From: Marc Fossi (mfossi_at_securityfocus.com)
Date: Mon Aug 26 2002 - 13:31:11 CDT
SecurityFocus Microsoft Newsletter #101
---------------------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System
From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.
With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.
Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Windows ICF: Can't Live With it, Can't Live Without it
2. Introduction to Autorooters: Crackers Working Smarter, not Harder
3. Know Your Enemy: Building Virtual Honeynets
4. An Open Letter to the CIO
5. Send Congress Back to School
6. The 21 Best Ways to Lose Your Information
7. SecurityFocus DPP Program
8. InfowarCon 2002
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Internet Explorer XML Datasource Applet File...
2. Tomahawk Technologies SteelArrow Cookie HTTP Header Buffer...
3. MySQL Null Root Password Weak Default Configuration Vulnerability
4. Tomahawk Technologies SteelArrow ARO File Request Buffer...
5. Ilia Alshanetsky FUDForum SQL Injection Vulnerability
6. Microsoft File Transfer Manager ActiveX Control Buffer Overflow...
7. MySQL Bind Address Not Enabled Weak Default Configuration...
8. WebEasyMail POP3 Server Valid User Name Information Disclosure...
9. Lynx Command Line URL CRLF Injection Vulnerability
10. Kerio MailServer Multiple SYN Packet Denial Of Service...
11. Microsoft Windows Media Player File Attachment Script...
12. Abyss Web Server Administrative Console Unauthorized Access...
13. Microsoft TSAC ActiveX Control Buffer Overflow Vulnerability
14. Microsoft Network Share Provider SMB Request Buffer Overflow...
15. Microsoft Internet Explorer Java Logging Executable Code...
16. AOL Instant Messenger Link Special Character Remote Heap...
17. Tomahawk Technologies SteelArrow Chunked Transfer Encoding...
18. nCipher PKCS#11 Symmetric Message Signature Verification...
19. Ilia Alshanetsky FUDForum File Disclosure Vulnerability
20. Kerio MailServer Web Mail Multiple Cross Site Scripting...
21. Multiple Microsoft Internet Explorer Vulnerabilitie...
22. Ilia Alshanetsky FUDForum File Modification Vulnerability
23. Microsoft File Transfer Manager Arbitrary File Upload/Download...
24. MySQL Logging Not Enabled Weak Default Configuration...
25. Abyss Web Server Malicious HTTP Request Information Disclosure...
26. Abyss Web Server Encoded Backslash Directory Traversal...
27. WebEasyMail SMTP Service Format String Vulnerability
28. Multiple VNC Products For Windows Win32 Messaging API...
29. Stephen Ball File Manager Source.PHP Directory Traversal...
31. Apache Tomcat 4.1 JSP Request Cross Site Scripting Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. MS02-042 Patch on win2k pro kills capability to map to default...
2. info MBSA and patch (Thread)
3. Windows File Sharing with IPCop (Thread)
4. Force user login after 15 minutes of idle time w/o using a...
5. Force user login after 15 minutes of idle time w/o using a...
6. Force user login after 15 minutes of idle time w/o using a...
7. Force user login after 15 minutes of idle time w/o using a...
8. Outlook2000-Security-Settings (Thread)
9. Window XP login (Thread)
10. Windows 2000 SP3 (security) problems (Thread)
11. SP3 Problems? (Thread)
12. Windows Update for XP (Thread)
13. SecurityFocus Microsoft Newsletter #100 (Thread)
IV. MICROSOFT PRODUCTS
1. Advanced Office XP Password Recovery
2. VigilEnt Policy Center (VPC)
3. RemoteAudit
V. MICROSOFT TOOLS
1. NTFS Reader for DOS v1.0
2. Analyzer
3. Archaeopteryx v1.0
VI. SPONSORSHIP INFORMATION
I. FRONT AND CENTER
-------------------
1. Windows ICF: Can't Live With it, Can't Live Without it
By David Wong
Windows ICF (Internet Connection Firewall) is the built-in firewall in
Windows XP. For this article, we put ICF into the lab and set our security
penetration testers loose at it to see how good it is. In this article, we
will give an overview of ICF, see how ICF performs under a simulated
attack, and discuss the pros and cons of ICF. ...
http://online.securityfocus.com/infocus/1620
2. Introduction to Autorooters: Crackers Working Smarter, not Harder
by Matt Tanase
Efficiency and automation: one can argue that they are two of the most
valuable by-products of any technology. There is little doubt that the
electronic tools of today allow us to get more done in less time. We use
software to eliminate tedious work, reduce man-hours, and sift through
mounds of data in seconds. Crackers, as we know, are smart... and lazy. It
should come as no surprise then that they too, have employed technology to
reduce their workload. The result? A type of malicious code known as
autorooters, programs designed to automatically scan and attack target
computers at blistering speeds.
http://online.securityfocus.com/infocus/1619
3. Know Your Enemy: Building Virtual Honeynets
by The Honeynet Project
Over the past several years, honeynets have demonstrated their value as a
security mechanism, primarily to learn about the tools, tactics, and
motives of the blackhat community. This information is critical for
organizations to better understand and protect against the threats they
face. Among the problems with honeynets is that they are resource
intensive, difficult to build, and complex to maintain. Honeynets require
a variety of both physical systems and security mechanisms to be
effectively deployed. However, the Honeynet Project has been researching a
new possibility, virtual honeynets. These systems share many of the values
of traditional honeynets, but have the advantages of running all the
systems on a single system. This makes virtual honeynets cheaper to build,
easier to deploy, and simpler to maintain.
http://online.securityfocus.com/infocus/1614
4. An Open Letter to the CIO
By Richard Forno
As the summer winds down and work resumes in earnest, our humble columnist
offers this open letter to CIOs on behalf of security admins everywhere.
http://online.securityfocus.com/
5. Send Congress Back to School
By Tim Mullen
So this aide walks into the office of Jack Valenti, President and CEO of
the Motion Picture Association of America... "Sorry for the interruption,
Mr. Valenti" she says, "but it's about the Berman Bill. What should we do
about it?"
http://online.securityfocus.com/columnists/103
6. The 21 Best Ways to Lose Your Information
by Kevin Beaver, CISSP (kbeaver principlelogic.com)
Have you ever wondered what the best ways are to get hacked, be adversely
affected by disasters, or otherwise lose information stored on your
computer systems? Here, in no particular order, are the 21 best ways to
not secure your systems:
http://online.securityfocus.com/guest/16221
7. SecurityFocus DPP Program
Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
8. InfowarCon 2002
InfowarCon 2002: Homeland Defense and Cyber-Terrorism, Washington, DC
September 4-5, 2002, optional workshops September 3 & 6. Presented by MIS
Training Institute and Interpact, Inc. Proven strategies for protecting
against threats to critical infrastructures and government systems.
Visit us at:
http://www.misti.com/08/iw02nl26inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Internet Explorer XML Datasource Applet File Disclosure Vulnerability
BugTraq ID: 5490
Remote: No
Date Published: Aug 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5490
Summary:
A problem in Microsoft Internet Explorer could lead to the disclosure of
sensitive information.
The problem is in the XML Datasource Applet included with numerous
versions of Microsoft Internet Explorer. The applet is used in a page
such as the following:
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0"
id="xmldso" MAYSCRIPT="true"> </applet>
Due to the design of the datasource applet, it may be possible for a user
to view the contents of local files via a remote page. By building a
custom-crafted page that specifies the code base as the local system, it
would be possible to display the contents of known local files.
This vulnerability could lead to the disclosure of sensitive information.
It is unknown whether this vulnerability could be exploited by a remote
host to read the contents of the known file.
2. Tomahawk Technologies SteelArrow Cookie HTTP Header Buffer Overflow Vulnerability
BugTraq ID: 5494
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5494
Summary:
SteelArrow Web Application Server is a freely available application server
by Tomahawk Technologies Inc. It is designed for use with Microsoft
Windows operating systems.
Reportedly, SteelArrow suffers from a buffer overflow condition when
cookies are used. SteelArrow keeps records of user sessions using cookies.
It is possible for an attacker to supply an overly long value of the
Cookie HTTP header that will cause the buffer overflow condition. This
will cause the SteelArrow service to crash and overwrite stack memory with
attacker supplied values.
As the SteelArrow service is installed as a system service, any
attacker-supplied code will be executed with SYSTEM privileges. The
attacker may also crash the service by sending excessive amounts of data
that has not specifically been constructed to cause code execution.
This vulnerability was first described in BugTraq ID 4860, Tomahawk
Technologies SteelArrow Web Application Server Multiple Buffer Overflow
Vulnerabilities.
3. MySQL Null Root Password Weak Default Configuration Vulnerability
BugTraq ID: 5503
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5503
Summary:
MySQL is an open source relational database project, and is available
for a number of operating systems, including Microsoft Windows.
A weak default configuration problem has been reported in some versions of
MySQL. Reportedly, the root user of the database is defined with no
password, and granted login privileges from any host.
Users unaware of this may fail to define a strong password for the root
user. While the MySQL security documentation does suggest verifying that
the root user has a password defined, an inexperienced administrator may
overlook this step.
Exploitation of this issue can allow a remote attacker to connect to the
database with full privileges. Exploitation may result in access to
sensitive information, or allow denial of service attacks through the
destruction of data.
This issue has been reported in the Windows binary release of MySQL. Other
versions may share this default configuration, but this has not been
confirmed.
4. Tomahawk Technologies SteelArrow ARO File Request Buffer Overflow Vulnerability
BugTraq ID: 5495
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5495
Summary:
SteelArrow Web Application Server is a freely available application server
by Tomahawk Technologies Inc. It is designed for use with Microsoft
Windows operating systems.
Reportedly, SteelArrow suffers from a buffer overflow condition when
requests for files with a .ARO extension are made. It is possible for an
attacker to supply an overly long value to the SteelArrow service, when
requesting files with a .ARO extension, that will cause the buffer overflow
condition. This results in an access violation in DLLHOST.EXE that will
cause the SteelArrow service to crash and overwrite stack memory with
attacker supplied values.
Any attacker-supplied code will be executed with the privileges of the
IWAM account. The attacker may also crash the service by sending excessive
amounts of data that has not specifically been constructed to cause code
execution.
This vulnerability was first described in BugTraq ID 4860, Tomahawk
Technologies SteelArrow Web Application Server Multiple Buffer Overflow
Vulnerabilities.
5. Ilia Alshanetsky FUDForum SQL Injection Vulnerability
BugTraq ID: 5500
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5500
Summary:
Ilia Alshanetsky FUDForum is a freely available Web-based forum. It is
implemented in PHP and is available for Linux and Unix variants as well
as Microsoft Windows operating systems.
Reportedly, L-Forum is vulnerable to SQL injection attacks. User input is
not properly sanitized before being included in SQL statements. The
vulnerability lies in the files 'report.php', 'selmsg.php' and
'showposts.php'.
SQL code may be inserted into the requests and executed by the database
server. These requests could include adding, deleting, and modifying data.
It may be possible to access sensitive information, such as authentication
credentials for other users of the forum software.
Additionally, this may allow a remote attacker to exploit vulnerabilities
that exist in the underlying database.
6. Microsoft File Transfer Manager ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 5508
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5508
Summary:
The Microsoft File Transfer Manager (FTM) ActiveX control is used to allow
beta test customers and others to download files from certain Microsoft
sites.
The File Transfer Manager ActiveX control is signed by Microsoft and
marked as safe for scripting, which could allow it to be installed by a
website with little or no warning on a system if the user has chosen to
always trust content from Microsoft.
A buffer overflow exists in the function that parses input strings that
are passed via scripts to a Persist function. A string passed to TS= that
is longer than 12kb will overflow the buffer, resulting in memory
corruption. Execution of arbitrary code may be possible, since memory can
potentially be corrupted with attacker-supplied data.
7. MySQL Bind Address Not Enabled Weak Default Configuration Vulnerability
BugTraq ID: 5511
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5511
Summary:
MySQL is an open source relational database project, and is available
for a number of operating systems, including Microsoft Windows.
MySQL supports the 'bind-address' configuration directive. This restricts
database access to the defined address. If remote administration is not
required, this variable may be set to the loopback address 127.0.0.1,
preventing access from any remote system.
This option is not enabled by default, possibly allowing remote access to
default installations of the server. The MySQL security documentation
does, however, suggest restricting remote access to the server to only
required hosts.
This issue has been reported in the Windows binary release of MySQL. Other
versions may share this default configuration, but this has not been
confirmed.
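The two MySQL default-configuration entries above (items 3 and 7) describe checks an administrator can script rather than remember. The following is an added example, not MySQL's own tooling: it reads a my.cnf/my.ini-style [mysqld] section for a loopback 'bind-address' and scans rows in the shape of the mysql.user table for accounts with an empty password. The configuration fragments and account rows are constructed for the example.

```python
"""Audit a MySQL configuration and user table for the two weak defaults
described in BIDs 5503 and 5511: a root account with no password that may
log in from any host, and no 'bind-address' restriction.
Added example; the config text and grant rows below are constructed."""
import configparser
import ipaddress

# Constructed my.ini fragment with no bind-address, as the newsletter says
# the Windows binary release shipped by default.
WEAK_CONFIG = """
[mysqld]
port=3306
datadir=C:/mysql/data
"""

# Same fragment with the directive the advisory recommends.
HARDENED_CONFIG = """
[mysqld]
port=3306
datadir=C:/mysql/data
bind-address=127.0.0.1
"""

# Constructed rows in the shape of mysql.user: (User, Host, Password).
# An empty Password means no password is set; '%' means any host.
WEAK_USERS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("app", "10.0.0.5", "*HASHED"),
]

HARDENED_USERS = [
    ("root", "localhost", "*HASHED"),
    ("app", "10.0.0.5", "*HASHED"),
]


def check_bind_address(config_text):
    """Return findings about the bind-address directive in [mysqld]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(config_text)
    findings = []
    if not parser.has_option("mysqld", "bind-address"):
        findings.append("bind-address not set: server listens on all interfaces")
        return findings
    addr = parser.get("mysqld", "bind-address").strip()
    try:
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"bind-address={addr} is not loopback: remote access allowed")
    except ValueError:
        findings.append(f"bind-address={addr!r} is not a valid IP address")
    return findings


def check_user_table(rows):
    """Flag every account whose password is empty, naming where it may log in from."""
    findings = []
    for user, host, password in rows:
        if password == "":
            scope = "any host" if host == "%" else host
            findings.append(f"{user}@{host}: empty password, login allowed from {scope}")
    return findings


def audit(config_text, rows):
    """Combine both checks; an empty list means neither weak default is present."""
    return check_bind_address(config_text) + check_user_table(rows)


if __name__ == "__main__":
    for line in audit(WEAK_CONFIG, WEAK_USERS):
        print("WEAK:", line)
    print("hardened findings:", audit(HARDENED_CONFIG, HARDENED_USERS))
```

In a real deployment the rows would come from `SELECT User, Host, Password FROM mysql.user` (the column name varies across MySQL versions, which is why the example takes plain tuples).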
8. WebEasyMail POP3 Server Valid User Name Information Disclosure Vulnerability
BugTraq ID: 5519
Remote: Yes
Date Published: Aug 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5519
Summary:
WebEasyMail is a MTA (Mail Transfer Agent) designed for use with Microsoft
Windows NT, 2000 and XP operating systems.
An issue has been discovered in WebEasyMail's POP3 server which may make
it easier for remote attackers to verify the existence of user accounts.
In particular, it is trivial for an attacker to determine if a username
exists or not. When a user authenticates against the POP3 server using an
invalid username followed by a password, WebEasyMail gives the following
feedback:
-ERR invalid username
This issue allows the attacker to determine which usernames are valid. The
attacker may then attempt a brute-force attack in an attempt to crack the
passwords of valid usernames.
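The leak in the WebEasyMail entry comes from answering USER differently for known and unknown names. As an added example (not WebEasyMail code), the toy responder below shows that behaviour next to a hardened variant that defers the decision to PASS and returns one failure message for every outcome, followed by a small detector that flags clients collecting many "-ERR invalid username" replies in a constructed log. The account store and log lines are constructed.

```python
"""POP3 USER/PASS handling: the enumerable form described in BID 5519 beside a
uniform-response form, plus a log-based detector for enumeration attempts.
Added example; ACCOUNTS and LOG are constructed."""
import hashlib
import hmac
from collections import defaultdict

# Constructed account store: user -> SHA-256 hex of the password.
ACCOUNTS = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}


def _password_ok(user, password):
    """Constant-time check; hashes even for unknown users so the cost is uniform."""
    presented = hashlib.sha256(password.encode()).hexdigest()
    expected = ACCOUNTS.get(user)
    if expected is None:
        hmac.compare_digest(presented, "0" * 64)  # same work, result discarded
        return False
    return hmac.compare_digest(presented, expected)


def weak_session(user, password):
    """Behaviour the advisory describes: USER alone reveals whether the name exists."""
    if user not in ACCOUNTS:
        return ["-ERR invalid username"]
    replies = ["+OK"]
    replies.append("+OK" if _password_ok(user, password) else "-ERR invalid password")
    return replies


def hardened_session(user, password):
    """USER is always acknowledged; the only verdict comes after PASS and every
    failure uses the same wording, so valid and invalid names are indistinguishable."""
    replies = ["+OK"]
    replies.append("+OK" if _password_ok(user, password) else "-ERR authentication failed")
    return replies


# Constructed server log in the form: date time client-ip USER name -> reply
LOG = """\
2002-08-20 10:01:02 203.0.113.9 USER alice -> +OK
2002-08-20 10:01:03 203.0.113.9 USER bob -> -ERR invalid username
2002-08-20 10:01:03 203.0.113.9 USER carol -> -ERR invalid username
2002-08-20 10:01:04 203.0.113.9 USER dave -> -ERR invalid username
2002-08-20 10:05:00 198.51.100.4 USER alice -> +OK
2002-08-20 10:06:11 198.51.100.4 USER alicia -> -ERR invalid username
"""


def enumeration_suspects(log_text, threshold=3):
    """Return client addresses that were told 'invalid username' for at least
    `threshold` distinct names, the pattern of a username-guessing run."""
    unknown_names = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[3] == "USER" and parts[6:] == ["-ERR", "invalid", "username"]:
            unknown_names[parts[2]].add(parts[4])
    return sorted(ip for ip, names in unknown_names.items() if len(names) >= threshold)


if __name__ == "__main__":
    print("weak, unknown user:    ", weak_session("bob", "x"))
    print("hardened, unknown user:", hardened_session("bob", "x"))
    print("hardened, bad password:", hardened_session("alice", "wrong"))
    print("enumeration suspects:  ", enumeration_suspects(LOG))
```

The detector keys on distinct names rather than raw failure counts, so a single user mistyping the same login several times does not trip it.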
9. Lynx Command Line URL CRLF Injection Vulnerability
BugTraq ID: 5499
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5499
Summary:
Lynx is a freely distributable, text-based WWW client. It is available for
use on various operating systems and platforms including Linux and Unix
variants and Microsoft Windows operating environments.
A CRLF injection vulnerability has been reported for Lynx that may allow
an attacker to include extra HTTP headers when viewing web pages. If Lynx
is called from the command line, carriage return and line feed (CRLF)
characters may be included in the specified URL. These characters are not
escaped when the input is used to construct a HTTP request.
As CRLF is used as a delimiter between headers under the HTTP protocol,
exploitation of this vulnerability will result in additional headers being
included in the HTTP request.
Injection of a 'Host' header may cause the request to be serviced as if
made to a different domain, if the server in question supports multiple
hosts. It may also be possible to inject arbitrary cookie data.
It is still possible for attackers to exploit this vulnerability even if
the '-realm' and '-restrictions=useragen' options are used. Reportedly, it
is also possible for an attacker to contact other types of servers,
including POP3 servers and MTAs (Mail Transfer Agents).
This vulnerability has been reported for Lynx versions 2.8.4rel.1,
2.8.5dev.8, 2.8.3rel.1 and 2.8.2rel.1. It is not known whether other
versions are affected.
*** Links 0.9.6 and ELinks have also been reported as being vulnerable.
Some versions of Links and ELinks URL encode space characters so an
attacker needs to use tab characters, instead of spaces, to exploit the
issue on these browsers.
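The Lynx entry turns on one detail: a CR LF pair copied unescaped from the URL into the request becomes a header delimiter. The following added example (not Lynx code) builds a request line the verbatim way the advisory describes and next to it the way a client should, refusing control characters in the host and percent-encoding them in the path, tab and space included, which is the edge case the note about Links and ELinks points at. The sample URLs are constructed.

```python
"""URL-to-request construction with and without control-character handling,
illustrating the CRLF injection described for Lynx in BID 5499.
Added example, not Lynx code; the sample URLs are constructed."""
from urllib.parse import quote


class UnsafeURL(ValueError):
    """Raised when a URL contains bytes that can never be sent safely."""


# Bytes that must never appear raw in a request line or header field:
# all ASCII controls (CR, LF, tab among them), space and DEL.
_FORBIDDEN = set(range(0x21)) | {0x7F}


def split_url(url):
    """Minimal http://host[:port]/path splitter.  It deliberately does no
    cleaning so that the two builders below differ only in their own handling.
    urllib.parse.urlsplit is avoided here because recent Python versions strip
    CR/LF before parsing, which would hide the behaviour being shown."""
    if not url.startswith("http://"):
        raise UnsafeURL("only http:// URLs are handled in this example")
    host, _, path = url[len("http://"):].partition("/")
    return host, "/" + path


def build_request_unchecked(url):
    """The behaviour the advisory describes: the path is copied into the request
    verbatim, so a CR LF inside it ends the request line early and whatever
    follows is sent as an additional header."""
    host, path = split_url(url)
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def build_request_safe(url):
    """Refuse control characters in the host and percent-encode them in the path
    (space and tab included, since some clients encode one but not the other),
    so no client-supplied byte can act as a header delimiter."""
    host, path = split_url(url)
    if not host or any(ord(c) in _FORBIDDEN for c in host):
        raise UnsafeURL("host is empty or contains a control character")
    # '%' is kept so an already percent-encoded path is not encoded twice.
    target = quote(path, safe="/?=&:@!$'()*+,;~%")
    return f"GET {target} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def header_lines(request):
    """Split a raw request into lines the way a server would."""
    return request.split("\r\n")


if __name__ == "__main__":
    crafted = "http://example.test/index.html\r\nCookie: session=forged\r\nX: "
    print("unchecked:", header_lines(build_request_unchecked(crafted)))
    print("safe:     ", header_lines(build_request_safe(crafted)))
```

Run on the constructed URL, the unchecked builder emits "Cookie: session=forged" as a header of its own, while the safe builder sends a single request line with %0D%0A in the path and leaves the server to reject or 404 it.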
10. Kerio MailServer Multiple SYN Packet Denial Of Service Vulnerability
BugTraq ID: 5505
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5505
Summary:
Kerio MailServer is a mail server designed for use with Microsoft Windows,
Linux and Unix variant operating systems.
Kerio MailServer is vulnerable to a denial of service condition when it
receives multiple SYN packets.
An attacker may be able to exploit this vulnerability by sending multiple
SYN packets to all the services of Kerio Mailserver (POP3, SMTP, IMAP,
Secure IMAP, POP3S, Web-mail, Secure Web-mail). This prevents all the
affected services from responding to requests for service.
An attacker sending five SYN packets will cause the service to stop
responding for a few minutes. During this duration, Kerio Mailserver will,
reportedly, consume all resources of the system and fail to respond to any
more requests for service. Repeated exploitation of this vulnerability
will prevent Mailserver from responding at all. Other services offered by
the vulnerable system will be affected as well.
11. Microsoft Windows Media Player File Attachment Script Execution Vulnerability
BugTraq ID: 5543
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5543
Summary:
Microsoft Windows Media Player is distributed with multiple versions of
the Microsoft Windows Operating System.
Reportedly, Microsoft Windows Media Player may allow malicious file
attachments to execute arbitrary code in the context of the local system.
Specifically the vulnerability is due to incorrect validation of WMD
(*.wmd) files. WMD (Windows Media Download) packages are used by Media
Player to store files in a user's known Virtual Music directory.
When downloaded, WMD packages will create a folder with the same name as
the downloaded package and store it in the default "Virtual Music" folder.
This folder typically resides in My Documents\My Music\Virtual Albums\.
It is possible for an attacker to compose a malicious WMD file consisting
of a malicious .ASX and .ASF file and have Media Player extract these
files into a known location. The ASX enables a user to play streaming
media residing on an intranet or external site.
Windows Media Player runs in the security context of the user currently
logged on, therefore arbitrary code would be run at the privilege level of
that particular user.
12. Abyss Web Server Administrative Console Unauthorized Access Vulnerability
BugTraq ID: 5548
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5548
Summary:
Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.
A vulnerability has been reported for Abyss Web Server for both the Linux
and Microsoft Windows operating environments. Reportedly, it is possible
for an attacker to obtain access to Abyss Web Server's administrative
console without any need for authentication.
An attacker can exploit this vulnerability to change any, and all,
configuration parameters of Abyss Web Server, including the administrative
password. It will also enable the remote attacker to stop and restart the
Web server.
13. Microsoft TSAC ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 5554
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5554
Summary:
Microsoft offers Terminal Services client functionality over the web
through the Terminal Services Advanced Client (TSAC) ActiveX control. It
is an optional component that can be installed by end-users.
A buffer overflow vulnerability has been reported in the TSAC control.
The condition occurs when the invoking parameters are of excessive length.
This may be exploited by remote attackers to execute arbitrary
instructions on the affected client host.
As ActiveX objects are invoked through HTML, exploitation may occur if
victims visit malicious websites. Attacks through malicious HTML e-mail
may also be possible if the victim is using versions of Outlook and
Outlook Express prior to 2002 and 6.0 respectively, without having added
the Outlook Email Security Update.
The TSAC control is not shipped with Windows or MSIE by default. It is an
optional component that may be added if a client connects to a webserver
with Terminal Services. To determine if the control is present,
users/administrators should open MSIE and perform the following
operations:
- select the "Tools" menu-bar option
- select "Internet Options"
- click on the "General" tab
- click on "Settings"
- click on "View Objects"
Check the list for the following program files:
"Microsoft Terminal Services Client Control"
"Microsoft RDP Client Control"
If they are not present, the control is not installed.
If they are present, right click on them and view their
properties. If the following IDs are listed, a vulnerable version
of the TSAC control is installed:
{1fb464c8-09bb-4017-a2f5-eb742f04392f}
{791fa017-2de3-492e-acc5-53c67a2b94d0}
Servers hosting the TSAC control should install the patch to ensure that
vulnerable versions are not installed by users.
14. Microsoft Network Share Provider SMB Request Buffer Overflow Vulnerability
BugTraq ID: 5556
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5556
Summary:
Microsoft Windows operating systems use the Server Message Block (SMB)
protocol to support services such as file and printer sharing. A buffer
overflow vulnerability has been reported in the handling of some
malformed SMB requests.
A remote attacker able to connect to a vulnerable system may send a
specially constructed SMB request packet in order to exploit this
vulnerability. Maliciously formatted packets requesting the
NetServerEnum2, NetServerEnum3 or NetShareEnum transaction, may corrupt
heap memory, causing the system to crash. A reboot is required in order to
regain normal functionality.
This problem occurs when messages are received with the fields 'Max Param
Count' or 'Max Data Count' set to zero. In both cases, insufficient heap
memory is allocated to store some data from the packet. This error leads
to the eventual corruption of control data used for adjacent blocks of
heap memory. In turn, heap manipulation functions will be led to access
invalid memory locations, causing the system to crash.
Due to the nature of this vulnerability, it is possible that careful
exploitation could lead to the execution of arbitrary code. In this case,
an attacker may gain local access to the vulnerable system, possibly with
privileges. However, the ability to execute arbitrary code through
exploitation of this issue has not yet been confirmed.
This vulnerability may be exploited both as an authenticated user, and
with anonymous access to the service. Reportedly, anonymous access is
enabled by default on some systems.
15. Microsoft Internet Explorer Java Logging Executable Code Vulnerability
BugTraq ID: 5491
Remote: Yes
Date Published: Aug 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5491
Summary:
A problem with Microsoft Internet Explorer may provide a vector for the
storage of malicious code within systems.
Internet Explorer provides the Java Logging feature in the advanced
controls sections. This feature is intended to log the activity of
various java applications executed by the browser, and logs activity to
the C:\%System%\Java\javalog.txt file. It is not enabled by default.
Under some circumstances, the java logging feature in Internet Explorer
may provide a place for the storage of malicious code. When a page is
visited by Internet Explorer, it may be possible to log executable code
directly to the file created by java logging.
This could be used to store malicious code that could be executed in the
context of the Local System security zone, through a vulnerability such as
that described in Bugtraq ID 5450 or 5473.
This feature has been confirmed in Internet Explorer 6.0. It is not
currently known whether this feature is present in previous versions.
16. AOL Instant Messenger Link Special Character Remote Heap Overflow Vulnerability
BugTraq ID: 5492
Remote: Yes
Date Published: Aug 18 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5492
Summary:
AIM is the AOL Instant Messenger. It is available for various platforms,
including Linux and Microsoft Windows. This vulnerability affects the
Windows client.
It has been reported that it is possible to cause a heap overflow in AIM.
A problem has been reported in the handling of special characters, such as
spaces (%20). When a URL is sent to a user containing special characters
that must be converted to addressable format, an overflow may occur.
This has reportedly been reproduced to create a denial of service.
In the event that this is an exploitable heap overflow, this vulnerability
could potentially be used to execute arbitrary code. If this is the case,
remote code execution in the context of the AIM user would result.
17. Tomahawk Technologies SteelArrow Chunked Transfer Encoding Heap Overflow Vulnerability
BugTraq ID: 5496
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5496
Summary:
SteelArrow Web Application Server is a freely available application server
by Tomahawk Technologies Inc. It is designed for use with Microsoft
Windows operating systems.
A heap overflow vulnerability has been reported for SteelArrow when
handling chunked encoded transfers. The HTTP protocol specifies a method
of data encoding called 'Chunked Encoding', designed to facilitate
fragmentation of HTTP requests in transit. When processing requests for
.ARO files coded with the 'Chunked Encoding' mechanism, SteelArrow fails
to properly calculate required buffer sizes.
This causes an exception in DLLHOST.EXE and overwrites heap memory. It is
possible for an attacker to manipulate data structures to inject malicious
code into attacker supplied memory addresses. Any attacker-supplied code
will be executed with the privileges of the IWAM account.
This vulnerability was first described in BugTraq ID 4860, Tomahawk
Technologies SteelArrow Web Application Server Multiple Buffer Overflow
Vulnerabilities.
18. nCipher PKCS#11 Symmetric Message Signature Verification Vulnerability
BugTraq ID: 5498
Remote: Unknown
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5498
Summary:
nCipher produces a range of hardware and software security products which
support a range of cryptographic operations. A vulnerability has been
reported in the nCipher cryptographic library, related to the checking of
some message signatures.
The RSA PKCS#11 specification allows the signing of messages with a
symmetric key. Verification of these signatures is supported by the
nCipher cryptographic library. However, an error in the library
implementation may result in incorrect results being returned when
signatures are verified.
Under some conditions, the vulnerable function C_Verify may return the
'CKR_OK' message when an invalid signature is verified. The
'CKR_SIGNATURE_INVALID' message would normally be expected under this
condition. As a result, products and processes which rely on this library
function may make erroneous trust decisions regarding messages with
invalid signatures.
The consequences of exploitation will be highly dependent on the nature of
the application using the vulnerable library. It is likely that
exploitation will allow an attacker to inject or modify encrypted
information which is normally protected by a signature. Impersonation of
trusted parties may be possible.
Reportedly, the vulnerable signature mechanism is used by a number of
common protocols, including SSLv2, SSH and IPSEC.
This issue exists in versions 1.2.0 and later of the nCipher cryptographic
library.
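The nCipher entry is a reminder that a verify routine has to be tested on the cases it must reject, not only on the one it must accept. As an added example, independent of nCipher's PKCS#11 library, the harness below drives any symmetric-signature verifier through a genuine signature, a bit flip, a wrong message, a wrong key, an all-zero signature and a truncated one; HMAC-SHA256 stands in for the symmetric signing mechanism (an assumption, since the advisory does not name one), the return-code names mirror the CKR_OK and CKR_SIGNATURE_INVALID strings quoted above, and `lax_verify` is a hypothetical faulty implementation written to show what the harness catches. The key and message are constructed.

```python
"""Negative-case self-test for a symmetric-key signature verifier, in the
spirit of BID 5498.  Added example: HMAC-SHA256 stands in for the PKCS#11
symmetric mechanism, the CKR_* names are plain strings mirroring the codes
the advisory quotes, and lax_verify is a hypothetical buggy implementation."""
import hashlib
import hmac

CKR_OK = "CKR_OK"
CKR_SIGNATURE_INVALID = "CKR_SIGNATURE_INVALID"
CKR_SIGNATURE_LEN_RANGE = "CKR_SIGNATURE_LEN_RANGE"

# Constructed demo key and message.
KEY = b"constructed-demo-key-not-for-real-use"
MESSAGE = b"transfer 100 to account 42"


def hmac_sign(key, message):
    """Produce a 32-byte HMAC-SHA256 tag over message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key, message, signature):
    """Correct verifier: length check first, then a constant-time comparison
    whose result decides the return code."""
    if len(signature) != hashlib.sha256().digest_size:
        return CKR_SIGNATURE_LEN_RANGE
    expected = hmac_sign(key, message)
    return CKR_OK if hmac.compare_digest(expected, signature) else CKR_SIGNATURE_INVALID


def lax_verify(key, message, signature):
    """Hypothetical faulty verifier: the comparison is performed but its
    result is ignored, so every well-formed signature is reported as CKR_OK."""
    if len(signature) != hashlib.sha256().digest_size:
        return CKR_SIGNATURE_LEN_RANGE
    hmac.compare_digest(hmac_sign(key, message), signature)
    return CKR_OK


def verify_selftest(verify, sign, key, message):
    """Run a verifier through the cases a deployer should insist on.
    Returns {case name: True if the verifier answered correctly}."""
    good = sign(key, message)
    other_key = hashlib.sha256(key).digest()
    rejected = {CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE}
    cases = {
        "accepts_genuine": (key, message, good, {CKR_OK}),
        "rejects_bit_flip": (key, message, bytes([good[0] ^ 0x01]) + good[1:], {CKR_SIGNATURE_INVALID}),
        "rejects_wrong_message": (key, message + b".", good, {CKR_SIGNATURE_INVALID}),
        "rejects_wrong_key": (other_key, message, good, {CKR_SIGNATURE_INVALID}),
        "rejects_all_zero": (key, message, bytes(len(good)), {CKR_SIGNATURE_INVALID}),
        "rejects_truncated": (key, message, good[:-1], rejected),
    }
    return {name: verify(k, m, s) in want for name, (k, m, s, want) in cases.items()}


if __name__ == "__main__":
    for name, verifier in (("hmac_verify", hmac_verify), ("lax_verify", lax_verify)):
        results = verify_selftest(verifier, hmac_sign, KEY, MESSAGE)
        print(name, "passes all cases:", all(results.values()))
        for case, ok in results.items():
            print("  ", case, "ok" if ok else "FAILED")
```

The truncated case accepts either rejection code because libraries legitimately differ on whether a wrong-length signature is a length error or simply invalid; what matters is that it is never CKR_OK.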
19. Ilia Alshanetsky FUDForum File Disclosure Vulnerability
BugTraq ID: 5501
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5501
Summary:
Ilia Alshanetsky FUDForum is a freely available Web-based forum. It is
implemented in PHP and is available for Linux and Unix variants as well
as Microsoft Windows operating systems.
Reportedly, FUDForum may disclose contents of arbitrary files to
attackers. This vulnerability is present in the 'tmp_view.php' script. The
vulnerability is the result of FUDForum failing to check the path of the
file that is being requested.
By simply making malicious requests to 'tmp_view.php' via URI parameters,
an attacker is able to obtain access to potentially sensitive files.
20. Kerio MailServer Web Mail Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 5507
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5507
Summary:
Kerio MailServer is a mail server designed for use with Microsoft Windows,
Linux and Unix variant operating systems.
Reportedly, Kerio Mailserver is vulnerable to cross site scripting
attacks. The vulnerability is present in Kerio Mailserver's web mail
component.
An attacker may exploit this vulnerability by causing a victim user to
follow a malicious link. Attacker-supplied code may execute within the
context of the site hosting the vulnerable software when the malicious
link is visited.
This type of vulnerability may be used to steal cookies or perform other
web-based attacks. It may be possible to take actions as an authenticated
user of the web mail system.
21. Multiple Microsoft Internet Explorer Vulnerabilities
BugTraq ID: 5557
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5557
Summary:
Microsoft has released a security bulletin describing multiple
vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0.
The first issue is a buffer overflow in the Gopher protocol handler.
This vulnerability was previously alerted on and is described in further
detail in Bugtraq ID 4930 "Multiple Microsoft Product Gopher Client Buffer
Overflow Vulnerability". Exploitation will allow arbitrary code to be
executed with the privileges that the affected product is run with.
The second issue is described as a buffer overflow in an ActiveX
component used to display specially formatted text. This issue in the
Legacy Text Formatting component may enable a remote attacker to execute
code on a client system with the privileges of the user running the
affected client. The vulnerable component is reportedly not installed by
default in current versions of Internet Explorer and was removed from the
Microsoft website when the vendor first learned of the issue.
The third issue reportedly allows a remote attacker to exploit the browser
to read XML data that is located in a known location. The issue apparently
stems from how Internet Explorer handles HTTP redirects.
An attacker may exploit this issue via a malicious webpage that redirects
the browser to access resources on the local filesystem of the client
machine.
The fourth issue is in how Internet Explorer displays download dialogues
to users. It is possible to exploit this condition to misrepresent the
source of a file being downloaded to appear as though it is coming from a
trusted source, when in fact it originates from an untrusted source. The
user must still interactively execute the file that was misrepresented via
the download dialogue.
The fifth issue appears to be an issue that was previously alerted on.
Further details can be found in the vulnerability record Bugtraq ID 5196
"Microsoft Internet Explorer OBJECT Tag Same Origin Policy Violation
Vulnerability". This may allow remote attackers to gain unauthorized
access to local resources on client systems and perform actions such as
the execution of local binaries. The attacker would not be able to pass
parameters to local executables invoked in this manner. The attacker must
know the name and location of the local resource to exploit this issue.
The sixth issue is a variant of the issue described in Microsoft Security
Bulletin MS02-023 and Bugtraq ID 4754 "Microsoft Internet Explorer Cookie
Content Disclosure Vulnerability". It may potentially allow an attacker to
cause malicious script code and HTML to execute with the relaxed
restrictions associated with the Local Computer Zone.
** At the earliest possible convenience, this record will be divided up
into new vulnerability records where it is appropriate. Existing records
will also be updated to reflect the information contained in the Microsoft
Security Bulletin.
22. Ilia Alshanetsky FUDForum File Modification Vulnerability
BugTraq ID: 5502
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5502
Summary:
Ilia Alshanetsky FUDForum is a freely available Web-based forum. It is
implemented in PHP and is available for Linux, Unix variants and Microsoft
Windows operating systems.
Reportedly, it is possible for an administrator to manipulate (create,
modify and view) files outside of the FUDForum directories. This
vulnerability is present in the 'adm/admbrowse.php' script. The
vulnerability is the result of FUDForum allowing access to files and
directories outside of FUDForum directories.
By simply making malicious requests to 'adm/admbrowse.php' via URI
parameters, an attacker is able to obtain access to potentially sensitive
files. It may also be possible to create and modify arbitrary files on the
vulnerable system. However, this has not been confirmed.
23. Microsoft File Transfer Manager Arbitrary File Upload/Download Vulnerability
BugTraq ID: 5512
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5512
Summary:
The Microsoft File Transfer Manager (FTM) ActiveX control is used to allow
beta test customers and others to download files from certain Microsoft
sites.
The File Transfer Manager ActiveX control can queue any download or upload
item in the list of scheduled items without notifying the user. This can
reportedly be accomplished by setting the TGT= and TGN= parameters during
a call to the Persist function.
Through a man in the middle attack, an attacker may be able to set the
URL= parameter to point at their own TCP proxy, with the proxy in turn
forwarding to Microsoft servers. This could potentially allow the attacker
to upload or download any file of their choosing.
24. MySQL Logging Not Enabled Weak Default Configuration Vulnerability
BugTraq ID: 5513
Remote: Yes
Date Published: Aug 19 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5513
Summary:
MySQL is an open source relational database project, and is available
for a number of operating systems, including Microsoft Windows.
Reportedly, most logging is disabled by default in MySQL. If logging is not
explicitly enabled, an administrator may not detect malicious actions or
attacks against the database.
Logging of errors may, however, be enabled by default.
This issue has been reported in the Windows binary release of MySQL. Other
versions may share this default configuration; however, this has not been
confirmed.
25. Abyss Web Server Malicious HTTP Request Information Disclosure Vulnerability
BugTraq ID: 5549
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5549
Summary:
Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.
Reportedly, it is possible for attackers to obtain the contents of files
by appending a special character to HTTP requests to Abyss Web Server.
An attacker can exploit this vulnerability to obtain access to contents of
potentially sensitive files. Reportedly, by appending the '+' character,
Abyss Web Server will disclose the contents of some files to remote
attackers.
It has reportedly been possible to exploit this vulnerability to view the
contents of '.chl' files used for remote administration of the server. It
may also be possible to view the contents of other executable files
intended to serve CGI requests; this has not, however, been confirmed. This
vulnerability has been reported for Abyss Web Server 1.0.3. It is not
known whether other versions are affected.
26. Abyss Web Server Encoded Backslash Directory Traversal Vulnerability
BugTraq ID: 5547
Remote: Yes
Date Published: Aug 22 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5547
Summary:
Abyss Web Server is a freely available personal web server. It is
maintained by Aprelium Technologies and runs on Microsoft Windows
operating systems, as well as Linux.
A directory traversal vulnerability has been reported for Abyss Web
Server. The issue is related to the server's failure to properly process
the backslash character '\' (URL encoded as '%5c'), which may be used as a
directory delimiter on the affected platforms. By using the URL encoded
sequence '%2e%2e%5c', the web root may be escaped.
Exploitation can result in arbitrary system files being sent to a remote
attacker. This information may be of value in attempting further attacks
against the vulnerable system.
The directory traversal vulnerability was reported for Abyss Web Server
for both the Microsoft Windows and Linux operating environment. In a Linux
environment, it is only possible to escape immediately out of the web root
directory and into the Abyss folder; it is not possible for an attacker to
view files residing outside of the Abyss installation folder. However, in
a Windows environment the attacker is able to traverse outside of the
webroot and into all areas of the filesystem.
27. WebEasyMail SMTP Service Format String Vulnerability
BugTraq ID: 5518
Remote: Yes
Date Published: Aug 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5518
Summary:
WebEasyMail is an MTA (Mail Transfer Agent) designed for use with Microsoft
Windows NT, 2000 and XP operating systems.
WebEasyMail is prone to a format string vulnerability. This problem is due
to incorrect handling of user input by the SMTP service offered by
WebEasyMail. The affected service's name is emsrv.exe.
When the service receives malformed input, it will reportedly crash. It
may be possible to corrupt memory by passing format strings through the
vulnerable service. This may potentially be exploited to overwrite
arbitrary locations in memory with attacker-specified values.
Successful exploitation of this issue may allow the attacker to execute
arbitrary instructions with the privileges of the WebEasyMail service;
however, this has not been confirmed.
This vulnerability has been reported for WebEasyMail 3.4.2.2. It is not
known whether other versions are affected.
28. Multiple VNC Products For Windows Win32 Messaging API Vulnerability
BugTraq ID: 5530
Remote: No
Date Published: Aug 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5530
Summary:
Virtual Network Computing, or VNC, is a system which provides remote
access to a desktop environment. A vulnerability has been reported in a
number of VNC products when used on Microsoft Windows based systems.
Vulnerable VNC products provide graphical user interface elements which
run with privileges. A local user with lower privileges may send arbitrary
Win32 messages to the privileged process.
It has been reported possible to exploit this ability to force the VNC
process to execute arbitrary code, providing the attacker with elevated
privileges. More subtle attacks based on modifications to the dialogs
presented to the user may also be possible, although this has not been
confirmed.
This general class of vulnerabilities has been documented as BID 5408.
29. Stephen Ball File Manager Source.PHP Directory Traversal Vulnerability
BugTraq ID: 5533
Remote: Yes
Date Published: Aug 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5533
Summary:
Stephen Ball File Manager is a utility to manage files on a system. It is
implemented in PHP and is available for Microsoft Windows and Unix and
Linux variant operating systems.
A vulnerability has been reported for File Manager 1.5. Reportedly, it is
possible to launch directory traversal attacks against File Manager. It is
possible for remote attackers to access arbitrary files residing on a
vulnerable host.
An attacker may exploit this issue by submitting a request to the script
'source.php', and passing a CGI parameter specifying an arbitrary system
file. The '../' character sequence may be used to escape the specified
root directory.
Information disclosed through this vulnerability may aid an attacker in
making further attacks against the vulnerable system.
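Added illustration covering both the Abyss '%2e%2e%5c' traversal (item 26) and the File Manager '../' traversal (item 29); this is not Abyss or File Manager code. It places a weak check that only knows the forward-slash form of the escape beside a resolver that decodes the request, treats '\' as a delimiter like '/', and refuses any path that would leave the web root. The function names and the sample web root are assumptions.

```python
"""Path-traversal checks for a web server that must treat both '/' and
'\\' as directory delimiters. Added example; the names below are assumed."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/htdocs"  # constructed sample web root, not a real deployment


def naive_is_safe(raw_path: str) -> bool:
    """Weak check of the kind the Abyss report implies: the request is
    percent-decoded, but only the '../' form of the escape is refused, so
    '..\\' (sent on the wire as '%2e%2e%5c') passes."""
    decoded = unquote(raw_path)
    return "../" not in decoded


def resolve_under_root(raw_path: str, web_root: str = WEB_ROOT):
    """Decode the request path, canonicalise '\\' to '/', collapse '.' and
    '..' segments, and refuse anything that would land outside web_root.
    Returns the resolved filesystem path, or None when the request is
    rejected (a None here is also the event worth logging as a traversal
    attempt)."""
    decoded = unquote(raw_path)
    # Where the server runs on Windows both separators delimit directories,
    # so normalise to one form before looking for '..' segments.
    decoded = decoded.replace("\\", "/")
    # A NUL byte would truncate the path in C string APIs; never pass it on.
    if "\x00" in decoded:
        return None
    # Walk the path segment by segment so '..' can never pop past the root.
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # would climb above the web root
            stack.pop()
            continue
        stack.append(seg)
    resolved = posixpath.join(web_root, *stack)
    # Belt and braces: the result must still sit at or under the root.
    if resolved != web_root and not resolved.startswith(web_root + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for req in ("/index.html", "/%2e%2e%5cabyss.conf", "/../etc/passwd"):
        print(req, "naive:", naive_is_safe(req),
              "resolved:", resolve_under_root(req))
```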
30. Microsoft Terminal Services Inactive Console Screensaver Lock Failure Weakness
BugTraq ID: 5535
Remote: No
Date Published: Aug 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5535
Summary:
A weakness has been reported for Microsoft Windows Terminal Services.
Reportedly, the Terminal Services screensaver will not automatically lock
the session if the client window is minimized.
If the automatic invocation of a screen saver is relied upon to provide
security, sessions may not be protected. An attacker able to gain local
access to a client session may access a minimized Terminal Services
session as the vulnerable user.
This vulnerability was reported on a Microsoft Windows 2000 Server
operating environment. It is not known whether Terminal Server for Windows
NT is affected.
31. Apache Tomcat 4.1 JSP Request Cross Site Scripting Vulnerability
BugTraq ID: 5542
Remote: Yes
Date Published: Aug 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5542
Summary:
Jakarta Tomcat is a Java Servlet and JSP server produced by the Apache
Software Foundation. Tomcat is available for Microsoft Windows, Linux, and
other Unix based operating systems.
A cross site scripting vulnerability has been reported in some versions of
Tomcat. Reportedly, if an HTTP request is made for a JSP, malicious script
code embedded in the URI may be included in a page generated by Tomcat.
An attacker may generate a link to a vulnerable site, and include
arbitrary malicious script code. If a user is enticed into following this
link, the supplied code will be returned by the server, and execute within
the context of the vulnerable site.
Exploitation may result in the disclosure of sensitive cookie data, or the
ability to take actions as an authenticated user of the vulnerable site.
The consequences of exploitation will be highly dependent on the details
of the vulnerable site.
This may be related to the issues discussed in BID 2982. This has not,
however, been confirmed.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. MS02-042 Patch on win2k pro kills capability to map to default shares (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288697
2. info MBSA and patch (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288703
3. Windows File Sharing with IPCop (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288698
4. Force user login after 15 minutes of idle time w/o using a screen saver (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288427
5. Force user login after 15 minutes of idle time w/o using a screen saver (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288426
6. Force user login after 15 minutes of idle time w/o using a screen saver (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288410
7. Force user login after 15 minutes of idle time w/o using a screen saver (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288394
8. Outlook2000-Security-Settings (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288398
9. Window XP login (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288257
10. Windows 2000 SP3 (security) problems (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288233
11. SP3 Problems? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288232
12. Windows Update for XP (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288134
13. SecurityFocus Microsoft Newsletter #100 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/288117
IV. MICROSOFT PRODUCTS
----------------------
1. Advanced Office XP Password Recovery
by Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.elcomsoft.com/aoxppr.html
Summary:
A program to recover lost or forgotten passwords to files/documents
created in Microsoft Office applications (all versions up to Office
2002/XP): Word, Excel, Access (including user-level passwords and owner
info), Outlook, Project, Money, PowerPoint, Visio, Publisher, Backup,
Schedule+, Mail. Can also reset MS Internet Explorer Content Advisor
password, and open password-protected VBA projects (created in any
application) via the "backdoor". Most passwords are being recovered
instantly; the "password to open" in Word/Excel 97/2000/XP can be
recovered using "brute-force" and dictionary attacks, highly optimized for
speed.
2. VigilEnt Policy Center (VPC)
by PentaSafe
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.pentasafe.com/products/vpc/
Summary:
VigilEnt Policy Center (VPC) software automates policy management best
practices by enabling you to create security policies, distribute them
online, educate employees, and track and report compliance.
3. RemoteAudit
by EMCO Software
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.emco.is/remoteaudit2/rafeatures.html
Summary:
RemoteAudit generates a hardware and software inventory for a Microsoft
network LAN; it finds installed software using administrator rights on
remote computers. It can scan for a file or registry location from a custom
database with "Custom Scan", with an option for a required matching value.
One mouse click gathers all information into a table with filter options
for every column. Extremely light network load; it can be run during
working hours without disturbing users.
V. MICROSOFT TOOLS
-------------------
1. NTFS Reader for DOS v1.0
by Active Data Recovery Software
Relevant URL:
http://online.securityfocus.com/tools/2823
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
NTFS Reader for DOS is a freeware tool that provides read access to NTFS
partitions within the MS-DOS environment. You can preview files on NTFS
and copy files from NTFS to FAT volumes or network drives. Can be run from
DOS bootable floppy.
2. Analyzer
by Piero Viano, analyzer
netgroup-serv.polito.it
Relevant URL:
http://netgroup-serv.polito.it/analyzer/
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:
Analyzer is a fully configurable analyzer program. It was developed in the
Win32 environment. It can be used with both Windows 95/98 and Windows
NT/2000 platforms. It is composed of three parts: a graphical interface,
an analysis engine and a capture program.
3. Archaeopteryx v1.0
by FoxThree
Relevant URL:
http://members.fortunecity.com/sektorsecurity/projects/archaeopteryx.html
Platforms: Windows 2000, Windows NT
Summary:
Archaeopteryx is a passive mode OS identification tool. It is based on
Siphon v.666 by SubTerrain. It has a great GUI and a highly configurable
OS signature file. It uses POSIX threads for multi-threading (pthreads for
Win32). It also requires the WinPCAP drivers. We plan to support this tool
actively! So, please send all new OS signatures to us.
VI. SPONSORSHIP INFORMATION
---------------------------