From: Stephen Entwisle (se@securityfocus.com)
Date: Mon Apr 02 2001 - 12:56:46 CDT
SecurityFocus.com Microsoft Newsletter #28
------------------------------------------
I. FRONT AND CENTER
1. The NT Local Administrator and Shared Passwords
II. MICROSOFT VULNERABILITY SUMMARY
1. Windows NT Dr. Watson 'user.dmp' Permissions Vulnerability
2. Plus! 98 Windows ME Password Disclosure Vulnerability
3. Visual Basic / Visual Studio 'VB T-SQL ' Buffer Overflow Vulnerability
4. IE MIME Header Attachment Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. [No Subject]
2. Can't do switched SMB sniff (was: l0phtcrack on a switched...(Thread)
3. IPSec (Thread)
4. Windows NT4 Remote Registry Access (Thread)
5. Windows 2000 Opened Ports (Thread)
6. MDAC Version vulnerability. (Thread)
7. MS00-080. "HTTP 500 Internal server error" (asp.dll?) (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Specter
2. Centrax
3. Steganos 3 Security Suite
4. MAILsweeper for SMTP
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Restorer2000
2. Redirector
3. PromiScan
4. winpcap - Win2000
5. winpcap - W95
VI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. FRONT AND CENTER
-------------------
1. The NT Local Administrator and Shared Passwords
There is a Local Administrator account on every NT machine currently
deployed. It is extremely common to find many NT machines in an enterprise
sharing the same password for this Local Administrator account. This
article by SecurityFocus writer Daniel Marvin will establish that this
shared password constitutes a security vulnerability. It will subsequently
discuss various steps to mitigate the risk arising from the shared
password, and make a case for applying unique passwords to every Local
Administrator account in your enterprise.
http://www.securityfocus.com/focus/microsoft/nt/sharedpass.html
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Windows NT Dr. Watson 'user.dmp' Permissions Vulnerability
BugTraq ID: 2501
Remote: No
Date Published: 2001-03-23
Relevant URL:
http://www.securityfocus.com/bid/2501
Summary:
Dr. Watson ships with Microsoft Windows NT and is installed by default.
Dr. Watson is a system error debugger designed to detect and locate errors
in programs. Every time a fault occurs, the error is logged to a text file
or the faulting process's memory is saved to a binary crash dump file
(user.dmp). A crash in Outlook Express, for example, would write whatever
sensitive information was resident in memory, such as email passwords or
other security-related data, to the dump file.
Due to a security flaw in Microsoft Windows NT's implementation of Dr.
Watson, the Everyone group has Full Control of the crash dump file
(user.dmp). The file contains varied information, including processes
running at the time the error occurred, details of the program error
itself, information on the system and the user logged in at the time the
error took place, etc. If an unauthorized user successfully gained access
to this file, they could obtain sensitive information, including (for
example) POP3 account passwords, or other private data.
It should be noted that Windows 2000 is subject to the same issue except a
user would only gain read access to the 'user.dmp' file.
Successful exploitation of this vulnerability could lead to the disclosure
of sensitive information (the POP3 password) and possibly assist in
further compromises of the victim's privacy and security.
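To make concrete why a world-readable user.dmp matters, the following added example (not from the original newsletter or from Microsoft) scans a crash dump for the POP3 USER/PASS exchange the summary describes. The dump bytes are constructed inline and are not a real Dr. Watson file; the minidump "MDMP" magic and the sample credentials are assumptions for the demonstration. It checks both narrow and UTF-16LE text, since a Windows process typically holds strings in both forms, and scans the wide form at both byte alignments because a wide string need not start on an even offset.

```python
import re
import sys

# Constructed sample dump for the example (not a real Dr. Watson user.dmp):
# a POP3 login exchange embedded once as narrow (ANSI) text and once as
# UTF-16LE, the two forms a Windows process typically holds strings in.
SAMPLE_EXCHANGE = b"+OK POP3 ready\r\nUSER alice\r\nPASS s3cret!\r\n+OK\r\n"
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"MDMP" + b"\x00" * 32                               # minidump magic plus padding
    + SAMPLE_EXCHANGE                                      # narrow copy
    + b"\x00" * 128
    + SAMPLE_EXCHANGE.decode("ascii").encode("utf-16-le")  # wide copy, lands at an odd offset
    + b"\xff" * 64
)

# POP3 sends USER and PASS in the clear, so the credential sits in memory
# exactly as it went over the wire.
NARROW_RE = re.compile(rb"\b(USER|PASS)[ \t]+([^\r\n\x00]{1,255})")
WIDE_RE = re.compile(r"\b(USER|PASS)[ \t]+([^\r\n\x00\ufffd]{1,255})")


def find_pop3_credentials(dump):
    """Return (encoding, command, value) tuples for every POP3 USER/PASS
    string found in the dump, in narrow and UTF-16LE form."""
    found = []
    for cmd, value in NARROW_RE.findall(dump):
        found.append(("ascii", cmd.decode("ascii"), value.decode("latin-1")))
    # Wide strings may start at an even or odd byte offset, so decode the
    # buffer at both alignments; a real string only decodes at one of them.
    for offset in (0, 1):
        text = dump[offset:].decode("utf-16-le", errors="replace")
        for cmd, value in WIDE_RE.findall(text):
            found.append(("utf-16-le", cmd, value))
    return found


def main(argv):
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_DUMP
    for encoding, cmd, value in find_pop3_credentials(data):
        shown = value if cmd == "USER" else "*" * len(value)
        print(f"{encoding:10s} {cmd} {shown}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real user.dmp as `python scan_dump.py user.dmp` from an account that can read the file; on NT the Everyone group can, which is the whole problem. The same scan applies to any process that handles cleartext credentials, not only Outlook Express.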
2. Microsoft Plus! 98 Windows ME Password Disclosure Vulnerability
BugTraq ID: 2516
Remote: No
Date Published: 2001-03-28
Relevant URL:
http://www.securityfocus.com/bid/2516
Summary:
Plus! 98 is an add on package by Microsoft for Windows 98 and includes
numerous add-on features. One feature called Compressed Folders enables
the user to password-protect compressed folders. This feature was
implemented in Windows ME.
Due to a flaw in the implementation of the Compressed Folders feature in
Microsoft Plus! 98 and Windows ME, the password used to protect the
compressed folder is stored on the user's machine in plaintext. A user who
gains access to a machine with this feature installed could locate the
file where the password is stored and use it to access any compressed
folder and the contents within the folder.
Successful exploitation could allow a local intruder to gain full access
to any compressed folder and file.
3. Microsoft Visual Basic / Visual Studio 'VB T-SQL' Buffer Overflow Vulnerability
BugTraq ID: 2521
Remote: Yes
Date Published: 2001-03-27
Relevant URL:
http://www.securityfocus.com/bid/2521
Summary:
Visual Basic Enterprise Edition and Visual Studio Enterprise Edition both
ship with a DCOM object called VB T-SQL Debugger (vbsdicli.exe). T-SQL
Debugger lets a user remotely debug stored procedures written in
Transact-SQL. It runs with the privileges of the locally logged-in user.
A method of the VB T-SQL Debugger object called 'NewSPID' creates a new
stored procedure ID within the database.
The 'lpctstrDbName' parameter of 'NewSPID' is copied into an unchecked
buffer; supplying 128 characters or more as the database name overflows
it. The result is a buffer overflow condition that may lead to the
execution of arbitrary code. Because the object is exposed over DCOM, the
issue is reachable remotely.
Successful exploitation of this vulnerability could lead to complete
compromise of the host.
4. Microsoft IE MIME Header Attachment Execution Vulnerability
BugTraq ID: 2524
Remote: Yes
Date Published: 2001-03-29
Relevant URL:
http://www.securityfocus.com/bid/2524
Summary:
Multipurpose Internet Mail Extensions (MIME) lets users exchange arbitrary
data files over the Internet. Before transmission, the sending system
labels the data with a MIME content type in a header, which lets the
recipient choose the appropriate viewer for it. Uncommon MIME types are
normally not opened automatically; instead the user is prompted with a
warning message of some kind.
HTML email messages are rendered by IE, which displays the HTML mail and
selects the appropriate attachment viewer if necessary. HTML mail is
displayed by IE rather than by the mail application itself because HTML
mail is essentially a web page sent as mail.
Due to a flaw in IE, an attacker can run remotely supplied code on the
recipient's machine.
If an attacker composes an HTML email containing an executable attachment
whose MIME header has been modified to an uncommon type, IE executes the
attachment rather than prompting the user. The end result may be the
execution of arbitrary code.
This vulnerability could also be exploited via a malicious web site
hosting the HTML document in question.
Successful exploitation of this vulnerability could lead to complete
compromise of the host.
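The summary above describes an executable attachment travelling under a MIME type that does not match its content. The following added example (not from the newsletter, not from Microsoft, and not an exploit) shows the check a mail gateway or filter would apply: decode each attachment and compare the declared Content-Type against the file's name and its first bytes. The sample messages are constructed inline with Python's standard email library; the specific declared type "audio/x-wav" and the file names are assumptions chosen for the demonstration, not values taken from the advisory.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on open; an attachment with one of these names
# should be declared as application/* so the client treats it as executable.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".hta"}


def build_sample_message(declared_type, filename, payload):
    """Constructed HTML mail with one attachment whose Content-Type is
    whatever the caller declares (sample data for the example, not a
    real exploit message)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>see attachment</body></html>", subtype="html")
    maintype, subtype = declared_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def check_attachments(raw_message):
    """Return one finding per attachment: declared type, filename, and
    whether the content or name says 'executable' while the type does not."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        reasons = []
        # A PE image (MZ header) is executable no matter what the header says.
        if data.startswith(b"MZ") and not declared.startswith("application/"):
            reasons.append(f"PE executable declared as {declared}")
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            reasons.append(f"executable name {name!r} declared as {declared}")
        findings.append({"filename": name, "declared": declared,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    mismatched = build_sample_message("audio/x-wav", "movie.exe",
                                      b"MZ\x90\x00" + b"\x00" * 60)
    benign = build_sample_message("image/gif", "cat.gif",
                                  b"GIF89a" + b"\x00" * 20)
    for raw in (mismatched, benign):
        for finding in check_attachments(raw):
            print(finding)
```

The point of checking both the name and the leading bytes is that either one alone is attacker-controlled: the content type and file name come from the sender, so the only trustworthy signal is what the bytes actually are. A filter that blocks on mismatch does not depend on the client prompting correctly.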
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. [ no subject ]
Relevant URL:
2. Can't do switched SMB sniff (was: l0phtcrack on a switched network, still...) (Thread)
Relevant URL:
3. IPSec (Thread)
Relevant URL:
4. Windows NT4 Remote Registry Access (Thread)
Relevant URL:
5. Windows 2000 Opened Ports (Thread)
Relevant URL:
6. MDAC Version vulnerability. (Thread)
Relevant URL:
7. MS00-080. "HTTP 500 Internal server error" (asp.dll?) (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-03-30%26thread%3d00bb01c0b38a$dda7e300$8ef41e18@martinagency.com
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Specter
by Netsec
Platforms: Windows NT
Relevant URL:
http://www.securityfocus.com/products/668
Summary:
SPECTER is a smart honeypot or deception system. It simulates a complete
machine for attackers to work on. SPECTER offers common Internet services
such as SMTP and FTP which appear perfectly normal to the attackers but in
fact are traps for them to tap into, mess around and leave traces without
even knowing that they are connected to a fake system which does none of
the things it appears to do but instead logs everything and notifies the
appropriate people. SPECTER can even investigate the originators while
they are still trying to break in.
2. Centrax
by CyberSafe
Platforms: Windows NT
Relevant URL:
http://www.securityfocus.com/products/901
Summary:
Centrax is a complete intrusion detection suite that integrates network
and host-based intrusion detection, vulnerability assessment, and audit
policy management into a single, easy-to-use package. Centrax provides the
most effective balance between network and host technologies, providing
maximum protection against all threats to an enterprise. The system also
includes vulnerability analysis and policy management to complete its
comprehensive detection and response capability. By combining each of
these components under a common interface, Centrax provides a balanced,
complete suite for detecting threats both inside and outside the network.
3. Steganos 3 Security Suite
Platforms: Windows 2000, Windows 95/98 and Windows NT
by CenturionSoft
Relevant URL:
http://www.securityfocus.com/products/1162
Summary:
The Steganos 3 Security Suite is a complete, easy to use security package.
Steganos encrypts and conceals your data. The Steganos Safe is your secure
hard drive, which disappears at the click of a button. Includes: Internet
Trace Destructor, file shredder, e-mail encryption, password manager and
computer locking.
4. MAILsweeper for SMTP
Platforms: Windows 2000 and Windows NT
by Baltimore Technologies
Relevant URL:
http://www.securityfocus.com/products/1412
Summary:
Mission-critical Content Security solution for the gateway that allows
businesses to implement policy for Internet e-mail. Free download for
pre-purchase trial.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Restorer2000
by BitMart Inc.
Platforms: Windows NT
Relevant URL:
http://www.securityfocus.com/tools/1982
Summary:
Restorer2000 is a powerful utility that can undelete files accidentally
deleted from NTFS partitions and even reconstruct formatted and corrupted
drives. Restorer2000 can restore files in such non-trivial cases as
national-language filenames, very long filenames, NTFS-compressed files
and files with alternate data streams, such as Windows 2000 file
information. Its SmartScan technology, combined with the flexibility of
adjusting every parameter, gives you real control over fast data
reconstruction. Drive images are useful for tasks such as recovering a
drive with many bad sectors. Detailed context-sensitive help and the
ability to adjust as much as possible bring quality and data safety to
unusual situations. You can find and restore deleted files in a few
seconds using the program's algorithms.
2. Redirector
by sallas
Platforms: Windows 95/98
Relevant URL:
http://www.securityfocus.com/tools/1981
Summary:
Forget FXP; this is the new trading tool. Example: you want a movie, and
the other party wants an MP3 album that is on one of your servers. Usually
you would have to download the album and upload it to the other party.
With Redirector, you simply let the other party connect to your IP and
they are redirected to the server holding the album, much like the FXP
method: they can download the MP3s without knowing the IP, port, username
or password of your server. Easy trading.
3. PromiScan
by Hyler <hyler@securityfriday.com>
Platforms: Windows 2000
Relevant URL:
http://www.securityfocus.com/tools/1980
Summary:
This software searches for promiscuous nodes on the local network without
creating a heavy load on it. Finding a promiscuous node is difficult and
in many cases the result is not certain; PromiScan quickly lists the nodes
likely to be in promiscuous mode, so you can find nodes where promiscuous
mode is not permitted. PromiScan is useful for the security management of
a local network.
4. winpcap - Win2000
by Loris Degioanni, Piero Viano, Fulvio Risso, others - winpcap@netgroup-serv.polito.it
Platforms: Windows 2000
Relevant URL:
http://www.securityfocus.com/tools/1493
Summary:
The packet capture driver is a device driver that adds to Windows 95,
Windows 98, Windows NT and Windows 2000 the ability to capture and send
raw packets in a way very similar to the Berkeley Packet Filter of UNIX
kernels. Packet.dll is an API that can be used to access directly the
functions of the BPF driver. WinPcap exports a set of primitives that are
compatible with libpcap, the famous UNIX capture library. It offers a set
of higher level functions to capture packets in a way independent from the
underlying network hardware and operating system.
5. winpcap - W95
by Loris Degioanni, Piero Viano, Fulvio Risso, others - winpcap@netgroup-serv.polito.it
Platforms: Windows 95/98
Relevant URL:
http://www.securityfocus.com/tools/1491
Summary:
The packet capture driver is a device driver that adds to Windows 95,
Windows 98, Windows NT and Windows 2000 the ability to capture and send
raw packets in a way very similar to the Berkeley Packet Filter of UNIX
kernels. Packet.dll is an API that can be used to access directly the
functions of the BPF driver. WinPcap exports a set of primitives that are
compatible with libpcap, the famous UNIX capture library. It offers a set
of higher level functions to capture packets in a way independent from the
underlying network hardware and operating system.
VI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE FOCUS-MS Lastname, Firstname
You will receive a confirmation request message to which you will have
to respond.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE FOCUS-MS
If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET FOCUS-MS NOMAIL
To turn back on e-mail delivery use the command:
SET FOCUS-MS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest, join the list normally (see question 1 above)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET FOCUS-MS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET FOCUS-MS NODIGEST
If you want to unsubscribe from the list completely, follow the
instructions in question 2 above.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send e-mail from the
appropriate address or e-mail the moderator to be unsubscribed manually.