From: Marc Fossi (mfossi_at_securityfocus.com)
Date: Mon Nov 04 2002 - 16:32:13 CST


    SecurityFocus Microsoft Newsletter #111
    ---------------------------------------
    This issue sponsored by: SecurityFocus DPP Program

    Attention Non-profit Organizations and Universities!! Sign-up now for
    preferred pricing on the only global early-warning system for cyber
    attacks - SecurityFocus DeepSight Threat Management System.

    Click here for more information:
    http://www.securityfocus.com/corporate/products/dpsection.shtml
    ---------------------------------------------------------------

    I. FRONT AND CENTER
         1. Scary Movie
         2. Attack of the Mod Squads
         3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

    II. MICROSOFT VULNERABILITY SUMMARY
         1. Microsoft PPTP Buffer Overrun Vulnerability
         2. Multiple Microsoft IIS Vulnerabilities
         3. Microsoft IIS Out Of Process Privilege Escalation Vulnerability
         4. Microsoft IIS WebDAV Denial Of Service Vulnerability
         5. Microsoft IIS Script Source Access File Upload Vulnerability
         6. Microsoft IIS Administrative Pages Cross Site Scripting Vuln

    III. MICROSOFT FOCUS LIST SUMMARY
         1. Access to well-known ports on Win2K (Thread)
         2. Certification for Win2k Web Servers (Thread)
         3. IIS 5 and client certificates (Thread)
         4. Preventing copying files (Thread)
         5. Privilege escalation attack (Thread)
         6. The death of shatter attacks? (Thread)
         7. WINNT security privilege escalation attack (Thread)
         8. Securing ASP.NET for Hosting (Thread)
         9. SecurityFocus Microsoft Newsletter #110 (Thread)

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. VirusScan Thin Client
         2. EasyCrypt
         3. CASQUE Systems
         4. Cypherus v.2.0
         5. BVRP Mail Warden
         6. ABF Outlook Express Backup

    V. SPONSORSHIP INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Scary Movie

    Hollywood's creative geniuses have launched a new horror genre: the computer
    virus slasher film. How did we live without this?

    http://online.securityfocus.com/columnists/121

    2. Attack of the Mod Squads

    Game console mod chips can be used for everything from watching movies to
    installing Linux on your X-Box. But under goofy copyright laws, the piracy
    app kills all the others.

    http://online.securityfocus.com/columnists/119

    3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
    Optional Workshops March 8, 9, 12, 13, & 14
    Vendor Expo March 10 & 11

    Solutions to today's security concerns; hands-on experts; blockbuster
    vendor expo; the CISO Executive Summit; invaluable networking
    opportunities. InfoSec World has it all! Go to:

    http://www.misti.com/10/os03nl37inf.html

    II. MICROSOFT VULNERABILITY SUMMARY
    -----------------------------------
    1. Microsoft PPTP Buffer Overrun Vulnerability
    BugTraq ID: 6067
    Remote: Yes
    Date Published: Oct 30 2002 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6067
    Summary:

    Microsoft has reported a buffer overrun in its implementation of the PPTP
    service. The condition occurs when a vulnerable implementation processes
    malformed control data. The precise nature of the control data involved
    and how it is malformed has not been disclosed.

    It is reportedly possible to exploit both PPTP servers and clients. To
    exploit a server, a malicious client need only initiate a PPTP connection.
    During this process, malformed control data may be transmitted to trigger
    the overrun.

    To exploit clients, a malicious server must transmit the malformed data to
    the target after a connection has been initiated and is active.

    As the overrun occurs in the kernel, attackers may exploit the
    vulnerability to crash target hosts. It may also be possible to execute
    arbitrary code, however this has not been confirmed.

    **Note: It is likely that this is BID 5807. This has not been confirmed
    by Microsoft. If this is the same issue, this BID will be retired.

    2. Multiple Microsoft IIS Vulnerabilities
    BugTraq ID: 6068
    Remote: Yes
    Date Published: Oct 30 2002 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6068
    Summary:

    Microsoft Internet Information Services (IIS) is prone to multiple
    vulnerabilities.

    The first vulnerability may allow an attacker to obtain elevated
    privileges. An attacker can exploit this vulnerability to load and
    execute applications on the vulnerable server with SYSTEM level
    privileges. This vulnerability can be exploited only when IIS is
    configured to run applications out of process.

    The second vulnerability may allow a remote attacker to cause a denial of
    service condition. This vulnerability is related to how IIS allocates
    memory for WebDAV (Web-based Distributed Authoring and Versioning)
    requests. Any specially crafted WebDAV requests may result in IIS
    allocating an extremely large amount of memory on the server. Several
    malformed requests sent to the server will result in the vulnerable system
    failing to respond to further legitimate requests for service. This
    vulnerability affects IIS 5.0 and 5.1 only.

    The third vulnerability may allow a remote attacker to upload a file onto
    the vulnerable server and possibly execute it. The vulnerability is a
    result of an incomplete list of file types that are subject to the
    script source access permission in IIS 5.0. Files of type .COM are not on
    the list of files that are subject to script source access. As a result, an
    attacker may be able to upload malicious .COM files to a vulnerable server
    and possibly execute them. This vulnerability only affects IIS 5.0.

    The final vulnerability is a cross site scripting vulnerability. The
    vulnerability is a result of improper sanitization of user-supplied input
    by IIS. Several web pages provided by IIS for administrative purposes do
    not adequately sanitize user-supplied input. Any malicious HTML code that
    is included in the URI will be rendered and executed in the browser of a
    user who follows the link.

    ** At the earliest possible convenience, this record will be divided up
    into new vulnerability records where it is appropriate. Existing records
    will also be updated to reflect the information contained in the Microsoft
    Security Bulletin.

    3. Microsoft IIS Out Of Process Privilege Escalation Vulnerability
    BugTraq ID: 6069
    Remote: Yes
    Date Published: Oct 31 2002 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6069
    Summary:

    Microsoft IIS (Internet Information Services) is vulnerable to a privilege
    elevation vulnerability.

    IIS can be configured to run applications either 'in process' or 'out of
    process'. The vulnerability is due to the way applications are executed
    when IIS is configured to run applications out of process. By default, IIS
    5.0 and 5.1 run applications out of process for increased stability
    and security. Applications executed out of process run within
    the security context of the IWAM_computername account.

    When IIS is configured to run out of process, .asp requests and ISAPI DLLs
    are executed within the dllhost.exe process. The dllhost.exe process uses
    CoImpersonateClient in order to obtain an impersonation token for the
    SYSTEM account in order to process the request. It then uses a
    RevertToSelf call in order to return to the IWAM_computername privilege level.

    It is possible for an attacker to manipulate the dllhost.exe memory space
    while it is running with IWAM_computername privilege. This could cause
    dllhost.exe to execute attacker supplied code when it impersonates SYSTEM
    privileges.

    It should be noted that exploitation is possible only when an attacker has
    write and execute permissions on Web directories.

    This vulnerability was originally described in BugTraq ID 6068. It is now
    being assigned its own BugTraq ID.

    4. Microsoft IIS WebDAV Denial Of Service Vulnerability
    BugTraq ID: 6070
    Remote: Yes
    Date Published: Oct 31 2002 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6070
    Summary:

    A denial of service vulnerability has been reported for Microsoft IIS 5
    and 5.1. The vulnerability is related to how WebDAV requests are handled
    by IIS. WebDAV (Web-based Distributed Authoring and Versioning) is a set
    of HTTP extensions that allows multiple users to edit and manage files on
    remote web servers.

    An attacker can exploit this vulnerability by making a specially crafted
    WebDAV request to a vulnerable IIS server. This results in IIS allocating
    an extremely large amount of memory on the server. Several such malformed
    requests sent to the server will result in the vulnerable system consuming
    all available memory resources and failing to respond to further
    legitimate requests for service.

    Exploitation of this vulnerability is possible only if the Indexing
    service is enabled and WebDAV requests are allowed. By default, the
    Indexing service is not enabled.

    This vulnerability was originally described in BugTraq ID 6068. It is now
    being assigned its own BugTraq ID.

    5. Microsoft IIS Script Source Access File Upload Vulnerability
    BugTraq ID: 6071
    Remote: Yes
    Date Published: Oct 31 2002 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6071
    Summary:

    A vulnerability has been reported for Microsoft IIS 5.0 that may allow a
    remote attacker to upload certain files onto a vulnerable server and
    possibly execute them.

    The vulnerability is due to an incomplete list of the file types that
    are subject to the script source access permission.

    It should be noted that exploitation is possible only when an attacker has
    write permissions on Web directories. Files of type .COM are not on the
    list of files that are subject to script source access. As a result, an
    attacker may be able to upload malicious .COM files to a vulnerable
    server. An attacker who also has execute permissions on Web directories
    may be able to execute the malicious file on the vulnerable server.

    This vulnerability was originally described in BugTraq ID 6068. It is now
    being assigned its own BugTraq ID.

    6. Microsoft IIS Administrative Pages Cross Site Scripting
    Vulnerabilities
    BugTraq ID: 6072
    Remote: Yes
    Date Published: Oct 31 2002 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/6072
    Summary:

    Microsoft IIS is prone to cross-site scripting attacks.

    The vulnerability is a result of improper sanitization of user-supplied
    input by IIS. Several web pages provided by IIS for administrative
    purposes do not adequately sanitize user-supplied input. Any malicious
    HTML code that is included in the URI will be rendered and executed in
    the browser of a user who follows the link.

    This issue may be exploited to steal cookie-based authentication
    credentials from legitimate users of the website running the vulnerable
    software. The attacker may then hijack the session of the legitimate user
    by replaying the stolen cookie-based authentication credentials.

    This vulnerability was originally described in BugTraq ID 6068. It is now
    being assigned its own BugTraq ID.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------

    1. Access to well-known ports on Win2K (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298428

    2. Certification for Win2k Web Servers (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298429

    3. IIS 5 and client certificates (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298427

    4. Preventing copying files (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298085

    5. Privilege escalation attack (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298083

    6. The death of shatter attacks? (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298031

    7. WINNT security privilege escalation attack (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/298036

    8. Securing ASP.NET for Hosting (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/297638

    9. SecurityFocus Microsoft Newsletter #110 (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/297465

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    -----------------------------------------

    1. VirusScan Thin Client
    by Network Associates
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

    As the Internet becomes the hub of an increasing number of business
    transactions, and users, especially mobile users, depend on network
    availability to perform mission critical functions, bandwidth becomes an
    essential resource for IT to manage. At 1/5 the size of competitive
    offerings, VirusScan TC keeps down the cost of anti-virus management by
    reducing the software deployment bandwidth and giving the administrator
    total control.

    2. EasyCrypt
    by Eon Solutions Ltd.
    Platforms: Linux, Windows 2000, Windows 95/98, Windows NT

    EasyCrypt is a file encryption software program - a cryptographic product
    with the versatility to protect all PC based files or folders from
    unauthorised disclosure, even where the PC itself is shared between
    individuals.

    3. CASQUE Systems
    by Distributed Management Systems (DMS)
    Platforms: OS Independent

    CASQUE provides components to build secure systems with Strong
    Authentication, Authorisation and Key Update on local or wide area networks
    or WWW.

    4. Cypherus v.2.0
    by Cypherus, Inc.
    Platforms: Windows 2000, Windows 95/98, Windows NT

    Cypherus solves the problem of digital security. Industry proven 448-bit
    encryption protects your hard drive and email correspondence. The Cypherus
    File Shredder completely removes any trace of unwanted data from your
    system.

    5. BVRP Mail Warden
    by BVRP Software UK
    Platforms: Windows 2000, Windows NT

    BVRP Mail Warden provides vital email protection for your business against
    unwanted, dangerous or inappropriate email messages flowing in and out of
    your organisation.

    6. ABF Outlook Express Backup
    by ABF Software
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

    ABF Outlook Express Backup is a backup and synchronization tool for the
    popular Outlook Express mail client. It allows you to back up and restore
    messages, address book, settings, mail and news accounts, message rules,
    blocked senders lists, signatures, and even favorites. All parts can be
    processed either separately or together. The user can choose the identity to
    save or restore data for. The program allows you to back up data on one
    computer and restore it on another; this feature makes ABF Outlook Express
    Backup a real synchronization tool. The program has a handy and simplified
    user interface, very useful for beginners. The user interface is
    multilingual: English, French, Russian, and Macedonian are supported.

    V. SPONSORSHIP INFORMATION
    ---------------------------

    This issue sponsored by: SecurityFocus DPP Program

    Attention Non-profit Organizations and Universities!! Sign-up now for
    preferred pricing on the only global early-warning system for cyber
    attacks - SecurityFocus DeepSight Threat Management System.

    Click here for more information:

    http://www.securityfocus.com/corporate/products/dpsection.shtml