From: Network Computing and The SANS Institute (sans+ZZ65949766441183926 at sans.org)
Date: Thu Jun 20 2002 - 14:33:50 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 024 (02.24)
Thursday, June 20, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus at nwc.com>.
----------------------------------------------------------------------
TechQuiz: Wireless LAN Security and Reliability
Put the little grey cells to work on our wireless woes TechQuiz. If
you're able to outsmart our editors and answer all the questions
correctly, we'll toss your name into the hat for a nifty NexiCam
(Nexian's digital camera for the HP iPAQ Pocket PC), compliments of
NetMotion Technologies.
http://www.nwc.com/techquiz/
----------------------------------------------------------------------
There are a handful of notable vulnerabilities this week. First and
foremost is a bug in Apache's handling of chunked encoding, which
leads to a denial of service in the best case and execution of code
in the worst case. Both the 1.3 and 2.0 series are affected, on all
platforms. More information is available under item {02.24.002}.
Microsoft also released a cluster of patches. IIS has another heap
overflow, this time in the .HTR handler's processing of chunked
encoding (item {02.24.008}); local users can execute arbitrary code
with local system privileges via the RAS phonebook (item {02.24.007});
and while Microsoft is still working on gopher buffer overflow patches
for IE, it has in the meantime released patches for ISA Server and
Proxy Server (item {02.24.001}, which updates {02.22.041}).
Oracle shops should be wary of the Windows TNS listener overflow (item
{02.24.005}) and the Reports Server CGI overflow (item {02.24.006}).
Compaq shops should know that the latest versions of Compaq Insight
Manager include the Microsoft MSDE SQL server with an open 'sa' account
(item {02.24.020}).
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.24.001} Win - Update {02.22.041}: IE gopher support buffer overflow
{02.24.005} Win - Oracle TNS listener SERVICE_NAME overflow
{02.24.007} Win - MS02-029: RAS phonebook buffer overflow
{02.24.008} Win - MS02-028: IIS .HTR chunked encoding heap overflow
{02.24.009} Win - MS02-030: SQLXML IIS ISAPI overflow
{02.24.011} Win - Update {02.19.009}: MS02-022: MSN chat control buffer
overflow
{02.24.020} Win - Compaq Insight Manager MSDE sa account access
{02.24.021} Win - CiscoSecure ACS Web CGI CSS vulnerability
{02.24.022} Win - nCipher Java classes can leak passphrase
{02.24.025} Win - MS SQL Server 2000 pwdencrypt() overflow
{02.24.026} Win - Lumigent Log Explorer stored procedure overflows
{02.24.032} Win - Metacart CGI direct database access
{02.24.034} Win - LiveStats HTTP header CSS vulnerabilities
{02.24.035} Win - 4D Webserver long request DoS
{02.24.003} Linux - Update {02.20.008}: fetchmail large e-mail index
overflow
{02.24.004} Linux - Update {02.22.044}: Ghostscript arbitrary command
execution
{02.24.024} Linux - simpleinit leaves open file descriptor
{02.24.019} SCO - Update {02.15.026}: Squid compressed DNS answer DoS
{02.24.023} SCO - pppd local vulnerability
{02.24.027} NApps - Fore/Marconi switches vulnerable to land DoS
{02.24.029} NApps - Cisco DOCSIS/cable modem configuration alteration
{02.24.002} Cross - Apache chunked encoding DoS and overflow
{02.24.006} Cross - Oracle 9iAS reports server rwcgi60 CGI overflow
{02.24.010} Cross - csNews CGI multiple vulnerabilities
{02.24.012} Cross - MakeBook CGI CSS and SSI vulnerabilities
{02.24.013} Cross - Zeroboard _head.php CGI script execution
{02.24.014} Cross - Resin Webserver multiple vulnerabilities
{02.24.015} Cross - mmmail mmsyslog() format string vulnerability
{02.24.016} Cross - AnalogX SimpleServer:WWW malformed HTTP request DoS
{02.24.017} Cross - Active! Mail Webmail CSS vulnerability
{02.24.018} Cross - <Body>Builder user login SQL tampering
{02.24.028} Cross - WebMathematica CGI file reading
{02.24.030} Cross - PHPAddress CGI LangCookie script execution
{02.24.031} Cross - osCommerce CGI include_file script execution
{02.24.033} Cross - ColdFusion MX 404 page CSS vulnerability
{02.24.036} Cross - WebBBS CGI follow-up parameter execution
--- Windows News -------------------------------------------------------
*** {02.24.001} Win - Update {02.22.041}: IE gopher support buffer
overflow
Microsoft released MS02-027, which contains a workaround for the
vulnerability discussed in {02.22.041} ("IE gopher support buffer
overflow").
The bulletin can be read at:
http://www.microsoft.com/technet/security/bulletin/MS02-027.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0058.html
*** {02.24.005} Win - Oracle TNS listener SERVICE_NAME overflow
The Oracle TNS listener shipped with Oracle 9i contains a buffer
overflow in the handling of large SERVICE_NAME elements, thereby
allowing a remote attacker to execute arbitrary code with local
system privileges.
Oracle confirmed this problem and released patch 2367681.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0096.html
*** {02.24.007} Win - MS02-029: RAS phonebook buffer overflow
Microsoft released MS02-029 ("RAS phonebook buffer overflow"). The
RAS phonebook service shipped with Windows NT, 2000 and XP systems
contains a buffer overflow that would allow users with 'log on locally'
access to execute arbitrary code with local system privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0053.html
*** {02.24.008} Win - MS02-028: IIS .HTR chunked encoding heap overflow
Microsoft released MS02-028 ("IIS .HTR chunked encoding heap
overflow"). The .HTR script handler has a heap overflow in the handling
of client chunked encoding requests that could allow a remote attacker
to overwrite arbitrary values in memory, thereby leading to a system
compromise.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-028.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0055.html
*** {02.24.009} Win - MS02-030: SQLXML IIS ISAPI overflow
Microsoft released MS02-030 ("SQLXML IIS ISAPI overflow"). The SQLXML
ISAPI add-in for IIS contains a remotely exploitable buffer overflow
that allows an attacker to execute arbitrary code. The client-side
SQLXML component is also vulnerable to cross-site scripting.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-030.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0054.html
*** {02.24.011} Win - Update {02.19.009}: MS02-022: MSN chat control
buffer overflow
Microsoft re-released updated packages that fix the vulnerability
discussed in {02.19.009} ("MS02-022: MSN chat control buffer
overflow"). The prior patches did not prevent the vulnerable component
from being re-installed.
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0051.html
*** {02.24.020} Win - Compaq Insight Manager MSDE sa account access
Compaq released an advisory indicating that the Compaq Insight Manager
suites version 7 and XE install the MSDE SQL server with a default
(blank) 'sa' password. This allows a remote attacker to access the
system and potentially to execute arbitrary commands. The risk is
heightened because automated worms target default MS SQL/MSDE
installations that have blank 'sa' passwords.
Instructions for changing the 'sa' account password are available at
the reference URL below.
Source: Compaq
http://archives.neohapsis.com/archives/compaq/2002-q2/0111.html
*** {02.24.021} Win - CiscoSecure ACS Web CGI CSS vulnerability
CiscoSecure ACS version 3.0 reportedly contains a cross-site scripting
vulnerability in the included Web management CGIs.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0156.html
*** {02.24.022} Win - nCipher Java classes can leak passphrase
nCipher released an advisory detailing the potential for console
Java applications using the nCipher ConsoleCallBack class to leak
the user's passphrase to the command-line interpreter, if the user
aborts the application. This is caused by an incompatibility with
the Windows JRE version 1.4.0.
The recommended solution is to use a JRE prior to 1.4.0.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0172.html
*** {02.24.025} Win - MS SQL Server 2000 pwdencrypt() overflow
MS SQL Server 2000 reportedly contains a buffer overflow in the
pwdencrypt() stored procedure. The overflow could potentially allow
remote attackers capable of running SQL queries to execute arbitrary
code on the SQL server.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0145.html
*** {02.24.026} Win - Lumigent Log Explorer stored procedure overflows
Lumigent Log Explorer versions 3.x reportedly contain a buffer overflow
in various stored procedures, thereby allowing an attacker capable
of running SQL queries with dbo permissions to potentially execute
arbitrary code.
The vendor confirmed these vulnerabilities and will release an update
in a few weeks.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0146.html
*** {02.24.032} Win - Metacart CGI direct database access
The Metacart ASP CGI suite stores the databases in Web-accessible
directories, thereby allowing a remote attacker to download sensitive
information.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0200.html
*** {02.24.034} Win - LiveStats HTTP header CSS vulnerabilities
DeepMetrix LiveStats versions 6.2.1 and prior reportedly contain
cross-site scripting vulnerabilities in the handling of HTTP headers
embedded into LiveStats reports. Users who view the reports could
potentially execute malicious JavaScript code.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0207.html
*** {02.24.035} Win - 4D Webserver long request DoS
4D Webserver prior to version 6.8 contains a buffer overflow in the
handling of large HTTP requests, which crashes the server (a denial
of service).
The advisory indicates that the problem is fixed in version 6.8.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0208.html
--- Linux News ---------------------------------------------------------
*** {02.24.003} Linux - Update {02.20.008}: fetchmail large e-mail
index overflow
Caldera released updated fetchmail packages, which fix the
vulnerability discussed in {02.20.008} ("fetchmail large e-mail
index overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0027.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0027.html
*** {02.24.004} Linux - Update {02.22.044}: Ghostscript arbitrary
command execution
Caldera released updated Ghostscript packages, which fix the
vulnerability discussed in {02.22.044} ("Ghostscript arbitrary
command execution").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0025.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0025.html
*** {02.24.024} Linux - simpleinit leaves open file descriptor
A published advisory indicates that the simpleinit application, which
is used by various Linux distributions, on certain occasions passes
an open file descriptor to all spawned child processes, potentially
allowing them to execute arbitrary code with root privileges.
This vulnerability is not confirmed. An exploit was published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0105.html
--- SCO News -----------------------------------------------------------
*** {02.24.019} SCO - Update {02.15.026}: Squid compressed DNS answer
DoS
Caldera/SCO released updated squid packages, which fix the
vulnerability discussed in {02.15.026} ("Squid compressed DNS answer
DoS").
Updated binaries are available at:
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.26
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0026.html
*** {02.24.023} SCO - pppd local vulnerability
Caldera/SCO released an advisory indicating that a local attacker
can gain root privileges via ppptalk if pppd is running.
Updated binaries are available at:
ftp://ftp.caldera.com/pub/updates/OpenUnix/CSSA-2002-SCO.27
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0028.html
--- Network Appliances News --------------------------------------------
*** {02.24.027} NApps - Fore/Marconi switches vulnerable to land DoS
An advisory surfaced indicating that Fore/Marconi ATM switches running
FT versions 6.1.1 and 7.0.1 are vulnerable to the classic 'land'
IP packet denial of service attack. The attack causes the switch to
lock up and reboot.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0163.html
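The 'land' packet the item refers to is the well-known pattern of an IP datagram whose source address and port equal its destination address and port. The following is an added example, not Fore/Marconi or Cisco code, of the classification check a border filter or IDS rule applies to flag such packets; the result codes, the 192.0.2.x sample addresses and the packet builder are assumptions of the example, and the sample packets are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Fore/Marconi or Cisco code: the check a packet filter or
 * IDS applies to flag a 'land' packet, an IPv4 datagram whose source address
 * equals its destination and, for TCP/UDP, whose source and destination ports
 * match. Header layout follows RFC 791 / RFC 793; the sample packets below
 * are constructed for this demonstration (192.0.2.0/24 is documentation space). */

enum land_result {
    LAND_MALFORMED = -1,     /* not a parseable IPv4 packet */
    LAND_NOT = 0,
    LAND_SAME_ADDR = 1,      /* src == dst; ports absent or different */
    LAND_SAME_ADDR_PORT = 2  /* the classic land pattern */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

int classify_land(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return LAND_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = be16(pkt + 2);
    if (ihl < 20 || ihl > len || total < ihl || total > len) return LAND_MALFORMED;
    if (be32(pkt + 12) != be32(pkt + 16)) return LAND_NOT;
    uint8_t proto = pkt[9];
    int first_fragment = (be16(pkt + 6) & 0x1fff) == 0;   /* ports only exist here */
    if ((proto == 6 || proto == 17) && first_fragment) {
        if (total - ihl < 4) return LAND_MALFORMED;         /* L4 ports cut off */
        if (be16(pkt + ihl) == be16(pkt + ihl + 2)) return LAND_SAME_ADDR_PORT;
    }
    return LAND_SAME_ADDR;
}

/* Build a minimal IPv4+TCP SYN (no options, checksums left zero) into buf. */
size_t build_ipv4_tcp(uint8_t *buf, uint32_t src, uint32_t dst,
                      uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;  /* v4/IHL 5, len, TTL, TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50; buf[33] = 0x02;                        /* data offset 5, SYN */
    return 40;
}

#define HOST_A 0xC0000201u   /* 192.0.2.1  (constructed sample address) */
#define HOST_B 0xC000020Au   /* 192.0.2.10 (constructed sample address) */

int sample_land_syn(void)        /* 192.0.2.10:23 -> 192.0.2.10:23 */
{
    uint8_t p[40];
    size_t n = build_ipv4_tcp(p, HOST_B, HOST_B, 23, 23);
    return classify_land(p, n);
}
int sample_normal_syn(void)      /* 192.0.2.1:40000 -> 192.0.2.10:23 */
{
    uint8_t p[40];
    size_t n = build_ipv4_tcp(p, HOST_A, HOST_B, 40000, 23);
    return classify_land(p, n);
}
int sample_same_addr_only(void)  /* 192.0.2.10:40000 -> 192.0.2.10:23 */
{
    uint8_t p[40];
    size_t n = build_ipv4_tcp(p, HOST_B, HOST_B, 40000, 23);
    return classify_land(p, n);
}
int sample_land_fragment(void)   /* same packet with fragment offset 1: no ports */
{
    uint8_t p[40];
    size_t n = build_ipv4_tcp(p, HOST_B, HOST_B, 23, 23);
    p[7] = 0x01;
    return classify_land(p, n);
}
int sample_truncated(void)       /* header claims 40 bytes, only 16 delivered */
{
    uint8_t p[40];
    build_ipv4_tcp(p, HOST_B, HOST_B, 23, 23);
    return classify_land(p, 16);
}

int main(void)
{
    printf("land SYN: %d, normal SYN: %d, same addr only: %d, fragment: %d, truncated: %d\n",
           sample_land_syn(), sample_normal_syn(), sample_same_addr_only(),
           sample_land_fragment(), sample_truncated());
    return 0;
}
```

The fragment and truncation cases matter in practice: a filter that reads ports from a non-first fragment, or from a packet shorter than its header claims, is itself a parser bug of the kind this week's Apache and IIS items illustrate.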
*** {02.24.029} NApps - Cisco DOCSIS/cable modem configuration alteration
Cisco released an advisory indicating the potential for users to
upload alternate cable modem configuration files to cable modem
routers, potentially removing bandwidth limitations. Cisco uBR7100
and uBR7200 series are vulnerable. Cisco also released software that
will mitigate the vulnerability in other brands of cable modems.
More information and a download matrix are available at the reference
URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0014.html
--- Cross-Platform News ------------------------------------------------
*** {02.24.002} Cross - Apache chunked encoding DoS and overflow
Apache versions prior to 1.3.26 and 2.0.39 contain a bug in the
handling of chunked client requests, potentially allowing a remote
attacker to perform a denial of service or possibly execute arbitrary
code on some platforms.
Both versions 1.3.26 and 2.0.39 were released with fixes and are
available at:
http://www.apache.org/dist/httpd/
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q2/0060.html
Source: Apache, Debian
http://archives.neohapsis.com/archives/apache/2002/0010.html
http://archives.neohapsis.com/archives/apache/2002/0011.html
http://archives.neohapsis.com/archives/vendor/2002-q2/0060.html
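Items {02.24.002} and {02.24.008} both concern a server's handling of chunked transfer encoding, and the page gives no detail of either defect. The following added example (not Apache or IIS code) shows the failure mode typical of this bug class, a chunk size that reaches a signed comparison, beside a reader that validates each size against a policy limit, the remaining input and the remaining output space before it copies anything. MAX_CHUNK, the status codes and the sample bodies are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Apache or IIS code: a chunked request-body reader that
 * validates every chunk size before copying. MAX_CHUNK and the status codes
 * are assumptions of this example, not values from either advisory. */

#define MAX_CHUNK 65536u   /* per-chunk policy limit (assumption) */

enum chunk_status {
    CHUNK_OK = 0,       /* body fully decoded */
    CHUNK_BAD_SIZE,     /* size line is not hex digits [;ext] CRLF */
    CHUNK_TOO_LARGE,    /* chunk exceeds MAX_CHUNK or the output buffer */
    CHUNK_TRUNCATED     /* input ends before the chunk data or its CRLF */
};

/* The failure mode of this bug class: the chunk size lands in a signed int and
 * is compared against the buffer size. 0xFFFFFFF0 becomes -16, passes the
 * "fits in the buffer" test, and would then reach memcpy as a huge size_t.
 * Only the check is evaluated here; nothing is copied. */
int naive_size_check_passes(const char *hexsize, int bufsize)
{
    int n = (int)(uint32_t)strtoul(hexsize, NULL, 16);   /* truncated to 32 bits */
    return n <= bufsize;                                 /* true for -16 */
}

/* Parse "HEX[;extension]CRLF" at buf[0..len). The value is accumulated in
 * size_t and rejected before it can exceed MAX_CHUNK, so it cannot wrap. */
static enum chunk_status parse_chunk_size(const unsigned char *buf, size_t len,
                                          size_t *size, size_t *consumed)
{
    size_t i = 0, val = 0;
    int ndigits = 0;

    for (; i < len; i++) {
        unsigned char c = buf[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (val > (MAX_CHUNK >> 4)) return CHUNK_TOO_LARGE; /* next shift too big */
        val = (val << 4) | d;
        ndigits++;
    }
    if (ndigits == 0) return CHUNK_BAD_SIZE;
    if (val > MAX_CHUNK) return CHUNK_TOO_LARGE;
    while (i < len && buf[i] != '\r') i++;   /* chunk extensions are skipped */
    if (i + 1 >= len) return CHUNK_TRUNCATED;
    if (buf[i + 1] != '\n') return CHUNK_BAD_SIZE;
    *size = val;
    *consumed = i + 2;
    return CHUNK_OK;
}

/* Decode in[0..inlen) into out[0..outcap). Each chunk is checked against the
 * remaining input and the remaining output space before memcpy runs. */
enum chunk_status decode_chunked(const unsigned char *in, size_t inlen,
                                 unsigned char *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, produced = 0;

    for (;;) {
        size_t size, used;
        enum chunk_status st = parse_chunk_size(in + pos, inlen - pos, &size, &used);
        if (st != CHUNK_OK) return st;
        pos += used;
        if (size == 0) {                          /* last-chunk; no trailer support */
            if (inlen - pos < 2) return CHUNK_TRUNCATED;
            if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_BAD_SIZE;
            *outlen = produced;
            return CHUNK_OK;
        }
        if (size > inlen - pos) return CHUNK_TRUNCATED;
        if (size > outcap - produced) return CHUNK_TOO_LARGE;
        memcpy(out + produced, in + pos, size);
        produced += size;
        pos += size;
        if (inlen - pos < 2) return CHUNK_TRUNCATED;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_BAD_SIZE;
        pos += 2;
    }
}

/* Demonstration helpers: decode a NUL-terminated body into a static buffer. */
static unsigned char scratch[64];

enum chunk_status decoded_status(const char *body)
{
    size_t n = 0;
    enum chunk_status st = decode_chunked((const unsigned char *)body, strlen(body),
                                          scratch, sizeof scratch - 1, &n);
    scratch[st == CHUNK_OK ? n : 0] = '\0';
    return st;
}

const char *decoded_text(void) { return (const char *)scratch; }

int main(void)
{
    printf("naive check, size 0xFFFFFFF0: %s\n",
           naive_size_check_passes("FFFFFFF0", 1024) ? "passes (bug)" : "rejects");
    printf("hardened reader, same size: status %d\n",
           decoded_status("FFFFFFF0\r\nAAAA\r\n0\r\n\r\n"));
    printf("hardened reader, normal body: status %d, text \"%s\"\n",
           decoded_status("5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"), decoded_text());
    return 0;
}
```

A reader of this shape rejects 0xFFFFFFF0 while parsing the size rather than at the copy, and fails closed on truncated input; a production server would additionally need trailer handling and a total-body limit across chunks.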
*** {02.24.006} Cross - Oracle 9iAS reports server rwcgi60 CGI overflow
The rwcgi60 CGI shipped with Oracle 9iAS Reports Server contains
a buffer overflow in the handling of the database name parameter,
thereby allowing a remote attacker to execute arbitrary code on the
system. On Windows platforms, this code is executed with local system
privileges; on Unix platforms, the privileges are often restricted.
Oracle confirmed this problem and released patch 2356680.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0097.html
*** {02.24.010} Cross - csNews CGI multiple vulnerabilities
CGIscript.net's csNews.cgi script contains multiple vulnerabilities:
information disclosure; database retrieval; and access to
administrative pages/functions.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0091.html
*** {02.24.012} Cross - MakeBook CGI CSS and SSI vulnerabilities
The MakeBook CGI version 2.0 is vulnerable to cross-site scripting
and to arbitrary command execution via server-side includes embedded
in user posts.
These vulnerabilities are confirmed. An updated version is available
from the vendor's site.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0094.html
*** {02.24.013} Cross - Zeroboard _head.php CGI script execution
Zeroboard versions 4.x reportedly contain a vulnerability in the
_head.php CGI script that would allow a remote attacker to execute
arbitrary PHP scripts if particular default configuration values
are used.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0161.html
*** {02.24.014} Cross - Resin Webserver multiple vulnerabilities
Multiple vulnerabilities were found in Resin Webserver version 2.1.1:
the view_source.jsp sample script allows arbitrary file viewing;
a denial of service results when requesting large malformed URLs;
and a denial of service results when requesting DOS device file names
on Windows platforms.
These vulnerabilities are confirmed and fixed in version 2.1.2.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0106.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0107.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0108.html
*** {02.24.015} Cross - mmmail mmsyslog() format string vulnerability
Various daemon components included in the mmmail suite contain a
remotely exploitable format string vulnerability in their mmsyslog()
logging function that allows an attacker to execute arbitrary code on
the system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0095.html
*** {02.24.016} Cross - AnalogX SimpleServer:WWW malformed HTTP request
DoS
The AnalogX SimpleServer:WWW HTTP server version 1.16 crashes when a
remote attacker submits a particular malformed HTTP request, thereby
leading to a denial of service.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0106.html
*** {02.24.017} Cross - Active! Mail Webmail CSS vulnerability
TransWARE Active! Mail prior to version 2.0.1.1 is vulnerable to
cross-site scripting in the handling of HTML mail headers.
This vulnerability is confirmed and fixed in version 2.0.1.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0108.html
*** {02.24.018} Cross - <Body>Builder user login SQL tampering
The Ruslan <Body>Builder Java CGI application is vulnerable to SQL
tampering (injection) in the handling of user log-in information. This
allows a remote attacker to gain administrative log-in access as well
as to tamper with the database itself.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0120.html
*** {02.24.028} Cross - WebMathematica CGI file reading
The WebMathematica CGI suite allows a remote attacker to read arbitrary
files outside the Web root by submitting a particular MSPStoreID
URL parameter.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0174.html
*** {02.24.030} Cross - PHPAddress CGI LangCookie script execution
The PHPAddress CGI suite contains a vulnerability in the globals.php
script that allows a remote attacker to submit a particular malformed
LangCookie URL parameter, which could lead to the execution of
arbitrary PHP script code.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0182.html
*** {02.24.031} Cross - osCommerce CGI include_file script execution
The osCommerce CGI suite contains a vulnerability in the
include_once.php script that could allow a remote attacker to execute
arbitrary PHP code by submitting a particular malformed include_file
URL parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0188.html
*** {02.24.033} Cross - ColdFusion MX 404 page CSS vulnerability
ColdFusion MX version 6.0.0.46617 contains a cross-site scripting
error in the handling of 404 error responses.
The vendor confirmed this vulnerability and released an update,
which is available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0112.html
*** {02.24.036} Cross - WebBBS CGI follow-up parameter execution
WebBBS CGI suite version 5.0 does not properly filter the 'follow-up'
URL parameter before passing it to an open() function, thereby allowing
a remote attacker to execute arbitrary command-line commands under
the Web server's privileges.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-06/0217.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE9EiwU+LUG5KFpTkYRAooiAJ9DPmp7dDUhlSy6C3TnTcdgx7tA/gCdEXvF
BDWP25WYcch5nDypct/bXRM=
=6gn2
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus at nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus at nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info at neohapsis.com | http://www.neohapsis.com/).