From: Network Computing and The SANS Institute (sans+ZZ43448411416515285_at_sans.org)
Date: Thu Dec 12 2002 - 13:21:45 CST



    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 049 (02.49)
                      Thursday, December 12, 2002
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    This issue sponsored by SPI Dynamics.

    ALERT: How a hacker launches a Web application attack step-by-step. Learn
    why 70% of today's successful hacks involve Web Application attacks such
    as: SQL Injection, XSS, Cookie Manipulation, Session Hijacking and
    Parameter Manipulation. All undetectable by Firewalls and IDS! Download
    a *FREE* white paper from SPI Dynamics for a guide to protection!
    http://www.spidynamics.com/mktg/webappsecurity31

    ************************** End Advertisement *************************

    Occasionally, the SAC team comes across an advisory where we need to
    determine whether or not the vulnerability discussed is indeed a bug,
    configuration problem, user error, etc. A great example would be one
    of the numerous PHP scripts, where playing around with a URL parameter
    gets PHP to display error information. The vulnerability in this case
    is not in the script--although it does house the bug, which lets this
    vulnerability surface. Rather, the PHP configuration is set up to dump
    diagnostic error information to the user. Fix your PHP configuration,
    and you've fixed this entire class of problems. The same goes for IIS
    ASP pages, which particularly love to dump ODBC error information,
    thereby directly aiding in SQL tampering attacks. Plus, there are the
    usual default passwords, users initiating denial of service attacks
    against themselves, insecure storage of passwords used in insecure
    protocols (IMAP, POP, FTP), etc.

    Last week, Trust Factory released an advisory detailing how the
    ShopFactory CGI shopping cart potentially allows a user to manipulate
    items' prices. Granted, it's not great that the script allows this,
    but it's also not the only way to take advantage of this type of
    vulnerability. Traditionally, many shopping cart applications will
    fire off an e-mail to a fulfillment contact for actual processing. With
    enough knowledge, attackers can easily spoof that e-mail and indicate,
    for example, that they should be sent 25 rubber duckies without
    actually paying for them. This entire realm of problems is no different
    from what retailers in the physical world have been dealing with for
    years: fraud. You could walk into a store and put a $2.99 price tag on
    a $59.99 item, and the only way you'll get caught is if the checkout
    clerk is aware that the item in question is definitely not $2.99. In
    addition, there's the entire foray into cloned and stolen credit cards.

    In the end, online systems are just as susceptible to many of the same
    methods of fraud as physical-world stores. We all know 100-percent
    security is a myth. Otherwise, you would not be subscribed to this
    newsletter. It is in a retailer's best interest to periodically
    sample or check orders to ensure that the automated process has not
    been tampered with. This checking procedure could even be automated,
    as long as the check exists independently of other processes. For
    instance, having the purchasing and verification programs use the
    same price database doesn't help when someone manipulates a price to
    an incorrect value within the database.

    Back to ShopFactory... Does your company trust that a potentially
    vulnerable CGI running on a potentially insecure Web server on a
    potentially weak operating system sitting on a potentially untrustworthy
    network interfacing with untrustworthy attackers is actually fulfilling
    orders with no amount of fraud? Right, we didn't think so. If you double
    check your orders independently of the purchasing process, you won't
    have to worry about an outsider (or insider) buying your rubber duckies
    for less than bargain basement prices.
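    The independent check the editorial calls for, as an added illustration
    that is not code from the SAC team, ShopFactory or any cart product: the
    fulfillment side keeps its own reference price list and an HMAC key shared
    only with the cart (the key, the price list, the notice format and every
    SKU and price below are constructed for the example), rejects notices
    whose signature does not verify, and recomputes the order total from its
    own list rather than from the prices the notice claims. The first check
    catches the spoofed fulfillment e-mail; the second catches a manipulated
    price even when the notice is correctly signed, which is the case the
    editorial's shared-database warning is about.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed reference price list held by the fulfillment side. It is kept
# separate from whatever price database the cart CGI reads, so a price
# manipulated on the cart side does not also manipulate the check.
REFERENCE_PRICES = {
    "DUCK-RUBBER-YELLOW": Decimal("2.99"),
    "DUCK-RUBBER-GIANT": Decimal("59.99"),
}

# Hypothetical shared secret between the cart and the fulfillment desk; it lets
# the desk reject notices forged by someone who never went through the cart.
NOTICE_KEY = b"constructed-example-key"


def canonical_body(order_id, items):
    """Bytes covered by the signature: the order id, then one line per item."""
    lines = [order_id] + [f"{sku} {qty} {price}" for sku, qty, price in items]
    return "\n".join(lines).encode("utf-8")


def build_notice(order_id, items, key=NOTICE_KEY):
    """Render a fulfillment notice the way the cart would e-mail it (constructed format)."""
    tag = hmac.new(key, canonical_body(order_id, items), hashlib.sha256).hexdigest()
    text = [f"Order: {order_id}"]
    text += [f"Item: {sku} {qty} {price}" for sku, qty, price in items]
    text.append(f"Sig: {tag}")
    return "\n".join(text) + "\n"


def parse_notice(text):
    """Split a notice into (order_id, [(sku, qty, price)], sig); ValueError if an item line is malformed."""
    order_id, items, sig = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Order:"):
            order_id = line.split(":", 1)[1].strip()
        elif line.startswith("Item:"):
            sku, qty, price = line.split(":", 1)[1].split()
            items.append((sku, qty, price))
        elif line.startswith("Sig:"):
            sig = line.split(":", 1)[1].strip()
    return order_id, items, sig


def verify_notice(text, key=NOTICE_KEY, prices=REFERENCE_PRICES):
    """Return (ok, problems, expected_total).

    expected_total is what the order should cost according to the reference
    list, regardless of the prices the notice claims.
    """
    problems = []
    try:
        order_id, items, sig = parse_notice(text)
    except ValueError:
        return False, ["malformed notice"], Decimal("0")
    if order_id is None or not items:
        return False, ["malformed notice"], Decimal("0")

    # Check 1: authenticity. A forged e-mail from someone without the key fails here.
    expected_tag = hmac.new(key, canonical_body(order_id, items), hashlib.sha256).hexdigest()
    if sig is None or not hmac.compare_digest(sig, expected_tag):
        problems.append("signature mismatch: notice forged or altered in transit")

    # Check 2: prices. Recompute from the reference list, never from the notice.
    total = Decimal("0")
    for sku, qty, price in items:
        if sku not in prices:
            problems.append(f"{sku}: unknown item")
            continue
        try:
            quantity = int(qty)
            claimed = Decimal(price)
        except (ValueError, ArithmeticError):
            problems.append(f"{sku}: unparseable quantity or price")
            continue
        if quantity <= 0:
            problems.append(f"{sku}: non-positive quantity {quantity}")
            continue
        if claimed != prices[sku]:
            problems.append(f"{sku}: notice says {claimed}, reference says {prices[sku]}")
        total += prices[sku] * quantity
    return not problems, problems, total


if __name__ == "__main__":
    items = [("DUCK-RUBBER-GIANT", 1, "59.99"), ("DUCK-RUBBER-YELLOW", 25, "2.99")]
    genuine = build_notice("1001", items)
    print(verify_notice(genuine))
    # Outsider re-sends a copied notice with the price tag swapped; has no key.
    forged = genuine.replace("DUCK-RUBBER-GIANT 1 59.99", "DUCK-RUBBER-GIANT 1 2.99")
    print(verify_notice(forged))
    # Tampered cart: signs correctly but submits the wrong price. Only the
    # independent price check catches this one.
    print(verify_notice(build_notice("1002", [("DUCK-RUBBER-GIANT", 1, "2.99")])))
```

    The third case in the usage is the one that matters for the editorial's
    point: the signature is valid, so a verifier that only checks authenticity
    would pass the order, and a verifier that reads prices from the same
    database the cart uses would pass it too. Only a reference list the cart
    cannot write to turns the $2.99 price tag into a flagged order.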

    Those of you interested in the Trust Factory CGI vulnerability can read:
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0018.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.49.018} Win - Enceladus FTP server CD overflow
    {02.49.021} Win - MS02-067: Outlook 2000 e-mail header DoS
    {02.49.022} Win - MS02-068: IE cumulative patch 12/2002
    {02.49.023} Win - IPD kernel protection bypass
    {02.49.003} Linux - Update {02.45.022}: Pine 4.44 malformed from field
                vulnerability
    {02.49.004} Linux - Update {02.43.007}: ypserv memory leak DoS
    {02.49.005} Linux - Update {02.31.009}: RPC XDR array decoding overflow
    {02.49.006} Linux - Update {02.45.027}: KDE KIO rlogin/telnet protocol
                handler overflows
    {02.49.007} Linux - Update {02.40.013}: Apache hostname CSS, ab
                overflow and shared memory vulnerabilities
    {02.49.009} Linux - Gnuplot SuSE local vulnerability
    {02.49.010} Linux - Update {01.33.006}: groff/pic format vulnerability
                circumvents -S
    {02.49.011} Linux - Update {02.35.017}: Python insecure temp file
                handling
    {02.49.002} HPUX - ied unauthorized data access
    {02.49.012} SCO - Update {02.19.010}: OpenBSD file descriptor DoS and
                fd/suid vulnerability
    {02.49.001} Cross - smb2www CGI command execution
    {02.49.008} Cross - OpenLDAP2 multiple vulnerabilities
    {02.49.013} Cross - Canna two local vulnerabilities
    {02.49.014} Cross - wget directory recursion vulnerability
    {02.49.015} Cross - apt-www-proxy multiple vulnerabilities
    {02.49.016} Cross - gtetrinet overflows by malicious server
    {02.49.017} Cross - tcpdump BGP decoding overflow
    {02.49.019} Cross - Cyrus SASL library overflows
    {02.49.020} Cross - Exim admin user pid file vulnerability

    - --- Windows News -------------------------------------------------------

    *** {02.49.018} Win - Enceladus FTP server CD overflow

    The Enceladus Server Suite version 3.9 reportedly contains a buffer
    overflow in the handling of the 'CD' FTP command, thereby allowing
    a remote attacker to execute arbitrary code on the system.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0097.html

    *** {02.49.021} Win - MS02-067: Outlook 2000 e-mail header DoS

    Microsoft released MS02-067 ("Outlook 2000 e-mail header DoS"). The
    Outlook 2000 (only) client crashes when it receives a particular type
    of e-mail with a malformed header. The client will continue to crash
    whenever it encounters the particular e-mail. Other Outlook versions
    are not affected.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-067.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0015.html

    *** {02.49.022} Win - MS02-068: IE cumulative patch 12/2002

    Microsoft released MS02-068 ("IE cumulative patch 12/2002"). This
    patch contains all prior Internet Explorer patches as well as a fix
    for a critical new vulnerability, which lets a malicious e-mail or
    Web site execute arbitrary command-line commands on a user's system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-068.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q4/0017.html

    *** {02.49.023} Win - IPD kernel protection bypass

    The Integrity Protection Driver prior to version 1.3 contains two bugs
    that allow a local attacker to bypass the restrictions it is supposed
    to provide: indirect access to \Device\PhysicalMemory via an object
    symlink; and dependency on the system clock lets an attacker roll
    the clock back in order to disengage the driver.

    These vulnerabilities are confirmed and fixed in version 1.3.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q4/0087.html

    - --- Linux News ---------------------------------------------------------

    *** {02.49.003} Linux - Update {02.45.022}: Pine 4.44 malformed from
                    field vulnerability

    Conectiva released updated pine packages, which fix the vulnerability
    discussed in {02.45.022} ("Pine 4.44 malformed from field
    vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0023.html

    *** {02.49.004} Linux - Update {02.43.007}: ypserv memory leak DoS

    Caldera/SCO released updated nis packages, which fix the vulnerability
    discussed in {02.43.007} ("ypserv memory leak DoS").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0022.html

    *** {02.49.005} Linux - Update {02.31.009}: RPC XDR array decoding
                    overflow

    Caldera/SCO released updated glibc packages, which fix the
    vulnerability discussed in {02.31.009} ("RPC XDR array decoding
    overflow").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0023.html

    *** {02.49.006} Linux - Update {02.45.027}: KDE KIO rlogin/telnet
                    protocol handler overflows

    Debian released updated kdelibs packages, which fix the vulnerability
    discussed in {02.45.027} ("KDE KIO rlogin/telnet protocol handler
    overflows").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0871.html

    *** {02.49.007} Linux - Update {02.40.013}: Apache hostname CSS, ab
                    overflow and shared memory vulnerabilities

    Caldera/SCO released updated Apache packages, which fix the
    vulnerabilities discussed in {02.40.013} ("Apache hostname CSS,
    ab overflow and shared memory vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0024.html

    *** {02.49.009} Linux - Gnuplot SuSE local vulnerability

    SuSE indicated that a SuSE-specific patch to gnuplot introduces a
    local buffer overflow on systems prior to SuSE version 8.0.

    SuSE confirmed this vulnerability. A patch is currently in the
    works. Information is in the Pending Vulnerabilities section of the
    URL referenced below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/1119.html

    *** {02.49.010} Linux - Update {01.33.006}: groff/pic format
                    vulnerability circumvents -S

    Caldera/SCO released updated groff packages, which fix the
    vulnerability discussed in {01.33.006} ("groff/pic format vulnerability
    circumvents -S").

    Updated RPMs are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0025.html

    *** {02.49.011} Linux - Update {02.35.017}: Python insecure temp file
                    handling

    Mandrake rereleased updated python packages, which fix the
    vulnerability discussed in {02.35.017} ("Python insecure temp file
    handling"). The previous updates contained a packaging error.

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0267.html

    - --- HP-UX News ---------------------------------------------------------

    *** {02.49.002} HPUX - ied unauthorized data access

    An HP advisory indicates that the ied utility can view unauthorized
    data. Further details were not provided.

    This vulnerability is confirmed. Patches were released:
    HPUX 11.00: PHCO_24446
    HPUX 10.XX: PHCO_27560

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/hp/2002-q4/0053.html

    - --- SCO News -----------------------------------------------------------

    *** {02.49.012} SCO - Update {02.19.010}: OpenBSD file descriptor DoS
                    and fd/suid vulnerability

    SCO/Caldera released updates, which fix the vulnerability
    discussed in {02.19.010} ("OpenBSD file descriptor DoS and fd/suid
    vulnerability"). It turns out SCO is also vulnerable to one of the
    problems suffered by OpenBSD.

    Updates are listed at the reference URL below.

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0026.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.49.001} Cross - smb2www CGI command execution

    A Debian advisory indicates that a vulnerability in the smb2www CGI
    allows a remote attacker to execute arbitrary command-line commands
    accessible to the Web server user ID.

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0864.html

    *** {02.49.008} Cross - OpenLDAP2 multiple vulnerabilities

    The SuSE security team found multiple remote and local buffer overflows
    in the OpenLDAP2 package, which allow the execution of arbitrary code.

    SuSE confirmed these and released updated RPMs, listed at the reference
    URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q4/1119.html

    *** {02.49.013} Cross - Canna two local vulnerabilities

    The Canna kana-kanji input server contains two vulnerabilities,
    including a local buffer overflow that yields user 'bin' privileges.

    Red Hat confirmed this and released updated RPMs, listed at the
    reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0053.html

    *** {02.49.014} Cross - wget directory recursion vulnerability

    Wget prior to version 1.8.2 contains a vulnerability whereby a
    malicious Web site's content could cause wget to write files outside
    the download directory.

    Red Hat confirmed this vulnerability and released updated RPMs,
    listed at the reference URL below.

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0054.html

    *** {02.49.015} Cross - apt-www-proxy multiple vulnerabilities

    The apt-www-proxy utility version 0.1 contains two vulnerabilities:
    a denial of service attack that causes the app to crash; and various
    format string vulnerabilities that could allow the execution of
    arbitrary code.

    These vulnerabilities are not confirmed. A third-party patch is
    available at the reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0081.html

    *** {02.49.016} Cross - gtetrinet overflows by malicious server

    The gtetrinet game included with Debian Linux contains multiple buffer
    overflows that may allow a malicious server to execute arbitrary code
    on a user's system.

    Debian confirmed this vulnerability and released updated DEBs, listed
    at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0951.html

    *** {02.49.017} Cross - tcpdump BGP decoding overflow

    Tcpdump's decoding of BGP messages contains a buffer overflow that
    allows maliciously introduced BGP traffic to execute arbitrary code on
    the machine running tcpdump.

    This vulnerability is confirmed.

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0952.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0018.html

    Source: Debian, Caldera
    http://archives.neohapsis.com/archives/linux/debian/2002-q4/0952.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0018.html

    *** {02.49.019} Cross - Cyrus SASL library overflows

    The Cyrus SASL library prior to version 2.1.10 contains buffer
    overflows that could lead to the remote execution of arbitrary code.

    Multiple products use the SASL library for authentication.

    This vulnerability is confirmed and fixed in version 2.1.10.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0075.html

    *** {02.49.020} Cross - Exim admin user pid file vulnerability

    Exim versions 3.x and 4.x contain a vulnerability that allows a defined
    Exim admin user to exploit a local format string buffer overflow in
    the handling of the pid_file_path parameter.

    The vendor confirmed this vulnerability and released a patch,
    available at:
    http://www.exim.org/pipermail/exim-users/Week-of-Mon-20021202/046978.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-12/0033.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9+N+3+LUG5KFpTkYRAhqhAJ4nX60SjuqRI1O+rO6JiZWr+oruKwCgh9ud
    WOQZtxmx0ipb6ZLVfjoH4eo=
    =+2fI
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).