From: Marc Fossi (mfossi securityfocus.com)
Date: Mon Apr 15 2002 - 16:50:11 CDT
SecurityFocus Microsoft Newsletter #82
--------------------------------------
This Issue is Sponsored by: Ingrian Networks
FREE Web Seminar on "Protecting Data by Controlling Access." Who's got
access to your enterprise data? How do you let the right people obtain
access to the data they are authorized to view?
FREE web seminar from Netegrity, maker of SiteMinder access controls and
Ingrian Networks, the leader in Secure Networking
http://www2.ingrian.com/techlib/promo/secfocus041502.html
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Securing Privacy, Part One: Hardware Issues
2. Securing Windows 2000 Communications with IP Filters: Part Two
3. Managing Intrusion Detection Systems in Large Organizations P2
4. My Daily Virus
5. SecurityFocus PDP Program
6. Event Announcement
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability
2. Microsoft IIS Help File Search Cross Site Scripting Vulnerability
3. CSNews Professional Remote Command Execution Vulnerability
4. CSChat-R-Box Remote Command Execution Vulnerability
5. Funk Software Proxy Weak Password Storage Vulnerability
6. Funk Software Proxy Named Pipe Weak Permissions Arbitrary...
7. Microsoft Office Web Components Active Script Execution...
8. CSLiveSupport Remote Command Execution Vulnerability
9. Microsoft Office Web Components Local File Read Vulnerability
10. Microsoft Office Web Components Chart Local File Existence...
11. Microsoft OWC DataSourceControl ConnectionFile Local File...
12. Funk Proxy Weak Default Installation Permissions Vulnerability
13. Microsoft VBScript ActiveX Word Object Denial Of Service...
14. Abyss Web Server Plaintext Administrative Password Vulnerability
15. Abyss Web Server File Disclosure Vulnerability
16. Microsoft IIS HTTP Header Field Delimiter Buffer Overflow...
17. Microsoft IIS FTP Connection Status Request Denial of Service...
18. Microsoft IIS Chunked Encoding Transfer Heap Overflow...
19. Microsoft IIS HTTP Redirect Cross Site Scripting Vulnerability
20. Microsoft IIS Chunked Encoding Heap Overflow Variant...
21. Microsoft Windows Terminal Server Group Policy Bypass...
22. Microsoft IIS ISAPI Filter Access Violation Denial of Service...
23. Microsoft Office Web Components Clipboard Information...
24. Microsoft IIS HTTP Error Page Cross Site Scripting Vulnerability
25. Microsoft IIS ASP Server-Side Include Buffer Overflow...
26. Microsoft OWC Spreadsheet XMLURL Local File Existence...
III. MICROSOFT FOCUS LIST SUMMARY
1. MBSA and MS's attempts at "security" (Thread)
2. net use and LM / NTLM (Thread)
3. Peculiar login troubles. (Thread)
4. Users slam Microsoft Security Analyser (Thread)
5. MBSA and MS's attempts at "security" (Thread)
6. URLScan Documentation Contradiction (I think) (Thread)
7. Info about missing HTML files in MBSA (Thread)
8. Security policy in the Group policy objects are applied
9. Microsoft Baseline Security Analyzer v1.0 Released 8th April
10. VPN / IPSEC (Thread)
11. Peculiar login troubles. (Thread)
12. January Security Rollup package listed in Windows update...
13. Securing Microsoft Windows 2000 Terminal Services with Terminal S
14. Editing MS-2000 Firewall Rules (Thread)
15. Problem with auto unpacking Hotfixes (from 1 machine only)
16. L2tp over Ipsec w2k against Nortel Switch (Thread)
17. More about MBSA and MS's attempts at "security" (Thread)
18. Microsoft Baseline Security Analyzer v1.0 Released 8th April...
19. Fwd: L2tp over Ipsec w2k against Nortel Switch (Thread)
20. Free/Shareware IPSec code or apps for Windows (Thread)
21. VPN / IPSEC (Thread)
22. Free/Shareware IPSec code or apps for Windows (Thread)
23. Microsoft PPTP (Was: Internet Services Manager) (Thread)
24. msxml3.dll file version to high after applying set of (Thread)
25. Microsoft PPTP (Was: Internet Services Manager) (Thread)
26. Internet Services Manager (Thread)
27. Detailed Port Filtering (Thread)
28. Group Policy denies access to some programs (Thread)
29. Using syslog clients (Thread)
30. SecurityFocus Microsoft Newsletter #81 (Thread)
31. Group Policy denies access to some programs (Thread)
32. Editing MS-2000 Firewall Rules (Thread)
33. SOAP toolkit V2 security and vulnerabilities (Thread)
34. IE6 Problems Update (Thread)
35. msxml3.dll file version to high after applying set of hotfixes
36. Windows NT 4.0 Print Spooler Security (Thread)
37. Windows NT 4.0 Print Spooler Security (Thread)
38. msxml3.dll file version to high after applying set of hotfixes
39. Cryptographic Authentication Techniques - NTLM ? (Thread)
40. Problem with auto unpacking Hotfixes (from 1 machine only)
41. Internet Services Manager (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. StoneGate High Availability Firewall
2. ipPulse
3. GemSAFE Enterprise
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. PWL Grabber
2. Bouncer v1.0.RC5
3. Panoptis v0.1
4. File::Scan v0.20
VI. SPONSORSHIP INFORMATION
I. FRONT AND CENTER
-------------------
1. Securing Privacy, Part One: Hardware Issues
by Scott Granneman
This article is the first of a series of three articles that will examine
privacy concerns as they relate to security. This article will examine
hardware-based privacy issues, specifically: hardware solutions for small
networks and wireless devices, hardware-based spyware, and some attempts
by hardware vendors to infringe upon users' privacy.
http://online.securityfocus.com/infocus/1568
2. Securing Windows 2000 Communications with IP Filters: Part Two
by Joe Klemencic
This is the second part of a two-part series on implementing Windows 2000
IP Security filters. In the first article, we offered an overview of IP
security policies, including defining, testing, and expanding IP security
policies. In this installment, we will be discussing encryption of Windows
systems and implementing IP security filters.
http://online.securityfocus.com/infocus/1566
3. Managing Intrusion Detection Systems in Large Organizations, Part Two
by Paul Innella, Oba McMillan, and David Trout, with assistance from
Rebecca Bace
This is the second part of a two-part series devoted to discussing the
implementation of intrusion detection systems in large organizations. In
the first installment, we looked at some of the challenges of planning,
integrating, and deploying IDSs in a large organization. In this
installment, we will look at managing agents in a distributed environment,
managing data from multiple IDS packages, and correlating data from
distributed agents.
http://online.securityfocus.com/infocus/1567
4. My Daily Virus
by George Smith
Why continue to run a "WildList" cataloging every virus in the world when
they all show up in our inboxes anyway?
http://online.securityfocus.com/columnists/73
5. SecurityFocus PDP Program
Attention Non-profits and Universities: Sign-up now for preferred pricing
on the only global early-warning system for cyber attacks - SecurityFocus
ARIS Threat Management System.
http://www.securityfocus.com/corporate/products/pdpsection.shtml
6. Event Announcement
Infotec 2002 Information Technology Expo & Conference, "Business
Technology in a Changing World---Are You in a Security State of Mind?"
(Omaha, Nebraska April 22-24, 2002). Held in conjunction with Information
Security Awareness Week on April 20-26. Over 120 different sessions for
everyone; from novice to expert. Sessions range from 75 minutes to full
day depending on content; including HIPAA, Technical Security, Security
Management, and more. Keynotes include: Ryan Russell, SecurityFocus;
Marcus Ranum, NFR; Dr. Peter Neumann, SRI International; Dr. Douglas
Maughan, DARPA; and many more. For full details go to
http://www.infotec.org or contact eidetic mindspring.com
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability
BugTraq ID: 4474
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4474
Summary:
A buffer overflow in the HTR ISAPI extension has been reported for
Microsoft IIS (Internet Information Services).
HTR is a scripting technology for IIS that has been largely superseded by
ASP (Active Server Pages). A condition exists in the HTR ISAPI extension
that may enable a remote attacker to send a number of malformed requests
which are capable of overwriting locations in memory with
attacker-supplied data.
This condition affects IIS 4.0 and IIS 5.0, and may be effectively
mitigated by disabling the extension.
Exploitation of this vulnerability may result in a denial of service or
allow for a remote attacker to execute arbitrary instructions on the
victim host.
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
2. Microsoft IIS Help File Search Cross Site Scripting Vulnerability
BugTraq ID: 4483
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4483
Summary:
A Cross Site Scripting issue exists in some versions of IIS. The Help File
search functionality included with IIS may, under some circumstances,
construct HTML content including unsanitized user supplied input.
An attacker may construct a link to a vulnerable server such that it
exploits this vulnerability. When an innocent user follows this link, the
script code will be reproduced by the server, and execute within the
context of the vulnerable site. This may result in the exposure of
sensitive data and cookie information, or allow the attacker to subvert
the content and functionality of the site.
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
3. CSNews Professional Remote Command Execution Vulnerability
BugTraq ID: 4451
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4451
Summary:
csNews Professional is a script for managing news items on a website. It
will run on most Unix and Linux variants, as well as Microsoft Windows
operating systems.
csNews Professional is prone to an issue which may enable an attacker to
execute Perl code with the privileges of the webserver process.
It is possible to craft a web request which is capable of passing
arbitrary data to the configuration script, including attacker-supplied
Perl code. Perl code passed in this manner will be interpreted by the
vulnerable script, effectively allowing a remote attacker to execute
arbitrary Perl code with the privileges of the webserver process.
For exploitation to be successful, the attacker must pass properly URL
encoded Perl code in CGI parameters via a web request. For example:
http://host/cgi-bin/csNews.cgi?command=savesetup&setup=PERL_CODE_HERE
This issue may enable a remote attacker to gain local, interactive access
to the host running the vulnerable software.
4. CSChat-R-Box Remote Command Execution Vulnerability
BugTraq ID: 4452
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4452
Summary:
csChat-R-Box is a web chat script. It will run on most Unix and Linux
variants, as well as Microsoft Windows operating systems.
csChat-R-Box is prone to an issue which may enable an attacker to execute
Perl code with the privileges of the webserver process.
It is possible to craft a web request which is capable of passing
arbitrary data to the configuration script, including attacker-supplied
Perl code. Perl code passed in this manner will be interpreted by the
vulnerable script, effectively allowing a remote attacker to execute
arbitrary Perl code with the privileges of the webserver process.
For exploitation to be successful, the attacker must pass properly URL
encoded Perl code in CGI parameters via a web request. For example:
http://host/cgi-bin/csChatRBox.cgi?command=savesetup&setup=PERL_CODE_HERE
This issue may enable a remote attacker to gain local, interactive access
to the host running the vulnerable software.
5. Funk Software Proxy Weak Password Storage Vulnerability
BugTraq ID: 4459
Remote: No
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4459
Summary:
Proxy is a remote host administration tool distributed and maintained by
Funk Software. It is available for the Microsoft Windows platforms.
A problem with Proxy could make it possible for users to gain elevated
privileges on a system. The problem is in the storage of password values.
Proxy uses weak encryption to store its password values, so passwords
allowing the remote login of administrators may be recovered. This could
lead to a user gaining elevated privileges on a host.
On Windows 2000 and NT 4.0 hosts, the password is stored in the registry.
On Windows 9X systems, this value is stored in the PHOST.INI file,
contained in the Proxy install directory. This problem is compounded by
the vulnerability Bugtraq ID 4458 titled "Funk Proxy Weak Default
Installation Permissions Vulnerability."
6. Funk Software Proxy Named Pipe Weak Permissions Arbitrary Access Vulnerability
BugTraq ID: 4460
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4460
Summary:
Proxy is a remote administration software package distributed and
maintained by Funk Software. It is designed for use on Microsoft Windows
Operating Systems.
A problem with the software package could allow a local user to change
arbitrary configuration variables. The problem is in the permissions set
on named pipes by Proxy.
The Proxy program does not adequately set permissions on named pipes.
When the program executes, a Windows Named Pipe is created for the
program. However, 'Full Control' privileges of this named pipe are
granted to group 'Everyone.'
This problem could lead to an attacker changing configuration parameters
through the Proxy host software locally. Additionally, it could allow a
local user to gain access to the Proxy password. This problem affects
Windows 2000 and NT 4.0 hosts.
7. Microsoft Office Web Components Active Script Execution Vulnerability
BugTraq ID: 4449
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4449
Summary:
Microsoft Office Web Components (OWC) are a collection of ActiveX objects
which provide limited Office functionality to web pages.
A vulnerability has been reported within some versions of the OWC
Spreadsheet component. It is possible for a web page using this component
to execute arbitrary Active Script code, even when Active Scripting has
been disabled by the client.
This is possible through usage of the HOST() formula within the
Spreadsheet component. It is possible to associate script code with events
of the OWC object. This has been demonstrated through usage of the
setTimeout method, although other vectors may be possible.
Reportedly this formula may also be used to manipulate the browser
Document Object Model (DOM), with less severe consequences.
8. CSLiveSupport Remote Command Execution Vulnerability
BugTraq ID: 4450
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4450
Summary:
csLiveSupport is a script for providing live web support. It will run on
most Unix and Linux variants, as well as Microsoft operating systems.
csLiveSupport is prone to an issue which may enable an attacker to execute
Perl code with the privileges of the webserver process.
It is possible to craft a web request which is capable of passing
arbitrary data to the configuration script, including attacker-supplied
Perl code. Perl code passed in this manner will be interpreted by the
vulnerable script, effectively allowing a remote attacker to execute
arbitrary Perl code with the privileges of the webserver process.
For exploitation to be successful, the attacker must pass properly URL
encoded Perl code in CGI parameters via a web request. For example:
http://host/cgi-bin/csLiveSupport.cgi?command=savesetup&setup=PERL_CODE_HERE
This issue may enable a remote attacker to gain local, interactive access
to the host running the vulnerable software.
9. Microsoft Office Web Components Local File Read Vulnerability
BugTraq ID: 4453
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4453
Summary:
Microsoft Office Web Components (OWC) are a collection of ActiveX objects
which provide limited Office functionality to web pages. OWC is installed
by default with both Office 2000 and Office XP.
A vulnerability has been reported within some versions of the OWC
Spreadsheet component. It is possible for a web page using this component
to read the content of any known local file.
This is possible through the LoadText method of the Range object. By
design, this object will throw an error if the requested file is not in
the same domain as the current document. However, it is possible to pass a
URL to this method which causes a redirect to a local file. Under these
circumstances, the trust decision is made based on the URL, and the file
is loaded.
Given access to the file contents, it is possible to transfer it to a
hostile server with additional script code. Under some circumstances, a
malicious script may be able to use this information to perform further,
intelligent attacks.
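The failure described above is a trust decision made on the URL as given and never repeated after a redirect. The following added example (not OWC code nor from the advisory) models a text loader that re-checks the calling document's origin on every hop; the URLs, the redirect table and the local file contents are constructed stand-ins for real HTTP fetches.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


class LoadDenied(Exception):
    """Raised when a load would leave the calling document's origin."""


def origin_of(url: str):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


# Constructed stand-in for the network: maps a URL to a redirect or a body.
# A real loader would issue HTTP requests; the file:// entry is a placeholder
# for "any known local file", not a real path.
CONSTRUCTED_RESPONSES = {
    "http://example.test/data.txt": ("body", "1,2,3"),
    "http://example.test/hop": ("redirect", "http://example.test/data.txt"),
    "http://example.test/bounce": ("redirect", "file:///C:/constructed-secret.txt"),
    "http://example.test/loop": ("redirect", "http://example.test/loop"),
    "file:///C:/constructed-secret.txt": ("body", "constructed local file contents"),
}


def load_text(document_url: str, url: str, *, check_every_hop: bool = True,
              responses=CONSTRUCTED_RESPONSES, max_hops: int = 5) -> str:
    """Fetch url on behalf of document_url, following redirects.

    With check_every_hop=True (the hardened form) the origin check runs for
    the URL as given and again for every redirect target, so the final
    location must share the document's origin. With check_every_hop=False
    the loader reproduces the flawed behaviour the advisory describes: only
    the first URL is checked, and a redirect to file:// is followed.
    """
    current = url
    for hop in range(max_hops + 1):
        if (hop == 0 or check_every_hop) and not same_origin(document_url, current):
            raise LoadDenied(f"cross-origin load refused: {current}")
        kind, value = responses.get(current, ("missing", None))
        if kind == "redirect":
            current = value
            continue
        if kind == "body":
            return value
        raise LoadDenied(f"no response for {current}")
    raise LoadDenied("too many redirects")


def try_load(document_url: str, url: str, **kwargs):
    """Return ('ok', body) or ('denied', reason) so outcomes can be compared."""
    try:
        return ("ok", load_text(document_url, url, **kwargs))
    except LoadDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    doc = "http://example.test/page.html"
    for target in ("http://example.test/hop", "http://example.test/bounce"):
        print(target, "checked once ->", try_load(doc, target, check_every_hop=False))
        print(target, "every hop    ->", try_load(doc, target))
```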
10. Microsoft Office Web Components Chart Local File Existence Disclosure Vulnerability
BugTraq ID: 4454
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4454
Summary:
Microsoft Office Web Components (OWC) are a collection of ActiveX objects
which provide limited Office functionality to web pages. OWC is installed
by default with both Office 2000 and Office XP.
A vulnerability has been reported within some versions of the OWC Chart
component. It is possible for a web page using this component to verify
the existence of any specified local file.
The Load method of the Chart object does not provide any security checks
on the file location. If it is passed a file name which does not exist on
the local system, an error message is returned. It is possible for the
calling page to detect this error condition, and determine that the file
did not exist.
It is not currently believed to be possible to access the file contents in
the case that the specified file does exist on the local system. The
attacker may, however, be able to use this information to perform further,
intelligent attacks against the vulnerable system.
11. Microsoft OWC DataSourceControl ConnectionFile Local File Existence Disclosure Vulnerability
BugTraq ID: 4456
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4456
Summary:
Microsoft Office Web Components (OWC) are a collection of ActiveX objects
which provide limited Office functionality to web pages. OWC is installed
by default with both Office 2000 and Office XP.
A vulnerability has been reported within some versions of the OWC
DataSourceControl component. It is possible for a web page using this
component to verify the existence of any specified local file.
The ConnectionFile property of the Spreadsheet object does not provide any
security checks on the file location. If it is passed a file name which
does not exist on the local system, an error message is returned. It is
possible for the calling page to detect this error condition, and
determine that the file did not exist.
It is not currently believed to be possible to access the file contents in
the case that the specified file does exist on the local system. The
attacker may, however, be able to use this information to perform further,
intelligent attacks against the vulnerable system.
12. Funk Proxy Weak Default Installation Permissions Vulnerability
BugTraq ID: 4458
Remote: No
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4458
Summary:
Proxy is a software package distributed and maintained by Funk Software.
It is available for use on the Microsoft Windows platform.
A problem with the software could allow users to alter Proxy software
configurations. The problem is in the default directory permissions.
A default Proxy installation uses insecure default directory and registry
entries. In Windows 2000 and NT 4.0 systems, members of the group
'Everyone' are permitted full access to the Proxy software installation
directory. Additionally, the registry entries in NT 4.0 may be altered by
any member of the group 'Everyone' with 'Special Access'.
This could allow a local user on the system to modify directory contents
in the Proxy directory, or on affected NT 4.0 hosts, registry settings.
13. Microsoft VBScript ActiveX Word Object Denial Of Service Vulnerability
BugTraq ID: 4463
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4463
Summary:
A vulnerability has been discovered which is reported to affect Microsoft
Internet Explorer, Outlook and Word. Other Office components may also be
affected by this issue.
It is possible to misuse VBScript ActiveX Word objects to cause a denial
of service to affected software. This is accomplished by creating an
excessive number of Word objects. A WINWORD.EXE process is created to
facilitate the creation of each individual ActiveX Word object. For
example, an attacker may create a loop which loads the malicious ActiveX
Word object 100 times or more, causing a denial of service condition to
occur.
It should be noted that this misuse of ActiveX Word objects will cause a
security warning to be displayed about the creation of an unsafe ActiveX
object (depending on the security settings of the affected program).
However, even if the user chooses not to proceed, the ActiveX Word object
is still loaded into memory an excessive number of times. The resulting
exhaustion of resources may cause the entire system to become unstable,
resulting in a denial of service.
14. Abyss Web Server Plaintext Administrative Password Vulnerability
BugTraq ID: 4467
Remote: No
Date Published: Apr 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4467
Summary:
Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.
The administrative password for Abyss Web Server is stored in plaintext in
the configuration file (abyss.conf). If a local attacker can read the
configuration file, they can trivially gain administrative access to the
web server.
Additionally, BugTraq ID 4466 "Abyss Web Server File Disclosure
Vulnerability" describes an issue which may also enable remote attackers
to trivially disclose the contents of the Abyss Web Server configuration
file.
Sensitive information about the web server's configuration may also be
disclosed as a result of this vulnerability.
This issue was reported for Abyss Web Server for Microsoft Windows
operating systems. It is not known whether the Linux version is also
affected by this vulnerability.
15. Abyss Web Server File Disclosure Vulnerability
BugTraq ID: 4466
Remote: Yes
Date Published: Apr 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4466
Summary:
Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.
Abyss Web Server does not filter certain types of potentially malicious
input from web requests.
It is possible for a remote attacker to disclose the contents of arbitrary
web-readable files by making a specially crafted web request containing
encoded dot-dot-slash (../) sequences. Such a request will enable the
attacker to browse files outside of the wwwroot directory.
This issue may be exploited by a remote attacker to gain access to the
administrative configuration file for the web server. Another known issue
regarding plaintext storage of the administrative password is described in
BugTraq ID 4467 "Abyss Web Server Plaintext Administrative Password
Vulnerability".
This issue was reported for Abyss Web Server for Microsoft Windows
operating systems. It is not known whether the Linux version is also
affected by this vulnerability. Furthermore, it should be noted that web
servers on multi-user Windows operating systems generally run with SYSTEM
privileges.
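A defender-side check for the encoded dot-dot-slash traversal described above, written here as an added illustration (not Abyss Web Server's code nor from the advisory). The document root, file names and sample request paths are constructed; the check decodes before it looks for '..', treats '\' as a separator since the affected build runs on Windows, and rejects any path that would pop past the root.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the demonstration; a real server would use
# its configured root. "wwwroot" is the name the advisory uses.
WWWROOT = "/srv/wwwroot"


class TraversalError(ValueError):
    """Raised when a request path would resolve outside the document root."""


def canonical_path(request_path: str, max_decode_rounds: int = 3) -> str:
    """Map a raw request path onto a filesystem path under WWWROOT.

    The order matters: percent-decoding happens first, so an encoded
    dot-dot-slash (%2e%2e%2f) is seen as '..' by the containment check
    rather than slipping through as an opaque file name.
    """
    path = request_path.split("?", 1)[0]  # the query string is not a path
    # Decode repeatedly so that double-encoded sequences (%252e%252e%252f)
    # cannot survive a single decoding pass; give up if it never settles.
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise TraversalError("path still changing after repeated decoding")
    if "\x00" in path:
        raise TraversalError("NUL byte in path")
    # The advisory concerns a Windows build, where '\' is also a separator.
    path = path.replace("\\", "/")
    # Resolve '.' and '..' segment by segment. Popping past the root is
    # exactly an escape attempt, so it is rejected instead of being
    # silently clamped (posixpath.normpath would clamp it).
    segments: list[str] = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not segments:
                raise TraversalError(f"path escapes document root: {request_path!r}")
            segments.pop()
        else:
            segments.append(segment)
    return posixpath.join(WWWROOT, *segments)


def is_traversal_attempt(request_path: str) -> bool:
    """True when the request would be refused by canonical_path()."""
    try:
        canonical_path(request_path)
    except TraversalError:
        return True
    return False


# Constructed sample request paths, in the shape an access log records them;
# the last three are the encoded variants the advisory describes.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/../index.html",
    "/images/logo.gif?size=large",
    "/..%2f..%2fabyss.conf",
    "/%2e%2e/%2e%2e/abyss.conf",
    "/..%5c..%5cabyss.conf",
]


def flag_requests(paths=SAMPLE_REQUESTS):
    """Return the subset of request paths that attempt to leave WWWROOT."""
    return [p for p in paths if is_traversal_attempt(p)]


if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        verdict = "BLOCK" if is_traversal_attempt(p) else "allow"
        print(f"{verdict:5} {p}")
```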
16. Microsoft IIS HTTP Header Field Delimiter Buffer Overflow Vulnerability
BugTraq ID: 4476
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4476
Summary:
A buffer overflow related to the processing of request header fields has
been reported for Microsoft IIS (Internet Information Services).
This problem is related to the interpretation of HTTP header field
delimiters. It is possible to create a request that may appear to have
field delimiters when the check for them occurs, but does not. The
evasion of this check creates a potentially exploitable buffer overflow
condition. This vulnerability affects IIS 4.0, IIS 5.0 and IIS 5.1.
Exploitation of this vulnerability may result in a denial of service or
allow for a remote attacker to execute arbitrary instructions on the
victim host.
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
17. Microsoft IIS FTP Connection Status Request Denial of Service Vulnerability
BugTraq ID: 4482
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4482
Summary:
A vulnerability has been identified in Microsoft Internet Information
Server's FTP service. The FTP service is installed by default with IIS
4.0 but must be specified on installations of IIS 5.0 and 5.1.
The condition is present when a request for the FTP transfer status is
made via the STAT command. A client issuing this command with a large
number of file globbing characters as the argument may cause the service
to crash.
When the malformed request is processed, an error condition is created but
not properly reported back to the software module that relayed the user's
request. The calling module then uses the uninitialized data, causing an
access violation error. This causes the IIS service to fail, resulting in
termination of all current FTP sessions as well as failure of web
services.
On IIS 4.0 servers, the IIS service would have to be manually restarted to
resume normal operation. On IIS 5.0 and 5.1 servers, the service will
automatically restart itself.
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
18. Microsoft IIS Chunked Encoding Transfer Heap Overflow Vulnerability
BugTraq ID: 4485
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4485
Summary:
A heap overflow condition in the 'chunked encoding transfer mechanism'
related to Active Server Pages has been reported for Microsoft IIS
(Internet Information Services).
Web clients may send data to ASP (Active Server Pages) scripts in variable
sized chunks. This is part of the HTTP protocol specification and is
known as a chunked encoding transfer. The chunked encoding transfer
mechanism must allocate a buffer in order to handle the transfer.
There is a lack of sufficient bounds checking on this buffer, which is
dynamically allocated by the ISAPI extension that handles ASP scripting.
The result is a remotely exploitable heap overflow.
This condition affects IIS 4.0 and IIS 5.0. Exploitation of this
vulnerability may result in a denial of service or allow for a remote
attacker to execute arbitrary instructions on the victim host.
Microsoft IIS 5.0 is reported to ship with a default script (iisstart.asp)
which may be sufficient for a remote attacker to exploit. Other sample
scripts may also be exploitable.
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
19. Microsoft IIS HTTP Redirect Cross Site Scripting Vulnerability
BugTraq ID: 4487
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4487
Summary:
A Cross Site Scripting issue exists in some versions of IIS. The HTTP
Redirect page created by IIS may, under some circumstances, contain HTML
content which includes unsanitized user supplied input.
An attacker may construct a link to a vulnerable server such that it
exploits this vulnerability. When an innocent user follows this link, the
script code will be reproduced by the server, and execute within the
context of the vulnerable site. This may result in the exposure of
sensitive data and cookie information, or allow the attacker to subvert
the content and functionality of the site.
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
20. Microsoft IIS Chunked Encoding Heap Overflow Variant Vulnerability
BugTraq ID: 4490
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4490
Summary:
A heap overflow condition in the 'chunked encoding transfer mechanism'
related to Active Server Pages has been reported for Microsoft IIS
(Internet Information Services).
Web clients may send data to ASP (Active Server Pages) scripts in variable
sized chunks. This is part of the HTTP protocol specification and is
known as a chunked encoding transfer. The chunked encoding transfer
mechanism must allocate a buffer in order to handle the transfer.
There is a lack of sufficient bounds checking on this buffer, which is
dynamically allocated by the ISAPI extension that handles ASP scripting.
The result is a remotely exploitable heap overflow.
Exploitation of this vulnerability may result in a denial of service or
allow for a remote attacker to execute arbitrary instructions on the
victim host.
This vulnerability is a variant of that discussed in BID 4485 "Microsoft
IIS Chunked Encoding Transfer Heap Overflow Vulnerability".
It is important to note that this BugTraq ID is an individual
vulnerability entry to follow up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
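Entries 18 and 20 both come down to a chunked-transfer decoder that copies chunk data into a buffer without first checking that the declared chunk size fits. The following added example (not IIS or ASP code, and not from the advisories) is a strict decoder of the kind a reverse proxy or request filter could apply in front of such a server: it fixes the output capacity up front and rejects any chunk whose declared size exceeds the remaining capacity before a byte is copied. The sample bodies and the 64 KiB limit are constructed.

```python
import re

CRLF = b"\r\n"
CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]{1,8}")  # strict hex, bounded width


class ChunkedError(ValueError):
    """Raised for a malformed chunked body or one that exceeds the limits."""


def decode_chunked(raw: bytes, max_body: int = 64 * 1024) -> bytes:
    """Decode an HTTP/1.1 chunked transfer body into its payload bytes.

    The decoder commits to a fixed capacity (max_body) up front and checks
    every declared chunk size against the remaining capacity *before* the
    chunk data is copied. That pre-copy check is what the advisories say
    the ASP ISAPI extension lacked.
    """
    out = bytearray()
    pos = 0
    while True:
        end = raw.find(CRLF, pos)
        if end == -1:
            raise ChunkedError("truncated chunk-size line")
        size_line = raw[pos:end]
        pos = end + 2
        # Chunk extensions (";name=value") are permitted but carry no data.
        size_field = size_line.split(b";", 1)[0].strip()
        if not CHUNK_SIZE_RE.fullmatch(size_field):
            raise ChunkedError(f"bad chunk-size field: {size_line!r}")
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: skip any trailer lines up to the terminating blank
            # line. Anything after that belongs to the next pipelined message
            # and is left to the caller.
            while True:
                end = raw.find(CRLF, pos)
                if end == -1:
                    raise ChunkedError("truncated trailer section")
                line, pos = raw[pos:end], end + 2
                if not line:
                    return bytes(out)
        # The bounds check: a declared size the buffer cannot hold is rejected
        # before any bytes are read, regardless of how much data follows.
        remaining = max_body - len(out)
        if size > remaining:
            raise ChunkedError(
                f"chunk of {size} bytes exceeds remaining capacity {remaining}")
        chunk = raw[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("chunk data shorter than declared size")
        if raw[pos + size:pos + size + 2] != CRLF:
            raise ChunkedError("chunk data not terminated by CRLF")
        out += chunk
        pos += size + 2


def classify_body(raw: bytes, max_body: int = 64 * 1024) -> str:
    """'accept' when the body decodes within limits, else 'reject: <reason>'."""
    try:
        decode_chunked(raw, max_body)
    except ChunkedError as exc:
        return f"reject: {exc}"
    return "accept"


if __name__ == "__main__":
    # Constructed bodies: one well-formed, one declaring a chunk far larger
    # than any buffer the decoder is willing to provide.
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(classify_body(b"FFFFFFFF\r\nAAAA\r\n0\r\n\r\n"))
```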
21. Microsoft Windows Terminal Server Group Policy Bypass Vulnerability
BugTraq ID: 4464
Remote: No
Date Published: Apr 09 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4464
Summary:
An issue has been reported in Microsoft Windows Terminal Server, which
could allow a user of the service to bypass the group policy setting and
access restricted resources.
When group policies are created they are stored in the SYSVOL share. Upon
a user authenticating, the appropriate policies are applied.
Allegedly, exceeding the number of permitted users specified in the per
server license agreement could allow any additional users to bypass
group policy settings and access additional resources residing on the
host. Users are reported to retain their original user permissions, and
may have access to additional applications, files, directories etc. This
issue results because any additional users connected to the host fail to
connect to the SYSVOL share and inherit the appropriate group policy
settings.
For example, if group policies are set to only allow two users, and both
are given access to only one application, yet three connections are made
to the host, the third user may be able to access various applications
residing on the host. Group policy settings are not inherited by
additional users that have exceeded the per server agreement, and
therefore such users may peruse resources on the host with their own user
permissions.
This issue may only exist on Microsoft's Terminal Server 90-day trial
edition, however, this is not yet confirmed.
As testing is underway, additional details are forthcoming.
22. Microsoft IIS ISAPI Filter Access Violation Denial of Service Vulnerability
BugTraq ID: 4479
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4479
Summary:
A vulnerability has been identified in the way Microsoft Internet
Information Server handles URL errors. This vulnerability exists on IIS
servers that also have Front Page Server Extensions or ASP.NET installed.
If a certain ISAPI filter that is installed with Front Page Server
Extensions and ASP.NET receives a URL that exceeds the maximum allowable
length, the IIS service will fail. This is because the ISAPI filter fails
the request and sets the URL to a null value. When IIS receives the null
value, it still tries to process the request before sending the error
message back to the requester. This results in an access violation error
which causes the IIS service to fail.
On IIS 4.0 servers, the IIS service would have to be manually restarted to
resume normal operation. On IIS 5.0 and 5.1 servers, the service will
automatically restart itself.
So far, Microsoft has only identified this issue in one ISAPI filter that
is installed with Front Page Server Extensions and ASP.NET, however, there
is a possibility that other ISAPI filters could contain the same
behaviour. The vulnerability is not within the ISAPI filter itself, but
with the way that IIS handles the null value returned by the filter.
Custom ISAPI filters may also be affected by this condition.
It is important to note that this BugTraq ID is an individual
vulnerability entry that follows up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
23. Microsoft Office Web Components Clipboard Information Disclosure Vulnerability
BugTraq ID: 4457
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4457
Summary:
Microsoft Office Web Components (OWC) are a collection of ActiveX objects
which provide limited Office functionality to web pages. OWC is installed
by default with both Office 2000 and Office XP.
A vulnerability has been reported within some versions of the OWC
Spreadsheet component. It is possible for a web page using this component
to gain control over the clipboard operations.
This is possible via the 'Paste' method of the Range object, and the
'Copy' method of the Cell object. These methods allow a web page to gain
full control of the clipboard. This includes reading the contents and
under some circumstances, manipulating the clipboard contents.
Reportedly, it is possible to exploit this issue even if the 'Allow paste
operations via script' security feature in IE is disabled.
Exploitation of this issue could reveal sensitive information which may
assist in further attacks against the host.
24. Microsoft IIS HTTP Error Page Cross Site Scripting Vulnerability
BugTraq ID: 4486
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4486
Summary:
A Cross Site Scripting issue exists in some versions of IIS. The HTTP
Error Page created by IIS may, under some circumstances, contain HTML
content which includes unsanitized user supplied input.
When a 404 HTTP error page is constructed by IIS, a portion of the content
includes a link to the top level domain of the missing page. This string
consists of the data between the strings '://' and '/' in the supplied
URL.
An attacker may construct a URL which includes malicious script content
within this string. This may be done by including script code within the
HTTP Basic Authentication section of the URL. Properly escaped, such code
will not interfere with the DNS lookup for the targeted site, and will
display properly on the page returned by IIS.
An attacker may construct a link to a vulnerable server such that it
exploits this vulnerability. When an innocent user follows this link, the
script code will be reproduced by the server, and execute within the
context of the vulnerable site. This may result in the exposure of
sensitive data and cookie information, or allow the attacker to subvert
the content and functionality of the site.
It has been reported that this issue may be exploited to steal
cookie-based authentication credentials from users of a number of
Microsoft domains/services (such as hotmail, passport, etc.).
It is important to note that this BugTraq ID is an individual
vulnerability entry that follows up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
25. Microsoft IIS ASP Server-Side Include Buffer Overflow Vulnerability
BugTraq ID: 4478
Remote: Yes
Date Published: Apr 10 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4478
Summary:
A buffer overflow has been reported in Microsoft IIS (Internet Information
Services) in the processing of requested filenames that are to be pulled
into ASP scripts as server-side includes.
IIS attempts to ensure that the length of the filename is not excessive. A
condition exists that may allow this check to be bypassed, resulting in a
potential buffer overflow. This condition affects IIS 4.0, IIS 5.0 and IIS
5.1.
It may be possible, under some circumstances, for a remote attacker to
supply a malicious value for the filename, which will be processed by the
server. Exploitation requires that the attacker can influence when and
how the file is included.
Exploitation of this vulnerability may result in a denial of service or
allow for a remote attacker to execute arbitrary instructions on the
victim host.
It is important to note that this BugTraq ID is an individual
vulnerability entry that follows up the aggregated Multiple Remote IIS
Vulnerabilities alert released by SecurityFocus.
26. Microsoft OWC Spreadsheet XMLURL Local File Existence Disclosure Vulnerability
BugTraq ID: 4455
Remote: Yes
Date Published: Apr 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4455
Summary:
Microsoft Office Web Components (OWC) are a collection of ActiveX objects
which provide limited Office functionality to web pages. OWC is installed
by default with both Office 2000 and Office XP.
A vulnerability has been reported within some versions of the OWC
Spreadsheet component. It is possible for a web page using this component
to verify the existence of any specified local file.
The XMLURL property of the Spreadsheet object will follow redirections
after making a security decision. As a result, a provided URL in the same
domain as the malicious document which redirects to a specific local file
will be allowed.
If it is passed a file name which does not exist on the local system, an
error message is returned. It is possible for the calling page to detect
this error condition, and determine that the file did not exist.
Additionally, it is possible to view the file contents if the file is a
valid WorkSheet XML document. The attacker may also be able to use this
information to perform further, intelligent attacks against the vulnerable
system.
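The redirect-after-check flaw described above, as an added example in Python (not code from the newsletter or from OWC): an origin check made once on the starting URL and then ignored while redirects are followed, beside a fetcher that re-applies the check on every hop and refuses non-HTTP schemes. The redirect table, document URL and file path are constructed stand-ins for network responses.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for server responses: a URL in the
# document's own domain answers with a redirect to a local file (the pattern
# the summary describes), another one chains to a legitimate XML resource.
REDIRECTS = {
    "http://site.example/data/sheet.xml": "file:///C:/constructed/local.xml",
    "http://site.example/data/chain.xml": "http://site.example/data/real.xml",
    "http://site.example/data/real.xml": None,  # final resource, no redirect
}

MAX_HOPS = 10


def same_origin(url: str, document_url: str) -> bool:
    """Scheme, host and port must all match the embedding document."""
    a, b = urlparse(url), urlparse(document_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def fetch_check_once(url: str, document_url: str, redirects=REDIRECTS) -> str:
    """Flawed pattern: decide on the initial URL, then follow redirects
    blindly. Returns the URL that would finally be loaded."""
    if not same_origin(url, document_url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(MAX_HOPS):
        nxt = redirects.get(url)
        if nxt is None:
            break
        url = nxt  # no check here: a redirect to a local file slips through
    return url


def fetch_check_each_hop(url: str, document_url: str, redirects=REDIRECTS) -> str:
    """Hardened pattern: every hop must be http(s) and same-origin before
    it is requested, so a redirect cannot widen what was approved."""
    for _ in range(MAX_HOPS + 1):
        scheme = urlparse(url).scheme
        if scheme not in ("http", "https") or not same_origin(url, document_url):
            raise PermissionError(f"blocked: {url}")
        nxt = redirects.get(url)
        if nxt is None:
            return url
        url = nxt
    raise RuntimeError("too many redirects")


def attempt(fetcher, url: str, document_url: str) -> str:
    """Run a fetcher and report either the final URL or 'BLOCKED'."""
    try:
        return fetcher(url, document_url)
    except PermissionError:
        return "BLOCKED"
```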
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. MBSA and MS's attempts at "security" (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/4D5D8A4276CCD411BEB400A0C9E105C40203DB9F@chaka.orthodon.com
2. net use and LM / NTLM (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/015201c1e250$c94f6810$081e060a@lauradominion.com
3. Peculiar login troubles. (Thread)
Relevant URL:
4. Users slam Microsoft Security Analyser (Thread)
Relevant URL:
5. MBSA and MS's attempts at "security" (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/011501c1e242$ecacefc0$081e060a@lauradominion.com
6. URLScan Documentation Contradiction (I think) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/BB7FD4FF9E440648A731452E5D341FB0C66615@hitsexchange01.advance-med.com
7. Info about missing HTML files in MBSA (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/E00ECDED326C0B4288A0B4F7F02DE2DD131A46@mickey.questinc.org
8. Security policy in the Group policy objects are applied successfully but then .asp pages fails (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/004e01c1e201$30b8b2e0$c901070a@admin2002
9. Microsoft Baseline Security Analyzer v1.0 Released 8th April (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/0036E50ED28FDC40B5123322012AF3DD0BCA4B@topdom1.topas-consulting.com
10. VPN / IPSEC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/0036E50ED28FDC40B5123322012AF3DD0BCA4A@topdom1.topas-consulting.com
11. Peculiar login troubles. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/5.1.0.14.1.20020411214022.00a967c8@mail.drunkendruid.com
12. January Security Rollup package listed in Windows update... (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020412015108.GA9989@gweebot.powerserve.com.au
13. Securing Microsoft Windows 2000 Terminal Services with Terminal Services Advanced Client (TSAC) enabled (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/OFC9488DAB.FBA1BEC1-ON86256B98.0078ABD6@fnal.gov
14. Editing MS-2000 Firewall Rules (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020411141856.GA29117@garbarek.hsc.fr
15. Problem with auto unpacking Hotfixes (from 1 machine only) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/E7EAF01D6CD3D411938F00508BAF919B0504682A@simail17.server.bosch.com
16. L2tp over Ipsec w2k against Nortel Switch (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/CDEBAB5BBFE0024AABEAF438FB2A4D07013802DF@exgau100qsm00.oceania.corp.anz.com
17. More about MBSA and MS's attempts at "security" (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/12303B570DD6B447BC791C605E7A0766A241@melbserv1.hvp.com.au
18. Microsoft Baseline Security Analyzer v1.0 Released 8th April (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020410211830.73234.qmail@web20514.mail.yahoo.com
19. Fwd: L2tp over Ipsec w2k against Nortel Switch (Thread)
Relevant URL:
20. Free/Shareware IPSec code or apps for Windows (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020410182848.64815.qmail@web20203.mail.yahoo.com
21. VPN / IPSEC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020410133404.A30833@hyperion.perihelion.net
22. Free/Shareware IPSec code or apps for Windows (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020410171256.84518.qmail@web20208.mail.yahoo.com
23. Microsoft PPTP (Was: Internet Services Manager) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/4652644B98DFF34696801F8F3070D3FE01DB915B@D2CSPEXM001.smartpipes.com
24. msxml3.dll file version to high after applying set of (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/1501382380237.20020410102231@rubikon.pl
25. Microsoft PPTP (Was: Internet Services Manager) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/005301c1e01f$1228db40$0a00a8c0@derekshome.com
26. Internet Services Manager (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/5.1.0.14.0.20020409115326.085a4db8@mail.stdnet.com
27. Detailed Port Filtering (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020409064738.82627.qmail@web12306.mail.yahoo.com
28. Group Policy denies access to some programs (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/01dd01c1df7a$5085ba70$1600010a@lauradominion.com
29. Using syslog clients (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/3028CF711B34D41193160008C7B9873F0131B332@hihamerica.com
30. SecurityFocus Microsoft Newsletter #81 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/Pine.LNX.4.43.0204081549370.12546-100000@mail.securityfocus.com
31. Group Policy denies access to some programs (Thread)
Relevant URL:
32. Editing MS-2000 Firewall Rules (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/E748F5C5A5A8D411B14100508BDCB15CD7FD69@mail.mis.sandstream.com
33. SOAP toolkit V2 security and vulnerabilities (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/E48EF4B51A3A47468CEA37E874AA16D86051E3@eidyia.spherebusinessgroup.com
34. IE6 Problems Update (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/000401c1df3a$ee727420$0201a8c0@neurotika
35. msxml3.dll file version to high after applying set of hotfixes (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/5.1.0.14.0.20020408124534.01fc5d68@mail.tellurian.net
36. Windows NT 4.0 Print Spooler Security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020408182922.15721.qmail@mail.securityfocus.com
37. Windows NT 4.0 Print Spooler Security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/F3CFDEEC7F81D311AA7B0090279AA2F4FAC7AE@sdefusr1.france.ppg.com
38. msxml3.dll file version to high after applying set of hotfixes (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/000d01c1df21$2c642540$1600010a@lauradominion.com
39. Cryptographic Authentication Techniques - NTLM ? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/B36C365832C90E47A37F4FFCDDEFC46D04F79B@hkisrv08.tw.fi
40. Problem with auto unpacking Hotfixes (from 1 machine only) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/761DBCC144B6334A81251171C684A6FB73C517@mailserver-2k.fireapple.com
41. Internet Services Manager (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/D40B270649ACD3118E2800A0C9E319F30C70C87B@xatl01.atl.hp.com
IV.NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. StoneGate High Availability Firewall
by Stonesoft
Platforms: Linux, Solaris, Windows NT, Windows 2000
Relevant URL:
http://www.stonesoft.com/document/143.html
Summary:
StoneGate provides the first fully scalable, high security and high
performance firewall and VPN solution for business critical applications.
StoneGate is the first firewall to provide secure connections and load
balancing between multiple ISPs to ensure continuous network connectivity.
2. ipPulse
by Northwest Performance Software
Platforms: Windows 95/98, Windows NT
Relevant URL:
http://www.ippulse.com/ippulsemain.html
Summary:
ipPulse is a Remote Status Monitoring Tool. Use ipPulse to monitor the
up/down status of IP connected devices (nodes) on any IP connected
network. ipPulse uses a variety of methods, including SNMP, to poll and
check the network connectivity of a list of user-defined nodes. ipPulse
alerts you to failures using a variety of techniques ranging from audible
messages to email and pager notification. You can even control ipPulse
remotely by logging into Remote Control using any Telnet application.
3. GemSAFE Enterprise
by Gemplus Corporation
Platforms: Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.gemplus.com/products/software/gemsafe/index.html
Summary:
GemSAFE is the Gemplus family of solutions that addresses the computing
security needs of individuals, enterprises and integrators by taking
advantage of the inherent benefits of smart cards.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. PWL Grabber
by Simon Steed
Relevant URL:
http://www.xploiter.com/tambu/tambupwl.shtml
Platforms: Windows 95/98
Summary:
A simple program that will display the cached passwords from your system's
PWL file.
The biggest problem with Windows is that by default, all your passwords
are stored in a file with the extension *.pwl in your Windows directory.
This program, like others that are available, tears this file apart and
reveals not only all your shares and their passwords but dial-up ones as
well.
The output can be redirected to a text file, enabling a hard copy record
to be kept.
2. Bouncer v1.0.RC5
by Chris Mason chris@r00t3d.org.uk
Relevant URL:
http://www.r00t3d.org.uk/bin/
Platforms: FreeBSD, Linux, OpenBSD, Solaris, Windows 2000, Windows NT
Summary:
Bouncer is a network tool which allows you to bypass proxy restrictions
and obtain outside connections from an internal LAN. It uses SSL
tunneling, which allows you to obtain a constant streaming connection out
of a proxy. If you are restricted behind a proxy and can access secure
online ordering sites, then you can get out to whatever host on whatever
port you want. It also supports a lot of other features including socks 5,
basic authentication, access control lists, and Web-based administration,
and will run on Windows, Linux, and FreeBSD.
3. Panoptis v0.1
by Constantinos A. Kotsokalis ckotso@grnet.gr
Relevant URL:
http://panoptis.sourceforge.net/
Platforms: Linux, POSIX, UNIX
Summary:
Panoptis is a tool to detect and stop DoS/DDoS attacks. It relies on data
provided by NetFlow-enabled routers, and includes functionality to
cooperate with other "Panoptis" detectors in order to trace the attack
back to its source.
4. File::Scan v0.20
by Henrique Dias hdias@aeiou.pt
Relevant URL:
http://www.cpan.org/authors/id/H/HD/HDIAS/
Platforms: N/A
Summary:
File::Scan allows users to build multiplatform virus scanners which can
detect Windows/DOS/Mac viruses. It includes a virus scanner and a
signature database.
VI. SPONSORSHIP INFORMATION
---------------------------
This Issue is Sponsored by: Ingrian Networks
FREE Web Seminar on "Protecting Data by Controlling Access." Who's got
access to your enterprise data? How do you let the right people obtain
access to the data they are authorized to view?
FREE web seminar from Netegrity, maker of SiteMinder access controls and
Ingrian Networks, the leader in Secure Networking
http://www2.ingrian.com/techlib/promo/secfocus041502.html
-------------------------------------------------------------------------------