From: Network Computing and The SANS Institute (sans+ZZ43448411416515285_at_sans.org)
Date: Thu Dec 12 2002 - 13:21:45 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 049 (02.49)
Thursday, December 12, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by SPI Dynamics.
ALERT: How a hacker launches a Web application attack step-by-step Learn
why 70% of today's successful hacks involve Web Application attacks such
as: SQL Injection, XSS, Cookie Manipulation, Session Hijacking and
Parameter Manipulation. All undetectable by Firewalls and IDS! Download
a *FREE* white paper from SPI Dynamics for a guide to protection!
http://www.spidynamics.com/mktg/webappsecurity31
************************** End Advertisement *************************
Occasionally, the SAC team comes across an advisory where we need to
determine whether or not the vulnerability discussed is indeed a bug,
configuration problem, user error, etc. A great example would be one
of the numerous PHP scripts, where playing around with a URL parameter
gets PHP to display error information. The vulnerability in this case
is not in the script--although it does house the bug, which lets this
vulnerability surface. Rather, the PHP configuration is set up to dump
diagnostic error information to the user. Fix your PHP configuration,
and you've fixed this entire class of problems. The same goes for IIS
ASP pages, which particularly love to dump ODBC error information,
thereby directly aiding in SQL tampering attacks. Plus, there are the
usual default passwords, users initiating denial of service attacks
against themselves, insecure storage of passwords used in insecure
protocols (IMAP, POP, FTP), etc.
Last week, Trust Factory released an advisory detailing how the
ShopFactory CGI shopping cart potentially allows a user to manipulate
items' prices. Granted, it's not great that the script allows this,
but it's also not the only way to take advantage of this type of
vulnerability. Traditionally, many shopping cart applications will
fire off an e-mail to a fulfillment contact for actual processing. With
enough knowledge, attackers can easily spoof that e-mail and indicate,
for example, that they should be sent 25 rubber duckies without
actually paying for them. This entire realm of problems is no different
than what retailers in the physical world have been dealing with for
years: fraud. You could walk into a store and put a $2.99 price tag on
a $59.99 item, and the only way you'll get caught is if the checkout
clerk is aware that the item in question is definitely not $2.99. In
addition, there's the entire foray into cloned and stolen credit cards.
In the end, online systems are just as susceptible to many of the same
methods of fraud as physical-world stores. We all know 100-percent
security is a myth. Otherwise, you would not be subscribed to this
newsletter. It is in a retailer's best interest to periodically
sample or check orders to ensure that the automated process has not
been tampered with. This checking procedure could even be automated,
as long as the check exists independently of other processes. For
instance, having the purchasing and verification programs use the
same price database doesn't help when someone manipulates a price to
an incorrect value within the database.
Back to ShopFactory... Does your company trust that a potentially
vulnerable CGI running on a potentially insecure Web server on a
potentially weak operating system sitting on a potentially untrustworthy
network interfacing with untrustworthy attackers is actually fulfilling
orders with no amount of fraud? Right, we didn't think so. If you double
check your orders independently of the purchasing process, you won't
have to worry about an outsider (or insider) buying your rubber duckies
for less than bargain basement prices.
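The independent check the editorial argues for, as an added example that is not part of the newsletter and not ShopFactory's code: a reference price list kept apart from the cart's database, a reconciliation pass over each order, and a cross-check of a fulfillment e-mail against what the payment side actually captured. The price list, the order records and the mail format are all constructed here.

```python
"""Independent order reconciliation, in the spirit of the editorial above.
Added example, not code from the newsletter or from ShopFactory. The
reference price list, the order lines and the fulfillment-mail format are
all constructed here; a real shop would export them from its own systems.
"""
import re
from dataclasses import dataclass
from decimal import Decimal

# Constructed reference prices. Keep this list separate from the cart's own
# price table: if both programs read the same database, a tampered price
# passes the check as well (the editorial's point).
REFERENCE_PRICES = {
    "DUCK-001": Decimal("4.99"),    # rubber ducky
    "WIDGET-7": Decimal("59.99"),
}


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: str  # price as submitted by the cart, e.g. "4.99"


def reconcile(order_id, lines, charged_total):
    """Return discrepancy messages for one order; an empty list means it checks out."""
    problems = []
    expected = Decimal("0")
    for ln in lines:
        ref = REFERENCE_PRICES.get(ln.sku)
        if ref is None:
            problems.append(f"{order_id}: unknown sku {ln.sku}")
            continue
        if ln.qty <= 0:
            problems.append(f"{order_id}: bad quantity {ln.qty} for {ln.sku}")
        price = Decimal(ln.unit_price)
        if price != ref:
            problems.append(f"{order_id}: {ln.sku} priced {price}, reference {ref}")
        expected += ref * ln.qty
    if Decimal(charged_total) != expected:
        problems.append(f"{order_id}: charged {Decimal(charged_total)}, expected {expected}")
    return problems


# Constructed mail format: a line "ORDER <id>", then "<sku> x<qty> @ <price>" lines.
_ORDER_RE = re.compile(r"^ORDER (\S+)$", re.M)
_LINE_RE = re.compile(r"^(\S+) x(-?\d+) @ (-?\d+\.\d{2})$", re.M)


def check_fulfillment_mail(text, paid_orders):
    """Cross-check a fulfillment request against orders the payment side recorded.
    paid_orders maps order id -> amount captured; an unpaid id is reported as a spoof."""
    m = _ORDER_RE.search(text)
    if m is None or m.group(1) not in paid_orders:
        return [f"fulfillment mail for unpaid/unknown order {m.group(1) if m else '?'}"]
    lines = [Line(s, int(q), p) for s, q, p in _LINE_RE.findall(text)]
    return reconcile(m.group(1), lines, paid_orders[m.group(1)])
```

Run reconcile over a sample of the day's orders on a host that does not share the cart's database; any non-empty result is an order to hold before shipping.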
Those of you interested in the Trust Factory advisory on the ShopFactory CGI vulnerability can read:
http://archives.neohapsis.com/archives/bugtraq/2002-12/0018.html
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.49.018} Win - Enceladus FTP server CD overflow
{02.49.021} Win - MS02-067: Outlook 2000 e-mail header DoS
{02.49.022} Win - MS02-068: IE cumulative patch 12/2002
{02.49.023} Win - IPD kernel protection bypass
{02.49.003} Linux - Update {02.45.022}: Pine 4.44 malformed from field vulnerability
{02.49.004} Linux - Update {02.43.007}: ypserv memory leak DoS
{02.49.005} Linux - Update {02.31.009}: RPC XDR array decoding overflow
{02.49.006} Linux - Update {02.45.027}: KDE KIO rlogin/telnet protocol handler overflows
{02.49.007} Linux - Update {02.40.013}: Apache hostname CSS, ab overflow and shared memory vulnerabilities
{02.49.009} Linux - Gnuplot SuSE local vulnerability
{02.49.010} Linux - Update {01.33.006}: groff/pic format vulnerability circumvents -S
{02.49.011} Linux - Update {02.35.017}: Python insecure temp file handling
{02.49.002} HPUX - ied unauthorized data access
{02.49.012} SCO - Update {02.19.010}: OpenBSD file descriptor DoS and fd/suid vulnerability
{02.49.001} Cross - smb2www CGI command execution
{02.49.008} Cross - OpenLDAP2 multiple vulnerabilities
{02.49.013} Cross - Canna two local vulnerabilities
{02.49.014} Cross - wget directory recursion vulnerability
{02.49.015} Cross - apt-www-proxy multiple vulnerabilities
{02.49.016} Cross - gtetrinet overflows by malicious server
{02.49.017} Cross - tcpdump BGP decoding overflow
{02.49.019} Cross - Cyrus SASL library overflows
{02.49.020} Cross - Exim admin user pid file vulnerability
--- Windows News -------------------------------------------------------
*** {02.49.018} Win - Enceladus FTP server CD overflow
The Enceladus Server Suite version 3.9 reportedly contains a buffer
overflow in the handling of the 'CD' FTP command, thereby allowing
a remote attacker to execute arbitrary code on the system.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0097.html
*** {02.49.021} Win - MS02-067: Outlook 2000 e-mail header DoS
Microsoft released MS02-067 ("Outlook 2000 e-mail header DoS"). The
Outlook 2000 (only) client crashes when it receives a particular type
of e-mail with a malformed header. The client will continue to crash
whenever it encounters the particular e-mail. Other Outlook versions
are not affected.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-067.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0015.html
*** {02.49.022} Win - MS02-068: IE cumulative patch 12/2002
Microsoft released MS02-068 ("IE cumulative patch 12/2002"). This
patch contains all prior Internet Explorer patches as well as a fix
for a critical new vulnerability, which lets a malicious e-mail or
Web site execute arbitrary command-line commands on a user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-068.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0017.html
*** {02.49.023} Win - IPD kernel protection bypass
The Integrity Protection Driver prior to version 1.3 contains two bugs
that allow a local attacker to bypass the restrictions it is supposed
to provide: indirect access to \Device\PhysicalMemory via an object
symlink; and dependency on the system clock lets an attacker roll
the clock back in order to disengage the driver.
These vulnerabilities are confirmed and fixed in version 1.3.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2002-q4/0087.html
--- Linux News ---------------------------------------------------------
*** {02.49.003} Linux - Update {02.45.022}: Pine 4.44 malformed from field vulnerability
Conectiva released updated pine packages, which fix the vulnerability
discussed in {02.45.022} ("Pine 4.44 malformed from field
vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0023.html
*** {02.49.004} Linux - Update {02.43.007}: ypserv memory leak DoS
Caldera/SCO released updated nis packages, which fix the vulnerability
discussed in {02.43.007} ("ypserv memory leak DoS").
Updated RPMs are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0022.html
*** {02.49.005} Linux - Update {02.31.009}: RPC XDR array decoding overflow
Caldera/SCO released updated glibc packages, which fix the
vulnerability discussed in {02.31.009} ("RPC XDR array decoding
overflow").
Updated RPMs are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0023.html
*** {02.49.006} Linux - Update {02.45.027}: KDE KIO rlogin/telnet protocol handler overflows
Debian released updated kdelibs packages, which fix the vulnerability
discussed in {02.45.027} ("KDE KIO rlogin/telnet protocol handler
overflows").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0871.html
*** {02.49.007} Linux - Update {02.40.013}: Apache hostname CSS, ab overflow and shared memory vulnerabilities
Caldera/SCO released updated Apache packages, which fix the
vulnerabilities discussed in {02.40.013} ("Apache hostname CSS,
ab overflow and shared memory vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0024.html
*** {02.49.009} Linux - Gnuplot SuSE local vulnerability
SuSE indicated that a SuSE-specific patch to gnuplot introduces a
local buffer overflow on systems prior to SuSE version 8.0.
SuSE confirmed this vulnerability. A patch is currently in the
works. Information is in the Pending Vulnerabilities section of the
URL referenced below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/1119.html
*** {02.49.010} Linux - Update {01.33.006}: groff/pic format vulnerability circumvents -S
Caldera/SCO released updated groff packages, which fix the
vulnerability discussed in {01.33.006} ("groff/pic format vulnerability
circumvents -S").
Updated RPMs are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0025.html
*** {02.49.011} Linux - Update {02.35.017}: Python insecure temp file handling
Mandrake rereleased updated python packages, which fix the
vulnerability discussed in {02.35.017} ("Python insecure temp file
handling"). The previous updates contained a packaging error.
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0267.html
--- HP-UX News ---------------------------------------------------------
*** {02.49.002} HPUX - ied unauthorized data access
An HP advisory indicates that the ied utility can view unauthorized
data. Further details were not provided.
This vulnerability is confirmed. Patches were released:
HPUX 11.00: PHCO_24446
HPUX 10.XX: PHCO_27560
Source: HP/Compaq
http://archives.neohapsis.com/archives/hp/2002-q4/0053.html
--- SCO News -----------------------------------------------------------
*** {02.49.012} SCO - Update {02.19.010}: OpenBSD file descriptor DoS and fd/suid vulnerability
SCO/Caldera released updates, which fix the vulnerability
discussed in {02.19.010} ("OpenBSD file descriptor DoS and fd/suid
vulnerability"). It turns out SCO is also vulnerable to one of the
problems suffered by OpenBSD.
Updates are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0026.html
--- Cross-Platform News ------------------------------------------------
*** {02.49.001} Cross - smb2www CGI command execution
A Debian advisory indicates that a vulnerability in the smb2www CGI
allows a remote attacker to execute arbitrary command-line commands
accessible to the Web server user ID.
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0864.html
*** {02.49.008} Cross - OpenLDAP2 multiple vulnerabilities
The SuSE security team found multiple remote and local buffer overflows
in the OpenLDAP2 package, which allow the execution of arbitrary code.
SuSE confirmed these and released updated RPMs, listed at the reference
URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/1119.html
*** {02.49.013} Cross - Canna two local vulnerabilities
The Canna kana-kanji input server contains two vulnerabilities,
including a local buffer overflow that yields user 'bin' privileges.
Red Hat confirmed this and released updated RPMs, listed at the
reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0053.html
*** {02.49.014} Cross - wget directory recursion vulnerability
Wget prior to version 1.8.2 contains a vulnerability whereby a
malicious Web site's content could cause wget to write files outside
the download directory.
Red Hat confirmed this vulnerability and released updated RPMs,
listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0054.html
*** {02.49.015} Cross - apt-www-proxy multiple vulnerabilities
The apt-www-proxy utility version 0.1 contains two vulnerabilities:
a denial of service attack that causes the app to crash; and various
format string vulnerabilities that could allow the execution of
arbitrary code.
These vulnerabilities are not confirmed. A third-party patch is
available at the reference URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0081.html
*** {02.49.016} Cross - gtetrinet overflows by malicious server
The gtetrinet game included with Debian Linux contains multiple buffer
overflows that may allow a malicious server to execute arbitrary code
on a user's system.
Debian confirmed this vulnerability and released updated DEBs, listed
at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0951.html
*** {02.49.017} Cross - tcpdump BGP decoding overflow
Tcpdump's decoding of BGP messages contains a buffer overflow that
allows maliciously introduced BGP traffic to cause a buffer overflow
and execute arbitrary code on the machine running tcpdump.
This vulnerability is confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0952.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0018.html
Source: Debian, Caldera
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0952.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0018.html
*** {02.49.019} Cross - Cyrus SASL library overflows
The Cyrus SASL library prior to version 2.1.10 contains buffer
overflows that could lead to the remote execution of arbitrary code.
Multiple products use the SASL library for authentication.
This vulnerability is confirmed and fixed in version 2.1.10.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0075.html
*** {02.49.020} Cross - Exim admin user pid file vulnerability
Exim versions 3.x and 4.x contain a vulnerability that allows a defined
Exim admin user to exploit a local format string buffer overflow in
the handling of the pid_file_path parameter.
The vendor confirmed this vulnerability and released a patch,
available at:
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20021202/046978.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0033.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).