From: Ben Greenbaum (bgreenbaum@securityfocus.com)
Date: Mon Jul 16 2001 - 12:30:31 CDT
SecurityFocus Microsoft Newsletter #43
--------------------------------
I. FRONT AND CENTER
1. Basic Security Mechanisms for Wireless Networks
2. Chasing the Wind, Episode Eight: Still Waters
3. Future Shock
II. MICROSOFT VULNERABILITY SUMMARY
1. MS Visual Studio RAD Support Buffer Overflow Vulnerability
2. Multiple Vendor Small TCP MSS Denial of Service Vulnerability
3. Microsoft Windows 2000 LDAP SSL Password Modification
4. Microsoft Windows 2000 SMTP Improper Authentication Vulnerability
5. Windows 2000 Active Directory Authentication Vulnerability
6. Microsoft Outlook Express Address Book Spoofing Vulnerability
7. Microsoft IIS Unicode .asp Source Code Disclosure Vulnerability
8. Microsoft IIS Device File Local DoS Vulnerability
9. Microsoft Word Document Macro Execution Vulnerability
10. Microsoft SQL Server Administrator Cached Connection...
11. Microsoft Exchange OWA Embedded Script Execution Vulnerability
12. MS Index Server and Indexing Service ISAPI Extension Buffer...
13. Microsoft Internet Explorer File Contents Disclosure...
14. Microsoft Internet Explorer File Disclosure Vulnerability
15. Microsoft Windows 2000 Telnet Username DoS Vulnerability
16. Microsoft Windows 2000 Telnet Multiple Sessions DoS Vulnerability
17. Microsoft Windows 2000 Telnet Service DoS Vulnerability
18. Microsoft Windows 2000 Telnet System Call DoS Vulnerability
19. Microsoft W2K Telnet Various Domain User Account Access...
20. Microsoft Windows 2000 Telnet Privilege Escalation Vulnerability
21. Windows Media Player Internet Shortcut Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Domain User can add local groups and populate it - working as...
2. Interesting problem with Frontpage 2000 extensions (Thread)
3. Win 2K Ports continued... (Thread)
4. Win 2K Ports (Thread)
5. Is netbios safe on a 2nd NIC? (Thread)
6. good spoofing tool for ChkPnt41 (Thread)
7. Exchange 2000 Front-end / Back-end (Thread)
8. Users under Win2k (Thread)
9. IAS and concurrent sessions (Thread)
10. Thousands of Closed messages to loopback in MSFTP logs (Thread)
11. Email Security (Thread)
12. NetBIOS (Thread)
13. UDP 138. Here is what I do. (Thread)
14. SecurityFocus Microsoft Newsletter #42 (Thread)
15. Exchange Server (Thread)
16. Obscurity Security (Thread)
17. Trinux (Thread)
18. Users -vs- Authentciated Users (Thread)
19. Authenticated Users & Kerberos [Was: RE: Users -vs- Authentc...
20. [Re: [Trinux]] (Thread)
21. Exchange Server - point 1 (Thread)
22. How to find service?? UDP 138?? (Thread)
23. AW: AGI: Security-Analyses-Tool (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Big Crocodile
2. Evidence Eliminator
3. Spy Agent
4. Spy Anywhere
5. NetSecure Web
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. RPC tools v1.0
2. Advanced NT Security Explorer v2.0
3. Stealth HTTP Security Scanner v1.0b29
4. Logs2Intrusions v1.0
5. HEXtreme Hex Editor for Windows v2.3
I. FRONT AND CENTER
-------------------
1. Basic Security Mechanisms for Wireless Networks
by Joe Klemencic
As more companies start to deploy wireless networking, important security
aspects are often overlooked. Wireless networking was initially marketed
towards home consumers and specialized applications, but was limited by
low throughput speeds. As the technology matured, networking standards
were introduced to ensure interoperability between vendors, and greater
speeds were obtained. Driven by both the demands of the users and the
flexibility offered by wireless networks, businesses started to deploy
wireless networks in areas that were difficult to provide wired-based
networking topologies, such as warehouses and conference rooms.
Unfortunately, due to the ease of wireless deployment, and the freshness
of the technology, many network engineers do not realize the risks
associated with operating a wireless network. Even if proper precautions
are taken to ensure a secure wireless network environment, there is still
the risk of a user purchasing their own wireless Access Point (AP) or base
stations and installing it on the network unbeknownst to the IT staff.
http://www.securityfocus.com/focus/basics/articles/wireless.html
2. Chasing the Wind, Episode Eight: Still Waters
by Robert G. Ferrell
This is the eighth installment in Robert G. Ferrell's popular
SecurityFocus series, Chasing the Wind. As we left off last time, Douglas
continued to be both excited and unnerved by the Bellatrix project and Ian
had given himself a scare while defacing a corporate web site. Meanwhile,
Bob wrestled with the frustration of the construction of the new Acme
Ailerons complex, which was now behind schedule and over budget. However,
it seemed that for one group of shady people, the construction problems
were all part of a much larger plan.
http://www.securityfocus.com/focus/ih/articles/chasing8.html
3. Future Shock
By Tim Mullen
"For most of us in the business of technology, there is no great concern
over retina scanners or smart refrigerators. But when the software that
drives our businesses' web applications continues to have vulnerability
after vulnerability that can grant an attacker full control over our
servers, then something has to be done about it-- now."
http://www.securityfocus.com/templates/column.html?id=9
II. MICROSOFT VULNERABILITY SUMMARY
-------------------
1. MS Visual Studio RAD Support Buffer Overflow Vulnerability
BugTraq ID: 2906
Remote: Yes
Date Published: 2001-06-21
Relevant URL:
http://www.securityfocus.com/bid/2906
Summary:
FrontPage Server Extensions (FPSE) ships with Microsoft Office 2000 and
Office XP. FPSE are components that run on IIS servers and are used for
the development of websites via FrontPage and Visual InterDev.
Visual InterDev is a member of the Visual Studio web development tools,
and is used to design web applications that bring together web content,
database resources and various programs. A subcomponent of FPSE called
Visual InterDev RAD Remote Deployment Support, enables the Visual InterDev
developer to easily register COM objects on a web server.
Due to an unchecked buffer in 'fp30reg.dll', the library that implements
Visual InterDev RAD Remote Deployment Support, a remote user could execute
arbitrary code on a target host. If the host is running IIS 5.0, the code
runs in the context of the IWAM_machinename account. On a host running
IIS 4.0, it runs in the SYSTEM context.
The problem lies in the section of code which specifically processes COM
object register requests (fp30reg.dll). If a specially crafted request
composed of 258 bytes is sent to a server with RAD Remote Deployment
Support installed, the buffer could overrun and allow the execution of
arbitrary code.
It should be noted that Visual Studio RAD Deployment Support must be
manually installed and configured by a user. It is not installed by
default.
Successful exploitation of this vulnerability could lead to a complete
compromise of the host.
2. Multiple Vendor Small TCP MSS Denial of Service Vulnerability
BugTraq ID: 2997
Remote: Yes
Date Published: 2001-07-07
Relevant URL:
http://www.securityfocus.com/bid/2997
Summary:
A potential denial of service vulnerability exists in several TCP stack
implementations.
TCP has an MSS (maximum segment size) option that each endpoint uses to
announce to its peer the largest amount of TCP data it is willing to
receive per segment. The MSS is sent in the SYN during connection
establishment and is normally set to the interface MTU minus the fixed
sizes of the IP and TCP headers: 1460 on Ethernet over IPv4, or 1440 on
Ethernet over IPv6.
When data of a length exceeding the MSS is written to a TCP socket, it is
broken down into segments before being passed to IP. For example, if an
application writes 2048 bytes of data to a TCP socket with the MSS set to
256, a total of 8 segments are transmitted. Using IPv4, this incurs an
additional 320 bytes for IP and TCP header data. Using IPv6, the amount
increases to 480 bytes. Sending a large number of packets often also
means a significant increase in the workload of the system sending the
data.
The attack is possible because many TCP stacks enforce only a very small
minimum value for the MSS. By advertising an MSS as low as 1 and then
requesting large amounts of data from a TCP service, an attacker forces
the server to emit one packet per byte of data, each carrying 40 or 60
bytes of headers, and can exhaust its CPU and bandwidth, causing a denial
of service.
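The following is an added example, not code from the original newsletter or
from any of the affected vendors. It parses the option field of a TCP
header to recover the advertised MSS, computes the segment count and header
overhead the text describes for an arbitrary payload size, and flags SYNs
whose MSS falls below a floor. The SYN header is constructed inline for
testing; the floor of 536 (the RFC 1122 default MSS) is an assumption and
should be set to the smallest MTU legitimate clients really use.

```python
import math
import struct

IPV4_HEADER = 20   # fixed IPv4 header, no options
IPV6_HEADER = 40   # fixed IPv6 header
TCP_HEADER = 20    # TCP header without options


def parse_tcp_options(segment: bytes) -> dict:
    """Return the options carried in a TCP header (segment must start at the
    TCP header, IP header already stripped). The MSS option (kind 2,
    length 4) is decoded to an int under the key "mss"; other options are
    returned raw, keyed by their kind byte."""
    if len(segment) < TCP_HEADER:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < TCP_HEADER or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[TCP_HEADER:data_offset]
    parsed = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # No-operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            parsed["mss"] = struct.unpack("!H", body)[0]
        else:
            parsed[kind] = body
        i += length
    return parsed


def segment_cost(payload_len: int, mss: int, ipv6: bool = False) -> tuple:
    """Segments needed to carry payload_len bytes at the given MSS, and the
    total header bytes that costs the sender. For 2048 bytes at MSS 256 this
    gives 8 segments and 320 (IPv4) or 480 (IPv6) header bytes."""
    if mss < 1:
        raise ValueError("MSS must be positive")
    segments = math.ceil(payload_len / mss)
    per_segment = TCP_HEADER + (IPV6_HEADER if ipv6 else IPV4_HEADER)
    return segments, segments * per_segment


def build_syn(mss: int) -> bytes:
    """Constructed sample SYN header (sport 40000, dport 80) carrying only an
    MSS option. Test input, not captured traffic."""
    mss_option = struct.pack("!BBH", 2, 4, mss)
    data_offset_words = (TCP_HEADER + len(mss_option)) // 4   # 6
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,                # ports
                         1, 0,                     # seq, ack
                         data_offset_words << 4,   # data offset, reserved
                         0x02,                     # SYN flag
                         8192, 0, 0)               # window, checksum, urgent
    return header + mss_option


def syn_has_tiny_mss(segment: bytes, floor: int = 536) -> bool:
    """Flag a SYN whose advertised MSS is below the floor. 536 is an assumed,
    conservative floor (the RFC 1122 default MSS); tune it to your network."""
    mss = parse_tcp_options(segment).get("mss")
    return mss is not None and mss < floor
```

segment_cost(2048, 1) shows the amplification the text warns about: 2048
segments and 81920 bytes of headers to move 2 KB. The same MSS floor is the
check a firewall or IDS rule would apply to inbound SYNs.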
3. Microsoft Windows 2000 LDAP SSL Password Modification Vulnerability
BugTraq ID: 2929
Remote: Yes
Date Published: 2001-06-25
Relevant URL:
http://www.securityfocus.com/bid/2929
Summary:
Lightweight Directory Access Protocol (LDAP) is the protocol used to
access the Active Directory service. Active Directory maintains information
about network resources and users, and controls users' privileges to those
resources.
Due to improper permission checks, an ordinary user can modify any user's
Windows 2000 domain login password, provided the LDAP request is made over
an SSL session.
The change is submitted as an LDAP modify request, for example from an
LDIF file such as 'chPwd.ldif', that replaces the target account's
'unicodePwd' attribute with the desired password. Once the modify request
is submitted, the target's domain password is reset to the new value.
The vulnerable modify request can be carried out over TCP port 636 even by
a user who is not a member of the domain.
Successful exploitation could be used to lock domain users out by changing
their passwords. If the domain administrator's password is changed, a
complete compromise of the domain is possible.
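The following is an added example, not code from the newsletter or from
Microsoft, showing what the LDIF modify request above actually contains.
Active Directory requires a unicodePwd value to be the new password wrapped
in double quotes and encoded as UTF-16LE, and because that is binary, LDIF
carries it base64-encoded after a double colon. The distinguished name used
in the usage line is made up.

```python
import base64


def encode_unicode_pwd(password: str) -> str:
    """Encode a password the way AD expects for unicodePwd: the password in
    double quotes, as UTF-16LE, then base64 for the LDIF '::' form."""
    quoted = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(quoted).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Inverse of encode_unicode_pwd, checking the quoting convention."""
    text = base64.b64decode(b64_value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def build_password_change_ldif(dn: str, new_password: str) -> str:
    """Produce the LDIF change record (the contents of a file such as the
    'chPwd.ldif' the text mentions) that replaces a user's unicodePwd."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Hypothetical DN, used only for illustration.
    print(build_password_change_ldif(
        "CN=Jane Doe,OU=Users,DC=example,DC=com", "N3w-Passw0rd!"))
```

On a correctly behaving domain controller a 'replace' of unicodePwd is a
password reset and is refused unless the caller holds the reset-password
right on the target; an ordinary user changing their own password must
instead send a delete of the old value and an add of the new one in the
same modify. Submitting this record over LDAPS as an unprivileged account
against a test user is therefore a direct check for the flaw described.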
4. Microsoft Windows 2000 SMTP Improper Authentication Vulnerability
BugTraq ID: 2988
Remote: Yes
Date Published: 2001-07-05
Relevant URL:
http://www.securityfocus.com/bid/2988
Summary:
The SMTP (Simple Mail Transfer Protocol) server is an internet service
which implements mail transfer according to the SMTP protocol. SMTP
installs by default in Windows 2000.
Due to a flaw in the authentication process of the SMTP service in Windows
2000, it is possible for an unauthorized host to successfully authenticate
and use the SMTP service.
This behaviour occurs when invalid credentials are submitted to the
service during the authentication process. The precise technical details
are not currently known, however the result is that a user without valid
credentials can be successfully authenticated.
This vulnerability could enable an unauthorized user to abuse SMTP
services (mass e-mailing, forging, etc.).
The vendor has reported that this vulnerability only affects the SMTP
service and will not enable an attacker to execute operating system
commands or gain administrative access on the host.
It should be noted that only stand-alone machines are affected by this
issue and not domain members.
Unfortunately, no further technical details have been provided. Updates
will be published as more information becomes available.
5. Windows 2000 Active Directory Authentication Vulnerability
BugTraq ID: 3002
Remote: Yes
Date Published: 2001-06-14
Relevant URL:
http://www.securityfocus.com/bid/3002
Summary:
A vulnerability exists when using Windows 2000 authentication, which could
enable an unauthorized user to authenticate as an authorized user. This is
achieved when using an Active Directory Group name for authentication
along with any password.
This vulnerability is known to affect Mac OS servers when configured to
use Windows 2000 for authentication.
Unfortunately no further technical details have been provided.
6. Microsoft Outlook Express Address Book Spoofing Vulnerability
BugTraq ID: 2823
Remote: Yes
Date Published: 2001-06-05
Relevant URL:
http://www.securityfocus.com/bid/2823
Summary:
Outlook Express is the standard e-mail client that is shipped with
Microsoft Windows 9x/ME/NT.
The address book in Outlook Express can be configured to create an entry
for every address the user replies to. An attacker can construct a message
header that tricks the Address Book into creating an entry for an
untrusted address under the name of a trusted correspondent.
The "From:" field has this format: name <emailaddress>.
If the name is that of a trusted user and the address belongs to the
attacker, replying to the message causes the Address Book to create a
misleading entry under the trusted user's name. All mail subsequently sent
to that entry is delivered to the attacker.
This vulnerability can lead to further social engineering attacks.
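As an added example (not code from the newsletter or from Microsoft), the
check below parses the From: header the way a mail client would and refuses
to bind a display name to a new address when that name is already on file
for a different address. The address book and the two messages are
constructed for the example; the second one carries the spoof described
above. It also treats a display name that is itself an e-mail address but
differs from the real address as a spoof, which goes slightly beyond the
case in the text.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (assumption): display name -> the address the
# recipient actually trusts for that person.
TRUSTED_CONTACTS = {
    "Alice Example": "alice@example.com",
}

# Constructed sample messages, not real mail.
LEGITIMATE_MESSAGE = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: lunch

See you at noon.
"""

SPOOFED_MESSAGE = """From: Alice Example <attacker@evil.example>
To: bob@example.com
Subject: lunch

Reply to this one instead.
"""


def classify_sender(raw_message: str, contacts=TRUSTED_CONTACTS) -> tuple:
    """Split the From: header into (display name, address) and compare the
    address with the one on file for that display name. Returns
    (verdict, name, address) with verdict "trusted", "spoofed" or "unknown".
    Outlook Express trusted the display name implicitly; this makes the
    comparison explicit before any address-book entry is created."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    name = name.strip()
    address = address.strip().lower()
    if not address:
        return ("unknown", name, address)
    # A display name that looks like an address but is not the real one is
    # the same trick in a different coat.
    if "@" in name and name.lower() != address:
        return ("spoofed", name, address)
    expected = contacts.get(name)
    if expected is None:
        return ("unknown", name, address)
    if expected.lower() == address:
        return ("trusted", name, address)
    return ("spoofed", name, address)


def safe_to_add(raw_message: str, contacts=TRUSTED_CONTACTS) -> bool:
    """Only auto-create an address-book entry when the display name is not
    already bound to a different address."""
    verdict, _, _ = classify_sender(raw_message, contacts)
    return verdict != "spoofed"
```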
7. Microsoft IIS Unicode .asp Source Code Disclosure Vulnerability
BugTraq ID: 2909
Remote: Yes
Date Published: 2001-06-21
Relevant URL:
http://www.securityfocus.com/bid/2909
Summary:
When a client requests a resource from an IIS server, the file's extension
determines whether the file is returned as-is or handed to a script engine.
A flaw exists in the handling of .asp requests. Normally, when a request
is made for an .asp file, IIS identifies it as a script and executes it.
However, if the host uses a FAT file system and the request carries a
Unicode-encoded form of the .asp extension, IIS may fail to match the
script mapping and return the source code of the file instead.
Sensitive information in scripts (such as database usernames and
passwords) may be disclosed to attackers. Vulnerabilities present in
scripts may also be revealed if the source code is disclosed. This may
facilitate further attacks against the server.
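The newsletter does not say which encoded form of the extension triggers
this bug, so the added example below (not IIS code, and not from the
newsletter) shows only the general principle behind this class of flaw:
decode the request path once and completely, canonicalize it, and only then
decide which handler the extension maps to. It handles both ordinary %XX
escapes and the %uXXXX form IIS accepted, and contrasts a naive dispatcher
that inspects the raw path with a hardened one. The script-map set is an
assumption.

```python
import re
from urllib.parse import unquote

# Extensions mapped to the ASP engine (assumption: the default script map;
# use the server's real mappings in practice).
SCRIPT_EXTENSIONS = {".asp", ".asa"}

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def canonical_path(raw_path: str) -> str:
    """Decode an IIS request path exactly once: first the IIS-specific
    %uXXXX form, then standard %XX escapes, then fold to one canonical
    shape (forward slashes, lowercase). Nothing is decoded twice, so an
    attacker cannot smuggle a second layer of encoding through."""
    path = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), raw_path)
    path = unquote(path)
    return path.replace("\\", "/").lower()


def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def naive_handler(raw_path: str) -> str:
    """Dispatch on the extension as it appears in the raw request. This is
    the decide-then-decode ordering that lets an encoded or differently
    cased extension slip past the script map and be served as a file."""
    return "script" if _extension(raw_path) in SCRIPT_EXTENSIONS else "static"


def hardened_handler(raw_path: str) -> str:
    """Decode and canonicalize first, then dispatch on the result."""
    ext = _extension(canonical_path(raw_path))
    return "script" if ext in SCRIPT_EXTENSIONS else "static"
```

The pairs in the test are the ones worth running against any dispatcher:
the same file requested as /login.asp, /login.%u0061sp, /login.a%73p and
/LOGIN.ASP must all reach the script engine, or the source is served.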
8. Microsoft IIS Device File Local DoS Vulnerability
BugTraq ID: 2973
Remote: No
Date Published: 2001-07-04
Relevant URL:
http://www.securityfocus.com/bid/2973
Summary:
Microsoft IIS is prone to denial of service attacks by local users.
When an ASP script uses the 'Scripting.FileSystemObject' methods to open
and read from a DOS device name rather than a regular file, the ASP
interpreter hangs, resulting in a denial of service.
The issue is exploitable if a local attacker can create an .asp file that
triggers the condition. A user on a web hosting service could, for
example, use it to deny service to the other websites hosted on the same
server.
The issue may also be exploitable remotely if existing scripts use the
'Scripting.FileSystemObject' methods to open files whose names are
supplied by the remote client. If an attacker can make such a script open
or read from a device name, the denial of service is triggered.
The end result is that the affected web service hangs or crashes and must
be restarted to regain normal functionality.
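The remote variant above is the one worth defending against in code: any
script that opens a file named by the client must reject device names
before the open. The added example below (not from the newsletter, and
written in Python rather than the VBScript an ASP page would use, so the
rules are the same but the syntax is not) applies a character allowlist
first and a reserved-name check second. The allowlist pattern is an
assumption about what names the application needs.

```python
import re

# Names Windows resolves to devices in any directory and with any extension
# (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9).
RESERVED_DEVICE_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{n}" for n in range(1, 10)}
    | {f"lpt{n}" for n in range(1, 10)}
)

# Conservative allowlist for a user-chosen file name (assumption: the
# application only needs plain names such as "report-2001.txt"). It also
# rules out path separators, colons and UNC prefixes outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_reserved_device_name(name: str) -> bool:
    """True if Windows would map this name to a device. Looks at the final
    path component, ignores the extension ("nul.txt" is still NUL) and
    trailing dots or spaces, and is case-insensitive."""
    leaf = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem = leaf.split(".", 1)[0].rstrip(" .").lower()
    return stem in RESERVED_DEVICE_NAMES


def is_safe_user_filename(name: str) -> bool:
    """Allowlist first, device-name check second."""
    return bool(_SAFE_NAME.match(name)) and not is_reserved_device_name(name)


def validate_user_filename(name: str) -> str:
    """Return the name if it is safe to hand to a file-open call, otherwise
    raise ValueError so the caller never reaches the open."""
    if not is_safe_user_filename(name):
        raise ValueError(f"rejected file name: {name!r}")
    return name
```

The device-name check alone is not enough (it knows nothing about "..",
drive letters or \\.\ paths), which is why the allowlist runs first; the
device check catches the cases the allowlist lets through, such as a bare
"aux" or "nul.txt".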
9. Microsoft Word Document Macro Execution Vulnerability
BugTraq ID: 2876
Remote: Yes
Date Published: 2001-05-23
Relevant URL:
http://www.securityfocus.com/bid/2876
Summary:
Microsoft Word has a security feature which prompts a user before opening
a document containing macros. A vulnerability exists in the security
feature which could enable macros within .doc files to run without the
user's knowledge.
Word fails to properly check files for macros. A Word document containing
macros can be modified (by one byte using a hex editor) in such a way that
upon opening the file, the macros will execute without the user's
knowledge.
This vulnerability can be exploited regardless of the level of security
set.
Successful exploitation of this vulnerability could assist in further
attacks against the victim, or possibly lead to a complete compromise of
the target.
10. Microsoft SQL Server Administrator Cached Connection Vulnerability
BugTraq ID: 2863
Remote: No
Date Published: 2001-06-12
Relevant URL:
http://www.securityfocus.com/bid/2863
Summary:
SQL Server accepts ad hoc queries from connected users. A flaw exists in
the handling of specially structured ad hoc queries which could enable a
normal user to gain administrative privileges.
In order to gain access to information in the database, a user must make a
connection to the server. Once access to the database is no longer
required, the user logging off will terminate the connection. However, by
design, SQL Server will store the connection used by the user in cache for
a certain amount of time. This is done to improve the server's
performance. Next time that particular user logs in, SQL Server can
reinstate the cached connection rather than creating a new one.
It is possible for a logged in user to use an ad hoc query in a particular
way, that would invoke the cached connection of the system administrator
rather than that of the user. This would enable the user to access the
database with administrative privileges.
In order to successfully exploit this issue, Mixed Mode authentication
must be enabled. Hosts with Windows authentication enabled will not be
affected by this issue.
11. Microsoft Exchange OWA Embedded Script Execution Vulnerability
BugTraq ID: 2832
Remote: Yes
Date Published: 2001-06-06
Relevant URL:
http://www.securityfocus.com/bid/2832
Summary:
Microsoft Exchange 2000 enables users to access their inboxes and other
resources located in the Web Storage System. Outlook Web Access (OWA)
enables users to reach these resources remotely via a URL. OWA ships with
Microsoft Exchange 2000 by default.
Due to a flaw in the interaction between Exchange's OWA service and
Internet Explorer, it is possible for an email attachment to execute
without prompting the user.
Typically, when opening email attachments, the operating system prompts a
user with a dialogue box requesting a selection of the appropriate
application to view the file. However, when viewing email via OWA using an
IE browser, upon opening an email attachment the dialogue is not displayed
and the file is automatically opened.
This vulnerability could enable a user to embed a malicious script into an
HTML attachment. Since IE parses any script in a file, upon the recipient
opening the file the script will run.
Successful exploitation of this vulnerability could lead to a complete
compromise of the host.
12. MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
BugTraq ID: 2880
Remote: Yes
Date Published: 2001-06-18
Relevant URL:
http://www.securityfocus.com/bid/2880
Summary:
Microsoft Index Server and Indexing Service enables text searches on an
internet or intranet site via a web browser. Index Server ships with
Windows NT 4.0 Option Pack and Indexing Service ships with Windows 2000.
An unchecked buffer exists in a certain ISAPI extension associated with
the Index Server and Indexing Service.
A host running Microsoft Index Server or Indexing Service is susceptible
to the execution of arbitrary code, due to an unchecked buffer in the
'idq.dll' ISAPI extension. If a request is made, in a particular manner,
to a host with 'idq.dll' installed, either Index Server or Indexing
Service will experience a buffer overflow and allow the execution of
arbitrary code. Unfortunately, the Index Server and Indexing Service runs
in the Local System context; therefore, the attacker can specify arbitrary
code to be run with Local System privileges.
'idq.dll' provides support for Internet Data Administration (.ida) files
and Internet Data Query (.idq) files. In order to exploit this
vulnerability script mappings that associate '.idq' and '.ida' files with
'idq.dll' must exist.
It should be noted that Index Server and Indexing Service do not need to
be running in order for an attacker to exploit this issue. 'idq.dll' is
installed by default when IIS is installed; consequently IIS is the only
service that needs to be running.
Successful exploitation of this vulnerability could lead to complete
compromise of the target host.
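Because the mapping, not the service, is what exposes 'idq.dll', a quick
way to find out whether anyone is already probing for it is to look for
.ida and .idq requests in the IIS logs. The added example below (not from
the newsletter or from Microsoft) parses W3C extended log lines and flags
every request to those extensions, marking oversized or binary-looking
query strings separately since that is the shape an overflow attempt takes.
The log excerpt is constructed, and the field set it declares is an
assumption about how the server was configured to log.

```python
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (field set is an assumption);
# not a real capture. The third data row has a 300-byte query string.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-16 12:00:01 10.0.0.5 GET /default.htm - 200
2001-07-16 12:00:03 10.0.0.5 GET /search.idq CiRestriction=budget 200
2001-07-16 12:00:07 10.0.0.9 GET /default.ida """ + "A" * 300 + """ 200
2001-07-16 12:00:09 10.0.0.7 GET /images/logo.gif - 304
"""

# Extensions the IIS script map hands to idq.dll.
INDEXING_EXTENSIONS = (".ida", ".idq")


def parse_w3c_log(text: str) -> list:
    """Parse W3C extended format: the #Fields directive names the columns,
    values are space-separated, and '-' marks an empty field. Rows whose
    column count does not match the directive are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue
        rows.append({k: (None if v == "-" else v)
                     for k, v in zip(fields, values)})
    return rows


def flag_indexing_requests(rows: list, long_query: int = 200) -> list:
    """Return (client ip, uri stem, reason) for every request to the idq.dll
    extensions. Any hit matters on a server that does not need Index
    Server; a query at or above long_query bytes, or containing bytes
    outside printable ASCII after decoding, is reported separately."""
    hits = []
    for row in rows:
        stem = (row.get("cs-uri-stem") or "").lower()
        if not stem.endswith(INDEXING_EXTENSIONS):
            continue
        query = unquote(row.get("cs-uri-query") or "")
        binary = any(ord(c) < 32 or ord(c) > 126 for c in query)
        if len(query) >= long_query or binary:
            reason = "oversized-or-binary-query"
        else:
            reason = "indexing-extension-request"
        hits.append((row.get("c-ip"), stem, reason))
    return hits
```

If the server does not use Index Server at all, the right fix is to remove
the .ida and .idq script mappings in the IIS console in addition to
applying the patch; after that, any hit from this check is a probe rather
than a risk.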
13. Microsoft Internet Explorer File Contents Disclosure Vulnerability
BugTraq ID: 2836
Remote: Yes
Date Published: 2001-06-06
Relevant URL:
http://www.securityfocus.com/bid/2836
Summary:
MSIE contains a vulnerability which may allow malicious website operators
to obtain data (non-cookie) from the filesystem of a remote client.
If a known local file on the client filesystem is referenced as script
source, some of its contents can be read if they are formatted in a
certain way. The contents have to be formatted as though script variables
are being assigned values, ie:
variablename=variablevalue
If a file containing data formatted in this manner exists on the client
filesystem at a known location, it may be possible for malicious
webmasters to obtain some of its content.
The vulnerability lies in the fact that MSIE will read these name/value
pairs as variables and their values in the script interpreter. The values
can then be referenced simply by using the associated variables in the
script code, the names of which must also be known by the attacker.
Because of the knowledge required to exploit this vulnerability and the
fact that the file must be formatted correctly, real-world exploitation is
unlikely (but not out of the question). The primary concern is that MSIE
is providing data from files outside of the allowed areas to remote hosts.
Depending on the contents of the known file, this vulnerability could
reveal sensitive data and assist in further attacks against the target.
14. Microsoft Internet Explorer File Disclosure Vulnerability
BugTraq ID: 2833
Remote: Yes
Date Published: 2001-03-31
Relevant URL:
http://www.securityfocus.com/bid/2833
Summary:
Due to a flaw in Internet Explorer's handling of embedded script
(MSScriptControl.ScriptControl) combined with GetObject function in a web
page, it is possible for a remote web site operator to retrieve a known
file from a visiting user's system.
A web page containing script (MSScriptControl.ScriptControl) and the
GetObject function with the known path to an existing file will return
the contents of the requested file to the web server.
This vulnerability may allow the execution of arbitrary commands, although
it has not been confirmed.
Successful exploitation of this vulnerability could disclose sensitive
data, which may assist in further attacks against the target.
15. Microsoft Windows 2000 Telnet Username DoS Vulnerability
BugTraq ID: 2838
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2838
Summary:
Microsoft Windows 2000 ships with a telnet service. Due to a flaw in the
implementation of the telnet service, it is possible for a remote client
to cause a denial of service on the host.
By design, the telnet service will drop a connection if an exceptionally
long string of characters is received in the supplied username.
However, if approximately 4300 characters already exist in the input
buffer and approximately 127 ascii encoded backspaces (0x7b) are then
submitted, the telnet service will crash.
A restart of the service is required in order to regain normal
functionality.
This vulnerability may be the result of a buffer overflow, although not
verified this could lead to the execution of arbitrary code on the target
host.
16. Microsoft Windows 2000 Telnet Multiple Sessions DoS Vulnerability
BugTraq ID: 2843
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2843
Summary:
Microsoft Windows 2000 ships with a telnet service. A vulnerability exists
in the telnet service which could enable a remote client to perform a
denial of service attack against a host.
It is possible for a remote client to connect to the telnet service and
leave the connection idle without the host terminating the session. Under
normal conditions idle connections time out after a certain amount of
time. If this technique is repeated as many times as the host allows
connections, other legitimate clients will not be able to connect to the
service.
No further technical details have been provided.
A restart of the service is required in order to regain normal
functionality.
17. Microsoft Windows 2000 Telnet Service DoS Vulnerability
BugTraq ID: 2844
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2844
Summary:
Microsoft Windows 2000 ships with a telnet service. A vulnerability exists
in the telnet service which could enable a client to cause the host to
stop responding.
If a client makes numerous connections to the host in a particular way,
the telnet service could begin to consume all available system resources
and eventually crash.
This vulnerability is caused by the way handlers function in Windows 2000.
Under certain conditions, the handlers are not properly reinstated to the
system for reuse.
No further technical details have been provided.
A restart of the service is required in order to regain normal
functionality.
18. Microsoft Windows 2000 Telnet System Call DoS Vulnerability
BugTraq ID: 2846
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2846
Summary:
Microsoft Windows 2000 ships with a telnet service. A vulnerability exists
in the telnet service which could enable a user to terminate any telnet
session.
Administrative privileges are required to access the telnet service's
management console, but the underlying system call that terminates a
session does not check for them.
Typically, making such a system call requires administrative privilege,
but a flaw allows a normal user to make this specific call. A program run
on the server by an ordinary user can therefore invoke it and terminate
any telnet session.
In order to exploit this vulnerability, a user must log onto the server
and run a program that makes the system call.
A restart of the service is required in order to regain normal
functionality.
19. Microsoft W2K Telnet Various Domain User Account Access Vulnerability
BugTraq ID: 2847
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2847
Summary:
Microsoft Windows 2000 contains a flaw in the handling of telnet domain
authentication.
If a user attempts to authenticate with a valid login name followed by
specially chosen characters, the telnet service does not require the user
to specify the domain to which the account belongs. The service instead
searches the local domain and all trusted domains for the account; if the
account is found and enabled, the user is prompted to complete
authentication.
Once an attacker has confirmed a valid user account, brute force
techniques can be used to attempt access to the trusted domain.
Successful exploitation discloses environment information and confirms
username existence; both pieces of information could assist in further
attacks against the host.
20. Microsoft Windows 2000 Telnet Privilege Escalation Vulnerability
BugTraq ID: 2849
Remote: Yes
Date Published: 2001-06-08
Relevant URL:
http://www.securityfocus.com/bid/2849
Summary:
A vulnerability exists in the way the Windows 2000 telnet service handles
server-side named pipes.
A server-side named pipe is created each time telnet starts a new session,
and the pipes are named in a predictable sequence.
Because the names are predictable, any local user with the right to
execute a program can create the next server-side named pipe in the
sequence ahead of the service and assume the service's security context
the next time a session is started. If arbitrary code is attached to the
pipe before the telnet service uses it, that code runs in the Local System
context as part of session initialization.
It has been reported that this vulnerability can be exploited via two
methods. Unfortunately no further technical details have been provided.
Successful exploitation of this vulnerability could lead to the complete
compromise of the host.
21. Windows Media Player Internet Shortcut Execution Vulnerability
BugTraq ID: 2765
Remote: Yes
Date Published: 2001-05-23
Relevant URL:
http://www.securityfocus.com/bid/2765
Summary:
Windows Media Player is an application used for digital audio, and video
content viewing.
Typically internet shortcuts are created and saved on the user's system in
the MSIE Internet cache. Due to a flaw in the implementation of WMP,
internet shortcuts are created by WMP and saved in the temporary internet
files folder with known filenames.
When IE opens a file from its cache, it is opened in the Internet Zone,
which restricts what the HTML/Script can do. However, a file residing on
the local system outside of this cache is opened by IE in the Local
Computer Zone, which has considerably more privileges than the Internet
Zone.
When WMP creates Internet shortcuts, it stores them outside of the MSIE
cache. As a result, these shortcuts when opened are done so in the Local
Computer Zone. This may allow for maliciously crafted shortcuts to read
files and send back the data to webservers.
Exploitation does not require the user to click on the shortcut: an
attacker can execute the shortcut using the same method used to create it.
However, the attacker must know the relative path to the location where
the shortcut is created.
That path depends on the target's operating system. Windows 95, 98 and ME
use a commonly known default location for the temporary internet files
folder. On Windows NT 4.0 and Windows 2000 the folder resides under the
user's local settings, which varies from system to system.
Successful exploitation of this vulnerability could assist in further
attacks against the target host.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Domain User can add local groups and populate it - working as designed? (Thread)
Relevant URL:
2. Interesting problem with Frontpage 2000 extensions (Thread)
Relevant URL:
3. Win 2K Ports continued... (Thread)
Relevant URL:
4. Win 2K Ports (Thread)
Relevant URL:
5. Is netbios safe on a 2nd NIC? (Thread)
Relevant URL:
6. good spoofing tool for ChkPnt41 (Thread)
Relevant URL:
7. Exchange 2000 Front-end / Back-end (Thread)
Relevant URL:
8. Users under Win2k (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-07-13%26thread%3d5.0.2.1.0usermail.com
16. Obscurity Security (Thread)
Relevant URL:
17. Trinux (Thread)
Relevant URL:
18. Users -vs- Authentciated Users (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-07-13%26thread%3d004001c10638$dcff2b10$c503a8c0%40waw.getin.pl
19. Authenticated Users & Kerberos [Was: RE: Users -vs- Authentciated Users] (Thread)
Relevant URL:
20. [Re: [Trinux]] (Thread)
Relevant URL:
21. Exchange Server - point 1 (Thread)
Relevant URL:
22. How to find service?? UDP 138?? (Thread)
Relevant URL:
23. AW: AGI: Security-Analyses-Tool (Thread)
Relevant URL:
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Big Crocodile
by Sow
Platforms: Windows 2000, Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1470
Summary:
Big Crocodile is a powerful, secure password manager that stores all your
passwords, logins and hyperlinks in a securely encrypted file. Big
Crocodile can automatically insert the passwords into the windows that
require them. It offers a password generator with advanced functions, a
multi-file interface, special password folders, backup, export and other
features. The program is very easy to use and uses a powerful commercial
encryption algorithm.
2. Evidence Eliminator
by Spy Software Solutions
Platforms: Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1467
Summary:
Evidence Eliminator is your solution for secure file deletion (exceeding US
Dept. of Defense standards). Now you can erase your Internet history,
files, pictures, videos, and anything else with the knowledge that it will
never be recoverable.
3. Spy Agent
by Spy Software Solutions
Platforms: Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1466
Summary:
Allows remote monitoring which records keystrokes, emails, websites,
applications, usage times, logins, passwords, and more...
4. Spy Anywhere
by Spy Software Solutions
Platforms: Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1465
Summary:
Allows remote administration and monitoring of any computer via any web-
browser. Shutdown, restart, lock, close running applications, view real-
time screenshots, and much more.
5. NetSecure Web
by NetSecure Software
Platforms: AIX, BSDI, Linux, Solaris and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1012
Summary:
NetSecure Web enables you to create Internet services guaranteeing full
protection of your information system network.
* Total access to internal database server
* Fully transparent for internal and external users
* Preserves your private network from intrusion
* Ensures that only authorized requests are delivered
* Easy installation and operation
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. RPC tools v1.0
by Bindview
Relevant URL:
http://www.securityfocus.com/tools/2114
Platforms: Windows 2000, Windows 95/98 and Windows NT
Summary:
The RPC tools package contains three separate tools. rpcdump dumps the
contents of the endpoint mapper database. ifids is similar to rpcdump but
allows you to query a single RPC server, and can even query an RPC server
which is not listed in the endpoint map obtained with rpcdump. walksam is
a tool which allows you to dump the information of each user found within
the SAM database via Named Pipes or using the additional protocol
sequences used by Windows 2000 domain controllers.
2. Advanced NT Security Explorer v2.0
by Elcom Ltd.
Relevant URL:
http://www.securityfocus.com/tools/1319
Platforms: Windows NT
Summary:
Advanced NT Security Explorer is an application for NT system
administrators for finding holes in system security. It analyses user
password hashes and tries to recover the plain-text passwords. If it is
possible to recover a password in a reasonable time, that password should
be considered insecure, and it is time to change it.
Users can access a hard drive from another computer in the network and
copy the SAM registry key, where password hashes are stored. Users can also
sniff a network and recover password hashes from the sniffer results.
Advanced NT Security Explorer (ANTExp) will help you on your way to
complete system security.
In addition, ANTExp can be used for recovering the lost passwords of
particular users.
3. Stealth HTTP Security Scanner v1.0b29
by Felipe Moniz, Security Specialist
Relevant URL:
http://www.securityfocus.com/tools/2109
Platforms: Linux, Windows 2000, Windows 95/98 and Windows NT
Summary:
Stealth 1.0 scans for 2883 HTTP vulnerabilities. This tool is designed
especially for system administrators, security consultants and IT
professionals to check for possible security holes and to confirm any
present security vulnerabilities that hackers could exploit. It is totally
free for commercial and non-commercial use.
4. Logs2Intrusions v1.0
by Ekrem ORAL
Relevant URL:
http://www.securityfocus.com/tools/2108
Platforms: Windows 2000, Windows 95/98 and Windows NT
Summary:
This program parses IIS or Apache web server logfiles and then creates a
report of possible intrusions.
5. HEXtreme Hex Editor for Windows v2.3
by Mikersoft
Relevant URL:
http://www.securityfocus.com/tools/2105
Platforms: Windows 2000, Windows 95/98 and Windows NT
Summary:
A powerful color-coded hex editor for Windows. Customize your own color
coding by setting byte or byte-range colors to make files more readable to
you. Easy-to-use multiple document interface with a modern look and feel.
Quickly and easily edit files up to 4 gigabytes in size with no worry of
running out of memory. Lightning-fast searches on even the largest of
files. Search a file for a hex string, a common ASCII string, or even a
Unicode string.