 
From: Network Computing and The SANS Institute (sans+ZZ92904046724594228@sans.org)
Date: Thu Sep 13 2001 - 16:30:29 CDT



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 114 (01.37)
                            Thursday, September 13, 2001
                                 Created for you by
                      Network Computing and the SANS Institute
                                Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    In a new edition of the Network Computing Shoot Out, our editors
    challenged network storage vendors and service providers to devise
    fault-tolerant storage solutions for two fictitious companies. This
    fall, the vendors will face off and present their solutions to you, live
    and in real-time. And with our wireless audience response system, you'll
    help decide which solution hits closest to the mark. It's an
    opportunity to compare products and strategies, while learning about
    the critical factors to consider when making your own storage decision.
    http://www.nwc.com/events/storeshoot.html

    ----------------------------------------------------------------------

    We wish to express our sincerest condolences to all those who were, and
    will be, affected by the horrible events that occurred on September
    11th. Because we understand the continuing need to protect and
    secure companies' resources, we are delivering our security newsletter
    as usual.

    Those of you running intrusion detection systems may want to
    contact your vendor for an update covering the IIS %u Unicode
    encoding issue. A previously unrecognized method of encoding requests
    to IIS servers has surfaced: IIS accepts %uXXXX-style escapes in
    request URLs, so a request encoded that way is understood by the
    server, while IDS products that only decode standard %XX escapes fail
    to parse it and do not alert on the incoming URL. Cisco, ISS and
    Snort have already released updated versions of their products. More
    information is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0043.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.37.009} Win - MS01-047: OWA user enumeration
    {01.37.010} Win - MS01-048: Malformed data crashes RPC endmapper
    {01.37.003} Linux - Update {01.33.005}: Fetchmail LIST response memory
                overwrite
    {01.37.008} Linux - Update {01.36.028}: mod_auth_mysql SQL injection
    {01.37.012} Linux - Update {01.36.007}: Multiple xinetd vulnerabilities
    {01.37.013} Linux - Update {01.36.019}: Bugzilla confidential data
                access and other bugs
    {01.37.006} BSD - Multiple sysctl input validation vulnerabilities
    {01.37.011} BSD - Update {01.24.026}: fts-based programs can be made to
                recurse into wrong directories
    {01.37.020} BSD - NFS mount code overflow
    {01.37.001} AIX - Update {01.30.021}: Multiple vendor telnetd
                option-handling overflow
    {01.37.002} AIX - libdiag trace file symlink attack
    {01.37.014} HPUX - Update {01.11.017}: asecure improper file permissions
    {01.37.025} NApps - DLink 704 router malformed fragment DoS
    {01.37.030} Other - DEC Unix msgchk command line param overflow
    {01.37.004} Cross - Screen multi-attach vulnerability
    {01.37.005} Cross - mailman administration authentication bypass
    {01.37.007} Cross - Update {01.34.020}: Sendmail -d parameter arbitrary
                memory writing
    {01.37.015} Cross - uucp user-supplied config file privilege elevation
    {01.37.017} Cross - libnss-pgsql/pam-pgsql SQL injection
    {01.37.018} Cross - nss_postgresql/pam_pgsql SQL injection
    {01.37.019} Cross - pam-pgsql SQL injection
    {01.37.021} Cross - Gauntlet smap/smapd/csmap overflows
    {01.37.022} Cross - ShopPlus CGI file param command exec
    {01.37.023} Cross - Directory Manager CGI user file param command exec
    {01.37.024} Cross - WebSweeper URL filtering bypass
    {01.37.026} Cross - Merit RADIUS rladmin help file symlink attack
    {01.37.027} Cross - PowerUP HTML CGI file param file viewing
    {01.37.028} Cross - CheckPoint FW-1 temp policy compilation symlink
                attack
    {01.37.029} Cross - sglMerchant html_file param file viewing
    {01.37.031} Cross - CheckPoint FW-1 GUI permission bypass/file saves
    {01.37.016} Tools - Sendmail 8.12.0 available

    --- Windows News -------------------------------------------------------

    *** {01.37.009} Win - MS01-047: OWA user enumeration

    Microsoft has released MS01-047 ("OWA user
    enumeration"). Enumerating/searching for user names normally requires
    authentication; however, it's possible for a remote attacker to gain
    access to the lists of available user names without any authentication
    credentials. Only e-mail names/aliases are exposed. This affects
    Outlook Web Access for Exchange 5.5.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-047.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0035.html

    *** {01.37.010} Win - MS01-048: Malformed data crashes RPC endmapper

    Microsoft has released MS01-048 ("Malformed data crashes RPC
    endpoint mapper"). A remote attacker who can reach the RPC endpoint
    mapper (TCP/UDP port 135) can send a particular malformed request that
    crashes it, effectively disabling all RPC-based services until the
    computer is rebooted.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-048.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0036.html

    --- Linux News ---------------------------------------------------------

    *** {01.37.003} Linux - Update {01.33.005}: Fetchmail LIST response
                    memory overwrite

    RedHat and Conectiva have released updated fetchmail packages, which
    fix the vulnerability discussed in {01.33.005} ("Fetchmail LIST
    response memory overwrite").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0014.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0040.html

    Source: Conectiva, RedHat
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0014.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0040.html

    *** {01.37.008} Linux - Update {01.36.028}: mod_auth_mysql SQL injection

    Conectiva and SuSE have released updated mod_auth_mysql packages,
    which fix the vulnerability discussed in {01.36.028} ("mod_auth_mysql
    SQL injection").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0015.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/1070.html

    Source: Conectiva, SuSE
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0015.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/1070.html

    *** {01.37.012} Linux - Update {01.36.007}: Multiple xinetd
                    vulnerabilities

    RedHat has released updated xinetd packages, which fix the
    vulnerability discussed in {01.36.007} ("Multiple xinetd
    vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0037.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0037.html

    *** {01.37.013} Linux - Update {01.36.019}: Bugzilla confidential data
                    access and other bugs

    RedHat has released updated bugzilla packages, which fix the
    vulnerability discussed in {01.36.019} ("Bugzilla confidential data
    access and other bugs").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0075.html

    Source: RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0075.html

    --- BSD News -----------------------------------------------------------

    *** {01.37.006} BSD - Multiple sysctl input validation vulnerabilities

    NetBSD has released an advisory indicating multiple potential problems
    because the kernel does not correctly check data submitted to it via
    sysctl calls. This is similar to vulnerability {01.08.017}.

    NetBSD-current as of Aug. 5, 2001, and -1.5 as of Aug. 16, 2001,
    contain the patches.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0203.html

    *** {01.37.011} BSD - Update {01.24.026}: fts-based programs can be
                    made to recurse into wrong directories

    NetBSD has released updates for the vulnerability discussed in
    {01.24.026} ("fts-based programs can be made to recurse into wrong
    directories").

    NetBSD-current as of July 9, 2001, and -1.5 as of Aug. 22, 2001,
    contain the updates.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0204.html

    *** {01.37.020} BSD - NFS mount code overflow

    OpenBSD has committed a fix for a buffer overflow in the handling of
    NFS options to the mount command. If local attackers have privileges
    to use mount, it's possible for them to gain root privileges.

    This vulnerability has been confirmed. A patch is available at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/012_nfs.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-09/0036.html

    --- AIX News -----------------------------------------------------------

    *** {01.37.001} AIX - Update {01.30.021}: Multiple vendor telnetd
                    option-handling overflow

    IBM has released APAR IY22029, which fixes the vulnerability discussed
    in {01.30.021} ("Multiple vendor telnetd option-handling overflow").

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q3/0004.html

    *** {01.37.002} AIX - libdiag trace file symlink attack

    IBM has released APAR IY22256, which fixes a vulnerability that
    allows a local attacker to use a symlink attack and overwrite files
    on the system.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.37.014} HPUX - Update {01.11.017}: asecure improper file
                    permissions

    HP has released patches for the vulnerability discussed in {01.11.017}
    ("asecure improper file permissions").

    Install the appropriate patch:
    HPUX 10.10: PHSS_24534
    HPUX 10.20: PHSS_24534
    HPUX 11.00: PHSS_24608

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q3/0062.html

    --- Network Appliances News --------------------------------------------

    *** {01.37.025} NApps - DLink 704 router malformed fragment DoS

    The DLink 704 home router with firmware prior to version 2.56b6
    contains a vulnerability in the handling of malformed fragmented
    packets. As a result, the device will neither respond to nor route
    any further incoming traffic.

    The vendor has confirmed this vulnerability and made updated firmware
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0034.html

    --- Other News ---------------------------------------------------------

    *** {01.37.030} Other - DEC Unix msgchk command line param overflow

    The msgchk application shipped with Digital/DEC Unix version
    4.0 contains a buffer overflow in the handling of command line
    parameters. This would allow a local attacker to execute arbitrary
    code with elevated privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0064.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.37.004} Cross - Screen multi-attach vulnerability

    Screen versions prior to 3.9.10 contain a vulnerability in the
    multi-attach handling code that allows a local attacker to gain root
    privileges (since screen is typically setuid root to function).

    The author has confirmed this vulnerability and released version
    3.9.10.

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/0924.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/0924.html

    *** {01.37.005} Cross - mailman administration authentication bypass

    A bug was found in the mailman HTTP administration interface: if the
    admin password is blank, any password will authenticate. A lesser bug
    could allow list administrators to access subscriber passwords.

    The author has confirmed this vulnerability.

    Conectiva Linux has also released updated RPMs.
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0013.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0013.html

    *** {01.37.007} Cross - Update {01.34.020}: Sendmail -d parameter
                    arbitrary memory writing

    NetBSD and RedHat have released updated sendmail packages, which fix
    the vulnerability discussed in {01.34.020} ("Sendmail -d parameter
    arbitrary memory writing").

    Updated NetBSD information:
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0205.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0034.html

    Source: NetBSD, RedHat
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0205.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0034.html

    *** {01.37.015} Cross - uucp user-supplied config file privilege
                    elevation

    The Taylor UUCP package contains a vulnerability in the handling of
    user-supplied configuration files. This would allow a local attacker to
    gain uid/gid 'uucp,' which could potentially be used to gain further
    root privileges.

    This vulnerability has been confirmed.

    Caldera has also released updated Linux RPMs.
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0020.html

    Source: SecurityFocus Bugtraq, Caldera
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0053.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0020.html

    *** {01.37.017} Cross - libnss-pgsql/pam-pgsql SQL injection

    The libnss-pgsql PAM module versions 0.9.0 and prior, as well as
    pam-pgsql versions 0.9.2 and prior, both by Joerg Wendland, contain
    vulnerabilities in the handling of authentication data. It's possible
    for an attacker to inject arbitrary SQL commands to be executed on
    the backend Postgres database.

    RUS-CERT has confirmed these vulnerabilities.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0071.html

    *** {01.37.018} Cross - nss_postgresql/pam_pgsql SQL injection

    The nss_postgresql PAM module versions 0.6.1 and prior, as well as
    the pam_pgsql module versions 0.0.3 and prior, both by Alessandro
    Gardich, contain a vulnerability in the handling of authentication
    data. This could allow an attacker to execute SQL commands on the
    backend Postgres database.

    RUS-CERT has confirmed these vulnerabilities.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0071.html

    *** {01.37.019} Cross - pam-pgsql SQL injection

    Leon Breedt's pam-pgsql PAM module versions 0.5.1 and prior contain a
    vulnerability in the handling of user authentication data. This could
    allow an attacker to execute SQL commands on the backend Postgres
    SQL database.

    RUS-CERT has confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0071.html
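    The three items above share one root cause: the module pastes the
    user name and password it receives from PAM into the SQL text it sends
    to Postgres. The following is an added example, not the code of any of
    the pam-pgsql/nss modules named here, showing that construction beside
    the parameterized fix. sqlite3 stands in for PostgreSQL so it runs
    offline; the users table, its rows and the login attempts are
    constructed, and passwords are compared in the clear only to keep the
    example short.

```python
"""Added example, not the code of any of the pam-pgsql / nss modules in the
three items above: the query-building mistake behind this class of bug,
beside the parameterized fix. sqlite3 stands in for PostgreSQL so the demo
runs offline; the users table and its rows are constructed. Passwords are
compared in the clear purely to keep the example short."""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def auth_vulnerable(con, user: str, password: str) -> bool:
    """Builds the statement by pasting the PAM-supplied user name and
    password into the SQL text. Quotes in either value become SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + user
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def auth_fixed(con, user: str, password: str) -> bool:
    """Parameterized statement: the driver ships the values separately from
    the SQL text, so quotes and comment markers in the input stay data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (user, password)).fetchone() is not None


# Constructed inputs: a valid login, a wrong password, and two injections.
ATTEMPTS = [
    ("alice", "s3cret"),         # legitimate
    ("alice", "wrong"),          # must fail
    ("alice", "' OR '1'='1"),    # tautology in the password field
    ("alice' --", "anything"),   # '--' comments out the password check
]


def compare() -> dict:
    """Result of each attempt against the vulnerable and the fixed check."""
    con = make_db()
    return {
        "vulnerable": tuple(auth_vulnerable(con, u, p) for u, p in ATTEMPTS),
        "fixed": tuple(auth_fixed(con, u, p) for u, p in ATTEMPTS),
    }


if __name__ == "__main__":
    for label, results in compare().items():
        print(label, results)
```

    Both injections succeed against the concatenated query and fail
    against the parameterized one; the same "--" and quote tricks apply
    to PostgreSQL, which is why the advisory's "arbitrary SQL" wording is
    not an exaggeration for a module that talks to the database as the
    authentication backend.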

    *** {01.37.021} Cross - Gauntlet smap/smapd/csmap overflows

    NAI has released an advisory indicating a remote buffer overflow in
    Gauntlet firewall versions 5.x and 6.0 for Unix, as well as various
    versions of PGP e-ppliance, McAfee e-ppliance and McAfee WebShield.

    Full information is available at:
    http://www.pgp.com/support/product-advisories/csmap.asp

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0042.html

    *** {01.37.022} Cross - ShopPlus CGI file param command exec

    Ksofttech.com's ShopPlus CGI shopping cart application contains
    a vulnerability in the handling of the file URL parameter. The
    vulnerability allows a remote attacker to execute arbitrary
    command-line commands under the privileges of the Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0012.html

    *** {01.37.023} Cross - Directory Manager CGI user file param command
                    exec

    The Directory Manager CGI version 0.9 contains a vulnerability in the
    handling of the userfile/userfile_name URL parameters. This allows
    a remote attacker to execute arbitrary command-line commands under
    the privileges of the Web server.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0013.html

    *** {01.37.024} Cross - WebSweeper URL filtering bypass

    Baltimore Technologies' WebSweeper version 4.02 has been found to not
    canonicalize HTTP URLs. This allows attackers to bypass any configured
    URL filtering by using various forms of URL encoding.

    The vendor has acknowledged this vulnerability and released the
    following technote.
    http://www.mimesweeper.com/support/technotes/notes/1043.asp

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0019.html
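    The WebSweeper bypass and the IIS %u encoding note at the top of this
    issue are the same failure seen from two sides: a filter or sensor
    that matches on the raw or once-decoded URL while the server decodes
    more than it does. The following is an added example, not code from
    the newsletter, Snort, ISS or Baltimore, of a canonicalizer that
    decodes %XX and the IIS-style %uXXXX escape repeatedly, folds
    backslashes and resolves dot segments before matching. The sample
    requests and the signature string are constructed; the Latin-1
    interpretation of decoded code points is an assumption that covers
    the ASCII path characters an attacker actually encodes.

```python
"""Added example (not code from the newsletter, Snort, ISS or Baltimore):
a URL-path canonicalizer that understands both %XX and the IIS-specific
%uXXXX escape, run before matching an IDS signature or a URL-filter rule.
Sample requests are constructed for illustration."""
import re

_HEX2 = re.compile(r"%([0-9A-Fa-f]{2})")
_HEXU = re.compile(r"%[uU]([0-9A-Fa-f]{4})")


def _decode_hex2(s: str) -> str:
    """Decode one layer of standard %XX escapes only (no rescan)."""
    return _HEX2.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_once(path: str) -> str:
    """Decode one layer of escapes, %uXXXX first, then %XX.

    %uXXXX is the non-standard form IIS accepts; a decoder that only knows
    %XX leaves it untouched, which is the evasion described in the
    editorial note at the top of the issue. Assumption: code points up to
    0xFF map to the Latin-1 character; higher ones are left encoded.
    """
    def _u(m):
        cp = int(m.group(1), 16)
        return chr(cp) if cp <= 0xFF else m.group(0)
    return _decode_hex2(_HEXU.sub(_u, path))


def canonicalize(url: str, max_rounds: int = 3) -> str:
    """Canonical form of a request URL's path: decode repeatedly (catches
    double encoding), fold backslashes, resolve '.'/'..' without escaping
    the root. The query string is carried along undecoded."""
    path, sep, query = url.partition("?")
    prev = None
    for _ in range(max_rounds):
        if path == prev:
            break
        prev, path = path, decode_once(path)
    out = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out) + sep + query


def naive_match(url: str, pattern: str) -> bool:
    """What a %XX-only sensor or filter effectively does."""
    return pattern in _decode_hex2(url)


def canonical_match(url: str, pattern: str) -> bool:
    return pattern in canonicalize(url)


# Constructed: the well-known cmd.exe probe in four encodings.
SAMPLES = {
    "plain":  "/scripts/../../winnt/system32/cmd.exe?/c+dir",
    "pct":    "/scripts/..%2f..%2fwinnt/system32/cmd%2eexe?/c+dir",
    "u":      "/scripts/..%u002f..%u002fwinnt/system32/cmd%u002eexe?/c+dir",
    "double": "/scripts/..%255c..%255cwinnt/system32/cmd%252eexe?/c+dir",
}
SIGNATURE = "/winnt/system32/cmd.exe"


def report(samples=SAMPLES, signature=SIGNATURE) -> dict:
    """(naive hit, canonical hit) per sample."""
    return {k: (naive_match(u, signature), canonical_match(u, signature))
            for k, u in samples.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:7s} naive={hits[0]!s:5s} canonical={hits[1]}")
```

    The %u-encoded and double-encoded probes slip past the naive matcher
    and are caught once the path is canonicalized. The same function
    serves a URL filter: compare the rule against canonicalize(url), not
    against the bytes on the wire, and apply it with the same decoding
    depth the protected server uses.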

    *** {01.37.026} Cross - Merit RADIUS rladmin help file symlink attack

    The rladmin application shipped with the Merit RADIUS package versions
    3.8M and 5.01 commercial contains a vulnerability in the handling of
    user-specified configuration directories. It's possible for a local
    attacker to view arbitrary files on the system.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0036.html

    *** {01.37.027} Cross - PowerUP HTML CGI file param file viewing

    The PowerUP HTML CGI application version 0.8033beta contains a
    vulnerability in the handling of the file URL parameter. This allows
    a remote attacker to view the contents of files readable by the
    Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0042.html

    *** {01.37.028} Cross - CheckPoint FW-1 temp policy compilation symlink
                    attack

    An advisory released this week describes a temporary file-handling
    problem in Check Point Firewall-1 versions 3.0b through 4.0SP1: policy
    compilation writes its temporary files insecurely, so an attacker with
    local access to the firewall host could gain root privileges through a
    symlink attack. Since shell access to the firewall host should already
    be tightly restricted, the practical exposure is to individuals who
    have a local, non-root account on the system together with firewall
    policy-modification rights; they could use this flaw to gain root.

    The vendor has confirmed this vulnerability, which is fixed in
    version 4.1 and in 4.0SP2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0046.html

    *** {01.37.029} Cross - sglMerchant html_file param file viewing

    SeaGlass Technologies' sglMerchant CGI version 1.0 contains a
    vulnerability in the handling of the html_file URL parameter. This
    could allow a remote attacker to view arbitrary files readable by
    the Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0047.html
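    The four CGI items in this section (ShopPlus, Directory Manager,
    PowerUP HTML, sglMerchant) all hinge on a file-name parameter that is
    opened without validation. The following is an added example, not code
    from any of those products, of the check a CGI script should apply to
    such a parameter. The page does not detail the mechanism of the two
    command-execution cases; the assumption made here is the general one,
    that the value reaches a shell or a pipe-style open, which is why the
    check rejects shell syntax as well as traversal. The directory layout
    and parameter values are constructed for the demo.

```python
"""Added example (not code from ShopPlus, Directory Manager, PowerUP HTML or
sglMerchant): the check a CGI script should apply to a user-supplied
file / html_file parameter before opening it. The directory layout and
parameter values are constructed for the demo."""
import os
import re
import tempfile

# Allow only a plain file name: no separators, no shell metacharacters, no NUL.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def resolve_template(root: str, param: str):
    """Map the parameter onto a file under `root`, or return None.

    Two independent checks: the name pattern stops '../', absolute paths,
    pipes and other shell syntax before the value reaches open() or a
    shell; the realpath containment check catches anything that still
    resolves outside the root (for example a symlink planted inside it).
    """
    if not param or param in (".", "..") or not _SAFE_NAME.match(param):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, param))
    if os.path.dirname(candidate) != root_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Run the check over constructed parameter values; True means the
    script would serve the file."""
    with tempfile.TemporaryDirectory() as d:
        templates = os.path.join(d, "templates")
        os.makedirs(templates)
        with open(os.path.join(templates, "index.html"), "w") as fh:
            fh.write("<h1>shop</h1>\n")
        outside = os.path.join(d, "secret.txt")
        with open(outside, "w") as fh:
            fh.write("db password\n")
        try:  # a symlink inside the root that points outside it
            os.symlink(outside, os.path.join(templates, "evil.html"))
        except (OSError, NotImplementedError):
            pass
        params = [
            "index.html",            # the only legitimate value
            "../../etc/passwd",      # traversal: arbitrary file viewing
            "/etc/passwd",           # absolute path
            "index.html|id",         # pipe: command exec via a pipe-open
            ";id",                   # shell separator
            "index.html\x00.txt",    # NUL truncation
            "evil.html",             # symlink escaping the root
            "missing.html",          # well-formed but absent
        ]
        return {p: resolve_template(templates, p) is not None for p in params}


if __name__ == "__main__":
    for p, ok in demo().items():
        print(f"{'serve' if ok else 'reject':6s} {p!r}")
```

    Only the plain file name inside the template directory is served.
    Keeping the allowlist pattern and the containment check separate
    matters: the pattern is what protects a script that hands the name to
    a shell, and the realpath check is what protects one that only opens
    files but runs on a tree an attacker can plant links in.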

    *** {01.37.031} Cross - CheckPoint FW-1 GUI permission bypass/file saves

    An advisory has surfaced indicating that users of the CheckPoint
    Firewall-1 GUI are able to save arbitrary files on the firewall system,
    regardless of their assigned permissions (read-only, monitor, user-edit
    and so on). All versions of FW-1 appear to be vulnerable.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0051.html

    --- Tool Announcements News --------------------------------------------

    *** {01.37.016} Tools - Sendmail 8.12.0 available

    Sendmail version 8.12.0 has been released. This is the first official
    8.12.x release. An overview of new features is available at the
    reference URL below.

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2001-q3/0004.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7oSMw+LUG5KFpTkYRAj7RAKCJ2um29WBZ0nA5faqM+jsfGvoU+QCgmLw8
    XBIm6ckXWKMPP2mEFLj+SQs=
    =ByLD
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).