rtpm TERM env variable buffer overflow
{01.24.007} NApps - NetGap inspecting/filtering bypass with URL encoding
{01.24.016} NApps - WatchGuard firebox SMTP proxy allows files through
filter
{01.24.005} Cross - VirtualCart Shopping Cart Remote Command Execution
{01.24.009} Cross - ispell vulnerable to symlink attacks
{01.24.014} Cross - exim remote printf format attack
{01.24.017} Cross - HP Openview NNM command execution via SNMP traps
{01.24.019} Cross - su-wrapper command line argument buffer overflow
{01.24.020} Cross - Potential buffer overflow in xinetd svc_logprint
function
{01.24.021} Cross - Scotty ntping host name buffer overflow
{01.24.023} Cross - TIAtunnel auth_conn buffer overflow
{01.24.024} Cross - File name case may bypass Apache restrictions
{01.24.025} Svc - Gmx.net JavaScript filter bypass
--- Windows News -------------------------------------------------------
*** {01.24.001} Win - PassWD insecure password storage
PassWD2000 versions 2.x have been found to insecurely store user names
and passwords using a weak encryption method. The advisory indicates
vendor confirmation.
No patches will be made available for PassWD2000 2.x versions; instead,
version 3.0 (not yet released) will address this problem. Vendor home
page:
http://www.passwd2000.com
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0016.html
*** {01.24.002} Win - MS01-030: Exchange OWA Script Execution
Microsoft has released MS01-030 ("Incorrect attachment handling in
Exchange OWA can execute script"). Due to a flaw in the interaction
between IE and Outlook Web Access, message attachments containing
malicious code can be executed when the message is opened.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-030.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q2/0050.html
*** {01.24.003} Win - Pragma InterAccess TelnetD character flood DoS
Pragma InterAccess TelnetD release 4.0 build 5 contains a denial of
service that allows a remote attacker to crash the telnet service by
sending a large burst of characters to port 23.
This vulnerability has not been confirmed. The advisory implies that
upgrading to Pragma InterAccess release 4.0 build 6 will correct the
problem.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0048.html
*** {01.24.004} Win - MS01-031: Multiple vulnerabilities in Win2K
telnet service
Microsoft has released MS01-031 ("Predictable name pipes could enable
privilege elevation"). This advisory covers seven vulnerabilities in
the Windows 2000 Telnet service: two allow privilege elevation via
predictable named pipes; four are potential denial-of-service
conditions (a handle leak when a Telnet session is terminated, a
malformed logon command, and a system call that can terminate a Telnet
session); the last, which is similar to an ftp vulnerability released
in MS01-026, potentially allows an attacker to log into Telnet via
Guest accounts.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-031.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q2/0049.html
*** {01.24.015} Win - TrendMicro virus control system CGI vulnerability
A potential vulnerability was found in a CGI program included in
TrendMicro's VCS (Virus Control System) in which a remote user might be
able to access the administrative program and data without
authentication.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0065.html
*** {01.24.018} Win - Broker FTP Server DoS and directory traversal
A report was released indicating a buffer overflow in Broker FTP Server
version 5.9.5.0. The buffer overflow, which is triggered after a user
logs in, can lead to a denial of service. A directory traversal problem
also exists, which allows a remote attacker to access files outside the
ftproot directory.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0088.html
--- Linux News ---------------------------------------------------------
*** {01.24.006} Linux - Update {01.23.002}: gpg file name format string
vulnerability
Multiple Linux vendors have released updated gpg packages that fix the
vulnerability discussed in {01.23.002} ("gpg file name format string
vulnerability").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0008.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html
Updated TurboLinux RPMs:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0026.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0056.html
Source: Conectiva, Caldera, TurboLinux, RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0008.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0026.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0056.html
*** {01.24.008} Linux - xinetd umask may cause world writable files
RedHat and Mandrake have released updated versions of xinetd that fix
a vulnerability in which xinetd's umask was improperly set. This could
lead to applications spawned from xinetd creating world-writable files.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0023.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0121.html
Source: RedHat, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0023.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0121.html
*** {01.24.010} Linux - Update {00.54.012}: GTK+ code exec via
GTK_MODULES env variable
TurboLinux has released updated packages that fix the vulnerability
discussed in {00.54.012} ("GTK+ arbitrary code execution via GTK_MODULES
environment variable").
Updated RPMs:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0027.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0027.html
*** {01.24.011} Linux - Update {00.45.037}: Multiple tcpdump buffer
overflows
TurboLinux has released updated tcpdump packages that fix the
vulnerability discussed in {00.45.037} ("Multiple tcpdump buffer
overflows").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0029.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0029.html
*** {01.24.012} Linux - Volution configuration could use rogue CCD
server
Caldera has released an advisory indicating a potential problem in the
Volution version 1.0 client configuration. By default, the client will
attempt to connect to a Volution CCD (Computer Creation Daemon) on the
network. It's possible for a malicious user on the same network to
launch a rogue CCD server, which could potentially handle requests from
clients.
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0012.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0012.html
*** {01.24.013} Linux - Update {01.11.028}: POP/IMAP server
user-privilege buffer overflows
Mandrake has released updated imap packages that fix the vulnerabilities
discussed in {01.11.028} ("POP/IMAP server user-privilege buffer
overflows").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0120.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0120.html
--- BSD News -----------------------------------------------------------
*** {01.24.026} BSD - fts-based programs can be made to recurse into
wrong directories
OpenBSD has released an advisory indicating that fts-based applications
(such as rm, find, etc.) can be tricked into recursing into the wrong
directory (for example, when used with the -R option), which could have
a security impact (denial of service or worse).
OpenBSD 2.8 patch:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/029_fts.patch
OpenBSD 2.9 patch:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/002_fts.patch
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-06/0177.html
--- HP-UX News ---------------------------------------------------------
*** {01.24.027} HPUX - Update {01.23.019}: kmmodreg temp file
mishandling
HP has released patches for the vulnerability discussed in {01.23.019}
("kmmodreg temp file mishandling").
Apply the appropriate patch:
HPUX 11.00: PHCO_24112
HPUX 11.04: PHCO_24197
HPUX 11.11: PHCO_24147
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q2/0059.html
*** {01.24.028} HPUX - Update {01.21.017}: iPlanet/Netscape large HTTP
method buffer overflow
HP has released a patch for VVOS/HPUX 11.04 that fixes the vulnerability
discussed in {01.21.017} ("iPlanet/Netscape large HTTP method buffer
overflow").
Apply patch PHSS_24108.
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q2/0059.html
--- SCO News -----------------------------------------------------------
*** {01.24.022} SCO - rtpm TERM env variable buffer overflow
The rtpm application shipped with Unixware version 7.1.1 (and possibly
others) is reported to contain a buffer overflow in the handling of the
TERM environment variable. A local attacker could potentially use this
to execute arbitrary code under uid bin.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0114.html
--- Network Appliances News --------------------------------------------
*** {01.24.007} NApps - NetGap inspecting/filtering bypass with URL
encoding
SpearHead's NetGap security appliances (models 200 and 300) running as
HTTP proxies do not properly inspect (model 300) or block files (models
200 and 300) when the HTTP request contains URL encoding.
SpearHead has acknowledged the vulnerability and fixed the problem in
build 78 of the NetGap firmware software.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0047.html
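Added illustration of the filter weakness this item describes; it is not SpearHead's code and the blocked-extension list and sample URLs are constructed. naive_blocked matches the request string as it arrived, so a percent-encoded file name is not recognised; canonical_blocked decodes and case-folds first and fails closed on malformed, NUL-bearing or double-encoded input.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Extensions the filter is meant to stop (constructed list for this example). */
static const char *BLOCKED_EXT[] = { ".exe", ".vbs", ".scr", NULL };

/* True if s still contains a well-formed %XX escape. */
static int has_valid_escape(const char *s)
{
    for (; *s; s++)
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2]))
            return 1;
    return 0;
}

/* One pass of %XX decoding; -1 on a malformed escape, on %00, or on overflow. */
static int percent_decode_once(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            if (c == 0) return -1;      /* embedded NUL is never legitimate in a path */
            i += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Case-insensitive extension match on the path part only (before '?' or '#'). */
static int has_blocked_ext(const char *path)
{
    size_t n = strcspn(path, "?#");
    for (int k = 0; BLOCKED_EXT[k]; k++) {
        size_t e = strlen(BLOCKED_EXT[k]);
        if (n >= e && strncasecmp(path + n - e, BLOCKED_EXT[k], e) == 0)
            return 1;
    }
    return 0;
}

/* Weak design: match the request as it arrived, so "%2Eexe" never equals ".exe". */
int naive_blocked(const char *raw_url)
{
    return has_blocked_ext(raw_url);
}

/* Corrected design: canonicalize, then match; fail closed on malformed input or
 * input still encoded after one decode (double encoding a backend might undo). */
int canonical_blocked(const char *raw_url)
{
    char decoded[2048];
    if (percent_decode_once(raw_url, decoded, sizeof decoded) < 0 || has_valid_escape(decoded))
        return 1;
    return has_blocked_ext(decoded);
}
```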
*** {01.24.016} NApps - WatchGuard firebox SMTP proxy allows files
through filter
Under certain conditions, the WatchGuard firebox's SMTP proxy might
allow attachments, such as executables and active scripting, through
the Mime-type filter.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0085.html
--- Cross-Platform News ------------------------------------------------
*** {01.24.005} Cross - VirtualCart Shopping Cart Remote Command
Execution
All versions of VirtualCart Shopping Cart contain a vulnerability in
the CatalogMgr.pl CGI. A lack of validation checking allows a remote
attacker to execute command line commands under the UID of the Web
server.
This vulnerability has been confirmed. A vendor patch is available
(note: this patch is not hosted by the vendor) at:
http://www.cgisecurity.net/advisory/patch/VirtualCatalog.tar.gz
The vendor patch fixes other bugs, as well, although it is unknown if
they are security related.
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0067.html
*** {01.24.009} Cross - ispell vulnerable to symlink attacks
RedHat has released an advisory indicating that ispell utilizes mktemp()
to open temporary files, which makes it vulnerable to local symlink
attacks. Other OSes (besides RedHat Linux) also may be vulnerable.
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0024.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-06/0024.html
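Added illustration (not code from the advisory or from ispell) of why mktemp() is the problem here: it only produces a name, and the open() that follows uses O_CREAT without O_EXCL, so it follows a symlink planted at that name. The hardened open() uses O_EXCL|O_NOFOLLOW, which is the rule mkstemp() applies internally. symlink_scenario, the /tmp paths and the function names are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: mktemp() yields only a name, and the
 * open() that follows uses O_CREAT without O_EXCL, so it silently follows a
 * symlink that someone else planted at that predictable name. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail when anything already exists at the path
 * (POSIX requires this even when the entry is a symlink) and O_NOFOLLOW refuses
 * links outright. mkstemp() applies the same O_EXCL rule internally, which is
 * why it is the drop-in replacement for mktemp() plus open(). */
int open_temp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a victim file and a symlink planted at the temp name.
 * Returns a bitmask: bit 0 = unsafe open followed the link and truncated the
 * victim; bit 1 = hardened open refused the link. -1 on setup failure. */
int symlink_scenario(void)
{
    char dir[] = "/tmp/ispell-demo-XXXXXX";
    char victim[256], tmpname[256];
    struct stat st;
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/ispell.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* the real file */
    if (fd < 0)
        return -1;
    if (write(fd, "important\n", 10) != 10)
        return -1;
    close(fd);
    if (symlink(victim, tmpname) != 0)                     /* planted link */
        return -1;

    fd = open_temp_unsafe(tmpname);
    if (fd >= 0)
        close(fd);
    if (stat(victim, &st) == 0 && st.st_size == 0)
        result |= 1;                 /* victim was truncated through the link */

    fd = open_temp_safe(tmpname);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;                 /* hardened open refused the link */
    else if (fd >= 0)
        close(fd);

    unlink(tmpname); unlink(victim); rmdir(dir);
    return result;
}
```

Calling symlink_scenario() from a main() returns 3 on a POSIX system: the unsafe open wrote through the link and the hardened one refused it.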
*** {01.24.014} Cross - exim remote printf format attack
The exim MTA was found to contain a format string vulnerability in the
checking of header syntax. This could lead to a local attacker executing
arbitrary code under elevated privileges.
This vulnerability has been confirmed. Debian has released updated
packages to fix this problem.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0087.html
Source: Debian, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0041.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0087.html
*** {01.24.017} Cross - HP Openview NNM command execution via SNMP traps
A report was released indicating a remote exploit in the ovactiond
service shipped with HP OpenView Network Node Manager version 6.1. By
sending a certain SNMP trap, a remote attacker can execute applications
running as uid bin.
The vulnerability has not been confirmed. HP patch PHSS_23779 should
correct the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0062.html
*** {01.24.019} Cross - su-wrapper command line argument buffer overflow
An exploit was released indicating a buffer overflow in the handling of
command line arguments by su-wrapper version 1.1.1. The vulnerability
allows a local attacker to execute arbitrary code under root privileges.
This vulnerability has not been confirmed. An exploit has been
published.
Source: SecurityFocus BugTraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0057.html
*** {01.24.020} Cross - Potential buffer overflow in xinetd
svc_logprint function
An advisory has surfaced indicating the existence of a potential buffer
overflow in xinetd 2.1.8.9pre11. This could allow a remote attacker to
overflow a buffer in the svc_logprint function, which in turn could
allow for the execution of arbitrary code under root privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0064.html
*** {01.24.021} Cross - Scotty ntping host name buffer overflow
The ntping utility included with Scotty visual network mapping software
(version 2.1.0 and most likely prior) contains a buffer overflow in the
handling of the supplied host name (command line argument). Since ntping
is documented as being required to run suid root, this allows a local
attacker to execute arbitrary code under root privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0579.html
*** {01.24.023} Cross - TIAtunnel auth_conn buffer overflow
The TIAtunnel IRC proxy version 0.9alpha2 contains a buffer overflow in
the auth_conn function. This could allow a remote attacker to execute
arbitrary code under the uid of the TIAtunnel service (typically root).
The program author has confirmed this vulnerability and released version
0.9alpha3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0042.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0115.html
*** {01.24.024} Cross - File name case may bypass Apache restrictions
An advisory was posted indicating the possibility of bypassing
particular Apache configurations/restrictions because the underlying
file system is not case sensitive (such as on Windows and Mac HFS).
This vulnerability has not been confirmed; however, we felt it important
to make people aware of the potential vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0090.html
--- Services News ------------------------------------------------------
*** {01.24.025} Svc - Gmx.net JavaScript filter bypass
An advisory was recently released indicating that it's possible to
bypass the JavaScript filtering done by the gmx.net Web mail service.
This allows an attacker to embed malicious JavaScript into an e-mail,
which is executed when viewed by the user.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0117.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form (http://www.sans.org/sansurl). On
this form you can enter the SD number located near your name at the top
of the newsletter. When you submit this form, an e-mail containing a
URL will be sent to you at the e-mail address on record. With this URL
you can make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information,
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online. http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).