From: Network Computing and The SANS Institute (sans+ZZ22972235326713624sans.org)
Date: Thu Aug 30 2001 - 14:12:29 CDT

    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 112 (01.35)
                            Thursday, August 30, 2001
                                Created for you by
                      Network Computing and the SANS Institute
                               Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    FREE NETIQ SECURITY AUDIOCAST

    Go one-on-one with leading security analyst Frank Prince from Forrester
    Research and NetIQ security experts during our FREE audiocast, "Security
    in the Era of E-Business, An Analyst's Perspective." You'll gain
    insights on IT trends, business challenges and management issues.

    Register today!

    http://webevents.road-show.com/netiq/20010911/start/register.asp?origin=sans2

    ----------------------------------------------------------------------

    We'd like to point out a simple notion that, hopefully, everyone is
    aware of. When you ask an application -- be it your mail agent, Web
    browser, project-manager software or whatever -- to store your password
    (so you can be lazy and not have to type/remember it next time),
    odds are the password is stored in a retrievable format somewhere.

    Think about it: The application most likely has to send/use your
    plain-text password. If the app uses a cryptographic method to hash
    the password, it loses the ability to use the original password. Thus,
    any 'encryption' or obfuscation put on the password is most likely
    reversible. It doesn't matter if the app uses a home-brewed crypto
    scheme, an AES candidate or ROT13. All are reversible and still allow
    your password to be recovered.

    Now, yes, there are some fancy cryptographic storage facilities that
    help this problem. Many of these, however, just encrypt passwords
    with more passwords. In the end, if you're worried about your
    passwords being recovered, NEVER opt to have an application store
    them automatically for you.
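
    As an added illustration (not part of the newsletter), the following
    Python sketch contrasts three ways an application might keep a saved
    password: ROT13, XOR with a key the application itself carries (a
    constructed stand-in for any home-brewed scheme), and a salted PBKDF2
    hash. The first two hand the plaintext back to anything that can read
    the store and the application; the hash can only verify a password the
    user types again, which is exactly why an app that must resend the
    password cannot use it.

```python
import codecs
import hashlib
import hmac
import os

# Constructed demo, not code from the newsletter or any product it names.
# Assumption: a key baked into the application binary, as home-brewed
# "encryption" of saved passwords typically relies on.
APP_KEY = b"example-key-shipped-inside-the-app"


def store_rot13(password: str) -> str:
    """Pure obfuscation: ROT13 is its own inverse."""
    return codecs.encode(password, "rot_13")


def recover_rot13(stored: str) -> str:
    return codecs.decode(stored, "rot_13")


def _xor_with_app_key(data: bytes) -> bytes:
    return bytes(b ^ APP_KEY[i % len(APP_KEY)] for i, b in enumerate(data))


def store_xor(password: str) -> bytes:
    """'Encryption' with a key the app carries; looks random on disk."""
    return _xor_with_app_key(password.encode())


def recover_xor(stored: bytes) -> str:
    # Same key, same operation: whoever can read the app can read the store.
    return _xor_with_app_key(stored).decode()


def store_hashed(password: str, salt: bytes = b"") -> tuple:
    """One-way storage: the app can check a typed password, never resend it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def demo(password: str) -> dict:
    """Show which stored forms yield the plaintext without asking the user."""
    salt, digest = store_hashed(password)
    return {
        "rot13_recovered": recover_rot13(store_rot13(password)),
        "xor_recovered": recover_xor(store_xor(password)),
        # There is no recover function for the hash; only verification exists.
        "hash_verifies": verify_hashed(password, salt, digest),
        "hash_rejects_wrong": not verify_hashed(password + "x", salt, digest),
    }


if __name__ == "__main__":
    for name, value in demo("s3cret!").items():
        print(f"{name:>20}: {value}")
```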

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.35.007} Win - WinWrapper Pro file retrieval
    {01.35.010} Win - BadBlue file source disclosure
    {01.35.021} Win - AVTronics InetServer authentication overflow and DoS
    {01.35.022} Win - Outlook Web access malformed user name DoS
    {01.35.018} Linux - Update {01.28.021}: xloadimage/faces reader buffer
                overflow
    {01.35.008} BSD - Update {01.29.015}: OpenSSL PRNG predictability
    {01.35.009} BSD - dump runs RCMD_CMD with privileges
    {01.35.014} AIX - Layout library GetLayoutInitFunc() LANG ENV variable
                overflow
    {01.35.015} AIX - CDE dtprintinfo/dthelpview buffer overflow
    {01.35.016} AIX - Vague security problem in lsmcode
    {01.35.006} HPUX - rlpdaemon remote buffer overflow
    {01.35.013} SCO - mana buffer overflow
    {01.35.017} SCO - Update {01.05.001}: Multiple Bind buffer overflows
                (TSIG/infoleak)
    {01.35.024} SCO - uidadmin -S parameter overflow
    {01.35.001} NApps - Update {00.50.016}: Multiple vulnerabilities in
                CBOS on Cisco 600 series routers
    {01.35.004} Other - Update {01.30.021}: Multiple vendor telnetd
                option-handling overflow
    {01.35.028} Other - Update {01.15.011}: Multiple vendor FTP glob
                functionality buffer overflow
    {01.35.002} Cross - Netscape installation insecure temp file creation
    {01.35.003} Cross - Update {01.34.020}: Sendmail -d parameter arbitrary
                memory writing
    {01.35.005} Cross - AOLserver long authorization header DoS
    {01.35.011} Cross - qpopper account existence confirmation bug
    {01.35.012} Cross - Adobe Acrobat/libCoolType creates world-writable
                AdobeFnt.lst file
    {01.35.019} Cross - Sage Software MAS200 network service DoS
    {01.35.020} Cross - Konqueror long URL DoS
    {01.35.023} Cross - BSCW groupware tar/symlink file access
    {01.35.025} Cross - JRE 1.3 with Java Plugin 1.4 ignores security
                certificates
    {01.35.026} Cross - PHProjekt authentication bypass
    {01.35.027} Cross - LPRng dvips backtick/command execution

    --- Windows News -------------------------------------------------------

    *** {01.35.007} Win - WinWrapper Pro file retrieval

    WinWrapper Professional version 2.0 has been found to allow a remote
    attacker to download arbitrary files on the target system by using
    reverse directory traversal ('..') notation in an HTTP request.

    The vendor has confirmed this vulnerability and released a patch,
    which is available at:
    http://www.tsc.ant.co.jp/products/download.htm

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0310.html

    *** {01.35.010} Win - BadBlue file source disclosure

    The BadBlue HTTP server version 1.02 has been found to allow a remote
    attacker to download the files by appending '%00' to the requested
    URL. This may allow an attacker to access source code to dynamic
    CGIs/scripts.

    The advisory indicates vendor confirmation. Version 1.5 is supposed
    to contain a fix.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0314.html

    *** {01.35.021} Win - AVTronics InetServer authentication overflow and
                    DoS

    AVTronics' InetServer versions 3.2.1 and 3.1.1 have been found to
    contain a buffer overflow in the handling of the HTTP authentication
    header, which potentially could be used by a remote attacker to
    execute arbitrary code. There is also a denial of service in the
    server, whereby an attacker can cause the service to crash by sending
    a large amount of data.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0317.html

    *** {01.35.022} Win - Outlook Web access malformed user name DoS

    A few unconfirmed reports indicate a potential denial of service in
    the Outlook Web Access (OWA) component for Microsoft Exchange. If a
    remote attacker enters a particular malformed user name and password,
    IIS might become unavailable.

    No additional information or confirmation is available at this
    time. Some people have reported that requiring NTLM authentication
    (in IIS) will bypass the issue.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0323.html

    --- Linux News ---------------------------------------------------------

    *** {01.35.018} Linux - Update {01.28.021}: xloadimage/faces reader
                    buffer overflow

    Conectiva has released updated xloadimage packages that fix the
    vulnerability discussed in {01.28.021} ("xloadimage/faces reader
    buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0007.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0007.html

    --- BSD News -----------------------------------------------------------

    *** {01.35.008} BSD - Update {01.29.015}: OpenSSL PRNG predictability

    NetBSD has released patches that fix the vulnerability discussed in
    {01.29.015} ("OpenSSL PRNG predictability").

    NetBSD-current as of July 10, 2001, and NetBSD-1.5 as of July 29,
    2001, contain the updated fix.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0150.html

    *** {01.35.009} BSD - dump runs RCMD_CMD with privileges

    NetBSD has released an advisory indicating that the dump and dump_lfs
    commands do not properly drop privileges before executing commands
    specified in the RCMD_CMD environment variable. This would allow
    a remote attacker to execute arbitrary programs with group 'tty'
    privileges.

    NetBSD-current and -1.5 as of Aug. 8, 2001, contain the fix. NetBSD-1.4
    will need to apply the patch detailed at:
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0151.html

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0151.html

    --- AIX News -----------------------------------------------------------

    *** {01.35.014} AIX - Layout library GetLayoutInitFunc() LANG ENV
                    variable overflow

    IBM has released APAR IY20867, which fixes a potential overflow in
    the GetLayoutInitFunc() function in a layout library used by setuid
    applications. The vulnerability may allow local attackers to trigger
    a buffer overflow in the handling of the LANG environment variable
    and execute arbitrary code.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

    *** {01.35.015} AIX - CDE dtprintinfo/dthelpview buffer overflow

    IBM has released APAR IY21539, which fixes a buffer overflow in
    dthelpview that could have security concerns. No additional details
    have been released.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

    *** {01.35.016} AIX - Vague security problem in lsmcode

    IBM has released APAR IY22255, which corrects a problem in the error
    messages reported by lsmcode. While IBM indicates that this problem
    may impact security, we're not quite sure how.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.35.006} HPUX - rlpdaemon remote buffer overflow

    HP has released patches for a rlpdaemon buffer overflow, which may
    allow a remote attacker to execute arbitrary code on the system with
    root privileges.

    HP has released the following patches:
    HPUX 10.01: PHCO_24697
    HPUX 10.10: PHCO_24698
    HPUX 10.20: PHCO_24699
    HPUX 11.00: PHCO_24700
    HPUX 11.11: PHCO_24701
    HPUX 11.20: PHCO_24868

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q3/0047.html

    --- SCO News -----------------------------------------------------------

    *** {01.35.013} SCO - mana buffer overflow

    The mana application has been found to contain a buffer overflow
    that would allow a local attacker to execute arbitrary code under
    root privileges.

    Caldera has confirmed this vulnerability. Patches are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0017.html

    Source: SCO/Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0017.html

    *** {01.35.017} SCO - Update {01.05.001}: Multiple Bind buffer
                    overflows (TSIG/infoleak)

    SCO/Caldera has released temporary bind upgrades that fix the
    vulnerability discussed in {01.05.001} ("Multiple Bind buffer overflows
    (TSIG/infoleak)").

    More information on this temporary upgrade is available at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0019.html

    Source: SCO/Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0019.html

    *** {01.35.024} SCO - uidadmin -S parameter overflow

    SCO/Caldera has released SR847563 for Unixware 7 and OpenUnix 8. The
    patch fixes a buffer overflow in uidadmin's handling of the -S command
    line parameter, which could allow a local attacker to execute arbitrary
    code under root privileges.

    The patches are available at:
    ftp://ftp.sco.com/pub/security/openunix/sr847563/

    Source: SCO/Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0016.html

    --- Network Appliances News --------------------------------------------

    *** {01.35.001} NApps - Update {00.50.016}: Multiple vulnerabilities in
                    CBOS on Cisco 600 series routers

    Cisco has released updated software that fixes the vulnerabilities
    discussed in {00.50.016} ("Multiple vulnerabilities in CBOS on Cisco
    600 series routers").

    Updated CBOS versions 2.4.2b and 2.4.3 are available at:
    http://www.cisco.com/

    Source: Cisco (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0344.html

    --- Other News ---------------------------------------------------------

    *** {01.35.004} Other - Update {01.30.021}: Multiple vendor telnetd
                    option-handling overflow

    SGI has released patches that fix the vulnerability discussed in
    {01.30.021} ("Multiple vendor telnetd option-handling overflow").

    Patches are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q3/0032.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2001-q3/0032.html

    *** {01.35.028} Other - Update {01.15.011}: Multiple vendor FTP glob
                    functionality buffer overflow

    SGI has released patches for the vulnerability discussed in {01.15.011}
    ("Multiple vendor FTP glob functionality buffer overflow").

    IRIX versions 6.5 through 6.5.12 are vulnerable. Patches are listed at:
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0038.html

    Source: SGI (VulnWatch)
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0038.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.35.002} Cross - Netscape installation insecure temp file
                    creation

    A recent advisory indicates that the Netscape 6.01a installation
    process on Solaris (and possibly other platforms) creates an insecure
    temporary file that could allow a local attacker to perform a symlink
    attack.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0036.html

    *** {01.35.003} Cross - Update {01.34.020}: Sendmail -d parameter
                    arbitrary memory writing

    Multiple vendors have released fixes for the vulnerability discussed
    in {01.34.020} ("Sendmail -d parameter arbitrary memory writing").

    OpenBSD patches are listed at:
    http://archives.neohapsis.com/archives/openbsd/2001-08/2324.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0360.html

    Updated Caldera Linux RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0018.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0004.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/0722.html

    Source: Immunix, SuSE, Conectiva, OpenBSD, Caldera (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0360.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0004.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/0722.html
    http://archives.neohapsis.com/archives/openbsd/2001-08/2324.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0018.html

    *** {01.35.005} Cross - AOLserver long authorization header DoS

    It has been reported that AOLserver version 3.0 stops responding when
    a large authorization header is included in an HTTP request. This
    allows a remote attacker to cause a denial of service situation.

    The vendor has not confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0325.html

    *** {01.35.011} Cross - qpopper account existence confirmation bug

    qpopper version 4.0.1 (installed from RPM on RedHat Linux 7.0) has been
    found to differ in responses to valid and invalid user accounts. This
    could potentially allow a remote attacker to use brute force to gain
    a list of valid account names.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0363.html

    *** {01.35.012} Cross - Adobe Acrobat/libCoolType creates
                    world-writable AdobeFnt.lst file

    On Unix platforms, Adobe Acrobat (and potentially other applications
    using Adobe's libCoolType library) has been found to create the
    AdobeFnt.lst file with world-writable permissions. This may allow
    local attackers to tamper with the file.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0313.html

    *** {01.35.019} Cross - Sage Software MAS200 network service DoS

    Sage Software's MAS200 accounting package has been found to contain a
    denial of service in the network remote access daemon. It's possible
    for a remote attacker to disable the service, causing any subsequent
    uses to fail.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0312.html

    *** {01.35.020} Cross - Konqueror long URL DoS

    It has been reported that Konqueror version 2.2 crashes whenever a
    malicious Web site sends an overly long URL. This can be used in a
    denial of service situation.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0493.html

    *** {01.35.023} Cross - BSCW groupware tar/symlink file access

    The BSCW groupware Web application has been found to contain a
    vulnerability that would allow a remote attacker, who has proper
    user access, to upload a particular tar file containing a symlink.
    The symlink could then allow the attacker to view arbitrary files on
    the system readable by the BSCW privileges.

    The advisory indicates that patches are available at:
    http://bscw.gmd.de/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0328.html

    *** {01.35.025} Cross - JRE 1.3 with Java Plugin 1.4 ignores security
                    certificates

    A report has surfaced indicating that the particular combination of
    JRE 1.3 and Java Plugin 1.4 allows applets without outdated security
    certificates to still execute with privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0359.html

    *** {01.35.026} Cross - PHProjekt authentication bypass

    The PHProjekt PHP Web application prior to version 2.4a has been
    found to allow remote attackers to access other users' data without
    needing any authentication information.

    The vendor has confirmed this vulnerability and released version 2.4a,
    which is available at:
    http://www.PHProjekt.com/download/phprojekt.tar.gz

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0373.html

    *** {01.35.027} Cross - LPRng dvips backtick/command execution

    A configuration bug was found in LPRng. It seems that LPRng will
    pass tex files to dvips for processing, without specifying the -R
    parameter (which is used to disable some insecure features). It's
    possible for an attacker who can access the lp daemon to execute
    command line commands under the privileges of the lp daemon.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-08/0375.html

    ************************************************************************

    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).