Subject: SecurityFocus.com Newsletter #68
From: Stephen Entwisle (seSECURITYFOCUS.COM)
Date: Mon Nov 27 2000 - 10:28:32 CST


SecurityFocus.com Newsletter #68
-------------------------------

Premier sponsor: Tivoli SecureWay

Tivoli SecureWay Privacy Manager

Protecting consumers' personally identifiable
information is essential to protect consumer trust and
brand integrity. Tivoli SecureWay Privacy Manager is
an access control solution developed specifically for
e-businesses to effectively implement privacy policies.

http://info.tivoli.com/security/sf48

--------------------------------

I. FRONT AND CENTER
     1. The Crux of NT Security - Phase Three: Controlling and Monitoring
        Communications
     2. Solaris BSM Auditing
     3. New Article in the Intrusion Detection Focus Area: ECN and its impact
        on Intrusion Detection
     4. New Article in the Intrusion Detection Focus Area: Thinking about
        Security Monitoring and Event Correlation
II. BUGTRAQ SUMMARY
     1. AT&T WinVNC Remote Desktop Default Configuration Vulnerability
     2. NetcPlus SmartServer3 Weak Encryption Vulnerability
     3. CGIForum Arbitrary File Disclosure Vulnerability
     4. NetcPlus BrowseGate Weak Encryption Vulnerability
     5. NetcPlus SmartServer3 DoS Vulnerability
     6. Koules Svgalib Buffer Overflow Vulnerability
     7. Oracle cmctl Buffer Overflow Vulnerability
     8. Adcycle Password Disclosure Vulnerability
     9. Unify eWave ServletExec JSP Source Disclosure Vulnerability
     10. BB4 Big Brother Multiple CGI Vulnerabilities
     11. Ethereal AFS Buffer Overflow Vulnerability
     12. Microsoft Windows 2000 Domain Account Lockout Bypass Vulnerability
     13. FreeBSD ppp deny_incoming Vulnerability
     14. NCSA HTTPd campas sample script Vulnerability
     15. Microsoft Windows Media Player .WMS Arbitrary Script Vulnerability
     16. Microsys CyberPatrol Insecure Registration Vulnerability
     17. IE 5.5 Index.dat Vulnerability
     18. Software602 602Pro LAN SUITE Buffer Overflow Vulnerability
     19. Microsoft Windows Media Player .ASX Buffer Overflow Vulnerability
     20. Balabit syslog-ng Incomplete Priority String Remote DoS Vulnerability
     21. HP EMS Arbitrary File Permission Change Vulnerability
     22. Quikstore Plaintext Administrator Password Vulnerability
     23. elvis-tiny File Overwrite Vulnerability
     24. Phorum PHP Source Disclosure Vulnerability
     25. Caucho Technology Resin 1.2 JSP Source Disclosure Vulnerability
     26. Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
     27. IBM HTTP Server Denial of Service Vulnerability
     28. Linux modprobe Buffer Overflow Vulnerability
     29. Alladin Ghostscript Symlink Vulnerability
     30. Alladin Ghostscript Arbitrary Shared Library Usage Vulnerability.
     31. Linux rcp Possible Local Arbitrary Command Execution Vulnerability
     32. Network Associates WebShield SMTP Content Filter Bypass Vulnerability
III. SECURITYFOCUS.COM NEWS ARTICLES
     1. Report: Carnivore Needs Work
     2. eBay Pulls Mitnick Memorabilia
IV. SECURITY FOCUS TOP 6 TOOLS
     1. Astaro Security Linux 1.715
     2. BUGS 4.0.0
     3. SILC (Secure Internet Live Conferencing) 20001124
     4. Bcrypt 4.0
     5. GuardDog 0.9.3
     6. IP Accounting Daemon 1.0
V. SECURITYJOBS LIST SUMMARY
     1. Swedish security specialist looking for new challenges (Thread)
     2. Wondering where I can earn while I learn (Thread)
     3. Looking for oportunities in Utah (Thread)
     4. [no subject] (Thread)
     5. Information Security Executive / CSO - #97 (Thread)
     6. VP & Director level positions throughout US (Thread)
     7. IIS Security Specialist - Long Island, NY - CONTRACT (Thread)
     8. Looking for security job - LA, non-consulting (Thread)
     9. Please Post - - - Assistant Security Administrator Position(Thread)
     10. Network Security Consultant For Hire - Bay Area, CA (Thread)
     11. Systems Security Engineer Opportunity (Thread)
VI. INCIDENTS LIST SUMMARY
     1. Mysterios s...l...o...w SYN&FIN/FIN/NULL scan (Thread)
     2. Virus or Hacked NEW PC? (Thread)
     3. LPRng remote root exploit seen in the wild (Thread)
     4. Connection to port 137 (Thread)
     5. mystery SF scan tool = Idlescan correlation (Thread)
     6. Odd response from Taiwanese ISP (Thread)
     7. Unusual URLs sent to IIS 5.0 server (Thread)
     8. Spoofed IP trying to connect to port 137 (Thread)
     9. find_ddos results (Thread)
     10. OT log analyzer (Thread)
     11. scan on TCP/21536 (Thread)
     12. port 523/TCP scans (Thread)
     13. What is this? (Thread)
     14. CERT Summary CS-2000-04 (Thread)
     15. FW: New scanning ? activity (Thread)
     16. notepad.exe backdoor (Thread)
     17. Protocol Violation (Thread)
     18. UDP port 1345 (VPJP ??) (Thread)
     19. Romeo&Juliet (fwd) (Thread)
     20. what is this ? (Thread)
     21. port 5232/TCP scans (Thread)
     22. R o m e o & J u l i e t trojan (fwd) (Thread)
     23. IDS246 Large ICMP Packet (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
     1. more locale problems? (Thread)
     2. hybrid-ircd (Thread)
     3. Windows2000 telnet exploit (Thread)
     4. dos commands via iis 4 (Thread)
     5. possible rcp hole... (Thread)
     6. Possible DoS against inetd in Solaris (Thread)
     7. dos commands via iis 4 (TFTP)-NETBIOS (Thread)
     8. ubb hole (Thread)
     9. WinNT system->domain admin (Thread)
     10. TCSEC vs CC (Thread)
     11. En: ubb hole (Thread)
     12. Fw: Virus Carring File Extensions (windows) (Thread)
     13. dos commands via iis 4 (TFTP) (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
     1. ALERT From InfoWorld: Security hole found in Internet...(Thread)
     2. System Authority on NT (Thread)
     3. ALERT From InfoWorld: Security hole found in Internet Explore...(Thread)
     4. A question about a seemingly open TCP port in Win2k (Thread)
     5. Error: System Process: License Violation ... what the heck...(Thread)
     6. Error: System Process: License Violation ... what the heck...(Thread)
     7. Error: System Process: License Violation ... what the heck...(Thread)
     8. SMS and security (Thread)
     9. NT thru the DMZ... (Thread)
     10. Someone on my port 1838 (Thread)
     11. ALERT From InfoWorld: Security hole found in Internet Explorer(Thread)
     12. Bunratty? (Thread)
     13. Error: System Process: License Violation ... what the heck...(Thread)
     14. Unusual URL sent to IIS 5.0 Web servers (Thread)
     15. WHISTLER TO BLOCK MAVERICK CODE (Thread)
     16. IIS 4 updates (Thread)
     17. hidden shares (Thread)
     18. Comparing Web Servers (Thread)
     19. Win2K Kerberos & LDAP implementations (Thread)
     20. Windows2000 Telnet Exploit (Thread)
     21. Antwort: Re: Keylogger for NT / Virus (Thread)
     22. Keylogger for NT (Thread)
     23. Documenting NT File Structures Permissions (Thread)
     24. (U//FOUO) RE: Comparing Web Servers (Thread)
     25. Unbind NetBIOS from TCP/IP (Thread)
     26. NT4 logons with physical token (Thread)
     27. FW: Disabling floppy and Inet properties (Thread)
     28. IIS unicode and FTP (Thread)
     29. Disabling floppy and Inet properties (Thread)
     30. Whoops! Re: [FOCUS-MS] unsubscribe (Thread)
     31. SecurityFocus.com Microsoft Newsletter #9 (Thread)
     32. Checking the Integrity of Registry keys (Thread)
     33. passfilt.dll and clear text passwords (Thread)
     34. log invalid username and password (Thread)
     35. Citrix MetaFrame (Thread)
     36. NT4 Account Operator Question (Thread)
     37. Problem implementing passfilt.dll (Thread)
     38. w98 and security settings question (Thread)
IX. SUN FOCUS LIST SUMMARY
     1. Bind (3Tk) (Thread)
     2. locking a user immediatly on Solaris 8 (Thread)
X. LINUX FOCUS LIST SUMMARY
     1. a few ssh questions (Thread)
     2. BIND 8.2.2-P7 ports (Thread)
     3. AW: BIND 8.2.2-P7 ports (Thread)
     4. Odd / random UDP ports listening on my machine? (Thread)
     5. SSH runing on port > 1023 (Thread)
     6. SecurityFocus.com Linux Newsletter #5 (Thread)
     7. ICMP (Thread)
     8. Choice of platform for firewall (was Re: ICMP) (Thread)
     9. problem with sniffer (Thread)
XI. SPONSOR INFORMATION - Tivoli SecureWay
XII. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. FRONT AND CENTER
-------------------

1. The Crux of NT Security - Phase Three: Controlling and Monitoring
   Communications

Aaron Sullivan's popular series continues with a look at secure network
design and implementation. Where should the Exchange server go? The
database server? The firewall? What protocols should be permitted, and
where? These questions and more are examined in Part Three of The Crux of
NT Security, through a comparison of three common network designs.
 
http://www.securityfocus.com/focus/microsoft/nt/crux3.html

2. Solaris BSM Auditing

When considering the security of a system we need to be concerned not only
with which features and tools we use to implement access restrictions, but
also with what logging of access we do. Logging is important for two main
reasons: regular analysis of our logs gives us early warning of suspicious
activity and, if the logs are stored securely, they can provide the
evidence required to find out what went wrong when a breach of the
security policy occurs. This article by Darren Moffat offers an overview of
the Basic Security Module implementation and management aspects, and
provides insight helpful in raising security to another level, in "Solaris
BSM Auditing."

http://www.securityfocus.com/focus/sun/articles/bsmaudit1.html

3. New Article in the Intrusion Detection Focus Area: ECN and its impact
   on Intrusion Detection

Recently, there has been some discussion on various mailing lists about
the Explicit Congestion Notification (ECN) proposed standard and
QUESO/nmap scan detection. The debate has centered on the two reserved
bits in the TCP header (bits 8 & 9) that QUESO sets in a SYN packet, and
those same two bits being used by ECN.

What is ECN? ECN is a standard proposed by the IETF that will cut down on
network congestion and on routers dropping packets. Currently, RFC 2481
states that in order to accomplish this, ECN will use four previously
unused bits in both the IP header and the TCP header.

http://www.securityfocus.com/focus/ids/articles/ECN.html
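
As an added illustration of the bit overlap the article describes (example code written for this summary, not taken from the article or its author), the following decoder reads the TCP flags word and reports whether a segment's use of the reserved bits matches the RFC 2481 negotiation pattern. The header builder, the classification labels and the sample flag combinations are this example's own constructions.

```python
"""Decode TCP flags and classify how a segment uses the two reserved bits
that RFC 2481 assigns to ECN.  Added example, not from the article."""

# 16-bit word at offset 12 of the TCP header: bits 0-3 data offset, bits 4-9
# reserved, bits 10-15 the six classic flags.  RFC 2481 takes the two low
# reserved bits (bits 8 and 9) as CWR and ECE; bits 4-7 stay unassigned.
CWR, ECE = 0x0080, 0x0040
URG, ACK, PSH, RST, SYN, FIN = 0x0020, 0x0010, 0x0008, 0x0004, 0x0002, 0x0001
UPPER_RESERVED = 0x0F00


def make_tcp_header(flags, sport=12345, dport=80):
    """Build a constructed 20-byte TCP header carrying the given flag bits."""
    word = (5 << 12) | (flags & 0x0FFF)      # data offset 5 words, no options
    return (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
            + (0).to_bytes(4, "big")          # sequence number
            + (0).to_bytes(4, "big")          # acknowledgement number
            + word.to_bytes(2, "big")
            + (8192).to_bytes(2, "big")       # window
            + (0).to_bytes(2, "big")          # checksum (not computed here)
            + (0).to_bytes(2, "big"))         # urgent pointer


def decode_tcp_flags(header):
    """Return the flag bits of a TCP header (at least 14 bytes) as booleans."""
    if len(header) < 14:
        raise ValueError("TCP header truncated")
    word = int.from_bytes(header[12:14], "big")
    return {name: bool(word & bit) for name, bit in (
        ("cwr", CWR), ("ece", ECE), ("urg", URG), ("ack", ACK),
        ("psh", PSH), ("rst", RST), ("syn", SYN), ("fin", FIN),
        ("upper_reserved", UPPER_RESERVED))}


def classify_reserved_bits(header):
    """Label a segment's reserved-bit usage.

    'none'             no reserved bit set
    'ecn-setup-syn'    SYN without ACK, ECE and CWR both set (RFC 2481)
    'ecn-setup-synack' SYN+ACK with ECE only (RFC 2481 reply)
    'ecn-data'         ECE/CWR on an established (non-SYN) segment
    'anomalous'        bits 4-7 set, or an ECN combination RFC 2481 never
                       produces (for example a SYN with CWR but no ECE)
    """
    f = decode_tcp_flags(header)
    if f["upper_reserved"]:
        return "anomalous"
    if not (f["cwr"] or f["ece"]):
        return "none"
    if f["syn"] and not f["ack"]:
        return "ecn-setup-syn" if (f["cwr"] and f["ece"]) else "anomalous"
    if f["syn"] and f["ack"]:
        return "ecn-setup-synack" if (f["ece"] and not f["cwr"]) else "anomalous"
    return "ecn-data"


if __name__ == "__main__":
    for label, flags in (("plain SYN", SYN), ("SYN with both reserved bits",
                         SYN | ECE | CWR), ("SYN with bit 4", SYN | 0x0100)):
        print(f"{label}: {classify_reserved_bits(make_tcp_header(flags))}")
```

A SYN that sets both reserved bits, as QUESO does, and an RFC 2481 ECN-setup SYN decode identically, so the classifier can only report that the pattern is consistent with ECN, not that the sender is an ECN host; a signature that fires on reserved bits alone will alert on every ECN-capable peer, which is the false-positive problem the article discusses. Combinations RFC 2481 never emits, and the upper four reserved bits, remain anomalous and are still worth alerting on.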

4. New Article in the Intrusion Detection Focus Area: Thinking about
   Security Monitoring and Event Correlation

Most security devices provide logging and alerting of known and possibly
unknown security events that occur on an information technology
infrastructure. Despite all our technological advances and the
introduction of devices like firewalls and VPNs, most companies do not
monitor the information coming from these devices.

http://www.securityfocus.com/focus/ids/articles/thinking.html

II. BUGTRAQ SUMMARY
-------------------

1. AT&T WinVNC Remote Desktop Default Configuration Vulnerability
BugTraq ID: 1961
Remote: Yes
Date Published: 2000-11-19
Relevant URL:
http://www.securityfocus.com/bid/1961
Summary:

AT&T WinVNC (Virtual Network Computing) is a freeware package available
from AT&T Labs Cambridge that allows an existing desktop of a PC to be
remotely available.

During WinVNC's default install process, a registry key is created with
permissions that could allow a remote attacker to modify it and gain
unauthenticated access to the service. The registry key,
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\, contains the connection
password, IP and query restrictions, and other settings. By default, this
key is created during install with the "Administrator" and "SYSTEM"
accounts having Full Control and the "Everybody" account having Special
Access (read and modify). Please note that under Windows 2000 this key has
"Standard User" privileges, which can accomplish the same thing.

While it is possible for a remote attacker to exploit this using regedit
(blank the password value and set the "AuthRequired" key to 0), the machine
needs to be an NT 4.0 system missing the registry permissions patch. If the
machine is patched or is running Windows 2000, administrator rights or the
equivalent are required to gain access from the network. If successful, a
remote attacker could gain complete access to the system.

2. NetcPlus SmartServer3 Weak Encryption Vulnerability
BugTraq ID: 1962
Remote: No
Date Published: 2000-11-18
Relevant URL:
http://www.securityfocus.com/bid/1962
Summary:

SmartServer3 is an email server designed for small networks.

A design error exists in SmartServer3 which enables an authenticated user
to view other users' login information and possibly gain access to their
passwords. SmartServer3 by default installs in the
C:\ProgramFiles\smartserver3/ directory and includes a configuration file
called dialsrv.ini. This file is accessible by all Windows authenticated
users and contains detailed user login information, including the
encrypted password. However, SmartServer3 uses a weak encryption scheme
which can easily be broken using a third-party utility.

Successful exploitation yields unauthorized access to private data.

The following example of user login information found in the dialsrv.ini
file is provided by Steven Alexander <stevecell2000.net>:

[USER1]
realname=Carl Jones
id=Carl
dir=CARL
pw=~:kCnD3~:
extml=0
alertport=
alert=
UserActive=1
MailLimit=0
MailMAxWarn=0
MailMaxSize=20

3. CGIForum Arbitrary File Disclosure Vulnerability
BugTraq ID: 1963
Remote: Yes
Date Published: 2000-11-20
Relevant URL:
http://www.securityfocus.com/bid/1963
Summary:

DCForum is a commercial cgi script from Markus Triska which is designed to
facilitate web-based threaded discussion forums.

The script improperly validates user-supplied input to the "thesection"
parameter. If an attacker supplies a carefully formed URL containing '/../'
sequences as the argument to this parameter, the script will traverse the
normal directory structure of the application in order to find the
specified file. As a result, it is possible to remotely view arbitrary
files on the host which are readable by the user 'nobody'.

4. NetcPlus BrowseGate Weak Encryption Vulnerability
BugTraq ID: 1964
Remote: No
Date Published: 2000-11-18
Relevant URL:
http://www.securityfocus.com/bid/1964
Summary:

BrowseGate is a proxy server which supports most standard protocols.

A design error exists in BrowseGate which enables an authenticated user to
view other users' encrypted passwords. BrowseGate by default installs in the
C:\ProgramFiles\browsegate/ directory and includes a configuration file
called brwgate.ini. This file is accessible by all Windows authenticated
users and contains the encrypted password. The password is presented in
the 'scrnsze' field. However, due to a weak encryption scheme it is
possible for a user to decrypt the password using a third-party utility.

Successful exploitation of this vulnerability will lead to unauthorized
access to private data.

5. NetcPlus SmartServer3 DoS Vulnerability
BugTraq ID: 1965
Remote: Yes
Date Published: 2000-11-18
Relevant URL:
http://www.securityfocus.com/bid/1965
Summary:

SmartServer3 is an email server designed for small networks.

The POP3 and SMTP services within SmartServer3 are subject to a denial of
service. Submitting an unusually long argument to the USER or PASS command
in the POP3 service will cause the server service to stop responding and
refuse any new connections. An unusually long argument submitted to the
SMTP service after the 'HELO' command will cause the server to stop
responding, yet it will still accept new connections. In either instance a
restart of the server service is required in order to regain normal
functionality.

Successful exploitation of this vulnerability could lead to the execution
of arbitrary commands; however, this has not been proven.

6. Koules Svgalib Buffer Overflow Vulnerability
BugTraq ID: 1967
Remote: No
Date Published: 2000-11-20
Relevant URL:
http://www.securityfocus.com/bid/1967
Summary:

Koules is an original, arcade-style game authored by Jan Hubicka. The
version using svgalib is usually installed setuid root so that it may
access video hardware when run at the console by regular users. This
version contains a buffer overflow vulnerability that may allow a user to
gain higher privileges. The vulnerability exists in the handling of
user-supplied command-line arguments.

Successful exploitation of this vulnerability leads to root compromise.

7. Oracle cmctl Buffer Overflow Vulnerability
BugTraq ID: 1968
Remote: No
Date Published: 2000-11-20
Relevant URL:
http://www.securityfocus.com/bid/1968
Summary:

cmctl is the Connection Control Manager, part of the Oracle 8i
installation. A vulnerability exists that can allow elevation of
privileges.

The problem occurs in the way cmctl handles the user-supplied command line
arguments. The string representing argv[1] (the first user-supplied
commandline argument) is copied into a buffer of predefined length without
being checked to ensure that its length does not exceed the size of the
destination buffer. As a result, the excessive data that is written to the
buffer will write past its boundaries and overwrite other values on the
stack (such as the return address).

This can lead to the user executing supplied shellcode with the effective
privileges of cmctl, egid dba and euid oracle.

8. Adcycle Password Disclosure Vulnerability
BugTraq ID: 1969
Remote: Yes
Date Published: 2000-11-20
Relevant URL:
http://www.securityfocus.com/bid/1969
Summary:

Adcycle is a banner advertisement administration tool from Adcycle.com. It
utilizes a connection to a MySQL database to manage and display clickable
advertisement banners.

Upon installation, Adcycle leaves its database configuration script
'build.cgi' accessible to remote users. This script is designed to assist
in configuring the connection to Adcycle's MySQL database.

As part of this functionality, build.cgi outputs the applicable manager
and database passwords.

Normally, this script would be disabled prior to the completion of the
installation. However, it remains executable by the host's httpd process.
By executing this script, a remote user can obtain the management password
and gain access to Adcycle's configuration, allowing the addition,
modification or deletion of ad campaigns. A user may also further
compromise the software package and possibly the underlying system with
the MySQL database password.

In addition, when the script is executed, the AdCycle tables are wiped
out. This could lead to a loss of data and/or denial of service.

9. Unify eWave ServletExec JSP Source Disclosure Vulnerability
BugTraq ID: 1970
Remote: Yes
Date Published: 2000-11-21
Relevant URL:
http://www.securityfocus.com/bid/1970
Summary:

Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major
web servers such as Microsoft IIS, Apache, Netscape Enterprise Server,
etc.

ServletExec will return the source code of JSP files when a HTTP request
is appended with one of the following characters:

.
%2E
+
%2B
\
%5C
%20
%00

For example, the following URL will yield the source of the specified JSP file:

http://target/directory/jsp/file.jsp.

Successful exploitation could lead to the disclosure of sensitive
information contained within JSP pages.
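
For the monitoring side of this issue, here is an added example (not Unify's or ServletExec's code) that scans constructed web server access log lines for requests whose .jsp target carries one of the trailing characters listed above, after percent-decoding. The log format, the sample lines and the function names are this example's own assumptions.

```python
"""Flag access-log requests that append a trailing character to a .jsp path.
Added example; not Unify/ServletExec code.  The log format and sample lines
are constructed for illustration."""
import re
from urllib.parse import unquote

# Trailing characters from the advisory, as they look after percent-decoding:
# "%2E" -> ".", "%2B" -> "+", "%5C" -> "\\", "%20" -> " ", "%00" -> NUL.
SUSPICIOUS_SUFFIXES = (".", "+", "\\", " ", "\x00")

# Common Log Format: client ident user [time] "METHOD target PROTOCOL" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def jsp_trailing_suffix(target):
    """Return the suspicious character appended to a .jsp path, else None."""
    path = target.split("?", 1)[0]          # the query string is not the file name
    decoded = unquote(path).lower()         # unquote leaves a bare '+' as '+'
    for suffix in SUSPICIOUS_SUFFIXES:
        if decoded.endswith(".jsp" + suffix):
            return suffix
    return None


def scan_access_log(lines):
    """Return (client, target, status, suffix) for each flagged request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                        # not a CLF line; skip rather than guess
        client, _method, target, status = m.groups()
        suffix = jsp_trailing_suffix(target)
        if suffix is not None:
            hits.append((client, target, int(status), suffix))
    return hits


# Constructed sample lines (not real traffic): a normal request, then the
# unencoded and encoded variants of the trailing-character pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2000:10:00:01 -0500] "GET /app/index.jsp HTTP/1.0" 200 5123',
    '10.0.0.5 - - [21/Nov/2000:10:00:02 -0500] "GET /app/index.jsp. HTTP/1.0" 200 2210',
    '10.0.0.9 - - [21/Nov/2000:10:00:03 -0500] "GET /app/login.jsp%2E HTTP/1.0" 200 1980',
    '10.0.0.9 - - [21/Nov/2000:10:00:04 -0500] "GET /app/login.jsp%00 HTTP/1.0" 200 1980',
    '10.0.0.9 - - [21/Nov/2000:10:00:05 -0500] "GET /app/login.jsp?u=x HTTP/1.0" 200 800',
    '10.0.0.7 - - [21/Nov/2000:10:00:06 -0500] "GET /app/admin.jsp+ HTTP/1.0" 404 300',
]

if __name__ == "__main__":
    for client, target, status, suffix in scan_access_log(SAMPLE_LOG):
        print(f"{client} requested {target!r} (status {status}), suffix {suffix!r}")
```

Decoding before the comparison means %2E, %2B, %5C, %20 and %00 collapse onto the literal characters, so a single check covers both encodings. A 200 response to such a request, rather than a 404, is the stronger indicator that the engine served the page rather than rejecting the name, which is why the status code is carried through to the hit.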

10. BB4 Big Brother Multiple CGI Vulnerabilities
BugTraq ID: 1971
Remote: Yes
Date Published: 2000-11-20
Relevant URL:
http://www.securityfocus.com/bid/1971
Summary:

Big Brother Network Monitor is a robust, feature-rich network monitoring
package produced by BB4 Technologies. A problem exists that can allow
remote account guessing.

The problem occurs in the Common Gateway Interface package included with
Big Brother, which runs on the Big Brother Display Server. The CGI is
responsible for posting statistics on network operations to the Big
Brother Display Server, an interface which is accessible via a web browser.
Due to insufficient handling of input, it is possible to verify the
existence of sensitive files and valid user accounts through the CGI of
the Display Server. Yielding this information to a malicious user could
result in a targeted brute-force password cracking attack.

The following files are affected by this flaw:

 bb-hist.sh
 bb-histlog.sh
 bb-hostsvc.sh
 bb-rep.sh
 bb-replog.sh
 bb-ack.sh

11. Ethereal AFS Buffer Overflow Vulnerability
BugTraq ID: 1972
Remote: Yes
Date Published: 2000-11-18
Relevant URL:
http://www.securityfocus.com/bid/1972
Summary:

Ethereal is a network auditing utility originally written by Gerald Combs.
A problem exists in the Ethereal package which can allow a remote user to
execute code.

The problem exists in the AFS packet parsing routine. A string from the
packet contents is scanned into a buffer of predefined size without
checking whether the length of the string exceeds the buffer size. It is
therefore possible to overwrite other values on the stack, including the
return address. This problem makes it possible for a malicious user to
execute code with a custom-crafted packet.

12. Microsoft Windows 2000 Domain Account Lockout Bypass Vulnerability
BugTraq ID: 1973
Remote: Yes
Date Published: 2000-11-21
Relevant URL:
http://www.securityfocus.com/bid/1973
Summary:

Under certain circumstances, it is possible to bypass a domain account
lockout policy on a local machine which would render this protective
measure against brute force password attempts ineffective. The purpose of
a domain account lockout policy is to disable an account after a certain
number of unsuccessful login attempts. If this policy was not implemented,
the password of a domain account could be guessed an unlimited number of
times.

Windows 2000 hosts in a non-2000 domain using NTLM authentication will
fail to recognize a domain account lockout policy for users whose
credentials are locally cached. Cached credentials contain the username
and password in hashed form and are used in the event that the domain
controller is not available to perform authentication. Windows 2000
systems that are not using NTLM to perform authentication are not
susceptible to this vulnerability, therefore clients that are members of
Windows 2000 domains would not be vulnerable because Kerberos
authentication is being implemented.

This vulnerability could allow a valid password to be recovered through
brute-force techniques. If a malicious user was able to log in with a
password acquired from a brute-force attack, they would gain privileges of
the same level as the domain account but would be confined to the local
machine, because domain authentication would not be able to take place and
the lockout policy would be enforced at the domain level.

13. FreeBSD ppp deny_incoming Vulnerability
BugTraq ID: 1974
Remote: Yes
Date Published: 2000-11-14
Relevant URL:
http://www.securityfocus.com/bid/1974
Summary:

ppp is a utility used for handling point-to-point network connections on
Unix systems. The FreeBSD version of ppp also facilitates NAT, or network
address translation, for proxied communication between networks.

There is an option in ppp, "nat deny_incoming", which can be used as a
broad, simple "firewall rule". It tells the machine performing NAT not to
let anything pass through the gateway that is not part of an existing NAT
session. Code was added to this functionality to permit certain types of
data through the NAT gateway, and that code introduced a bug resulting in
all traffic passing through despite the "deny_incoming" directive.

This may result in a violation of security policy and can lead to attacks
on the internal network behind the gateway.

14. NCSA HTTPd campas sample script Vulnerability
BugTraq ID: 1975
Remote: Yes
Date Published: 1997-07-15
Relevant URL:
http://www.securityfocus.com/bid/1975
Summary:

Campas is a sample CGI script shipped with some older versions of NCSA
HTTPd, an obsolete web server package. The versions that included the
script could not be determined as the server is no longer maintained, but
version 1.2 of the script itself is known to be vulnerable. The script
fails to properly filter user supplied variables, and as a result can be
used to execute commands on the host with the privileges of the web
server. Commands can be passed as a variable to the script, separated by
%0a (linefeed) characters. See exploit for example. Successful
exploitation of this vulnerability could be used to deface the web site,
read any files the server process has access to, get directory listings,
and execute anything else the web server has access to.

15. Microsoft Windows Media Player .WMS Arbitrary Script Vulnerability
BugTraq ID: 1976
Remote: Yes
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1976
Summary:

Windows Media Player is an application used for digital audio, and video
content viewing.

It is possible for a user running Windows Media Player 7 to enable a skin
(.wms) file and unknowingly execute an embedded malicious script. When a
user retrieves a skin (.wms) file it is downloaded and resides on the
user's local machine. If Windows Media Player is run with the malicious
skin enabled, the ActiveX component would allow any arbitrary action to be
achieved. Depending on Internet security settings, this vulnerability is
also exploitable if the skin file in question resides on a web site: the
script could launch automatically when a user visits the web site.

Execution of arbitrary scripts could make it possible for the malicious
host to gain rights equivalent to those of the current user.

16. Microsys CyberPatrol Insecure Registration Vulnerability
BugTraq ID: 1977
Remote: Yes
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1977
Summary:

CyberPatrol is popular web access restriction software by Microsys.

A vulnerability exists in the way CyberPatrol submits registration
information from its client software to Microsys' backend
(cybercentral.microsys.com) that could allow a remote attacker to gather
confidential information including credit card details.

The client software claims that all information, including credit card
details, is "scrambled" before being sent to Microsys' backend. Installing
a sniffer has shown that all information with the exception of the credit
card number is actually sent in clear text to Microsys. A remote attacker
could place a sniffer upstream from the sending client and gather
confidential registration information, in addition to the credit card
number, which is protected only by a substitution cipher (please see the
original Bugtraq message in the reference section for details on the
cipher). Additionally, this information could be obtained by examining the
log files of a proxy firewall.

17. IE 5.5 Index.dat Vulnerability
BugTraq ID: 1978
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1978
Summary:

IE 5.5 (and possibly other versions) stores recently visited URLs and
cache folder names in a local file called index.dat. This file is kept in
the following known locations:

Windows 9x:
 C:/WINDOWS/Temporary Internet Files/Content.IE5/

Windows 2000:
C:/Documents and Settings/USERNAME/Local Settings/Temporary Internet Files/Content.IE5/

This file will register as local content in IE's security mechanism, but
arbitrary code can be written to it by including scripting commands in a
URL. Therefore, although the code may not execute when the URL itself is
visited, it will be trusted in the local index.dat file. To execute code
in that file, it must be parsed by IE. Microsoft has released a security
bulletin about parsing non-HTML files (see Microsoft Security Bulletin
MS00-055 in the credit section); however, it is still possible to force IE
to render non-HTML files via an object tag defining the TYPE as text/html
and specifying the file in the DATA field.

Therefore, remote code can be injected into a trusted file and
successfully executed. This vulnerability can be used for many purposes,
including determining the names of the cache folders. With that
information, an attacker could cause the target to execute files
previously downloaded by the victim.

18. Software602 602Pro LAN SUITE Buffer Overflow Vulnerability
BugTraq ID: 1979
Remote: Yes
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1979
Summary:

602Pro LAN SUITE is an application which provides connection sharing,
email and fax services for networks. Remote administration capabilities
exist through an integrated HTTP-server.

An unchecked buffer exists in the handling of GET requests within the
remote administration component (webprox.dll) of 602Pro LAN SUITE.
Requesting a GET command comprised of approximately 1059 bytes will cause
a buffer overflow and allow the execution of arbitrary code.

Successful exploitation of this vulnerability could lead to a complete
compromise of the host.

19. Microsoft Windows Media Player .ASX Buffer Overflow Vulnerability
BugTraq ID: 1980
Remote: Yes
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1980
Summary:

Windows Media Player is an application used for digital audio, and video
content viewing. An unsafe buffer copy involving remotely-obtained data
exists in the Active Stream Redirector (ASX) component in Windows Media
Player. The ASX enables a user to play streaming media residing on an
intranet or external site. .ASX files are metafiles that redirect
streaming media content from a browser to Windows Media Player.

The contents of ASX files, when being interpreted by Windows Media Player,
are copied into memory buffers for run-time use. When this data is copied,
it is not ensured that the amount of data copied is within the predefined
size limits. As a result, any extraneous data will be copied over memory
boundaries and can overwrite neighbouring memory on the program's stack.

Depending on the data that is copied, a denial of service attack could be
launched or arbitrary code could be executed on the target host. Windows
Media Player runs in the security context of the user currently logged on,
therefore arbitrary code would be run at the privilege level of that
particular user. If random data were entered into the buffer, the
application would crash and restarting the application is required in
order to regain normal functionality.

If a user was misled to download a hostile .ASX file to the local machine,
they would only have to single click on the file within Windows Explorer
to activate the code. This is due to the 'Web View' option that is used by
Windows Explorer to preview web documents automatically while browsing
(this feature is enabled by default). In addition, a malformed .ASX file
could be embedded into a HTML document and be configured to execute when
opened via a browser or HTML compliant email client.

20. Balabit syslog-ng Incomplete Priority String Remote DoS Vulnerability
BugTraq ID: 1981
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1981
Summary:

syslog-ng is a replacement for syslogd on Unix systems. Due to a fault in
the log message parsing function, it can be remotely terminated via a
SIGSEGV by causing a certain string to be included in a log message.

Each log message has a priority label, in the format <n> where n is the
priority rating. The message parsing function uses a variable named "left"
to store the number of characters remaining in the message. If the
priority label does not have the trailing '>' this value gets set to -1
due to a bug. Therefore, when the program checks to see if it is at the
end of the message by evaluating whether left=0, it does not register as
being at the end of the message.

In versions 1.4.7 and 1.4.8 the software replaces every \r and \n in the
message with a space. Under the above conditions that replacement loop
runs past the end of the message buffer and attempts to write to
inaccessible memory, causing a segmentation fault. Including the string
"<6" followed by a newline in any input that gets logged is therefore
enough to crash syslog-ng.

Versions prior to 1.4.7 can also be exploited in a similar manner, however
more precise details are not currently available.
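The off-by-one described above, reconstructed as an added C example. This is not syslog-ng's source: it models the pattern the summary describes (a signed "left" counter, a "<n>" label consumed without confirming its '>', and a clean-up loop whose only stop condition is left == 0) beside the checks that close the hole. It assumes the line reader has already removed the terminating newline, so the truncated label arrives as the constructed input "<6"; the function names are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the bug class summarised above. Not syslog-ng's
 * code: it reconstructs the described pattern. Assumes the newline that
 * terminated the line on the wire has already been stripped, so a
 * truncated priority label is seen as just "<6" (constructed input). */

/* Unsafe pattern: after the digits the parser steps over the '>' it
 * expects to find. For "<6" that step goes one byte past the end and
 * the remaining-byte count ends at -1. Returns that count. */
int parse_priority_unsafe(const char *msg, size_t len, int *pri)
{
    int left = (int)len;
    const char *p = msg;

    if (left > 0 && *p == '<') {
        int n = 0;
        p++; left--;
        while (left > 0 && isdigit((unsigned char)*p)) {
            n = n * 10 + (*p - '0');
            p++; left--;
        }
        p++; left--;          /* bug: '>' assumed, never checked */
        *pri = n;
    }
    return left;
}

/* Safe pattern: the label is accepted only when its '>' really lies
 * inside the buffer; otherwise the message is left untouched and the
 * returned count can never go below zero. */
int parse_priority_safe(const char *msg, size_t len, int *pri)
{
    int left = (int)len;
    const char *p = msg;

    if (left > 0 && *p == '<') {
        const char *q = p + 1;
        int rem = left - 1;
        int n = 0;
        while (rem > 0 && isdigit((unsigned char)*q)) {
            n = n * 10 + (*q - '0');
            q++; rem--;
        }
        if (rem > 0 && *q == '>') {   /* closing '>' confirmed */
            *pri = n;
            return rem - 1;
        }
        /* no '>': not a priority label, fall through with left intact */
    }
    return left;
}

/* The clean-up loop that turned the bad count into a crash. With the
 * original "left != 0" test a -1 never terminates it; "left > 0" does,
 * and an explicit sign check rejects the bad count outright. Returns
 * the number of bytes rewritten, or -1 if the count is invalid. */
int blank_newlines(char *buf, int left)
{
    int changed = 0;
    if (left < 0) return -1;              /* what "!= 0" could not catch */
    while (left > 0) {
        if (*buf == '\r' || *buf == '\n') { *buf = ' '; changed++; }
        buf++; left--;
    }
    return changed;
}

int main(void)
{
    int pri = -1;
    char text[] = "<6>up\r\n";
    printf("unsafe \"<6\"        -> left = %d\n", parse_priority_unsafe("<6", 2, &pri));
    printf("safe   \"<6\"        -> left = %d\n", parse_priority_safe("<6", 2, &pri));
    printf("safe   \"<6>up\\r\\n\" -> left = %d, pri = %d\n",
           parse_priority_safe(text, sizeof text - 1, &pri), pri);
    return 0;
}
```

The fix is two-fold: never consume a delimiter you have not seen, and never let a loop's only exit be an equality test on a counter that can go negative.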

21. HP EMS Arbitrary File Permission Change Vulnerability
BugTraq ID: 1982
Remote: Unknown
Date Published: 2000-11-21
Relevant URL:
http://www.securityfocus.com/bid/1982
Summary:

EMS, or the Event Monitoring System, is a component of the ServiceControl
network management suite for HP-UX systems. EMS is used for polling
systems, detecting faults and reporting performance.

According to HP-UX Security Advisory HPSBUX0011-131, EMS contains a
locally exploitable security vulnerability in its handling of system
files. The vulnerability provides the ability for an attacker to change
the permissions of an arbitrary file on the root partition. HP has not
disclosed what exactly those permissions are, but they may lead to an
elevation of privileges. Additional technical details are unavailable at
this time.

It is advised that HP-UX system operators using ServiceControl upgrade to
the newest version of EMS (see the solutions section or advisory for
details).

22. Quikstore Plaintext Administrator Password Vulnerability
BugTraq ID: 1983
Remote: Yes
Date Published: 1999-04-20
Relevant URL:
http://www.securityfocus.com/bid/1983
Summary:

QuikStore is a commercial store front program providing order management,
inventory, and other e-commerce related functions to web sites. It is
written in Perl, and stores configuration information in a separate
configuration file for easy setup. Certain older versions of QuikStore
stored the administrator name and password in plaintext in this
configuration file, named "quikstore.cfg" in these versions. An unsecured
default installation leaves this file world-readable, giving remote
intruders access to it through the web server. With access to this file
and the user/password combination contained in it, the intruder has full
administrative access to the online store.

Consequences of an attack could include modification of orders, product
information, prices, and gathering of customer credit card information. At
the time of writing, the specific affected versions were not known,
although versions 2.10.05 and 2.11 are not vulnerable. Any installation
storing the administrator name and password in a world readable
configuration file is vulnerable. Although this can be fixed by properly
configuring file permissions, storing password and account information in
plain text is generally a poor approach.

23. elvis-tiny File Overwrite Vulnerability
BugTraq ID: 1984
Remote: No
Date Published: 2000-09-13
Relevant URL:
http://www.securityfocus.com/bid/1984
Summary:

Elvis-tiny is a compact vi-compatible text editor.

Due to a flaw in the program's creation and naming of temporary files, a
race condition exists which could allow a properly-timed attack to read or
overwrite data from files created using the vulnerable application. The
affected files would be limited to those which are writable by the target
user.

Depending on the privileges of the target user using Elvis, this could
yield an elevation of privileges to the attacker, a denial of service, or
further compromise of the host's security.

24. Phorum PHP Source Disclosure Vulnerability
BugTraq ID: 1985
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1985
Summary:

Phorum is a PHP based web forums package. Due to an error in the
implementation of forum selection in administrative scripts, any user can
view the source of any PHP script on the target host. This is due to
user-supplied input being referenced as a filename in two locations in the
file common.php. For example:

if($num || $f){
    if($f) $num=$f;                                  // $f comes straight from the form
    if(file_exists("$admindir/forums/$num.php")){    // no check that $num names a forum
      include "$admindir/forums/$num.php";
    }
}

where $f is read from user input via a form, and is meant to be the name
of a selected forum. However, any value can be submitted as $f and the
corresponding PHP file will be displayed to the browser. This could lead
to disclosure of sensitive information, including the MySQL password, which
is kept in master.php.
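The check the Phorum snippet above is missing, written out as an added C example. It is not Phorum's code (Phorum is PHP); it shows the same decision in C: a forum name taken from a form must be confined to a single allowed file name before it is spliced into a path. The admin directory "/var/www/admin", the sample inputs and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Phorum's code. Shows an allow-list on the forum
 * name before it is used to build an include path, and why a filter
 * that merely deletes "../" is not a substitute. Inputs constructed. */

/* Allow-list: a forum name is a non-empty run of [A-Za-z0-9_-] of at
 * most 64 bytes. Slashes, dots, spaces and anything else are rejected. */
int is_forum_name(const char *f)
{
    size_t i;
    if (f == NULL || *f == '\0') return 0;
    for (i = 0; f[i]; i++) {
        char c = f[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return i <= 64;
}

/* Builds "<admindir>/forums/<f>.php" only when f passes the allow-list.
 * Returns out on success, NULL when the name is rejected or too long. */
char *safe_forum_path(const char *admindir, const char *f, char *out, size_t cap)
{
    if (!is_forum_name(f)) return NULL;
    if (snprintf(out, cap, "%s/forums/%s.php", admindir, f) >= (int)cap) return NULL;
    return out;
}

/* The tempting but wrong alternative: deleting "../" once. A single pass
 * over "..././master" leaves "../master", so the traversal survives.
 * Kept here to show why deny-list filtering loses to an allow-list. */
char *strip_dotdot_once(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    while (*in && o + 1 < cap) {
        if (strncmp(in, "../", 3) == 0) { in += 3; continue; }
        out[o++] = *in++;
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    char path[128];
    const char *admindir = "/var/www/admin";      /* constructed */
    const char *inputs[] = { "general", "../master", "..././master", "" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *p = safe_forum_path(admindir, inputs[i], path, sizeof path);
        printf("%-14s -> %s\n", inputs[i], p ? p : "rejected");
    }
    printf("strip once: %s\n", strip_dotdot_once("..././master", path, sizeof path));
    return 0;
}
```

The same allow-list test is a one-line regular expression in PHP; the point is that the forum name must be validated against what a forum name can be, not cleaned of what an attacker might send.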

25. Caucho Technology Resin 1.2 JSP Source Disclosure Vulnerability
BugTraq ID: 1986
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1986
Summary:

Resin is a servlet and JSP engine that supports Java and JavaScript.

Resin will return the source code of a JSP file instead of executing it
when certain characters are appended to the HTTP request. Whether the
vulnerability applies depends on the platform Resin is running on.

Successful exploitation could lead to the disclosure of sensitive
information contained within JSP pages.

26. Microsoft NT 4.0 SynAttackProtect Denial of Service Vulnerability
BugTraq ID: 1987
Remote: Yes
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1987
Summary:

The article "Security Considerations for Network Attacks"
(http://www.microsoft.com/TechNet/security/dosrv.asp) published by
Microsoft details best practices to protect Windows NT against denial of
service attacks. It includes a number of recommended registry
configurations to harden the network stack. One particular suggested
setting, "SynAttackProtect", has been shown to render a Windows NT 4.0
system vulnerable to a remotely exploitable denial of service attack.

The document "Security Considerations for Network Attacks" states that the
REG_DWORD value SynAttackProtect under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

should be set to '2' rather than the default value of '0' in order to
withstand SYN flood attacks. However, when the value is configured as '2',
Windows NT 4.0 will be vulnerable to a denial of service attack. If the
CyberCop TCP Sequence Number Prediction attack (Module 13002) (or
equivalent) is launched against a host with this registry setting, it may
crash requiring a reboot to regain system functionality. It is not exactly
known what causes this to occur.

27. IBM HTTP Server Denial of Service Vulnerability
BugTraq ID: 1988
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1988
Summary:

IBM HTTP Server is a web server powered by Apache. The Windows NT version
is subject to this vulnerability.

IBM HTTP Server is subject to a denial of service. A GET request with an
unusually long path of approximately 219 characters causes the server to
stop responding and an error message to be displayed. A restart of the
application is required in order to regain normal functionality.

Successful exploitation of this vulnerability could lead to the execution
of arbitrary commands. However this is unverified.

 Example of error message provided by benjurry <benjurryyeah.net>:

***STOP:0x0000001e(0X00000005,0X804B3A51,0X00000000,0X00000000)KMODE_EXCEPTION_NOT_HANDLED.
***Address 804B3A51 base at 80400000,Datastamp 384D9B17-ntoskrnl.exe

28. Linux modprobe Buffer Overflow Vulnerability
BugTraq ID: 1989
Remote: No
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1989
Summary:

Modutils is a component of many Linux systems that includes tools for
using loadable kernel modules. One of these tools, modprobe, automatically
loads the set of modules that correspond to a "name" passed on the
command line.

Though fixes for a recent (as of 11/23/2000, see Bugtraq ID 1936)
high-profile vulnerability in modprobe have been made available by most
vulnerable Linux vendors, it has been reported that there exists another
method for an attacker to gain root privileges exploiting modprobe.

Debian and Red Hat have both released advisories regarding a vulnerability
that exists in modprobe related to the handling of input from the kernel.
A buffer overflow can occur because data passed from the user through the
kernel to modprobe isn't checked for length/validity before being used in
memory copies.

Since modprobe is still spawned as root via kmod through setuid utilities
such as ping, successful exploitation of this vulnerability can lead to
root privileges for the attacker.

29. Aladdin Ghostscript Symlink Vulnerability
BugTraq ID: 1990
Remote: No
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1990
Summary:

A vulnerability exists in certain versions of Aladdin Ghostscript, a
multiplatform PostScript interpreter.

The method used by the program to create temporary files can allow a local
user to carry out a symbolic link attack on files elsewhere in the
affected host's filesystem. As a result, an attacker could potentially be
permitted to read or overwrite sensitive information, (ie /etc/passwd).
This could lead to an elevation of privileges, denial of service or
further compromise of the target host.

30. Aladdin Ghostscript Arbitrary Shared Library Usage Vulnerability
BugTraq ID: 1991
Remote: No
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1991
Summary:

A vulnerability exists in certain versions of Aladdin Ghostscript, a
multiplatform PostScript interpreter.

LD_RUN_PATH is read by the linker at build time and sets the run-time
library search path embedded in the resulting binary. Improper use of it
when Ghostscript was built can cause the program to load shared libraries
found in the current directory.

An attacker who can place a malicious shared library in a directory from
which the program is run could exploit this to execute hostile code on the
affected host, potentially gaining elevated privileges.

31. Linux rcp Possible Local Arbitrary Command Execution Vulnerability
BugTraq ID: 1992
Remote: No
Date Published: 2000-11-22
Relevant URL:
http://www.securityfocus.com/bid/1992
Summary:

rcp, or "remote copy" is a component of the Berkeley "r-services" remote
access utilities. It is installed setuid root because it uses privileged
source ports to perform rhosts and hosts.equiv authentication.

The Linux version of rcp (and possibly others) contains a vulnerability
which may lead to a local root compromise if exploited on older Linux
systems or systems with special configurations.

User input, via a system()-like call within the rcp source, is passed to
/bin/sh (which is actually bash on most linux systems) without being
checked for shell metacharacters. As a result, it is possible to execute
arbitrary commands with effective root privileges provided that the shell
allows it.

Versions of bash shipped with almost all recent Linux distributions drop
effective privileges when they do not match the user's real privileges;
on those systems this vulnerability is not a threat.

It may be a threat on older Linux systems whose /bin/sh is a version of
bash or the Bourne shell that does not drop effective privileges, and on
systems where the default /bin/sh has been replaced with another shell
that does not drop them.

32. Network Associates WebShield SMTP Content Filter Bypass Vulnerability
BugTraq ID: 1993
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1993
Summary:

Network Associates WebShield SMTP is an email virus scanner designed for
internet gateways.

The Content Filtering mechanism in WebShield SMTP filters incoming and
outgoing email based upon certain criteria set by the administrator such
as keywords, file attachment size, and so forth. It is possible to bypass
Content Filtering if the transmitted email contains certain extended ASCII
characters. This does not affect the effectiveness of virus detection in
any way.

III. SECURITYFOCUS.COM NEWS AND COMMENTARY
------------------------------------------

1. Report: Carnivore Needs Work
By Kevin Poulsen

The FBI's "Carnivore" Internet surveillance tool generally
works as advertised, but would benefit from an infusion of audit trails
and internal security measures, according to a draft report released by
the Justice Department Tuesday night.

The 121-page report by the Illinois Institute of Technology Research
Institute (IITRI) describes Carnivore's workings in new detail, and
recommends that the system continue to be deployed. But the report also
includes a number of recommendations to improve the system's reliability
and security.

http://www.securityfocus.com/templates/article.html?id=118

2. eBay Pulls Mitnick Memorabilia
By Kevin Poulsen

What would you pay for a vintage computer once used by hacker Kevin
Mitnick? How about a cell phone that he once spoke on, or a genuine prison
I.D. card?

On Monday, online auction house eBay canceled an auction for Mitnick's
official federal Bureau of Prisons inmate I.D. card, ending a flow of
authentic Mitnick merchandise put up by Mitnick's father on behalf of the
hacker, who is himself barred from the Internet under the terms of his
federal supervised release.

http://www.securityfocus.com/templates/article.html?id=117

IV.SECURITY FOCUS TOP 6 TOOLS
-----------------------------
1. Astaro Security Linux 1.715
(Linux)
by Astaro AG, infoastaro.de
Relevant URL: http://www.astaro.com/products/download.html
 
Astaro Security Linux is a new firewall solution. It does stateful
inspection, packet filtering, content filtering, virus scanning, VPN with
IPSec, and much more. With its Web-based management tool and the ability
to pull updates over the Internet, it is easy to manage. It is based on a
specially hardened Linux 2.4 distribution where most daemons run in
chroots and are restricted by capabilities.

2. BUGS 4.0.0

by Sylvain Martinez, martinezencryptsolutions.com
(FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris, SunOS, UNIX,
Windows 2000, Windows 3.x, Windows 95/98 and Windows NT)
Relevant URL: http://www.bcrypt.com
 
BUGS is a strong private key encryption algorithm and a set of
applications built on it. It is easy to use, and includes sample
applications and documentation. The cryptography library can also be used
with your own programs. It is multiplatform and open source, and the
package offers a file encryption application, a secure chat, a secure
"more", a login application, etc.

3. SILC (Secure Internet Live Conferencing) 20001124
by Pekka Riikonen <priikoneposeidon.pspt.fi>
(Linux)
Relevant URL: http://silc.pspt.fi/
 
SILC (Secure Internet Live Conferencing) is a protocol which provides
secure conferencing services in the Internet over insecure channels. SILC
superficially resembles IRC, although they are very different internally.
The purpose of SILC is to provide secure conferencing services. Strong
cryptographic methods are used to secure all traffic.

4. Bcrypt 4.0
(Windows 2000, Windows 95/98 and Windows NT)
by Sylvain Martinez
Relevant URL: http://www.bcrypt.com

This is the new Windows application of the well known bcrypt Windows
software, now compatible with the new cryptography library. It is a
Windows GUI using the BUGS v3.4.0 dynamic private key cryptography
algorithm that lets you encrypt/decrypt files, generate keys, and hide
files. User friendly, open source, multiplatform.

5. GuardDog 0.9.3
(Linux)
by Simon Edwards, simonsimonzone.com
Relevant URL: http://www.simonzone.com/software/guarddog

GuardDog is a user friendly firewall generation/management utility for KDE
on Linux. It allows you to simply specify which protocols should be
allowed and requires no knowledge of port numbers. It is intended for
client machines and currently does not support router/gateway
configurations. It generates scripts for ipchains. This release has sane
defaults for new firewalls, RPM packages for Red Hat and Mandrake, and
display glitch fixes.

6. IP Accounting Daemon 1.0
(FreeBSD, Linux, Unix)
by Andrey Simonenko (simonsimon.org.ua)
Relevant URL: http://www.simon.org.ua/ipa/

IP Accounting Daemon (ipa) is a configurable IP accounting daemon. It
allows one to do IP accounting based on IP Firewall or IP Filter
accounting rules. It has a flexible configuration file with many sections
and options, including control over which time period to account over.

V. SECURITY JOBS SUMMARY
------------------------

1. Swedish security specialist looking for new challenges (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d200011231www2.nameplanet.com
 

2. Wondering where I can earn while I learn (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d000201c05567$097997d0$6401a8c0chnd1.az.home.com
 

3. Looking for oportunities in Utah (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d001121095lionheart
 

4. (no subject) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d17.ddd4f8aol.com
 

5. Information Security Executive / CSO - #97 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d200011202securityfocus.com
 

6. VP & Director level positions throughout US (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d200011202securityfocus.com
 

7. IIS Security Specialist - Long Island, NY - CONTRACT (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d3A1976C3.nyc-search.com
 

8. Looking for security job - LA, non-consulting (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d932A0E022fables.la.ctp.com
 

9. Please Post - - - Assistant Security Administrator Position (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3de8.cd0182aol.com
 

10. Network Security Consultant For Hire - Bay Area, CA (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3d200011192c001.snv.cp.net
 

11. Systems Security Engineer Opportunity (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-11-24%26thread%3dAC09DC4F4NHQJPK1EX2
 

VI. INCIDENTS LIST SUMMARY
-------------------------

1. Mysterios s...l...o...w SYN&FIN/FIN/NULL scan (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011231d1o901.telia.com
 

2. Virus or Hacked NEW PC? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011230web514.mail.yahoo.com
 

3. LPRng remote root exploit seen in the wild (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011222theta.bos.bindview.com
 

4. Connection to port 137 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d3A1BDA89.icube.it
 

5. mystery SF scan tool = Idlescan correlation (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011221rowlf.vtio.org
 

6. Odd response from Taiwanese ISP (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d00a401c0540f$e2e9f540$318b84c3cybercable.fr
 

7. Unusual URLs sent to IIS 5.0 server (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011212securityfocus.com
 

8. Spoofed IP trying to connect to port 137 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3dPine.GSO.csserve0.corp.us.uu.net
 

9. find_ddos results (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011212black-ice.cc.vt.edu
 

10. OT log analyzer (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d015101c053f3$20f661b0$770110acewsp-fcampos.multirede.com.br
 

11. scan on TCP/21536 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d001201c053dc$6f6cdd90$0b01010azhcomputer.lan
 

12. port 523/TCP scans (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3dSIMEON.10bluebottle.itss
 

13. What is this? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d051D271A6dadc041.hqda.pentagon.mil
 

14. CERT Summary CS-2000-04 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011201underground.org
 

15. FW: New scanning ? activity (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3dB8B9382B4mail.ROG.COM
 

16. notepad.exe backdoor (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d25EB37ECAmortar-nt.purchase.edu
 

17. Protocol Violation (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3dPine.GSO.perl.cs.memphis.edu
 

18. UDP port 1345 (VPJP ??) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d001120105peanut
 

19. Romeo&Juliet (fwd) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d3A17F4F8.localhost
 

20. what is this ? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011181securityfocus.com
 

21. port 5232/TCP scans (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3d200011180securityfocus.com
 

22. R o m e o & J u l i e t trojan (fwd) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3dPine.LNX.kanton.dkgroup.com.pl
 

23. IDS246 Large ICMP Packet (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-11-24%26thread%3dOF6FBC452eu.csc.com
 

VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------

1. more locale problems? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d200011232afflictions.org
 

2. hybrid-ircd (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d200011240www.sendpad.com
 

3. Windows2000 telnet exploit (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d004c01c05585$d470d6b0$5241bbd4daftpunkn6k1ze
 

4. dos commands via iis 4 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3dPine.LNX.blue.localdomain
 

5. possible rcp hole... (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d200011221nsk.yi.org
 

6. Possible DoS against inetd in Solaris (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d65D9BA197TDSRV5LX
 

7. dos commands via iis 4 (TFTP)-NETBIOS (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d3A1A724E.moquijo.com
 

8. ubb hole (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d006501c053a0$bc29c260$7ac1140appp
 

9. WinNT system->domain admin (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3dPine.LNX.orgin
 

10. TCSEC vs CC (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d200011201diffie.it.murdoch.edu.au
 

11. En: ubb hole (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d001401c052af$3f47d300$7ac1140appp
 

12. Fw: Virus Carring File Extensions (windows) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3d004d01c050ee$cf276d40$3ae3a318star01
 

13. dos commands via iis 4 (TFTP) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-11-24%26thread%3dPine.LNX.blue.localdomain
 

VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

1. ALERT From InfoWorld: Security hole found in Internet Explorer (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dPine.LNX.helumail.hel.adcore.com
 

2. System Authority on NT (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dOE24XaJTrhotmail.com
 

3. ALERT From InfoWorld: Security hole found in Internet Explorer (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dC23163F98daemsg02.software-ag.de
 

4. A question about a seemingly open TCP port in Win2k (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d200011230securityfocus.com
 

5. Error: System Process: License Violation ... what the heck do es that mean? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d46D95C8A6MAILWHQ01
 

6. Error: System Process: License Violation ... what the heck does that mean? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d4.3.2.7.2pop.euronet.nl
 

7. Error: System Process: License Violation ... what the heck does that mean? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d004301c054c3$ad7c3c10$dcaea8c0koenlap
 

8. SMS and security (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d3A1C4158.tba.com.br
 

9. NT thru the DMZ... (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dADEIKOOOGgmx.co.uk
 

10. Someone on my port 1838 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dADEIKOOOGgmx.co.uk
 

11. ALERT From InfoWorld: Security hole found in Internet Explorer (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dANENIOKLGriderpoint.com
 

12. Bunratty? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d7FD257BF8usahm012.exmi01.exch.eds.com
 

13. Error: System Process: License Violation ... what the heck does that mean? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dsa1ba860.state.wy.us
 

14. Unusual URL sent to IIS 5.0 Web servers (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dB0F45BA65PL3000R
 

15. WHISTLER TO BLOCK MAVERICK CODE (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d002801c0549c$5bdebfd0$323f4eabgenuity.com
 

16. IIS 4 updates (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d003c01c05467$0937cb30$8501a8c0tricompc
 

17. hidden shares (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dNEBBLAHJLgbmlogic.com.au
 

18. Comparing Web Servers (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dNKEIKLNDIdeor.co.uk
 

19. Win2K Kerberos & LDAP implementations (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dDJEGKFFMGcolorado.edu
 

20. Windows2000 Telnet Exploit (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d021501c05491$acff7db0$5241bbd4daftpunkn6k1ze
 

21. Antwort: Re: Keylogger for NT / Virus (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d200011212mail.gmx.net
 

22. Keylogger for NT (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dNEBBKFPDMvideotron.ca
 

23. Documenting NT File Structures Permissions (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dNDBBJGPCGcameronaa.com
 

24. (U//FOUO) RE: Comparing Web Servers (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d18B70498Ffsvejx43.scott.af.mil
 

25. Unbind NetBIOS from TCP/IP (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d7FBA032DChsadenmx06.hsacorp.net
 

26. NT4 logons with physical token (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d5.0.0.25.194.133.1.201
 

27. FW: Disabling floppy and Inet properties (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d4.3.1.2.2199.126.65.225
 

28. IIS unicode and FTP (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d4.3.2.7.2pop.euronet.nl
 

29. Disabling floppy and Inet properties (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d001401c0533e$9a64d0f0$891fd3d8win2k
 

30. Whoops! Re: [FOCUS-MS] unsubscribe (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dPine.GSO.mail
 

31. SecurityFocus.com Microsoft Newsletter #9 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dPine.GSO.mail
 

32. Checking the Integrity of Registry keys (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d009FFDF20radar.pimco.com
 

33. passfilt.dll and clear text passwords (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d633C90149CRMAXSVR01
 

34. log invalid username and password (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d715FE5F17TRAD2
 

35. Citrix MetaFrame (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d734375705chaka.orthodon.com
 

36. NT4 Account Operator Question (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d8525699A.ms1.allfirst.com
 

37. Problem implementing passfilt.dll (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3dC6D7785AEvhaishexc1.med.va.gov
 

38. w98 and security settings question (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-11-24%26thread%3d005f01c0509c$ca5ebae0$9b03a8c0bellsouth.net
 

IX. SUN FOCUS LIST SUMMARY
----------------------------

1. Bind (3Tk) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d92%26date%3d2000-11-24%26thread%3dPine.SOL.yemaozi
 

2. locking a user immediatly on Solaris 8 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d92%26date%3d2000-11-24%26thread%3dNEBBJCJOOus.edu.pl

X. LINUX FOCUS LIST SUMMARY
---------------------------

1. a few ssh questions (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3dPine.LNX.spice.eahd.or.ug
 

2. BIND 8.2.2-P7 ports (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3dNEBBLPDFMyggdrasil.yi.org
 

3. AW: BIND 8.2.2-P7 ports (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3d113620F6FOFFICE
 

4. Odd / random UDP ports listening on my machine? (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3d200011211oven.com
 

5. SSH runing on port > 1023 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3d009FFDF20radar.pimco.com
 

6. SecurityFocus.com Linux Newsletter #5 (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3dPine.GSO.mail
 

7. ICMP (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3d33860.195www.fyremoon.net
 

8. Choice of platform for firewall (was Re: ICMP) (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3d200011171oven.com
 

9. problem with sniffer (Thread)
Relevant URL:

http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-11-24%26thread%3d200011171dx.net.de
 

XI. SPONSOR INFORMATION - Tivoli SecureWay
------------------------------------------
     
Tivoli SecureWay Privacy Manager

Protecting consumers' personally identifiable
information is essential to protect consumer trust and
brand integrity. Tivoli SecureWay Privacy Manager is
an access control solution developed specifically for
e-businesses to effectively implement privacy policies.

http://info.tivoli.com/security/sf48

XII. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1. How do I subscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:

  SUBSCRIBE SF-NEWS Lastname, Firstname

You will receive a confirmation request message to which you will have
to answer.

2. How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:

  UNSUBSCRIBE SF-NEWS

If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.

3. How do I disable mail delivery temporarily?

If you are simply going on vacation, you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:

  SET SF-NEWS NOMAIL

To turn back on e-mail delivery use the command:

  SET SF-NEWS MAIL

4. Is the list available in a digest format?

Yes. The digest is generated once a day.

5. How do I subscribe to the digest?

To subscribe to the digest, join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:

  SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off, send a message to LISTSERV with a message body
of:

  SET SF-NEWS NODIGEST

If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.