From: Network Computing and The SANS Institute (sans+ZZ53854021664284681sans.org)
Date: Thu Dec 27 2001 - 15:07:55 CST


    Re: Your personalized newsletter

                        -- Security Alert Consensus --
                              Number 129 (01.52)
                         Thursday, December 27, 2001
                             Created for you by
                    Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    Ask the Experts, Relaunched!
    To help you gain access to the wealth of knowledge trapped within the
    minds of both Network Computing editors and readers, we've relaunched
    our Ask the Experts service using an open discussion forum. So, if
    you've got a tough IT problem, post it here and simply await real-world,
    hands-on advice. Also, if you've already climbed the mountain and
    discovered a solution to a particularly sticky problem, be a hero and
    post it here. Your fellow IT professionals will thank you.
    http://www.nwc.com/forum/askexp

    ----------------------------------------------------------------------

    Seasons Greetings from the Security Alert Consensus Team! We wish to
    extend our sincerest wishes for a very happy holiday season to all
    of you and your families.

    Please note that we'll be taking a short holiday break. We will not
    be publishing a newsletter on Jan. 3, 2002. Look for the next edition
    of the Security Alert Consensus newsletter on Thursday, Jan. 10,
    2002. Happy Holidays!

    Last week, we included a quick last-minute blurb in the news section
    about a critical Microsoft vulnerability in the UPnP service. It is
    reported as item {01.52.005} this week. Essentially, the UPnP service
    is on by default in Windows XP installations, leaving every unpatched
    XP system open to attack from the local network, and from the Internet
    as well unless a firewall sits between your local network and the
    Internet.

    Until next time,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.52.005} Win - MS01-059: UPnP service buffer overflow
    {01.52.006} Win - MS01-060: SQL Server string function buffer overflows
    {01.52.019} Win - IE improper SSL server name checking
    {01.52.001} Linux - Update {01.49.016}: mailman listinfo CGI CSS
                vulnerability
    {01.52.002} Linux - Update {01.51.024}: glibc glob()/globfree()
                vulnerability
    {01.52.003} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
                environment
    {01.52.004} Linux - Update {01.48.020}: libgtop_daemon syslog() format
                string vulnerability
    {01.52.007} Linux - Update {01.51.009}: /bin/login command line
                environment overflow
    {01.52.008} Linux - Update {01.34.020}: Sendmail -d parameter arbitrary
                memory writing
    {01.52.014} Linux - namazu CSS vulnerability
    {01.52.010} NW - Sewse viewcode.jse file disclosure
    {01.52.011} NApps - D-Link DWL-1000AP SNMP vulnerability
    {01.52.012} Cross - pfinger client/server format string vulnerabilities
    {01.52.013} Cross - Oracle PL/SQL Apache module vulnerabilities
    {01.52.015} Cross - AdRotate Pro SQL injection vulnerability
    {01.52.016} Cross - AdCycle SQL injection vulnerability
    {01.52.017} Cross - AdStreamer URL parameter command execution
    {01.52.018} Cross - perdition/vanessa_logger syslog() format string
                vulnerability
    {01.52.020} Cross - Exim local pipe forward/command execution
    {01.52.021} Cross - Magic Software Magic Enterprise multiple
                vulnerabilities
    {01.52.009} Svc - CCBill possible customer authentication information
                leak

    - --- Windows News -------------------------------------------------------

    *** {01.52.005} Win - MS01-059: UPnP service buffer overflow

    Microsoft has released MS01-059 ("UPnP service buffer overflow"). A
    buffer overflow in the Universal Plug-and-Play service allows a remote
    attacker to execute arbitrary code under local system privileges.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0059.html

    *** {01.52.006} Win - MS01-060: SQL Server string function buffer
                    overflows

    Microsoft has released MS01-060 ("SQL Server string function buffer
    overflows"). MS SQL Server versions 7.0 and 2000 ship with string
    processing functions that do not check the size of the buffer passed
    to them. This results in a buffer overflow on the SQL server, thereby
    allowing a remote attacker to execute arbitrary code in the context
    of the SQL service.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0060.html

    *** {01.52.019} Win - IE improper SSL server name checking

    An advisory indicates a potential problem in Internet Explorer and
    how it verifies/caches invalid SSL certificates. It may be possible
    to trick IE into caching an invalid certificate and then to use
    that certificate without the user knowing. This could result in a
    man-in-the-middle attack.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0077.html

    - --- Linux News ---------------------------------------------------------

    *** {01.52.001} Linux - Update {01.49.016}: mailman listinfo CGI CSS
                    vulnerability

    RedHat has released updated mailman packages, which fix the
    vulnerability discussed in {01.49.016} ("mailman listinfo CGI CSS
    vuln").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0163.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0164.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0163.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0164.html

    *** {01.52.002} Linux - Update {01.51.024}: glibc glob()/globfree()
                    vulnerability

    Multiple vendors have released updated glibc packages, which fix
    the vulnerability discussed in {01.51.024} ("glibc glob()/globfree()
    vulnerability").

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0220.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0230.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q4/0078.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1688.html

    Source: Immunix, SuSE, Trustix, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0220.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0230.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1688.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q4/0078.html

    *** {01.52.003} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
                    environment

    Trustix has released updated openSSH packages, which fix the
    vulnerability discussed in {01.49.009} ("OpenSSH UseLogin unfiltered
    environment").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0221.html

    Source: Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0221.html

    *** {01.52.004} Linux - Update {01.48.020}: libgtop_daemon syslog()
                    format string vulnerability

    Mandrake has released updated libgtop packages, which fix the
    vulnerability discussed in {01.48.020} ("libgtop_daemon syslog()
    format string vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0222.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0222.html

    *** {01.52.007} Linux - Update {01.51.009}: /bin/login command line
                    environment overflow

    Some unconfirmed posts indicate that certain Linux distributions are
    vulnerable to the bug discussed in {01.51.009} ("/bin/login command
    line environment overflow").

    More specifically, some Slackware and SuSE distributions have been
    reported to ship /bin/login with SysV option handling enabled, which
    makes them vulnerable.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0206.html

    *** {01.52.008} Linux - Update {01.34.020}: Sendmail -d parameter
                    arbitrary memory writing

    HP has released updated sendmail packages for its HP Secure OS software
    for Linux, which fix the vulnerability discussed in {01.34.020}
    ("Sendmail -d parameter arbitrary memory writing").

    Patch HPTL_00007 is available from HP's resource center.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0069.html

    *** {01.52.014} Linux - namazu CSS vulnerability

    RedHat has released updated namazu packages, which fix a cross-site
    scripting vulnerability. No further details were made available.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0252.html

    Source: RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0252.html

    - --- NetWare News -------------------------------------------------------

    *** {01.52.010} NW - Sewse viewcode.jse file disclosure

    NetWare 5.1 prior to 5.1 SP3 contains a vulnerability in the
    viewcode.jse sample script, which would allow a remote attacker to
    view the contents of arbitrary files on the system.

    This vulnerability has been confirmed and is fixed in SP3.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0200.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0219.html

    - --- Network Appliances News --------------------------------------------

    *** {01.52.011} NApps - D-Link DWL-1000AP SNMP vulnerability

    D-Link's DWL-1000AP wireless access point ships with a default
    SNMP read-only community string ('public'). It's possible for a
    remote attacker to use the read-only string to gain access to the
    administrative/read-write string (which is available in the read-only
    MIB). Unfortunately, the D-Link management software does not provide
    a mechanism to change the read-only string, so odds are many people
    will leave it as the default.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0239.html
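    As an added example (not D-Link's code and not part of the original
    newsletter), the following Python builds the SNMPv1 GetRequest a scanner
    sends with the default 'public' community and parses the agent's
    GetResponse, which is the check to run against your own access points.
    The advisory summary does not name the MIB object that exposes the
    read-write string, so RW_COMMUNITY_OID is a placeholder under the IANA
    experimental arc, and the reply used in demo() is constructed rather
    than captured from a device.

```python
"""Minimal SNMPv1 GetRequest builder and GetResponse parser (added example, not
D-Link code).  The advisory summary does not give the OID of the object that
exposes the read-write community string, so RW_COMMUNITY_OID is a placeholder
under the IANA experimental arc, and the reply in demo() is constructed, not
captured from a device."""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"    # MIB-II sysDescr, answered by any agent
RW_COMMUNITY_OID = "1.3.6.1.3.1.1.0"   # placeholder, not a real D-Link OID

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    # Non-negative INTEGER; the rounding keeps the sign bit clear.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ber_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                   # base 128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def snmp_message(community, pdu_tag, varbind, request_id):
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, tlv(0x30, varbind)))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = v1

def snmp_get(community, oid, request_id=1):
    return snmp_message(community, 0xA0, ber_oid(oid) + tlv(0x05, b""), request_id)

def snmp_response(community, oid, value, request_id=1):
    # GetResponse carrying an OCTET STRING; used only to build the constructed reply.
    return snmp_message(community, 0xA2, ber_oid(oid) + tlv(0x04, value.encode()), request_id)

def parse_get_response(packet):
    _, body, _ = read_tlv(packet)
    _, _version, p = read_tlv(body)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _rid, p = read_tlv(pdu)
    _, err, p = read_tlv(pdu, p)
    _, _idx, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    values, p = {}, 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid_bytes, q = read_tlv(vb)
        vtag, value, _ = read_tlv(vb, q)
        values[decode_oid(oid_bytes)] = value.decode("latin-1") if vtag == 0x04 else value
    return community.decode(), int.from_bytes(err, "big"), values

def query(host, oid, community="public", timeout=2.0):
    # One GetRequest to UDP/161 and its reply; needs a reachable agent, so not run in demo().
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmp_get(community, oid), (host, 161))
        return parse_get_response(s.recvfrom(4096)[0])

def demo():
    # Constructed reply from an agent that accepts 'public' and exposes its
    # read-write string in a readable object: the failure mode described above.
    _community, err, values = parse_get_response(snmp_response("public", RW_COMMUNITY_OID, "private-rw"))
    return values.get(RW_COMMUNITY_OID) if err == 0 else None

if __name__ == "__main__":
    print("request:", snmp_get("public", SYS_DESCR_OID).hex())
    print("read-write community read with 'public':", demo())
```

    Against a real access point, query(host, SYS_DESCR_OID) tells you
    whether the device answers to 'public' at all; if it does, a walk of
    its private MIB with that same community is what exposes the
    administrative string, and the only fix on a device that cannot change
    the read-only string is to filter UDP/161 from untrusted networks.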

    - --- Cross-Platform News ------------------------------------------------

    *** {01.52.012} Cross - pfinger client/server format string
                    vulnerabilities

    The pfinger suite versions 0.7.7 and prior contain a format string
    error in the handling of finger responses, which could result in the
    execution of arbitrary code. Both the client and the server (finger
    daemon) using the <sitehost> directive are vulnerable.

    This vulnerability has been confirmed; version 0.7.8 has been released.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0224.html

    *** {01.52.013} Cross - Oracle PL/SQL Apache module vulnerabilities

    The Apache PL/SQL module shipped with Oracle 9iAS has been found
    to contain a buffer overflow in the handling of large requests to
    particular help files in the /admin_/ directory. This could lead to
    execution of arbitrary code by a remote attacker. The Windows NT/2000
    version also has a directory traversal problem.

    Oracle has confirmed these vulnerabilities. More information is
    available at:
    http://otn.oracle.com/deploy/security/pdf/modplsql.pdf

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0225.html

    *** {01.52.015} Cross - AdRotate Pro SQL injection vulnerability

    Vanbrunt.com's AdRotate Pro CGI reportedly does not properly filter
    incoming user data, which could potentially allow a remote attacker
    to inject arbitrary SQL commands into SQL queries via various URL
    parameters.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0247.html

    *** {01.52.016} Cross - AdCycle SQL injection vulnerability

    Adcycle.com's Adcycle CGI reportedly does not properly filter incoming
    user data, which could potentially allow a remote attacker to inject
    arbitrary SQL commands into SQL queries via various URL parameters.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0257.html
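    The two items above, {01.52.015} and {01.52.016}, describe the same
    mistake: a URL parameter pasted into the text of a SQL query. The
    following Python is an added example, not code from AdRotate Pro or
    AdCycle, showing the vulnerable query beside a parameterized one on an
    in-memory SQLite database; the table layout, column names and the id=
    parameter are assumptions made for illustration.

```python
"""Vulnerable string-built query beside a parameterized one, in the style of a
banner-rotation CGI that takes the banner to show from an id= URL parameter.
Added example: this is not AdRotate Pro or AdCycle code, and the table layout,
column names and the id= parameter are assumptions for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an ad-management database.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE banners (id INTEGER PRIMARY KEY, url TEXT, clicks INTEGER);
        CREATE TABLE admins (login TEXT, passwd TEXT);
        INSERT INTO banners VALUES (1, 'http://example.com/a.gif', 10);
        INSERT INTO banners VALUES (2, 'http://example.com/b.gif', 20);
        INSERT INTO admins VALUES ('admin', 's3cret');
        """
    )
    return db


def banner_vulnerable(db, banner_id: str):
    # The raw URL parameter is pasted into the statement text, so quotes and
    # SQL keywords inside it are parsed as SQL.
    sql = "SELECT url, clicks FROM banners WHERE id = %s" % banner_id
    return db.execute(sql).fetchall()


def banner_bound(db, banner_id: str):
    # Parameter binding alone: the value travels separately from the query
    # text and is compared as data, never parsed as SQL.
    sql = "SELECT url, clicks FROM banners WHERE id = ?"
    return db.execute(sql, (banner_id,)).fetchall()


def banner_safe(db, banner_id: str):
    # Binding plus input validation: an id is a positive integer, so anything
    # else is rejected before the database ever sees it.
    if not banner_id.isdigit():
        raise ValueError("banner id must be numeric")
    return banner_bound(db, banner_id)


# Attacker-supplied id= value: matches no banner (id 0) and appends a UNION
# that pulls rows from an unrelated table into the response.
PAYLOAD = "0 UNION SELECT login, passwd FROM admins"


def demo():
    db = make_db()
    leaked = banner_vulnerable(db, PAYLOAD)   # admin credentials come back
    bound = banner_bound(db, PAYLOAD)         # payload is just a non-matching id
    try:
        banner_safe(db, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, bound, rejected


if __name__ == "__main__":
    print(demo())
```

    The UNION form is only one way to use the hole; with a driver that
    allows stacked statements the same parameter can run UPDATEs or drop
    tables. Binding closes all of them at once, which is why the validation
    in banner_safe is defence in depth rather than the primary control.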

    *** {01.52.017} Cross - AdStreamer URL parameter command execution

    Sha-la-la.com's AdStreamer banner management CGIs have been found to
    not properly filter incoming user data, thereby allowing a remote
    attacker to execute arbitrary command line commands by using shell
    metacharacters in the 'cat' URL parameter.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0081.html
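    The following Python is an added example, not AdStreamer's code, of the
    bug class described in this item: a URL parameter concatenated into a
    command line that is handed to a shell. The advisory summary does not
    say which program the real CGI ran, so 'echo' stands in for it, and the
    rule for what a category name may look like is an assumption made for
    illustration.

```python
"""Shell command built from a URL parameter beside two safer forms.  Added
example, not AdStreamer code: the real CGI's command line is not given in the
advisory summary, so 'echo' stands in for it, and the category name rules are
an assumption for illustration."""
import re
import shlex
import subprocess

# What a banner category is allowed to look like; anything else is rejected.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Attacker-supplied value of the cat= parameter: the ';' ends the intended
# command and the shell runs what follows as a second command.
PAYLOAD = "sports; echo INJECTED"


def lookup_vulnerable(category: str) -> str:
    # shell=True hands the concatenated string to /bin/sh, so metacharacters
    # in `category` are interpreted by the shell.
    cmd = "echo category=%s" % category
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv(category: str) -> str:
    # No shell at all: the program receives `category` as one literal argument,
    # metacharacters included.
    return subprocess.run(["echo", "category=" + category],
                          capture_output=True, text=True).stdout


def lookup_safe(category: str) -> str:
    # argv form plus a whitelist check up front; rejected input never reaches
    # any program.
    if not CATEGORY_RE.match(category):
        raise ValueError("bad category name: %r" % category)
    return lookup_argv(category)


def shell_tokens(category: str) -> list:
    # Show, without executing anything, how a POSIX shell splits the line the
    # vulnerable version builds.
    lexer = shlex.shlex("echo category=%s" % category, posix=True,
                        punctuation_chars=True)
    return list(lexer)


if __name__ == "__main__":
    print("shell sees:", shell_tokens(PAYLOAD))
    print("vulnerable:", repr(lookup_vulnerable(PAYLOAD)))
    print("argv only: ", repr(lookup_argv(PAYLOAD)))
    try:
        lookup_safe(PAYLOAD)
    except ValueError as e:
        print("safe:      ", e)
```

    Escaping individual metacharacters is the tempting fix and the one that
    keeps failing (backticks, $(...), newlines and quoting rules all have to
    be right); passing an argument vector with no shell removes the
    interpreter that makes the characters special.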

    *** {01.52.018} Cross - perdition/vanessa_logger syslog() format string
                    vulnerability

    The vanessa_logger library, included with the perdition POP/IMAP proxy,
    contains a format string vulnerability in its syslog() logging through
    which a remote attacker can execute arbitrary code on the server.

    This vulnerability has been confirmed. The latest version found on
    the site contains a fix.
    http://perdition.sourceforge.net/

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0082.html

    *** {01.52.020} Cross - Exim local pipe forward/command execution

    Exim 3.33 and prior contain a bug in the handling of e-mails that are
    forwarded to a local pipe alias, which could result in a malicious
    e-mail executing arbitrary commands.

    The vendor has confirmed this vulnerability and released Exim 3.34.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0198.html

    *** {01.52.021} Cross - Magic Software Magic Enterprise multiple
                    vulnerabilities

    Magic Software's Magic Enterprise Edition version 8.30 is reportedly
    vulnerable to multiple denial of service attacks, temporary file
    handling problems and incorrect directory/file permissions.

    These vulnerabilities have not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0074.html

    - --- Services News ------------------------------------------------------

    *** {01.52.009} Svc - CCBill possible customer authentication
                    information leak

    Multiple reports indicate that the CCBill customer database (which
    contains information on CCBill customers/vendors, not individual
    credit card users) may have been compromised and that attackers may
    be using the authentication information to log in and compromise
    customer systems (since CCBill maintains an SSH/telnet login to the
    customer's system to update files).

    This vulnerability has not been confirmed.

    Source: SecurityFocus Incidents
    http://archives.neohapsis.com/archives/incidents/2001-12/0208.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8K4vb+LUG5KFpTkYRAs5iAKCJCVtFBZYTFxxwmqW+khVrUJ/ibQCeKGGr
    elvfLA73KRwZcB/8AJvWikM=
    =m5C5
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).