From: Network Computing and The SANS Institute (sans+ZZ55523890718674530@sans.org)
Date: Wed Jul 03 2002 - 14:01:58 CDT

    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 026 (02.26)
                        Wednesday, July 3, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    TechQuiz: SSL Security
    How sharp are you when it comes to securing corporate resources? Find
    out by trying to outsmart our editors. If you succeed, you could win a
    nifty security token from our sponsor, Rainbow Technologies.
    http://www.nwc.com/techquiz/

    ----------------------------------------------------------------------

    Last week, we incorrectly titled item {02.25.023} as OpenBSD 3.4 when
    it should have read OpenSSH 3.4. To clarify, OpenSSH versions prior
    to 3.4 have a bug in the challenge-response code.

    This week, even more big bugs are surfacing. The DNS resolver code in
    ISC BIND's libresolv library, and in the libc resolvers derived from
    it on the various BSDs, has a buffer overflow that a malicious DNS
    server can trigger with a crafted response, executing code in whatever
    application made the query. Updating the shared libraries may not be
    sufficient: an application statically linked against the vulnerable
    resolver at compile time carries its own copy of the bug and has to be
    rebuilt or replaced.

    Apache's mod_ssl module also was found to have an off-by-one error in
    its handling of configuration directives. A local user who can supply
    an .htaccess file can use it to corrupt the HTTP child process and run
    code as the Apache user. ISPs and virtual hosting shops that let
    customers provide their own .htaccess configurations should be wary,
    and should consider restricting AllowOverride for those directories
    until the fix is in place. More information is provided in item
    {02.26.003}.

    Last, the official BitchX IRC client FTP site was found to be serving
    Trojaned copies of the source tarball. Identical to the irssi and
    fragrouter Trojan backdoors recently reported, this backdoor was
    inserted in the 'configure' script and lets a remote server execute
    arbitrary shell commands as the user who compiled/built the client.
    If you fetched a copy of the BitchX source code in the last month,
    check whether the configure script is Trojaned and, if it is, treat
    the host it was built on as compromised.

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.26.006} Win - AnalogX SimpleServer:Shout malformed HTTP request DoS
    {02.26.011} Win - AnalogX Proxy malformed HTTP request DoS
    {02.26.012} Win - Lil'HTTP server urlcount.cgi REPORT CSS vuln
    {02.26.014} Win - Multiple vendor WEB-INF directory access
    {02.26.015} Win - OmniHTTPd large HTTP request DoS
    {02.26.020} Win - Update {02.19.005}: ISC DHCPD nsupdate format string
                vuln
    {02.26.021} Win - MS02-033: Commerce server multiple buffer overflows
    {02.26.022} Win - MS02-032: Windows Media Player cumulative patch
    {02.26.005} Linux - Update {02.21.013}: Mailman multiple CSS vulns
    {02.26.007} NW - IManage username field DoS
    {02.26.025} HPUX - IPv6 dced/rpcd DoS
    {02.26.013} NApps - Cisco SSH DoS
    {02.26.001} Cross - Update {02.25.023}: OpenSSH version 3.4 available,
                security vulns
    {02.26.002} Cross - DNS libresolv/resolver buffer overflow
    {02.26.003} Cross - Apache mod_ssl off by one config directive overflow
    {02.26.004} Cross - Update {02.24.002}: Apache chunked encoding DoS and
                overflow
    {02.26.008} Cross - JRun character append reveals source code
    {02.26.009} Cross - JRun admin server auth bypass
    {02.26.010} Cross - Sitespring Server database engine DoS
    {02.26.016} Cross - Betsie CGI suite CSS vulns
    {02.26.017} Cross - Blackboard CGI suite multiple CSS vulns
    {02.26.018} Cross - PHPAuction CGI arbitrary admin account creation
    {02.26.019} Cross - Sendmail 8.12.5 released, with security fix
    {02.26.023} Cross - HP/Sharity cifslogin multiple command-line param
                overflows
    {02.26.024} Cross - Cisco Secure ACS Acme.server file disclosure

    - --- Windows News -------------------------------------------------------

    *** {02.26.006} Win - AnalogX SimpleServer:Shout malformed HTTP request
                    DoS

    AnalogX SimpleServer:Shout version 1.0 has been found to contain a
    denial-of-service vulnerability whereby a remote attacker can send a
    particular malformed HTTP request to the service, eventually causing
    it to stop responding.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0338.html

    *** {02.26.011} Win - AnalogX Proxy malformed HTTP request DoS

    AnalogX Proxy service version 4.07 has been found to contain a denial
    of service. A remote attacker can submit a particular malformed HTTP
    request to the proxy service, eventually causing the service to crash.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0006.html

    *** {02.26.012} Win - Lil'HTTP server urlcount.cgi REPORT CSS vuln

    Lil'HTTP server has been reported to include a default urlcount.cgi
    CGI script that has been found to contain a cross-site scripting
    vulnerability in the handling of the REPORT parameter.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0332.html

    *** {02.26.014} Win - Multiple vendor WEB-INF directory access

    An advisory has surfaced that indicates multiple vendors' Java/JSP
    Web servers allow remote access to the WEB-INF directory, which
    typically contains sensitive files (web.xml, class files) that must
    never be served to users. The vulnerability is triggered by appending
    an extra '.' character to the directory name in the URL request, so
    that the request names 'WEB-INF.' rather than 'WEB-INF' and slips past
    the server's access check. Sybase EA server, Oracle OC4J, Orion, JRun,
    HP App Server, Paramati and Jo Webserver have been reported as
    vulnerable.

    A full list of vulnerable versions and appropriate patches is available
    at the reference URL below.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0132.html
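
    The trailing-dot bypass above is a canonicalization failure: the
    server's access check compares the raw request path against the
    literal 'WEB-INF' while the filesystem resolves 'WEB-INF.' to the same
    directory. The following Python is an added example, not code from
    the advisory or from any of the listed vendors; the naive and hardened
    checks, the function names and the probe paths are all constructed
    here. It generalizes a little beyond the advisory to the encoded and
    traversal variants of the same trick.

```python
"""Added example (not from the VulnWatch advisory or any vendor's code).

Shows why a literal check on the raw request path misses 'WEB-INF.' and
how an access check should canonicalize the path first. The naive and
hardened checks, their names and the request paths below are all
constructed for this illustration.
"""
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve to clients.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def naive_is_protected(raw_path: str) -> bool:
    """Literal prefix match on the request path as received.
    '/WEB-INF./web.xml' does not start with '/WEB-INF/', so it passes,
    yet the filesystem lookup still resolves 'WEB-INF.' to 'WEB-INF'."""
    return raw_path.startswith("/WEB-INF/") or raw_path.startswith("/META-INF/")


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the filesystem will actually open.

    Percent-decoding is repeated until it stabilizes so '%252E' does not
    survive a single decode; trailing dots and spaces are stripped from
    each segment ('WEB-INF.' -> 'WEB-INF'); '.' and '..' are resolved.
    """
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [
        seg if seg in (".", "..") else seg.rstrip(". ")
        for seg in path.split("/")
    ]
    return posixpath.normpath("/" + "/".join(segments).lstrip("/"))


def hardened_is_protected(raw_path: str) -> bool:
    """Decide on the canonical path and look at every segment, so the
    check holds behind a context prefix ('/app/WEB-INF/...') and on
    case-insensitive filesystems."""
    canon = canonicalize(raw_path)
    return any(seg.upper() in PROTECTED_DIRS for seg in canon.split("/"))


# Constructed probe paths: the first is the plain case both checks catch,
# the rest are the trailing-dot bypass and its encoded/traversal variants.
PROBES = [
    "/WEB-INF/web.xml",
    "/WEB-INF./web.xml",
    "/WEB-INF%2E/web.xml",
    "/WEB-INF%252E/web.xml",
    "/app/..%2FWEB-INF/web.xml",
    "/index.jsp",
]


def compare(probes=PROBES):
    """Return {path: (naive_verdict, hardened_verdict)} for each probe."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in probes}


if __name__ == "__main__":
    for path, (naive, hardened) in compare().items():
        print(f"{path:28} naive={naive!s:5} hardened={hardened}")
```

    Run it to see each probe's verdict from both checks. The point is that
    the decision has to be made on the path the filesystem will actually
    open, not on the bytes the client sent; any server that authorizes
    before canonicalizing has the same class of bug waiting for the next
    alias the filesystem accepts.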

    *** {02.26.015} Win - OmniHTTPd large HTTP request DoS

    OmniHTTPd version 2.09 has been found to crash when a remote attacker
    submits a large URL request, leading to a denial-of-service attack.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q3/0000.html

    *** {02.26.020} Win - Update {02.19.005}: ISC DHCPD nsupdate format
                    string vuln

    Caldera has released updated dhcpd packages that fix the vulnerability
    discussed in {02.19.005} ("ISC DHCPD nsupdate format string vuln").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0029.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0029.html

    *** {02.26.021} Win - MS02-033: Commerce server multiple buffer
                    overflows

    Microsoft has released MS02-033 ("Commerce server multiple buffer
    overflows"). MS Commerce Server versions 2000 and 2002 contain multiple
    buffer overflows in various components, including the profile service,
    the OWC (Office Web Components) installer and the ISAPI handler.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-033.asp

    Source: Microsoft (NTBugtraq)
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0152.html

    *** {02.26.022} Win - MS02-032: Windows Media Player cumulative patch

    Microsoft has released MS02-032 ("Windows Media Player cumulative
    patch"). Three new vulnerabilities found in the various versions
    of Windows Media Player have been fixed in this cumulative patch.
    The vulnerabilities include a remote information disclosure, a local
    privilege escalation and a potential remote script execution bug.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-032.asp

    Source: Microsoft (NTBugtraq)
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0153.html

    - --- Linux News ---------------------------------------------------------

    *** {02.26.005} Linux - Update {02.21.013}: Mailman multiple CSS vulns

    Red Hat has released updated mailman packages that fix the
    vulnerability discussed in {02.21.013} ("Mailman multiple CSS vulns").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0112.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0112.html

    - --- NetWare News -------------------------------------------------------

    *** {02.26.007} NW - IManage username field DoS

    The IManage service shipped with NetWare versions 6.0 and 6.0SP1 has
    been found to contain a denial of service whereby a remote attacker
    enters a string of characters in the username field, causing an ABEND.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0338.html

    - --- HP-UX News ---------------------------------------------------------

    *** {02.26.025} HPUX - IPv6 dced/rpcd DoS

    HP has released an advisory that indicates the dced and rpcd services
    shipped with HP-UX version 11.11 (only) are vulnerable to a remote
    denial of service, letting an attacker cause them to crash.

    Patches PHSS_27258 and PHSS_27259 fix the problem.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q3/0000.html

    - --- Network Appliances News --------------------------------------------

    *** {02.26.013} NApps - Cisco SSH DoS

    Cisco has released an advisory indicating that all Cisco products
    with SSH capability (anything running IOS, CatOS, PIX and the Content
    Service Switch family) contain a bug that lets a remote attacker who
    can reach the SSH service cause a denial of service on the device.

    A full matrix of affected versions and patches is available at:
    http://archives.neohapsis.com/archives/cisco/2002-q2/0017.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0017.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.26.001} Cross - Update {02.25.023}: OpenSSH version 3.4
                    available, security vulns

    Many vendors have released updated OpenSSH packages that fix the
    vulnerability discussed in {02.25.023} ("OpenSSH version 3.4 available,
    security vulns").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0076.html

    Official Caldera workaround:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0033.html

    Updated OpenPKG information:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0110.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0036.html

    Updated Slackware tarballs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0353.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0000.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0051.html

    NetBSD CVS branches as of June 26, 2002 contain the fixes.

    Source: CERT, Debian, NetBSD, Caldera, Red Hat, Conectiva, Slackware,
    EnGarde, SuSE, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/cc/2002-q2/0010.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0076.html
    http://archives.neohapsis.com/archives/netbsd/2002-q2/0285.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0033.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0335.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0110.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0036.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0353.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0000.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0051.html

    *** {02.26.002} Cross - DNS libresolv/resolver buffer overflow

    A bug has been found in the various libc resolver libraries (including
    all BSD flavors) as well as in the ISC BIND libresolv library whereby
    a malicious DNS server can return a malformed response that causes
    arbitrary code to be executed in the context of the application
    making the DNS query. Applications statically linked against ISC
    libresolv or a vulnerable libc carry their own copy of the code and
    are vulnerable regardless of the shared library installed; they will
    have to be rebuilt or replaced as well.

    ISC has released updated BIND versions:
    ftp://ftp.isc.org/isc/bind/src/8.2.6/bind-src.tar.gz
    ftp://ftp.isc.org/isc/bind/src/8.3.3/bind-src.tar.gz
    ftp://ftp.isc.org/isc/bind/src/4.9.9/bind-4.9.9-REL.tar.gz

    OpenBSD patch:
    http://archives.neohapsis.com/archives/openbsd/2002-06/2462.html

    NetBSD branches as of June 26, 2002 contain the fix.
    FreeBSD branches as of June 27, 2002 contain the fix.

    Source: BIND, CERT, OpenBSD, NetBSD, FreeBSD
    http://archives.neohapsis.com/archives/bind/2002/0012.html
    http://archives.neohapsis.com/archives/bind/2002/0013.html
    http://archives.neohapsis.com/archives/bind/2002/0014.html
    http://archives.neohapsis.com/archives/cc/2002-q2/0012.html
    http://archives.neohapsis.com/archives/openbsd/2002-06/2462.html
    http://archives.neohapsis.com/archives/netbsd/2002-q2/0288.html
    http://archives.neohapsis.com/archives/freebsd/2002-06/0589.html
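
    The resolver bug described in the introduction and in this item comes
    down to trusting length fields supplied by the answering server. The
    Python below is an added example, not ISC's or any BSD's resolver
    code: a small response parser that checks every length it reads
    (label lengths, compression pointers, RDLENGTH, and the fixed RDATA
    size of A/AAAA records) against the packet before using it, fed with
    packets constructed here to show the good case and three malformed
    responses a hostile server could send. The domain, address and record
    layout are illustrative assumptions.

```python
"""Added example (not ISC's or any BSD's resolver code).

A small DNS response parser that checks every length it reads from the
wire against the packet before using it: label lengths, compression
pointers and RDLENGTH, plus the size a record of a given type may have.
The packets below are constructed here to exercise the good case and the
malformed responses a hostile server could send; names are assumptions.
"""
import struct

MAX_LABEL = 63                 # RFC 1035 label length limit
MAX_NAME = 255                 # RFC 1035 total name length limit
FIXED_RDLEN = {1: 4, 28: 16}   # A and AAAA records have a fixed RDATA size


class MalformedResponse(ValueError):
    """Raised for any response the parser refuses to trust."""


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name at pkt[off]; return (name, next_offset)."""
    labels, total, end, jumped = [], 0, None, False
    while True:
        if off >= len(pkt):
            raise MalformedResponse("name runs past end of packet")
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if off + 1 >= len(pkt):
                raise MalformedResponse("truncated compression pointer")
            ptr = ((ln & 0x3F) << 8) | pkt[off + 1]
            if ptr >= off:                          # must point backwards: no loops
                raise MalformedResponse("compression pointer does not point backwards")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        if ln & 0xC0:
            raise MalformedResponse("reserved label type")
        if ln == 0:                                 # root label terminates the name
            if not jumped:
                end = off + 1
            break
        if ln > MAX_LABEL or off + 1 + ln > len(pkt):
            raise MalformedResponse("label length exceeds limit or packet")
        total += ln + 1
        if total > MAX_NAME:
            raise MalformedResponse("name longer than 255 octets")
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    return ".".join(labels) or ".", end


def parse_response(pkt: bytes):
    """Return [(owner, type, rdata), ...] for every RR, or raise MalformedResponse."""
    if len(pkt) < 12:
        raise MalformedResponse("header truncated")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise MalformedResponse("question truncated")
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise MalformedResponse("RR header truncated")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):                  # RDLENGTH must fit in the packet
            raise MalformedResponse("RDLENGTH exceeds packet")
        if rtype in FIXED_RDLEN and rdlen != FIXED_RDLEN[rtype]:
            raise MalformedResponse(f"type {rtype} RDLENGTH {rdlen} is not {FIXED_RDLEN[rtype]}")
        records.append((owner, rtype, pkt[off:off + rdlen]))
        off += rdlen
    return records


def classify(pkt: bytes) -> str:
    """'ok' or 'rejected: <reason>' for a packet, for quick triage."""
    try:
        parse_response(pkt)
        return "ok"
    except MalformedResponse as exc:
        return f"rejected: {exc}"


# Constructed sample packets: a query for example.com answered with one A record.
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"


def sample_packet(answer_name: bytes, rdlen_field: int, rdata: bytes) -> bytes:
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    return header + QUESTION + answer_name + struct.pack("!HHIH", 1, 1, 300, rdlen_field) + rdata


GOOD = sample_packet(b"\xc0\x0c", 4, bytes([192, 0, 2, 1]))            # pointer to offset 12
LYING_RDLENGTH = sample_packet(b"\xc0\x0c", 0xFFFF, bytes([192, 0, 2, 1]))
OVERSIZED_A = sample_packet(b"\xc0\x0c", 16, b"\x41" * 16)              # 16-byte "A" record
POINTER_LOOP = sample_packet(b"\xc0\x1d", 4, bytes([192, 0, 2, 1]))     # points to itself (offset 29)

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("lying rdlength", LYING_RDLENGTH),
                       ("oversized A", OVERSIZED_A), ("pointer loop", POINTER_LOOP)]:
        print(f"{label:15} {classify(pkt)}")
```

    The parse is the check, not a fix: a real resolver has to apply the
    same discipline before it copies RDATA into a fixed-size hostent
    buffer, and the affected libraries still need the vendor updates
    listed above.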

    *** {02.26.003} Cross - Apache mod_ssl off by one config directive
                    overflow

    The Apache mod_ssl module has been found to contain an off-by-one
    overflow in the handling of configuration file directives. This could
    potentially let a local attacker who can supply an .htaccess file gain
    control of the Apache child processes (allowing spoofed HTTP replies),
    create arbitrary log file entries and execute arbitrary code under the
    Apache user's privileges (typically 'nobody'). Mod_ssl versions 2.8.9
    and prior are vulnerable.

    This vulnerability has been confirmed and fixed in version 2.8.10.

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0000.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0000.html

    Source: Conectiva, EnGarde, Debian, Trustix, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0318.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
    http://archives.neohapsis.com/archives/vendor/2002-q3/0000.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0001.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0000.html

    *** {02.26.004} Cross - Update {02.24.002}: Apache chunked encoding DoS
                    and overflow

    Multiple vendors have released updated apache packages, which fix the
    vulnerability discussed in {02.24.002} ("Apache chunked encoding DoS
    and overflow").

    Updated Red Hat Secure Web Server packages:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0109.html

    HP has released patch HPTL_00023 for its Secure OS software for Linux,
    available at:
    http://itrc.hp.com

    IBM has released an update for its AIX Toolbox for Linux, available at:
    http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

    HP/Compaq has released updates for Tru64 CSWS, HP-UX and OpenVMS.
    Full details are available at:
    http://archives.neohapsis.com/archives/compaq/2002-q2/0131.html

    Caldera/SCO updated OpenUnix, OpenServer and UnixWare binaries:
    ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.31
    ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.32

    Source: Red Hat, HP/Compaq, IBM, Caldera/SCO
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0109.html
    http://archives.neohapsis.com/archives/hp/2002-q2/0086.html
    http://archives.neohapsis.com/archives/aix/2002-q2/0018.html
    http://archives.neohapsis.com/archives/compaq/2002-q2/0131.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0000.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0001.html

    *** {02.26.008} Cross - JRun character append reveals source code

    JRun version 4.0 has been found to contain a vulnerability that would
    result in the JRun server returning the unparsed JSP source code to
    a remote attacker if the attacker appends particular characters to
    the URL request.

    This vulnerability has been confirmed by the vendor. A patch is
    available at:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0138.html

    *** {02.26.009} Cross - JRun admin server auth bypass

    The administrative server included with JRun has been found to contain
    a vulnerability that would let attackers perform administrative tasks
    without needing to know the administrative login id and password.

    This vulnerability has been confirmed by the vendor, which has
    released a patch available at:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23164

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0135.html

    *** {02.26.010} Cross - Sitespring Server database engine DoS

    Sitespring server version 1.2.0(277.1) has been reported to be
    vulnerable to a denial-of-service attack whereby a remote attacker
    can directly access the database engine port and send malformed data,
    causing the service to crash.

    The advisory indicates vendor confirmation. No patches have been
    made available.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0140.html

    *** {02.26.016} Cross - Betsie CGI suite CSS vulns

    The 'BBC Education Text to Speech Internet Enhancer' (Betsie)
    CGI suite has been found to contain multiple cross-site scripting
    vulnerabilities in the handling of various CGI parameters.

    The advisory indicates confirmation by the vendor, which has released
    version 1.5.12.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0002.html

    *** {02.26.017} Cross - Blackboard CGI suite multiple CSS vulns

    Blackboard.com's Blackboard CGI suite has been reported to contain
    multiple cross-site scripting vulnerabilities in many of the supporting
    CGIs' handling of various URL parameters.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0005.html

    *** {02.26.018} Cross - PHPAuction CGI arbitrary admin account creation

    The PHPAuction CGI suite has been found to let a remote attacker
    create arbitrary administrative accounts through /admin/login.php,
    letting them take over administration of the CGI service.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0014.html

    *** {02.26.019} Cross - Sendmail 8.12.5 released, with security fix

    Sendmail 8.12.5 was released. The new version contains bug fixes as
    well as a security fix that prevents an obscure remotely exploitable
    buffer overflow in the DNS map feature, which is likely to be unused
    in most installations.

    The latest source is available at:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.gz

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2002-q2/0003.html

    *** {02.26.023} Cross - HP/Sharity cifslogin multiple command-line
                    param overflows

    The cifslogin application shipped with HP-UX (originally written by
    Sharity for Unix) has been found to contain multiple buffer overflows
    in the handling of various command-line parameters, letting a local
    attacker execute arbitrary code with root privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0300.html

    *** {02.26.024} Cross - Cisco Secure ACS Acme.server file disclosure

    Cisco Secure ACS for Unix platforms includes the Acme.server HTTP
    service, which has been found to contain a remotely exploitable
    directory browsing/file disclosure bug.

    This vulnerability has been confirmed by Cisco. Contact your Cisco
    representative for an available patch.

    Source: Cisco (SecurityFocus Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0017.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9I0gY+LUG5KFpTkYRAmQCAJ9hYWnNAcNJYm9TncN5nqbX2eWjrgCfS93s
    oljPRgU782SHct520VjUG6Q=
    =Qd8P
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).