From: Network Computing and The SANS Institute (sans+ZZ03265123858393473@sans.org)
Date: Thu Sep 27 2001 - 14:32:29 CDT



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 116 (01.39)
                            Thursday, September 27, 2001
                                Created for you by
                      Network Computing and the SANS Institute
                                Powered by Neohapsis

    ----------------------------------------------------------------------

    Our thoughts and prayers remain with the victims and families affected
    by the tragic events of September 11th. Our support also goes out to
    all the brave individuals working in the recovery efforts.

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    With Cisco Storage Networking, you can store large amounts of data and
    make it available over the network, so that retrieval is easy. And, with
    Cisco AVVID architecture, you can enable large data transfers without
    congestion. Click here to get a white paper now.
    http://www.cisco.com/offer/tdm_home/newsletter/10041035/10061102

    ----------------------------------------------------------------------

    A lot of discussion lately on all the Microsoft Windows lists
    (including some of the general, full-disclosure lists) has been
    about Microsoft's latest patches breaking production servers. The
    most recent instance is the installation of Urlscan, Microsoft's
    recommended mitigation for the Nimda worm, which leaves the IIS
    service nonoperational.

    Managing the plethora of vendor service packs, hot fixes, patches,
    APARs, efixes, updates and software clusters can prove daunting, but
    proper regression testing remains essential to a smooth operating
    environment. Proper testing requires staging servers and a regression
    test plan. Taking the time to develop such a plan ahead of time and to
    acquire the necessary nonproduction resources to test system changes
    will save you much grief and downtime whenever your corporation is
    forced to apply a critical (security) patch and that patch leaves your
    system nonfunctional.

    Of course, like anything else, this is all easier said than done. It
    is, however, something that every corporation should consider
    nonetheless.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************


    TABLE OF CONTENTS:

    {01.39.001} Win - Half-life client connect console command overflow
    {01.39.002} Win - SpoonFTP server directory traversal attack
    {01.39.018} Win - XCache Content-Pagename path disclosure
    {01.39.019} Win - Checkpoint FW-1 GUI auth overflow
    {01.39.003} Linux - Update {01.33.009}: WindowMaker window title buffer
                overflow
    {01.39.005} Linux - Update {01.37.015}: uucp user-supplied config file
                privilege elevation
    {01.39.006} Linux - man ultimate_source() overflow
    {01.39.010} Linux - Update {01.21.003}: Apache 1.3.20 available
    {01.39.023} BSD - OpenSSH libutil/capabilities file disclosure
    {01.39.020} HPUX - Esoteric buffer overflow in 'cu'
    {01.39.011} SCO - vi/ex/edit predictable temp file names
    {01.39.022} SCO - lp utilities argument overflow
    {01.39.004} NApps - Update {01.27.001}: Multiple IOS SSH vulnerabilities
    {01.39.007} Cross - Update {01.38.018}: Oracle App Server file path
                disclosure
    {01.39.009} Cross - hylafax faxrm/faxalter format string attacks
    {01.39.013} Cross - IBM Websphere predictable session IDs
    {01.39.015} Cross - Squid FTP mkdir PUT DoS
    {01.39.016} Cross - slrn auto-execute shell scripts
    {01.39.017} Cross - PHP-Nuke file upload/viewing
    {01.39.021} Cross - (Open)SSH restricted keypair scp/sftp command bypass
    {01.39.008} Tools - RATS version 1.2 available
    {01.39.012} Svc - icq.com CSS vulnerability
    {01.39.014} Svc - ShopAOL CSS vulnerability

    --- Windows News -------------------------------------------------------

    *** {01.39.001} Win - Half-life client connect console command overflow

    Versions 1.1.0.8 and prior of the Windows Half-Life client contain a
    buffer overflow in the parameters passed to the 'connect' console
    command. Since a remote server can make the client execute arbitrary
    console commands, a malicious Half-Life server can execute arbitrary
    code on any client that connects to it.

    The advisory indicates confirmation by the vendor, which will release
    a fix in the next client update.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0178.html

    *** {01.39.002} Win - SpoonFTP server directory traversal attack

    SpoonFTP version 1.1 has been found to allow a remote FTP user to use
    reverse directory traversal notation ('..') in various FTP commands
    to access files outside the FTP root.

    The vendor has confirmed this vulnerability and released version
    1.1.0.1, which is available at:
    http://www.pi-soft.com/spoonftp/sftp.exe

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0171.html

    *** {01.39.018} Win - XCache Content-Pagename path disclosure

    XCache version 2.1 has been found to display the full physical path
    of the requested URL in the Content-Pagename header if the specified
    URL is configured not to be cached by XCache.

    The advisory indicates vendor confirmation; a patch is available by
    contacting the vendor.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0182.html

    *** {01.39.019} Win - Checkpoint FW-1 GUI auth overflow

    A bug in the authentication portion of the Checkpoint Firewall-1
    management server for Windows NT and 2000 allows an attacker
    connecting from an allowed administration station to trigger a buffer
    overflow. This causes a denial of service by crashing the GUI server
    and may allow arbitrary code execution on the firewall system.

    Checkpoint has confirmed this bug and released hot fixes, which are
    available at:
    http://www.checkpoint.com/techsupport/index.html

    Source: Win2kSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0151.html

    --- Linux News ---------------------------------------------------------

    *** {01.39.003} Linux - Update {01.33.009}: WindowMaker window title
                    buffer overflow

    SuSE has released updated WindowMaker packages, which fix the
    vulnerability discussed in {01.33.009} ("WindowMaker window title
    buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/1243.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q3/1243.html

    *** {01.39.005} Linux - Update {01.37.015}: uucp user-supplied config
                    file privilege elevation

    Mandrake and Debian have released updated uucp packages, which fix
    the vulnerability discussed in {01.37.015} ("uucp user-supplied config
    file privilege elevation").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0179.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2001-q3/0043.html

    Source: Mandrake, Debian (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0179.html
    http://archives.neohapsis.com/archives/vendor/2001-q3/0043.html

    *** {01.39.006} Linux - man ultimate_source() overflow

    RedHat has released an advisory indicating that an overflow exists
    in the ultimate_source() function of the man application. This could
    allow local attackers to execute arbitrary code as GID man. From there,
    it may be possible to elevate to root privileges.

    RedHat has released updated RPMs, which are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0046.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0046.html

    *** {01.39.010} Linux - Update {01.21.003}: Apache 1.3.20 available

    Mandrake has released updated Apache packages, which fix the
    vulnerability discussed in {01.21.003} ("Apache 1.3.20 available").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0155.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0155.html

    --- BSD News -----------------------------------------------------------

    *** {01.39.023} BSD - OpenSSH libutil/capabilities file disclosure

    A report has been posted indicating that OpenSSH on FreeBSD (and
    potentially other BSD systems) does not drop privileges before
    displaying a capabilities-specified file. Local attackers could
    potentially define their own .login_conf and, thus, display arbitrary
    files on the system.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0173.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.39.020} HPUX - Esoteric buffer overflow in 'cu'

    HP has released an advisory indicating that a "buffer overflow in
    the cu" could lead to a denial of service situation. We're not sure
    if this is related to the bug discussed in {00.57.005} ("/usr/bin/cu
    program name buffer overflow").

    Apply the appropriate patch:
    HPUX 11.11: PHCO_23909
    HPUX 11.00: PHCO_22766
    HPUX 11.04: PHCO_23424
    HPUX 10.20: PHCO_22764
    HPUX 10.10: PHCO_22765
    HPUX 10.01: PHCO_22763

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q3/0074.html

    --- SCO News -----------------------------------------------------------

    *** {01.39.011} SCO - vi/ex/edit predictable temp file names

    Caldera has released an advisory indicating that various file-editing
    applications shipped with Caldera/SCO OpenServer generate predictable
    temporary file names. This could allow a local attacker to perform a
    symlink attack. Vi, ex, edit, vedit, view, expreserve and exrecover
    are all vulnerable.

    An update is available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.17/

    Source: Caldera/SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0164.html

    *** {01.39.022} SCO - lp utilities argument overflow

    An advisory released by Caldera/SCO for OpenServer and Unixware
    indicates that the lp utilities (accept, reject, enable and
    disable) contain buffer overflows in the handling of command-line
    arguments. This vulnerability may allow a local attacker to gain
    elevated privileges.

    Caldera/SCO has confirmed this vulnerability and released updated
    patches, which are available at:
    ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.16/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0021.html

    --- Network Appliances News --------------------------------------------

    *** {01.39.004} NApps - Update {01.27.001}: Multiple IOS SSH
                    vulnerabilities

    Cisco has expanded the range of devices susceptible to the
    vulnerability discussed in {01.27.001} ("Multiple IOS SSH
    vulnerabilities").

    The Cisco 11000 Content Service Switch family is also vulnerable. Users
    should update to one of the following fixed versions:
    R4.01 B42s
    R4.10 B22s
    R5.0 B11s
    R5.01 B6s

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q3/0010.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.39.007} Cross - Update {01.38.018}: Oracle App Server file path
                    disclosure

    Oracle has (previously) released fixes for the vulnerability discussed
    in {01.38.018} ("Oracle App Server file path disclosure").

    Updates are available at:
    http://otn.oracle.com/deploy/security/alerts.htm

    Source: Oracle (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0193.html

    *** {01.39.009} Cross - hylafax faxrm/faxalter format string attacks

    The hylafax faxrm and faxalter applications have been found to
    contain format string vulnerabilities in the handling of various
    command-line parameters. If either binary is installed setuid/setgid,
    a local attacker may be able to gain elevated privileges.

    The vendor has not confirmed this vulnerability, but there have been
    confirmation reports from various community members.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0198.html

    *** {01.39.013} Cross - IBM Websphere predictable session IDs

    A bug has been found in IBM Websphere server version 4.0; it seems the
    session IDs are generated in a time-based, predictable fashion. This
    may allow remote attackers to hijack Web user sessions.

    IBM has confirmed the problem and released eFix PQ47663V302.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0161.html

    *** {01.39.015} Cross - Squid FTP mkdir PUT DoS

    A bug in Squid causes it to crash when an attacker submits an
    FTP mkdir-style PUT command. Both the 2.3 and 2.4 series are affected.

    A fix was committed to the Squid CVS tree on Sept. 18, 2001. Debian
    has also released updated Debian DEBs, which are listed at:

    http://archives.neohapsis.com/archives/vendor/2001-q3/0041.html

    Source: Debian, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/vendor/2001-q3/0041.html
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0181.html

    *** {01.39.016} Cross - slrn auto-execute shell scripts

    Someone realized that the slrn newsreader was designed to automatically
    execute any shell scripts found in an article in an attempt to decode
    embedded binaries. This allows a malicious usenet posting to execute
    arbitrary commands under the viewer's UID.

    Debian has released updated DEBs, listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q3/0042.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q3/0042.html

    *** {01.39.017} Cross - PHP-Nuke file upload/viewing

    PHP-Nuke versions 5.2 and prior (except 5.0RC1) contain a bug in the
    handling of uploaded files in the file manager. This would let an
    attacker upload arbitrary files or view arbitrary files readable by
    the Web server. An attacker could use this vulnerability to view the
    PHP-Nuke configuration file, which contains database authentication
    information.

    This bug has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0203.html

    *** {01.39.021} Cross - (Open)SSH restricted keypair scp/sftp command
                    bypass

    An advisory has surfaced indicating a bug in OpenSSH versions 2.9 and
    2.9p2 (and prior). In configurations that authenticate with RSA/DSA
    keys and place 'command' restrictions on those keys, a client holding
    such a key can still access the scp/sftp subsystem without
    restriction. Thus, a remote attacker could scp/sftp in a new
    authorized_keys(2) file and remove the restriction placed on the key.

    This vulnerability has been confirmed for OpenSSH. Other SSH servers
    could potentially be vulnerable.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0153.html
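    As an added example (not part of the newsletter or of OpenSSH itself), the Python script below inventories which authorized_keys entries rely on a command= forced-command restriction, the restriction this bug lets scp/sftp sessions bypass, so an administrator can see which keys depend on the upgraded server. The authorized_keys content is constructed for the demonstration.

```python
"""Audit an OpenSSH authorized_keys file for forced-command restrictions.

Added example (not part of the newsletter): lists every key entry that
relies on a command="..." restriction, since the advisory above reports
that OpenSSH 2.9/2.9p2 and prior let such keys reach scp/sftp unrestricted.
The file content below is constructed for the demonstration.
"""
import re

# Constructed sample authorized_keys content (not a real key file).
SAMPLE_AUTHORIZED_KEYS = """\
# backup key, forced command only
command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding ssh-rsa AAAAB3Nz...constructed== backup@host
ssh-dss AAAAB3Nz...constructed== alice@host
no-pty,command="echo hello world" ssh-rsa AAAAB3Nz...constructed== bob@host
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def split_options(line):
    """Return (options_string, remainder) for one authorized_keys line.

    Options precede the key type and may contain quoted strings with
    spaces, so a naive split() is wrong; scan while tracking quotes.
    """
    for kt in KEY_TYPES:
        if line.startswith(kt + " "):
            return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:]
    return line, ""


def parse_options(opts):
    """Turn 'a,b="x,y",c' into a dict; bare flags map to True."""
    result = {}
    for m in re.finditer(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?', opts):
        name, value = m.group(1), m.group(2)
        result[name] = True if value is None else value
    return result


def forced_command_keys(text):
    """Return [(comment, command)] for every entry carrying command=."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parsed = parse_options(opts)
        if "command" in parsed:
            parts = rest.split()
            comment = parts[2] if len(parts) > 2 else ""
            found.append((comment, parsed["command"]))
    return found


if __name__ == "__main__":
    for comment, cmd in forced_command_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment}: forced command {cmd!r} is not enforced for "
              "scp/sftp on affected OpenSSH versions")
```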

    --- Tool Announcements News --------------------------------------------

    *** {01.39.008} Tools - RATS version 1.2 available

    RATS (Rough Auditing Tool for Security) version 1.2 has been
    released. RATS is a source code analyzer for C, C++, Python, Perl
    and PHP.

    RATS is available at:
    http://www.securesw.com/rats/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0196.html

    --- Services News ------------------------------------------------------

    *** {01.39.012} Svc - icq.com CSS vulnerability

    The icq.com Web portal has been reported vulnerable to Cross-Site
    Scripting attacks, which could allow a malicious Web site or e-mail
    to execute arbitrary JavaScript in a client's browser.

    This vulnerability has not been confirmed.

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0052.html

    *** {01.39.014} Svc - ShopAOL CSS vulnerability

    ShopAOL, an online shopping venue hosted at aol.com, has been
    reported vulnerable to Cross-Site Scripting, which allows a malicious
    Web site or e-mail to execute arbitrary scripts in a client's browser.

    This vulnerability has not been confirmed.

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0053.html

    ************************************************************************


    ---------------------- From Network Computing ------------------------

    Network Computing offers a way for you to help the businesses that
    suffered disruptions in the lower Manhattan section of NYC on September
    11. If you can provide services, supplies or expertise that would help
    them in their recovery efforts, please post your name/business on our
    "Business Assistance List".
    http://www.nwc.com/helpamerica/index.html

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).