From: Network Computing and The SANS Institute (sans+ZZ50114773684146342_at_sans.org)
Date: Thu Jan 30 2003 - 14:52:35 CST

    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 004 (03.04)
                      Thursday, January 30, 2003
                           Created for you by
                Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    One rare and useful skill in fighting back against hackers is reverse
    engineering of malicious code. Sadly, too few defenders know how to do
    it. One of the best is Lenny Zeltser, and SANS has persuaded Lenny to
    offer his "Reverse-Engineering Malware" course as part of the SANS
    on-site training program. If your organization is looking to expand its
    capacity to fight malicious code, see http://www.sans.org/onsite to
    learn more about this course.

    ************************* Begin Advertisement ************************

    This issue sponsored by Internet Security Systems.

    Need expert assistance to recover from SQL Slammer?
    Trust the pros who were the first to discover, name and
    respond to the Slammer worm: Internet Security Systems!
    Click for special offers on X-Force (tm) Information
    Security Assessment or our Emergency Response Services!
    http://www.iss.net/ad/ers_cmpnetcompsans013003

    ************************** End Advertisement *************************

    To not add to the inundation of worm reports, this will be the only
    mention of the SQL Slammer worm. All said and done, the Internet is
    still here and now there are other security issues to address.

    Notable vulnerabilities this week include a slocate local buffer
    overflow, a Solaris KCMS overflow and a Microsoft patch that removes
    a denial of service found in domain controllers.

    Over the course of the last months, the SAC team has been making small
    changes to increase the efficiency and conciseness of this newsletter.
    One recent change was the grouping of third-party PHP script
    vulnerabilities into a single item. This reduces the overall number of
    items in the newsletter (while still reporting all vulnerabilities),
    thereby allowing you to more quickly analyze our content for immediate
    risks. Or at least that's what we hope. However, we'd like to hear your
    opinion on this change. If you have a spare moment, we set up an online
    feedback page so you can tell us if you like this type of grouping. The
    process is quick. Just go to the URL below, and in two clicks you'll be
    done. http://archives.neohapsis.com/vote/

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {03.04.007} Win - MS03-001: DC locator service overflow
    {03.04.008} Win - MS03-002: MS Content Management Server cumulative
                patch
    {03.04.009} Win - MS03-003: Outlook 2002 v1 exchange certificate
                information leak
    {03.04.016} Win - MS Terminal Server locked MSGINA DoS
    {03.04.001} Linux - Update {03.02.020}: KDE parameter mishandling on
                shell commands
    {03.04.002} Linux - Update {03.03.010}: ISC DHCP/minires buffer overflow
    {03.04.004} Linux - Update {02.50.024}: Fetchmail local address
                creation vulnerability
    {03.04.006} Linux - Update {02.29.004}: libpng progressive image
                loading overflows
    {03.04.010} Linux - Update {03.03.008}: MySQL multiple vulnerabilities
                01/21
    {03.04.014} Linux - Update {03.03.003}: CVS directory double-free
                vulnerability
    {03.04.015} Sol - kcms_server KCS_OPEN_PROFILE file retrieval
    {03.04.017} Sol - at -r race condition
    {03.04.003} Cross - Multiple PHP script vulnerabilities 01/28
    {03.04.005} Cross - dhcprelay invalid BOOTP packet flood/DoS
    {03.04.011} Cross - Hypermail attachment name progress overflow
    {03.04.012} Cross - SpamAssassin spamc BSMTP overflow
    {03.04.013} Cross - slocate -r/-c parameter overflow
    {03.04.018} Cross - Sun Java JSSE incorrect certificate validation

    - --- Windows News -------------------------------------------------------

    *** {03.04.007} Win - MS03-001: DC locator service overflow

    Microsoft released MS03-001 ("DC locator service overflow"). The
    Windows locator service, which is running by default on Windows NT
    and 2000 domain controllers, contains a buffer overflow that allows
    a remote attacker to execute arbitrary code.

    FAQ and patch:
    http://www.microsoft.com/security/security_bulletins/ms03-001.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2003-q1/0000.html

    *** {03.04.008} Win - MS03-002: MS Content Management Server cumulative
                    patch

    Microsoft released MS03-002 ("MS Content Management Server cumulative
    patch"). Microsoft Content Management Server version 2001 contains
    a cross-site scripting bug. Version 2002 is unaffected.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS03-002.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2003-q1/0001.html

    *** {03.04.009} Win - MS03-003: Outlook 2002 v1 exchange certificate
                    information leak

    Microsoft released MS03-003 ("Outlook 2002 v1 exchange certificate
    information leak"). Outlook 2002 contains a bug when encrypting
    HTML e-mail with v1 Exchange Server Security certificates, which could
    leave the e-mail unencrypted. This could expose sensitive information.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS03-003.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2003-q1/0002.html

    *** {03.04.016} Win - MS Terminal Server locked MSGINA DoS

    A report has surfaced indicating that normal users of Windows Terminal
    Server can remotely reboot the server by first creating a read lock on
    msgina.dll and then logging in.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0257.html

    - --- Linux News ---------------------------------------------------------

    *** {03.04.001} Linux - Update {03.02.020}: KDE parameter mishandling
                    on shell commands

    Multiple vendors released multiple updated KDE packages, which fix
    the vulnerability discussed in {03.02.020} ("KDE parameter mishandling
    on shell commands").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2003-q1/0026.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0027.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0028.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0031.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0032.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0033.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0034.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0035.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0036.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0037.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0032.html

    Source: Debian, Mandrake
    http://archives.neohapsis.com/archives/vendor/2003-q1/0026.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0027.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0028.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0031.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0032.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0033.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0034.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0035.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0036.html
    http://archives.neohapsis.com/archives/vendor/2003-q1/0037.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0032.html

    *** {03.04.002} Linux - Update {03.03.010}: ISC DHCP/minires buffer
                    overflow

    Multiple vendors released updated DHCP daemon packages, which fix
    the vulnerability discussed in {03.03.010} ("ISC DHCP/minires buffer
    overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0031.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0004.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0243.html

    Updated Slackware tarballs:
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html

    Source: Mandrake, Conectiva, SuSE, Slackware
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0031.html
    http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0004.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0243.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0250.html

    *** {03.04.004} Linux - Update {02.50.024}: Fetchmail local address
                    creation vulnerability

    EnGarde and Mandrake released updated Fetchmail packages, which fix
    the vulnerability discussed in {02.50.024} ("Fetchmail local address
    creation vulnerability").

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0001.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0050.html

    Source: EnGarde, Mandrake
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0001.html
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0050.html

    *** {03.04.006} Linux - Update {02.29.004}: libpng progressive image
                    loading overflows

    Mandrake and Conectiva released updated libpng packages, which fix
    the vulnerability discussed in {02.29.004} ("libpng progressive image
    loading overflows").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0035.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0006.html

    Source: Mandrake, Conectiva
    http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0035.html
    http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0006.html

    *** {03.04.010} Linux - Update {03.03.008}: MySQL multiple
                    vulnerabilities 01/21

    EnGarde released updated MySQL packages, which fix the vulnerabilities
    discussed in {03.03.008} ("MySQL multiple vulnerabilities 01/21").

    Updated RPMs are listed at the reference URL below.

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0000.html

    *** {03.04.014} Linux - Update {03.03.003}: CVS directory double-free
                    vulnerability

    Multiple vendors released updated CVS packages, which fix the
    vulnerability discussed in {03.03.003} ("CVS directory double-free
    vulnerability").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0225.html

    Updated Slackware tarballs:
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0232.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0003.html

    Source: SuSE, Conectiva, Slackware (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/suse/2003-q1/0225.html
    http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0003.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0232.html

    - --- Solaris News -------------------------------------------------------

    *** {03.04.015} Sol - kcms_server KCS_OPEN_PROFILE file retrieval

    The kcms_server daemon contains a vulnerability in the KCS_OPEN_PROFILE
    procedure that allows a remote attacker to read arbitrary files on
    the system.

    This vulnerability is confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0211.html

    *** {03.04.017} Sol - at -r race condition

    The at utility reportedly contains a race condition in the deletion
    of files provided to the -r command-line option. The end result is
    that a local attacker can delete any file on the system.

    This vulnerability is not confirmed. An exploit has been published.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0044.html

    - --- Cross-Platform News ------------------------------------------------

    *** {03.04.003} Cross - Multiple PHP script vulnerabilities 01/28

    The following list of vulnerable PHP script packages was reported
    this week. Typically, these vulnerabilities are not confirmed.

    MyRoom 3.5: file upload/script execution
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0197.html

    PHPMyPub 1.2.0: admin authorization bypass
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0200.html

    Zorum Portal 3.x: file include/remote script execution
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0209.html

    PHP TopSites: multiple vulnerabilities
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0217.html

    PHPLinks 2.x: unauthorized e-mail sending
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0244.html

    YabbSE 1.5.1: file include/remote code execution
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0205.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0259.html

    Dotproject dev20030121: file reading
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0320.html

    Nuked-Klan 1.2: cross-site scripting and SQL injection
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0330.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0197.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0200.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0209.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0217.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0244.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0259.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0320.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0330.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0205.html

    *** {03.04.005} Cross - dhcprelay invalid BOOTP packet flood/DoS

    A Debian advisory indicates the dhcprelay application incorrectly
    handles malformed BOOTP packets, which causes the dhcprelay application
    to broadcast multiple copies, flooding the network and causing a
    denial of service.

    Updated Debian DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2003-q1/0211.html

    *** {03.04.011} Cross - Hypermail attachment name progress overflow

    Hypermail versions prior to 2.1.6 contain a buffer overflow in the
    handling of large attachment file names if the 'progress' display
    option is set to 2. This is typically only used for debugging and
    is not the default. The 'mail' CGI program also contains a buffer
    overflow in the handling of large DNS host names.

    Version 2.1.6 contains the fixes.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0042.html

    *** {03.04.012} Cross - SpamAssassin spamc BSMTP overflow

    The spamc daemon shipped with SpamAssassin versions 2.40 through 2.43
    contains a buffer overflow when running in BSMTP mode. This allows
    a remote attacker to execute arbitrary code.

    This vulnerability is confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0272.html

    *** {03.04.013} Cross - slocate -r/-c parameter overflow

    The slocate application contains buffer overflows in the handling
    of the -r and -c command-line parameters. Since slocate is typically
    installed suid root, this allows a local root compromise.

    This vulnerability is confirmed and fixed in version 2.7, available at:
    ftp://ftp.geekreview.org/slocate/src/slocate-2.7.tar.gz

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0273.html
    http://archives.neohapsis.com/archives/bugtraq/2003-01/0278.html

    *** {03.04.018} Cross - Sun Java JSSE incorrect certificate validation

    Sun's JSSE (Java Secure Socket Extension) does not properly validate
    digital certificates, possibly allowing a malicious Web site to trick
    the JSSE application into believing it is trusted.

    Sun confirmed this vulnerability.

    HP-UX patches are listed at the reference URL below.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2003-q1/0018.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE+OYnY+LUG5KFpTkYRAhzfAJ0ddc7UTulmjwnxBlDqrIN/gOgRmgCeLc5l
    yFFpc/8hZ/txIRhyBqqATYI=
    =5Ths
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <sans@sans.org>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find back issues of Security Alert Consensus
    (and other SANS newsletters) online. http://www.sans.org/newsletters/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2003 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).