From: Network Computing and The SANS Institute (sans+ZZ16798479380635134sans.org)
Date: Thu Jun 14 2001 - 15:02:46 CDT


    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                              Number 101 (01.24)
                           Thursday, June 14, 2001
                             Created for you by
                   Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensus@nwc.com>.

    ----------------------------------------------------------------------

    *** Sponsored by SurfControl, Inc. ***

    WARNING: Networks bottleneck and costs climb as workers squander hours
    online - casual surfing, downloading MP3s, video and other bandwidth
    hogs.

    Install SurfControl on your network and in 20 minutes you'll know
    exactly WHO is doing WHAT, WHEN and WHERE on the Internet. SurfControl
    monitors, records and manages all TCP/IP protocols.

    FREE 30-Day Trial: http://www.surfcontrol.com/promo/SSAC0614

    ----------------------------------------------------------------------

    We've recently expanded the SAC team and, over the coming weeks, we'll
    be in the process of rolling out some long-awaited improvements. While
    we've fielded a number of requests over the past several months, we'd
    like to open the floor for any content-specific suggestions. If there
    are any changes we can implement to make the SAC content more useful,
    please feel free to drop us a message at sac@neohapsis.com.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************


    TABLE OF CONTENTS:

    {01.24.001} Win - PassWD insecure password storage
    {01.24.002} Win - MS01-030: Exchange OWA Script Execution
    {01.24.003} Win - Pragma InterAccess TelnetD character flood DoS
    {01.24.004} Win - MS01-031: Multiple vulnerabilities in Win2K telnet
                service
    {01.24.015} Win - TrendMicro virus control system CGI vulnerability
    {01.24.018} Win - Broker FTP Server DoS and directory traversal
    {01.24.006} Linux - Update {01.23.002}: gpg file name format string
                vulnerability
    {01.24.008} Linux - xinetd umask may cause world writable files
    {01.24.010} Linux - Update {00.54.012}: GTK+ code exec via GTK_MODULES
                env variable
    {01.24.011} Linux - Update {00.45.037}: Multiple tcpdump buffer
                overflows
    {01.24.012} Linux - Volution configuration could use rogue CCD server
    {01.24.013} Linux - Update {01.11.028}: POP/IMAP server user-privilege
                buffer overflows
    {01.24.026} BSD - fts-based programs can be made to recurse into wrong
                directories
    {01.24.027} HPUX - Update {01.23.019}: kmmodreg temp file mishandling
    {01.24.028} HPUX - Update {01.21.017}: iPlanet/Netscape large HTTP
                method buffer overflow
    {01.24.022} SCO - rtpm TERM env variable buffer overflow
    {01.24.007} NApps - NetGap inspecting/filtering bypass with URL encoding
    {01.24.016} NApps - WatchGuard firebox SMTP proxy allows files through
                filter
    {01.24.005} Cross - VirtualCart Shopping Cart Remote Command Execution
    {01.24.009} Cross - ispell vulnerable to symlink attacks
    {01.24.014} Cross - exim remote printf format attack
    {01.24.017} Cross - HP Openview NNM command execution via SNMP traps
    {01.24.019} Cross - su-wrapper command line argument buffer overflow
    {01.24.020} Cross - Potential buffer overflow in xinetd svc_logprint
                function
    {01.24.021} Cross - Scotty ntping host name buffer overflow
    {01.24.023} Cross - TIAtunnel auth_conn buffer overflow
    {01.24.024} Cross - File name case may bypass Apache restrictions
    {01.24.025} Svc - Gmx.net JavaScript filter bypass

    --- Windows News -------------------------------------------------------

    *** {01.24.001} Win - PassWD insecure password storage

    PassWD2000 versions 2.x have been found to insecurely store user names
    and passwords using a weak encryption method. The advisory indicates
    vendor confirmation.

    No patches will be made available for PassWD2000 2.x versions; instead,
    version 3.0 (not yet released) will address this problem. Vendor home
    page:
    http://www.passwd2000.com

    Source: Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0016.html

    *** {01.24.002} Win - MS01-030: Exchange OWA Script Execution

    Microsoft has released MS01-030 ("Incorrect attachment handling in
    Exchange OWA can execute script"). Due to a flaw in the interaction
    between IE and Outlook Web Access, message attachments containing
    malicious code can be executed when the message is opened.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-030.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q2/0050.html

    *** {01.24.003} Win - Pragma InterAccess TelnetD character flood DoS

    Pragma InterAccess TelnetD release 4.0 build 5 contains a denial of
    service that allows a remote attacker to crash the telnet service by
    sending a large burst of characters to port 23.

    This vulnerability has not been confirmed. The advisory implies that
    upgrading to Pragma InterAccess release 4.0 build 6 will correct the
    problem.

    Source: Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0048.html

    *** {01.24.004} Win - MS01-031: Multiple vulnerabilities in Win2K
                    telnet service

    Microsoft has released MS01-031 ("Predictable name pipes could enable
    privilege elevation"). This advisory covers seven vulnerabilities in
    the Windows 2000 Telnet service: two allow privilege elevation via
    predictable named pipes; four are potential denial-of-service
    conditions, including a handle leak when a Telnet session is
    terminated, a malformed logon command and a system call that can
    terminate a Telnet session; the last, which is similar to an FTP
    vulnerability covered in MS01-026, potentially allows an attacker to
    log into Telnet via Guest accounts.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-031.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q2/0049.html

    *** {01.24.015} Win - TrendMicro virus control system CGI vulnerability

    A potential vulnerability was found in a CGI program included in
    TrendMicro's VCS (Virus Control System) in which a remote user might be
    able to access the administrative program and data without
    authentication.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0065.html

    *** {01.24.018} Win - Broker FTP Server DoS and directory traversal

    A report was released indicating a buffer overflow in Broker FTP Server
    version 5.9.5.0. The buffer overflow, which is executed after a user
    logs in, can lead to a denial of service. A directory traversal problem
    also exists, which allows a remote attacker to access files outside the
    ftproot directory.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0088.html

    --- Linux News ---------------------------------------------------------

    *** {01.24.006} Linux - Update {01.23.002}: gpg file name format string
                    vulnerability

    Multiple Linux vendors have released updated gpg packages that fix the
    vulnerability discussed in {01.23.002} ("gpg file name format string
    vulnerability").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0008.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html

    Updated TurboLinux RPMs:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0026.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0056.html

    Source: Conectiva, Caldera, TurboLinux, RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0008.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0011.html
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0026.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0056.html

    *** {01.24.008} Linux - xinetd umask may cause world writable files

    RedHat and Mandrake have released updated versions of xinetd that fix
    a vulnerability in which xinetd's umask was improperly set. This could
    lead to applications spawned from xinetd creating world-writable files.

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0023.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0121.html

    Source: RedHat, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0023.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0121.html

    *** {01.24.010} Linux - Update {00.54.012}: GTK+ code exec via
                    GTK_MODULES env variable

    TurboLinux has released updated packages that fix the vulnerability
    discussed in {00.54.012} ("GTK+ arbitrary code execution via GTK_MODULES
    environment variable").

    Updated RPMs:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0027.html

    Source: TurboLinux
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0027.html

    *** {01.24.011} Linux - Update {00.45.037}: Multiple tcpdump buffer
                    overflows

    TurboLinux has released updated tcpdump packages that fix the
    vulnerability discussed in {00.45.037} ("Multiple tcpdump buffer
    overflows").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0029.html

    Source: TurboLinux
    http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0029.html

    *** {01.24.012} Linux - Volution configuration could use rogue CCD
                    server

    Caldera has released an advisory indicating a potential problem in the
    Volution version 1.0 client configuration. By default, the client will
    attempt to connect to a Volution CCD (Computer Creation Daemon) on the
    network. It's possible for a malicious user on the same network to
    launch a rogue CCD server, which could potentially handle requests from
    clients.

    Updated Caldera RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0012.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0012.html

    *** {01.24.013} Linux - Update {01.11.028}: POP/IMAP server
                    user-privilege buffer overflows

    Mandrake has released updated imap packages that fix the vulnerabilities
    discussed in {01.11.028} ("POP/IMAP server user-privilege buffer
    overflows").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0120.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0120.html

    --- BSD News -----------------------------------------------------------

    *** {01.24.026} BSD - fts-based programs can be made to recurse into
                    wrong directories

    OpenBSD has released an advisory indicating that fts-based applications
    (such as rm, find, etc.) can be tricked into recursing into the wrong
    directory (for example, when used with the -R option), which could have
    a security impact (denial of service or worse).

    OpenBSD 2.8 patch:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/029_fts.patch

    OpenBSD 2.9 patch:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/002_fts.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-06/0177.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.24.027} HPUX - Update {01.23.019}: kmmodreg temp file
                    mishandling

    HP has released patches for the vulnerability discussed in {01.23.019}
    ("kmmodreg temp file mishandling").

    Apply the appropriate patch:
    HPUX 11.00: PHCO_24112
    HPUX 11.04: PHCO_24197
    HPUX 11.11: PHCO_24147

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q2/0059.html

    *** {01.24.028} HPUX - Update {01.21.017}: iPlanet/Netscape large HTTP
                    method buffer overflow

    HP has released a patch for VVOS/HPUX 11.04 that fixes the vulnerability
    discussed in {01.21.017} ("iPlanet/Netscape large HTTP method buffer
    overflow").

    Apply patch PHSS_24108.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q2/0059.html

    --- SCO News -----------------------------------------------------------

    *** {01.24.022} SCO - rtpm TERM env variable buffer overflow

    The rtpm application shipped with Unixware version 7.1.1 (and possibly
    others) is reported to contain a buffer overflow in the handling of the
    TERM environment variable. A local attacker could potentially use this
    to execute arbitrary code under uid bin.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0114.html

    --- Network Appliances News --------------------------------------------

    *** {01.24.007} NApps - NetGap inspecting/filtering bypass with URL
                    encoding

    SpearHead's NetGap security appliances (models 200 and 300) running as
    HTTP proxies do not properly inspect (model 300) or block files (models
    200 and 300) when the HTTP request contains URL encoding.

    SpearHead has acknowledged the vulnerability and fixed the problem in
    build 78 of the NetGap firmware software.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0047.html

    *** {01.24.016} NApps - WatchGuard firebox SMTP proxy allows files
                    through filter

    Under certain conditions, the WatchGuard firebox's SMTP proxy might
    allow attachments, such as executables and active scripting, through
    the Mime-type filter.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0085.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.24.005} Cross - VirtualCart Shopping Cart Remote Command
                    Execution

    All versions of VirtualCart Shopping Cart contain a vulnerability in
    the CatalogMgr.pl CGI. A lack of validation checking allows a remote
    attacker to execute command line commands under the UID of the Web
    server.

    This vulnerability has been confirmed. A vendor patch is available
    (note: this patch is not hosted by the vendor) at:
    http://www.cgisecurity.net/advisory/patch/VirtualCatalog.tar.gz

    The vendor patch fixes other bugs, as well, although it is unknown if
    they are security related.

    Source: Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0067.html

    *** {01.24.009} Cross - ispell vulnerable to symlink attacks

    RedHat has released an advisory indicating that ispell uses mktemp()
    when creating temporary files, which makes it vulnerable to local
    symlink attacks. Other OSes (besides RedHat Linux) may also be
    vulnerable.

    Updated RedHat RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0024.html

    Source: RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0024.html
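    The temp-file pattern behind this report, as an added example that is
    not part of the newsletter or of ispell's own code: a mktemp()-style
    open that trusts a name chosen earlier, beside an exclusive create that
    refuses a symlink already sitting at that name. The directory layout,
    file names and contents are constructed for the demonstration.

```python
import errno
import os
import tempfile

# Added example (not ispell's code): the mktemp() temp-file pattern named in
# the RedHat advisory, and the O_EXCL create that closes the symlink window.


def unsafe_open_for_write(path):
    """mktemp() style: the name was chosen earlier, and this open trusts it.

    open(path, 'w') creates the file if it is missing but otherwise follows
    whatever already sits at that path, a symlink planted by another local
    user included, so the write lands on the link's target.
    """
    return open(path, "w")


def safe_open_for_write(path):
    """mkstemp() style: create and open in one step with O_EXCL.

    O_CREAT|O_EXCL makes the open fail if anything already exists at the
    path (a symlink counts), so a pre-planted link is refused rather than
    followed. O_NOFOLLOW is added where the platform provides it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def simulate(open_fn):
    """Run open_fn against a constructed directory in which a symlink already
    occupies the predictable temp name. Returns (victim_contents, errno_name);
    errno_name is None when the open succeeded."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")  # file the link points at
        with open(victim, "w") as f:
            f.write("original")
        predicted = os.path.join(d, "ispell.tmp")  # the guessable name
        os.symlink(victim, predicted)              # link planted in advance
        error = None
        try:
            with open_fn(predicted) as f:
                f.write("clobbered")
        except OSError as e:
            error = errno.errorcode.get(e.errno, type(e).__name__)
        with open(victim) as f:
            return f.read(), error


if __name__ == "__main__":
    print("unsafe:", simulate(unsafe_open_for_write))  # ('clobbered', None)
    print("safe:  ", simulate(safe_open_for_write))    # ('original', 'EEXIST')
```

    The safe variant is exactly what mkstemp() does internally; the point of
    the demonstration is that the exclusive create, not the random name alone,
    is what stops the write from being redirected.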

    *** {01.24.014} Cross - exim remote printf format attack

    The exim MTA was found to contain a format string vulnerability in the
    checking of header syntax. This could lead to a local attacker executing
    arbitrary code under elevated privileges.

    This vulnerability has been confirmed. Debian has released updated
    packages to fix this problem.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0087.html

    Source: Debian, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0041.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0087.html

    *** {01.24.017} Cross - HP Openview NNM command execution via SNMP traps

    A report was released indicating a remote exploit in the ovactiond
    service shipped with HP Openview Network Node Manager version 6.1. By
    sending a certain SNMP trap, a remote attacker can execute applications
    running as uid bin.

    The vulnerability has not been confirmed. HP patch PHSS_23779 should
    correct the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0062.html

    *** {01.24.019} Cross - su-wrapper command line argument buffer overflow

    An exploit was released indicating a buffer overflow in the handling of
    command line arguments by su-wrapper version 1.1.1. The vulnerability
    allows a local attacker to execute arbitrary code under root privileges.

    This vulnerability has not been confirmed. An exploit has been
    published.

    Source: SecurityFocus BugTraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0057.html

    *** {01.24.020} Cross - Potential buffer overflow in xinetd
                    svc_logprint function

    An advisory has surfaced indicating the existence of a potential buffer
    overflow in xinetd 2.1.8.9pre11. This could allow a remote attacker to
    overflow a buffer in the svc_logprint function, which in turn could
    allow for the execution of arbitrary code under root privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0064.html

    *** {01.24.021} Cross - Scotty ntping host name buffer overflow

    The ntping utility included with Scotty visual network mapping software
    (version 2.1.0 and most likely prior) contains a buffer overflow in the
    handling of the supplied host name (command line argument). Since ntping
    is documented as being required to run suid root, this allows a local
    attacker to execute arbitrary code under root privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q2/0579.html

    *** {01.24.023} Cross - TIAtunnel auth_conn buffer overflow

    The TIAtunnel IRC proxy version 0.9alpha2 contains a buffer overflow in
    the auth_conn function. This could allow a remote attacker to execute
    arbitrary code under the uid of the TIAtunnel service (typically root).

    The program author has confirmed this vulnerability and released version
    0.9alpha3.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0042.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0115.html

    *** {01.24.024} Cross - File name case may bypass Apache restrictions

    An advisory was posted indicating the possibility of bypassing
    particular Apache configurations/restrictions because the underlying
    file system is not case sensitive (such as on Windows and Mac HFS).

    This vulnerability has not been confirmed; however, we felt it important
    to make people aware of the potential vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0090.html

    --- Services News ------------------------------------------------------

    *** {01.24.025} Svc - Gmx.net JavaScript filter bypass

    An advisory was recently released indicating that it's possible to
    bypass the JavaScript filtering done by the gmx.net Web mail service.
    This allows an attacker to embed malicious JavaScript into an e-mail,
    which is executed when viewed by the user.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0117.html

    ************************************************************************

    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form (http://www.sans.org/sansurl). On
    this form you can enter the SD number located near your name at the top
    of the newsletter. When you submit this form, an e-mail containing a
    URL will be sent to you at the e-mail address on record. With this URL
    you can make changes to your account (edit the content of your Consensus
    mailing, for example) without endangering the security of your personal
    URL. If you'd like to change your e-mail address or other information,
    or unsubscribe to this newsletter, please visit your new URL as
    described above. If you have any problems or questions, e-mail us at
    <consensus@nwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online. http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).