From: Network Computing and The SANS Institute (sans+ZZ26866456110934379@sans.org)
Date: Thu Aug 16 2001 - 14:20:08 CDT
Subject: Re: Your personalized newsletter
-- Security Alert Consensus --
Number 110 (01.33)
Thursday, August 16, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
Reader Poll Results on Corporate Security
If security incidents such as the Code Red Worm have you feeling
vulnerable, you're not alone. Our survey of 5,000 Network Computing
readers reveals where they're spending security dollars and their plans
for deploying PKI, IDS and VPN solutions.
http://www.nwc.com/1217/1217f13.html
----------------------------------------------------------------------
This is, hopefully, the last week we will have to mention anything to
do with the Code Red worm -- at least until the next version rears its
ugly head, that is. First off, it seems there's a small bug in IIS
when it comes to Code Red and URL redirection. If Code Red requests
a redirected URL, IIS may crash cold.
http://archives.neohapsis.com/archives/incidents/2001-08/0218.html
Next, the 'C' and 'D' virtual IIS mappings associated with the worm
have been reported to reappear after being removed. It has been
debated whether this is some strange interaction between the registry
and the IIS metabase. Regardless, Microsoft has released a tool that
will help clean up all traces of the worm.
http://archives.neohapsis.com/archives/bugtraq/2001-08/0127.html
We made two slips in the 01.31 issue. Item 01.31.017 ("Update
{01.30.021}: Multiple vendor telnetd option handling overflow")
indicates that Tru64 is vulnerable to the recent telnetd buffer
overflow; however, the advisory (viewable by the reference
URL) indicates that it is not. And, item 01.31.025 ("ColdFusion
CFRETHROW restarts Linux") is misleading -- the ColdFusion service
crashes/restarts, not the server itself.
Finally, a number of you wrote in about the Microsoft post-SP6a
security "rollup" patch we discussed in the last issue of SAC. It
appears that the "rollup" crashed a ton of systems and created a
fair amount of general chaos. We'd like to thank those who wrote in
and take this time to remind organizations that, whenever possible,
patches should be tested on nonproduction machines before they
are rolled out. It would be nice not to have to patch in the first
place, but don't get us started....
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.33.003} Win - Update {01.32.016}: Identix BioLogon multimonitor
authentication bypass
{01.33.016} Win - Sambar proxy/telnet server connection flood and
password overflow DoS
{01.33.017} Win - WebSweeper JavaScript filtering bypass
{01.33.001} Linux - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
{01.33.004} Linux - Update {01.28.021}: xloadimage/faces reader buffer
overflow
{01.33.013} Linux - Update {01.30.014}: IMP local prefs.lang script
execution
{01.33.014} Sol - Xlock XFILESEARCHPATH env variable overflow
{01.33.018} NApps - ZyXEL Prestige default access and password
{01.33.015} Other - MacAdministrator hidden file exposure
{01.33.002} Cross - OpenLDAP invalid BER length DoS
{01.33.005} Cross - Fetchmail LIST response memory overwrite
{01.33.006} Cross - groff/pic format vulnerability circumvents -S
{01.33.007} Cross - TrollFTPD recursive directory listing buffer
overflow
{01.33.008} Cross - NetCode NCBook guestbook CGI command execution
{01.33.009} Cross - WindowMaker window title buffer overflow
{01.33.010} Cross - phpBB missing language file/eval code execution
{01.33.011} Cross - phpBB viewmail URL param SQL tampering
{01.33.012} Cross - SIX-Webboard CGI content URL param file disclosure
- --- Windows News -------------------------------------------------------
*** {01.33.003} Win - Update {01.32.016}: Identix BioLogon multimonitor
authentication bypass
Identix has confirmed the vulnerability discussed in {01.32.016}
("Identix BioLogon multimonitor authentication bypass"). The company's
recommended solution is to use Windows 2000 and the Windows 2000 version
of BioLogon.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2001-q3/0038.html
*** {01.33.016} Win - Sambar proxy/telnet server connection flood and
password overflow DoS
Sambar's proxy/telnet server has been reported to contain two
denial-of-service conditions. A remote attacker can open multiple
connections to the service until it reaches its connection limit,
after which no new incoming connections are accepted until one of the
open connections is closed. Separately, a long password causes an
overflow; it is not known whether execution of arbitrary code is
possible.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0160.html
*** {01.33.017} Win - WebSweeper JavaScript filtering bypass
Baltimore Technologies' WebSweeper content filter, version 4.02,
has been found to let slightly modified JavaScript pass through the
content filter unchanged. A remote Web site can therefore embed
malicious JavaScript in a Web page in a form that WebSweeper will
not filter.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0164.html
- --- Linux News ---------------------------------------------------------
*** {01.33.001} Linux - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
Multiple vendors have released updated packages that fix the
vulnerability discussed in {01.30.021} ("Multiple vendor telnetd
option handling overflow").
As a side note, an advisory was released indicating that the telnetd
included in the Linux netkit versions prior to and including 0.17 is
also vulnerable (it was previously reported that netkit versions 0.14
and later were not vulnerable).
Updated RedHat krb5 (Kerberos-telnetd) RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0107.html
Updated RedHat telnetd RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0116.html
Updated Caldera Linux telnetd RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0013.html
Updated Debian telnetd DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q3/0018.html
Updated Debian telnetd-ssl DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q3/0022.html
Updated Mandrake telnetd RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0178.html
Source: SecurityFocus Bugtraq, Caldera, Debian, Mandrake, RedHat
http://archives.neohapsis.com/archives/bugtraq/2001-08/0099.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0107.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0116.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0013.html
http://archives.neohapsis.com/archives/vendor/2001-q3/0018.html
http://archives.neohapsis.com/archives/vendor/2001-q3/0022.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0178.html
*** {01.33.004} Linux - Update {01.28.021}: xloadimage/faces reader
buffer overflow
Debian has released updated xloadimage packages that fix the
vulnerability discussed in {01.28.021} ("xloadimage/faces reader
buffer overflow").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q3/0016.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q3/0016.html
*** {01.33.013} Linux - Update {01.30.014}: IMP local prefs.lang script
execution
Debian has released updated IMP packages that fix the vulnerability
discussed in {01.30.014} ("IMP local prefs.lang script execution").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q3/0020.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q3/0020.html
- --- Solaris News -------------------------------------------------------
*** {01.33.014} Sol - Xlock XFILESEARCHPATH env variable overflow
A recently released advisory indicates that the xlock application
shipped with Solaris 2.6, 7 and 8 contains a buffer overflow in the
handling of the XFILESEARCHPATH and the XUSERFILESEARCHPATH environment
variables. Because xlock is setuid root, this allows a local attacker
to execute arbitrary code with root privileges.
The advisory indicates vendor confirmation. Sun will be releasing
the following patches:
              SPARC        x86
              ---------    ---------
Solaris 8     108652-38    108653-33
Solaris 7     108376-30    108377-26
Solaris 2.6   105633-60    106248-45
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0125.html
- --- Network Appliances News --------------------------------------------
*** {01.33.018} NApps - ZyXEL Prestige default access and password
The ZyXEL Prestige P642R and P642R-I ADSL routers, in their default
configuration, accept administrative telnet and FTP connections from
the WAN (untrusted Internet) side. Combined with the default password,
this lets anyone on the Internet who knows that password log in and
modify the device's configuration.
This vulnerability has been confirmed. Various updated firmware images
seem to be available. For details, view:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0180.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0101.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0143.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0180.html
- --- Other News ---------------------------------------------------------
*** {01.33.015} Other - MacAdministrator hidden file exposure
This item is really to dispel any myths about MacAdministrator's
security-through-obscurity approach to hiding files on a local
Macintosh system. A recent advisory indicates that MacAdministrator's
reliance on the 'hidden' file flag can be bypassed with older programs
that simply ignore the flag. As a result, a lot of normally 'unseen'
sensitive information becomes visible and available to users.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0115.html
- --- Cross-Platform News ------------------------------------------------
*** {01.33.002} Cross - OpenLDAP invalid BER length DoS
OpenLDAP does not correctly handle invalid BER length fields in the
requests it receives, allowing a remote attacker to cause a denial of
service. Versions prior to 1.2.12 and 2.0.8 are vulnerable.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q3/0015.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0108.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0177.html
Source: Debian, RedHat, Mandrake (SecurityFocus Bugtraq)
http://archives.neohapsis.com/archives/vendor/2001-q3/0015.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0108.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0177.html
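An added example, not OpenLDAP code: a defensive decoder for the BER
length octets that follow every tag in an LDAP message. It rejects the
encodings a hostile client can use to upset a naive parser (indefinite
length, the reserved 0xFF octet, an absurdly wide length field, and a
length that claims more content than the packet holds), which is the
class of input this item concerns. The function names, the status codes
and the four-octet cap are assumptions of the example, not OpenLDAP's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_MAX_LEN_OCTETS 4   /* assumed cap: content lengths must fit 32 bits */

enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,      /* not enough octets to hold the length field */
    BER_INDEFINITE,     /* 0x80: indefinite form, not permitted in LDAP */
    BER_RESERVED,       /* 0xFF: reserved by X.690 */
    BER_TOO_WIDE,       /* more length octets than the cap allows */
    BER_EXCEEDS_INPUT   /* length claims more content than is present */
};

/* Decode the length field that follows a BER tag.
 * buf/buflen: input starting at the first length octet.
 * On BER_OK, *len is the content length and *used the number of length
 * octets consumed; the content occupies buf[*used .. *used + *len) and
 * is guaranteed to lie inside the input, so a caller may index that
 * range without any further check. */
enum ber_status ber_decode_length(const uint8_t *buf, size_t buflen,
                                  size_t *len, size_t *used)
{
    size_t n, i;
    uint32_t v = 0;

    if (buflen == 0)
        return BER_TRUNCATED;

    if (buf[0] < 0x80) {                  /* short form: 0..127 in one octet */
        *len = buf[0];
        *used = 1;
        return *len <= buflen - 1 ? BER_OK : BER_EXCEEDS_INPUT;
    }
    if (buf[0] == 0x80)
        return BER_INDEFINITE;
    if (buf[0] == 0xFF)
        return BER_RESERVED;

    n = buf[0] & 0x7F;                    /* long form: n length octets follow */
    if (n > BER_MAX_LEN_OCTETS)
        return BER_TOO_WIDE;              /* also keeps the shifts below in 32 bits */
    if (buflen - 1 < n)
        return BER_TRUNCATED;
    for (i = 0; i < n; i++)
        v = (v << 8) | buf[1 + i];

    *len = v;
    *used = 1 + n;
    /* Compare against what remains rather than adding len to used, so a
     * 0xFFFFFFFF length cannot wrap the arithmetic. */
    return *len <= buflen - *used ? BER_OK : BER_EXCEEDS_INPUT;
}

int main(void)
{
    /* Constructed inputs: a valid short form, a valid two-octet long form,
     * and the classic hostile case, a 4 GB length in a five-byte packet. */
    const uint8_t ok_short[] = { 0x05, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t ok_long[]  = { 0x82, 0x00, 0x03, 'a', 'b', 'c' };
    const uint8_t huge[]     = { 0x84, 0xFF, 0xFF, 0xFF, 0xFF };
    size_t len = 0, used = 0;
    enum ber_status st;

    st = ber_decode_length(ok_short, sizeof ok_short, &len, &used);
    printf("short: status %d len %zu used %zu\n", st, len, used);
    st = ber_decode_length(ok_long, sizeof ok_long, &len, &used);
    printf("long:  status %d len %zu used %zu\n", st, len, used);
    st = ber_decode_length(huge, sizeof huge, &len, &used);
    printf("huge:  status %d (BER_EXCEEDS_INPUT is %d)\n", st, BER_EXCEEDS_INPUT);
    return 0;
}
```

The decoder is strict only where LDAP itself is strict (definite lengths
only); a non-minimal long form such as 0x82 0x00 0x03 is accepted
because BER, unlike DER, permits it.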
*** {01.33.005} Cross - Fetchmail LIST response memory overwrite
A remotely exploitable vulnerability has been found in fetchmail
versions prior to 5.8.17. If a user connects to a malicious IMAP or POP
server, the server can send back a response that overwrites arbitrary
memory addresses with values of its choosing. This could allow the
server to execute arbitrary code with the privileges of the running
fetchmail.
This vulnerability has been confirmed.
Updated Debian Linux DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q3/0017.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2001-08/0118.html
http://archives.neohapsis.com/archives/vendor/2001-q3/0017.html
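An added example, not fetchmail code, of the trust boundary this item
is about: a POP3 client learns the message count from STAT, sizes a
per-message table from it, and then fills that table from the message
numbers the server returns in its LIST response. A client that indexes
the table with the raw server-supplied number lets the server choose
the address the size value is written to. The parser below refuses any
number outside 1..count before it touches the table. The function names
and the session transcripts are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one "msgnum size" line of a LIST response. count is the message
 * count already learned from STAT (and used to size the caller's table).
 * Returns 0 and sets *idx (1-based) and *size, or -1 if the line is
 * malformed or msgnum is outside 1..count. */
int pop3_parse_list_line(const char *line, long count, long *idx, long *size)
{
    const char *p;
    char *end;
    long n, s;

    errno = 0;
    n = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || *end != ' ')
        return -1;
    if (n < 1 || n > count)             /* server-chosen index: range-check it */
        return -1;

    p = end + 1;
    errno = 0;
    s = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || s < 0)
        return -1;
    if (*end != '\0' && *end != '\r' && *end != '\n' && *end != ' ')
        return -1;                      /* trailing junk such as "12abc" */
    *idx = n;
    *size = s;
    return 0;
}

/* Walk a multi-line LIST response and store each size at sizes[idx-1].
 * Stops at the "." terminator. Returns the number of entries stored, or
 * -1 at the first line that fails validation, so a hostile server never
 * gets a single out-of-range write. */
int pop3_fill_sizes(const char *response, long count, long *sizes)
{
    char line[256];
    const char *p = response;
    int stored = 0;
    long idx, size;

    while (*p != '\0') {
        size_t n = 0;
        while (p[n] != '\0' && p[n] != '\n')
            n++;
        if (n >= sizeof line)
            return -1;                  /* overlong line: refuse it as well */
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');

        if (line[0] == '+')             /* "+OK ..." status line */
            continue;
        if (line[0] == '.')             /* end of the multi-line response */
            break;
        if (pop3_parse_list_line(line, count, &idx, &size) != 0)
            return -1;
        sizes[idx - 1] = size;          /* idx is now known to be in 1..count */
        stored++;
    }
    return stored;
}

int main(void)
{
    /* Constructed transcripts: STAT said 3 messages. The second is what a
     * hostile server might send to reach memory beyond the table. */
    const char *honest  = "+OK 3 messages\r\n1 120\r\n2 80\r\n3 5\r\n.\r\n";
    const char *hostile = "+OK\r\n1 120\r\n2147483647 80\r\n.\r\n";
    long sizes[3] = { 0, 0, 0 };

    printf("honest server:  stored %d entries\n", pop3_fill_sizes(honest, 3, sizes));
    printf("hostile server: result %d (rejected)\n", pop3_fill_sizes(hostile, 3, sizes));
    return 0;
}
```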
*** {01.33.006} Cross - groff/pic format vulnerability circumvents -S
The pic command shipped with the groff suite contains a format string
vulnerability that allows a trojaned file to execute arbitrary shell
commands, even if the -S (safe mode) option is used.
This vulnerability has been confirmed.
Updated Debian Linux DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q3/0019.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q3/0019.html
*** {01.33.007} Cross - TrollFTPD recursive directory listing buffer
overflow
A buffer overflow was found in versions of TrollTech's TrollFTPD
prior to 1.27. It's possible for a local attacker to cause a buffer
overflow and execute arbitrary code when the server attempts to run
a recursive directory listing.
This vulnerability has been confirmed. TrollFTPD version 1.27 fixes the
problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0167.html
*** {01.33.008} Cross - NetCode NCBook guestbook CGI command execution
Netcode.lgg.ru's NCBook guestbook CGI application has been found
to contain a vulnerability in the handling of the 'current' URL
parameter. This allows a remote attacker to execute arbitrary shell
commands under the privileges of the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0173.html
*** {01.33.009} Cross - WindowMaker window title buffer overflow
The WindowMaker X window manager has been found to contain a buffer
overflow in its handling of window titles. Because some applications
(such as Web browsers) set the window title from data supplied by an
arbitrary remote party, this could allow remote attackers to execute
arbitrary code on the user's system.
Conectiva and Debian have confirmed this vulnerability.
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0002.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q3/0021.html
Source: Conectiva, Debian
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0002.html
http://archives.neohapsis.com/archives/vendor/2001-q3/0021.html
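As an added illustration (not code from WindowMaker, xlock or any
vendor), the pattern behind this item and the Xlock item {01.33.014} is
the same: an attacker-controlled string (a window title chosen by a
remote Web page, an environment variable handed to a setuid root
program) is copied into a fixed-size buffer without a length check. The
unsafe pattern is shown beside a bounded version that rejects oversize
input. The function names, the 64-byte buffer and the sample search path
are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64   /* assumed fixed buffer size for the example */

/* Vulnerable pattern (shown only; never call it with long input): the
 * length of value is never checked, so PATH_BUF bytes or more write past
 * the end of buf. In a setuid root program the value comes from the
 * environment, which the invoking user fully controls. */
void copy_search_path_unsafe(const char *value)
{
    char buf[PATH_BUF];
    strcpy(buf, value);     /* overflows when strlen(value) >= PATH_BUF */
    printf("using search path: %s\n", buf);
}

/* Bounded version: the destination size travels with the destination,
 * the scan never looks past that size, and oversize input is rejected
 * rather than silently truncated (a truncated path may name a different
 * file). Returns 0 on success, -1 on rejection. */
int copy_search_path_safe(const char *value, char *dst, size_t dstlen)
{
    size_t n;

    if (value == NULL || dst == NULL || dstlen == 0)
        return -1;
    for (n = 0; n < dstlen && value[n] != '\0'; n++)
        ;
    if (n == dstlen)        /* no terminating NUL within dstlen bytes */
        return -1;
    memcpy(dst, value, n + 1);
    return 0;
}

/* Reads an environment variable the way a setuid program should: the
 * value is validated before anything is done with it. Returns -1 if the
 * variable is unset or too long. */
int load_search_path_from_env(const char *name, char *dst, size_t dstlen)
{
    const char *v = getenv(name);

    return v ? copy_search_path_safe(v, dst, dstlen) : -1;
}

/* Exercises the bounded copy with a constructed value of len 'A' bytes
 * against a PATH_BUF-byte destination; returns the copy's status. */
int check_copy_len(size_t len)
{
    char dst[PATH_BUF];
    char *src = malloc(len + 1);
    int rc;

    if (src == NULL)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    rc = copy_search_path_safe(src, dst, sizeof dst);
    free(src);
    return rc;
}

int main(void)
{
    char dst[PATH_BUF];

    /* PATH_BUF - 1 bytes fit; PATH_BUF bytes and more are refused. */
    printf("63 bytes: %d, 64 bytes: %d, 4096 bytes: %d\n",
           check_copy_len(63), check_copy_len(64), check_copy_len(4096));
    if (load_search_path_from_env("XFILESEARCHPATH", dst, sizeof dst) == 0)
        printf("XFILESEARCHPATH accepted: %s\n", dst);
    else
        printf("XFILESEARCHPATH unset or rejected\n");
    return 0;
}
```

Rejecting rather than truncating matters for a search path: a value cut
off at the buffer size still parses, but may point the program at a file
the attacker placed rather than the one the administrator intended.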
*** {01.33.010} Cross - phpBB missing language file/eval code execution
A recent report indicates a vulnerability in the phpBB Web application,
versions 1.4.0 and prior. A remote attacker can specify a nonexistent
language file, after which various attacker-supplied URL parameters are
passed to the eval() function, executing arbitrary PHP code.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0123.html
*** {01.33.011} Cross - phpBB viewmail URL param SQL tampering
The phpBB Web application, versions 1.4.1 and prior, reportedly
contains a vulnerability in the handling of the viewmail URL
parameter. This potentially allows a remote attacker to alter the SQL
query built from it and gain administrative access to the phpBB
application.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0021.html
*** {01.33.012} Cross - SIX-Webboard CGI content URL param file
disclosure
Sixhead.com's SIX-Webboard CGI application version 2.01 (and possibly
others) contains a vulnerability in the handling of the 'content'
URL parameter. An attacker can use directory traversal ('..')
sequences in that parameter to view arbitrary files on the system
that are readable by the Web server.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0022.html
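An added example, not SIX-Webboard code, of the check this item says is
missing: a CGI that builds a file path from a 'content' parameter has to
confine that path to its document directory before opening anything.
The routine below normalises the parameter itself ('.' and empty
segments dropped, '..' resolved) and refuses it when it is absolute or
would climb above the base, so the caller only ever opens files under
the base. Function names, the base directory and the sample parameters
are assumptions of the example; it also assumes the CGI layer has
already rejected a %00 in the parameter, since the check works on a C
string.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

/* Normalise a user-supplied relative path into out (capacity outlen).
 * Returns 0 with a canonical "a/b/c" form in out, or -1 for: empty input,
 * an absolute path (leading '/' or '\'), a ".." that would climb above the
 * base, input that resolves to nothing, too many segments, or output that
 * does not fit. Both '/' and '\' count as separators so a Windows CGI
 * cannot be walked with backslashes. */
int confine_relative_path(const char *in, char *out, size_t outlen)
{
    size_t seg_start[MAX_SEGMENTS];     /* offset in out where each segment begins */
    size_t depth = 0, olen = 0;
    const char *p = in;

    if (in == NULL || *in == '\0' || *in == '/' || *in == '\\')
        return -1;

    while (*p != '\0') {
        const char *seg = p;
        size_t n = 0, need;

        while (p[n] != '\0' && p[n] != '/' && p[n] != '\\')
            n++;
        p += n + (p[n] != '\0');        /* skip the separator, if any */

        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                   /* "//" or "." contributes nothing */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return -1;              /* would escape the base directory */
            olen = seg_start[--depth];  /* drop the previous segment */
            continue;
        }
        if (depth == MAX_SEGMENTS)
            return -1;
        need = olen + (olen ? 1 : 0) + n + 1;
        if (need > outlen)
            return -1;
        seg_start[depth++] = olen;
        if (olen)
            out[olen++] = '/';
        memcpy(out + olen, seg, n);
        olen += n;
    }
    if (olen == 0)
        return -1;                      /* e.g. "./" names no file */
    out[olen] = '\0';
    return 0;
}

/* Builds the full path the CGI would open, or returns -1 if the parameter
 * is refused. base is a constructed document directory for the example. */
int webboard_content_path(const char *param, char *full, size_t fulllen)
{
    const char *base = "/var/www/webboard/data";
    char rel[256];

    if (confine_relative_path(param, rel, sizeof rel) != 0)
        return -1;
    if (snprintf(full, fulllen, "%s/%s", base, rel) >= (int)fulllen)
        return -1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "board/1/msg.txt", "a/b/../c",
                              "../../../../etc/passwd", "/etc/passwd" };
    char full[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (webboard_content_path(samples[i], full, sizeof full) == 0)
            printf("%-26s -> %s\n", samples[i], full);
        else
            printf("%-26s -> refused\n", samples[i]);
    }
    return 0;
}
```

This confines the string, not the filesystem: a symbolic link placed
under the base would still be followed, so a complete fix also opens the
file in a way that refuses links or resolves the final path and checks
it again against the base.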
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7fBqE+LUG5KFpTkYRAneoAKCTXZ7b2/gU0cgCw7aFxGr2kNkEJACfczVt
z8ABTazHiyEtR08//4Wb93k=
=NAeX
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
from this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).