Subject: SecurityFocus.com Newsletter #69
From: Stephen Entwisle (se SECURITYFOCUS.COM)
Date: Mon Dec 04 2000 - 10:48:15 CST
SecurityFocus.com Newsletter #69
--------------------------------
Premier Sponsor: Baseline Software Inc.
INSTANT, DEFINITIVE, UP-TO-DATE POLICIES FROM BASELINE!
INFORMATION SECURITY POLICIES MADE EASY is a compilation of 1000+
already-written information security policies by internationally known
consultant Charles Cresson Wood. Save time and money developing policies
for information security manuals, systems standards, contingency plans,
outsourcing agreements.
For more information, go to www.baselinesoft.com
------------------------------------------------
I. FRONT AND CENTER
1. Identifying ICMP Hackery Tools Used In The Wild Today
2. Introduction to Incident Handling
3. Analysis of the T0rn Rootkit
II. BUGTRAQ SUMMARY
1. Lotus Notes Client R5 File Existence Verification Vulnerability
2. Info2www CGI Input Handling Vulnerability
3. Broker FTP Directory Permissions Vulnerability
4. Phorum Arbitrary File Read Vulnerability
5. Twig Remote Arbitrary Script Execution Vulnerability
6. Network Associates WebShield SMTP Invalid Outgoing Recipient Field...
7. Multiple Vendor whois CGI Metacharacter Vulnerability
8. Miva htmlscript 2.x Directory Traversal Vulnerability
9. JJ sample CGI program Escape Character Vulnerability
10. Multiple Vendor test-cgi Directory Listing Vulnerability
11. Secure Locate Heap Corruption Vulnerability
12. Winsock FTPd Directory Traversal Vulnerability
13. Bourne Shell /tmp file Vulnerability
14. Microsoft Windows 2000 DNS Memory Leak Vulnerability
15. PTlink IRCD and Services Denial of Service Vulnerability
16. rcvtty Arbitrary Command Execution Vulnerability
17. Multiple Vendor "Out Of Band" Data (winnuke.c) DoS Vulnerability
18. Ipswitch IMail Web Service "HOST" Denial Of Service Vulnerability
19. Cisco 675 Web Administration Denial of Service Vulnerability
20. SonicWALL SOHO Denial of Service Vulnerability
21. TrendMicro InterScan VirusWall Shared Directory Vulnerability
22. S.u.S.E. in.identd Denial of Service Vulnerability
23. Midnight Commander Directory Viewing Command Execution Vulnerability
24. IBM Net.Data Path Disclosure Vulnerability
25. Microsoft Windows 2000 Telnet Session Timeout DoS Vulnerability
26. Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
27. Greg Matthews Classifieds.cgi Metacharacter Vulnerability
28. Merchant Order Form 1.2 Order Log Permissions Vulnerability
29. Windows 9x / NT 4.0 NetBIOS over TCP/IP Resource Exhaustion Vuln
30. Multiple Vendor .BAT/.CMD Remote Command Execution Vulnerability
31. Webcom Datakommunikation CGI Guestbook rguest/wguest Vulnerability
32. Novell NetWare Web Server 2.x convert.bas Vulnerability
33. GlimpseHTTP and WebGlimpse Piped Command Vulnerability
34. AnalogX Proxy Server DoS Vulnerability
35. Majordomo Config-file admin_password Configuration Vulnerability
36. Trlinux Postaci Webmail Password Disclosure Vulnerability
37. Microsoft SQL Server / Data Engine xp_displayparamstmt Buffer...
38. Microsoft SQL Server / Data Engine xp_enumresultset Buffer Overflow
39. AIX setsenv Buffer Overflow Vulnerability
40. AIX digest Buffer Overflow Vulnerability
41. AIX enq Buffer Overflow Vulnerability
42. AIX setclock Buffer Overflow Vulnerability
43. AIX pioout Buffer Overflow Vulnerability
44. AIX piobe Buffer Overflow Vulnerability
45. Microsoft SQL Server/Data Engine xp_showcolv Buffer Overflow Vuln
46. Microsoft SQL Server/Data Engine xp_updatecolvbm Buffer Overflow Vuln
47. Microsoft SQL Server/Data Engine xp_peekqueue Buffer Overflow Vuln
48. Microsoft SQL Server/Data Engine xp_printstatements Buffer Overflow...
49. Microsoft SQL Server/Data Engine xp_proxiedmetadata Buffer Overflow
50. Microsoft SQL Server/Data Engine xp_SetSQLSecurity Buffer Overflow...
III. SECURITYFOCUS.COM NEWS ARTICLES
1. Judiciary weighs privacy, access
2. Hijackers take AIM accounts
IV. SECURITY FOCUS TOP 6 TOOLS
1. MindTerm 1.99pre2
2. Linux Intrusion Detection System (LIDS) 0.9.11
3. RelayTCP
4. MindTerm 1.99pre2
5. Anomy Mail Sanitizer 1.32
6. solpromisc 1.0
V. SECURITYJOBS LIST SUMMARY
1. Systems/Applications Engineer, DC area (Thread)
2. SCM and Security (Thread)
3. Internet Security Trainer (Thread)
4. Southern California C++ Network Programming Projects... (Thread)
5. e-business security manager position in NYC (Thread)
6. Security Analyst Needed (Thread)
7. Network Engineer-Security Focus (Thread)
8. New York city-based security consultant seeks pure play PKI...(Thread)
VI. INCIDENTS LIST SUMMARY
1. Rooted, new DDoS also (Thread)
2. Hybris worm (Thread)
3. Scan to Port 1243 (Thread)
4. DNS Messages (Thread)
5. Hack'a'Tack trojan (?) (Thread)
6. !! SCAN TO THE PORT 1243 !! (Thread)
7. Crack attempt last weekend (Thread)
8. LPRng exploits (Thread)
9. scans for port 4000 udp (Thread)
10. SMTP brute force attack? (Thread)
11. Looks like a duck...quacks like a duck... (Thread)
12. strange HTTP scan/attack? (Thread)
13. t0rnrootkit (Thread)
14. Ping flood IPs (Thread)
15. Virus or Hacked NEW PC? (Thread)
16. [Snort-users] 13 instances of ping bsd (Thread)
17. LPRng remote root exploit seen in the wild (Thread)
18. Trafic port 587 (Thread)
19. port 3647? (Thread)
20. Ping flood? (Thread)
21. Scan of ports 100 and 510 (Thread)
22. Connection to port 137 (Thread)
23. sendmail 8.11.0 and port 587/TCP (Thread)
24. Interesting Attack. (Thread)
25. Unusual URLs sent to IIS 5.0 server (Thread)
26. Spoofed (?) BSD Pings (Thread)
27. FYI: Slow port 137 scanning in reverse IP# order (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. lpd exploit? (Thread)
2. lpd exploit (Thread)
3. PHP.Pirus (Thread)
4. cAIM bug (Thread)
5. Linksys DSL routers and fragments (Thread)
6. Recent post & .asx file as attachment.. (Thread)
7. .asx bufferoverrun... (Thread)
8. hybrid-ircd (Thread)
9. Windows2000 telnet exploit (Thread)
10. [Update] NSFOCUS SA2000-07: Microsoft IIS 4.0/5.0 CGI File...(Thread)
11. RIPv1, v2 and OSFP exploits? (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Securing a production box (Thread)
2. FW: Parting Admin (Thread)
3. IPSec through NAT (was RE: Microsoft Exchange SMTP server...(Thread)
4. ntuser.dat (Thread)
5. Parting Admin (Thread)
6. Win2000 Pro share reconnection (Thread)
7. Win2k Advanced Server (Thread)
8. Bug in MS Win2k - Policy with SP1 install (Thread)
9. Distributing patches and fixes on a LAN. (Thread)
10. Executing remote commands via Telnet (Thread)
11. Ghost Users (Was departing Admin) (Thread)
12. Changing the banner in IIS (Thread)
13. AW: Win2k Advanced Server (Thread)
14. Recent post & .asx file as attachment.. (Thread)
15. Securing a database (Thread)
16. .asx file bufferoverrun (Thread)
17. IPSec through NAT (was RE: Microsoft Exchange SMTP server...(Thread)
18. hidden shares (Thread)
19. security issue in event viewer... (Thread)
20. Microsoft Exchange SMTP server and DMZ area. (Thread)
21. The Basics (Thread)
22. IIS 4 updates (Thread)
23. WHISTLER TO BLOCK MAVERICK CODE (Thread)
24. SV: IIS 4 updates (Thread)
25. windows SYN FLOOD (Thread)
26. Fwd:Distributing patches and fixes on a LAN. (Thread)
27. Disabling floppy and Inet properties (Thread)
28. Clandestine authentication on NT? (Thread)
29. System Authority on NT (Thread)
30. Error: System Process: License Violation ... what the heck... (Thread)
31. A question about a seemingly open TCP port in Win2k (Thread)
32. SecurityFocus.com Microsoft Newsletter #10 (Thread)
33. Checking the Integrity of Registry keys (Thread)
34. Updated version of the Registry Key Integrity Checker (Thread)
IX. SUN FOCUS LIST SUMMARY
1. Fw: Re: Compiling OpenSSH [Re: SunSHIELD BSM and SSH] (Thread)
2. Compiling OpenSSH [Re: SunSHIELD BSM and SSH] (Thread)
3. firewall penetration (Thread)
4. SunSHIELD BSM and SSH (Thread)
5. FW: SunSHIELD BSM and SSH (Thread)
6. Is fsirand still needed? (Thread)
7. Network Mapping (Thread)
X. LINUX FOCUS LIST SUMMARY
1. Firewall (Thread)
2. firewall penetration (Thread)
3. Does it have openssh`s problem?? (Thread)
4. Does it have openssh's problem?? (Thread)
5. openssl Certificates + Netscape or IE (Thread)
6. ISDN Callback, encrypted channel, etc. on RH 7 (Thread)
7. SecurityFocus.com Linux Newsletter #6 (Thread)
8. [No Subject]
9. your mail (Thread)
XI. SPONSOR INFORMATION - Baseline Software Inc.
XII. SUBSCRIBE/UNSUBSCRIBE INFORMATION
--------------------------------------
I. FRONT AND CENTER
-------------------
1. Identifying ICMP Hackery Tools Used In The Wild Today
Several tools exist in the wild today that allow a malicious computer
attacker to send crafted ICMP datagrams. Those datagrams can be used for
various tasks: host detection, advanced host detection, Operating System
Fingerprinting and more. This article by Ofir Arkin will examine whether
we can identify the different tools used for ICMP hackery that are
available in the wild today. If we can identify the tool, we may be able
to identify the underlying operating system or a number of operating
systems that this tool might be running on top of.
http://www.securityfocus.com/focus/ids/articles/icmptools.html
2. An Introduction to Incident Handling
Incident handling is a generalized term that refers to the response by a
person or organization to a computer security incident or attack. An
organized and careful reaction to an incident could mean the difference
between complete recovery and total disaster. This paper by Chad Cook
provides a logical, sequential approach to managing two of the most common
forms of attack - viruses and system compromise. The method this article
describes is a useful step-by-step approach for safe recovery and response
without the need for highly technical knowledge.
http://securityfocus.com/focus/basics/articles/inchan.html
3. New in Intrusion Detection Focus Area: Analysis of the T0rn Rootkit
The purpose of this paper is to inform the IDS community of signatures
related to the t0rn rootkit. This paper will not serve as a how-to guide
to the t0rn rootkit; rather, it is designed to identify binaries and ports
that t0rn uses. This paper will also provide md5sums of binaries and
analysis on how to detect t0rn.
http://www.securityfocus.com/focus/ids/articles/t0rn.html
II. BUGTRAQ SUMMARY
-------------------
1. Lotus Notes Client R5 File Existence Verification Vulnerability
BugTraq ID: 1994
Remote: Yes
Date Published: 2000-11-24
Relevant URL:
http://www.securityfocus.com/bid/1994
Summary:
Lotus Notes Client R5 is a messaging and collaboration tool that contains
a built in web browser. The web browser implements a Java Virtual Machine
(VM) designed specifically for Lotus Notes. A security vulnerability
exists in the Execution Control List (ECL) feature within the Java VM that
may allow a third party intruder to verify the existence of files on the
system. The ECL utilizes a much more lenient ruleset when accessing local
files than the standard Java security model implemented by JDK 1.1 which
prohibits any access to local files. The ECL will present the user with a
dialogue box whenever he/she attempts to read an existing local file if
the getSystemResource() method of the java.lang.ClassLoader class is used.
At this point, the user can either authorize execution or abort the
operation.
By observing the time elapsed during execution, it is possible to verify
the existence of files on the target machine through a specially crafted
java applet. If a malicious website operator were to host such a java
applet on their site, they would be able to determine what files exist on
the visitor's systems.
2. Info2www CGI Input Handling Vulnerability
BugTraq ID: 1995
Remote: Yes
Date Published: 1998-03-03
Relevant URL:
http://www.securityfocus.com/bid/1995
Summary:
The info2www script allows HTTP access to information stored in GNU EMACS
Info Nodes. This script fails to properly parse input and can be used to
execute commands on the server with the permissions of the web server, by
passing commands as part of a variable. Potential consequences of a
successful exploitation involve anything the web server process has
permissions to do, including possibly web site defacement.
3. Broker FTP Directory Permissions Vulnerability
BugTraq ID: 1996
Remote: Yes
Date Published: 2000-11-21
Relevant URL:
http://www.securityfocus.com/bid/1996
Summary:
Broker FTP is an FTP server package for Windows NT/2000 and Windows 95/98
from TransSoft.
Multiple vulnerabilities exist in Broker FTP Server that could allow a
remote attacker to browse root directories and possibly retrieve account
names and passwords.
During a default install, Broker FTP asks the user to create an FTP
directory for the server, e.g.: d:\FTP. Once installation is complete, any
user, including anonymous, can connect to the service and browse the
entire drive in which Broker FTP has been installed.
A second vulnerability exists in Broker FTP whereby a remote attacker
could gain access to usernames, passwords and account information. If the
root directory of the Broker FTP is the same as the install location, an
unauthorized user could browse directories until locating the
%%WinDir%%\BrokerProfiles.Dat file. Accounts and user information
(including user rights) are stored within this file in clear text and
easily retrievable.
It is unknown at this time whether any or all users have write access to
the root directory or any other directory other than their own.
4. Phorum Arbitrary File Read Vulnerability
BugTraq ID: 1997
Remote: Yes
Date Published: 2000-11-24
Relevant URL:
http://www.securityfocus.com/bid/1997
Summary:
Phorum is a PHP based web forums package. Due to an error in the handling
of user input in administrative scripts, any user can view any file
readable by the webserver on the target host. This is due to user-supplied
input being referenced as a filename in two locations in the file
common.php.
The ForumLang variable, used to specify a language in which the forum will
be displayed, is not checked for "../" character sequences. As a result,
it is possible for users to supply a path consisting of "../" sequences
followed by an arbitrary file on the filesystem to the script, which will
open it and display its contents.
The consequence of this vulnerability being exploited is disclosure of
system information (e.g. valid accounts). Under certain circumstances, this
may also indirectly lead to the attacker gaining local access to the
system.
5. Twig Remote Arbitrary Script Execution Vulnerability
BugTraq ID: 1998
Remote: Yes
Date Published: 2000-11-25
Relevant URL:
http://www.securityfocus.com/bid/1998
Summary:
Twig is a popular web-based email system written in PHP3. Version 2.5.1
and possibly earlier versions of Twig contain a vulnerability that may
allow a remote attacker to gain local access to the webserver on which it
is installed with httpd privileges.
One of Twig's component scripts, index.php3, uses a variable called
vhosts[], containing entries for each virtual host on the webserver. It is
referenced in index.php3 when loading "include" PHP3 scripts, which will
be interpreted and executed when loaded.
Unfortunately, this variable isn't initialized before it is referenced,
making it possible for an attacker to remotely set its value to an
arbitrary host. When index.php3 references values in this variable it will
find the one set remotely by the attacker. The script will then attempt to
retrieve a php3 include file from the host in the vhosts[] variable.
If this host serves valid php3 include files as requested by index.php3,
the script will be loaded and its contents interpreted/executed.
6. Network Associates WebShield SMTP Invalid Outgoing Recipient Field DoS Vuln.
BugTraq ID: 1999
Remote: No
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/1999
Summary:
Network Associates WebShield SMTP is an email virus scanner designed for
internet gateways.
In the event that WebShield SMTP receives an outgoing email containing six
"%20" followed by any character within the recipient field, the
application will crash, resulting in an access violation error upon
processing of the email. Restarting WebShield SMTP is required in order
to regain normal functionality. It has not been verified whether arbitrary
code can be executed on the target system if specially crafted code is
inserted into the buffer.
7. Multiple Vendor whois CGI Metacharacter Vulnerability
BugTraq ID: 2000
Remote: Yes
Date Published: 1999-11-09
Relevant URL:
http://www.securityfocus.com/bid/2000
Summary:
Whois scripts provide InterNIC lookup services via HTTP. The vulnerable
scripts include versions of Matt's Whois and CGI City Whois. Older
versions of these fail to filter metacharacters, allowing execution of
arbitrary commands by embedding the commands in the domain name to lookup.
Specifically, the UNIX command separation character ";" can be used to
execute commands. Successful exploitation of this vulnerability would
allow an attacker to execute commands with the privileges of the web
server process, which could result in retrieval of sensitive information,
web defacements, etc.
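As an added illustration of the mitigation (not code from the advisory or from either whois script, and the same pattern applies to the other CGI items in this issue): a strict host-name allowlist in C, plus an argument vector built for execvp() so the lookup name never passes through a shell. Function names are this example's own; the 253-byte name and 63-byte label limits are the standard DNS limits.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_DOMAIN 253
#define MAX_LABEL   63

/* Returns 1 if name is a plausible DNS host name: only letters, digits,
 * '-' and '.', non-empty labels of at most 63 bytes that neither start
 * nor end with '-', at most 253 bytes overall.  Everything else,
 * including ';', '|', '`', '$', '&', quotes, spaces and newlines, is
 * rejected, so nothing a shell could interpret gets through.  A leading
 * '-' is refused too, so the name can never be read as a command-line
 * option by the whois binary. */
int is_safe_domain(const char *name)
{
    size_t len = strlen(name);
    size_t label = 0;

    if (len == 0 || len > MAX_DOMAIN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-')
                return 0;           /* empty label, or label ending in '-' */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;               /* metacharacter, space, control byte */
        if (label == 0 && c == '-')
            return 0;               /* label starting with '-' */
        if (++label > MAX_LABEL)
            return 0;
    }
    return label != 0 && name[len - 1] != '-';   /* no trailing '.' or '-' */
}

/* Builds the argument vector for execvp("whois", argv).  The name is its
 * own argv element and no shell is involved; that is the structural fix,
 * and the allowlist above is defence in depth on top of it.  Returns the
 * argument count, or 0 when the name was rejected. */
int build_whois_argv(const char *name, const char *argv[3])
{
    if (!is_safe_domain(name))
        return 0;
    argv[0] = "whois";
    argv[1] = name;
    argv[2] = NULL;
    return 2;
}
```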
8. Miva htmlscript 2.x Directory Traversal Vulnerability
BugTraq ID: 2001
Remote: Yes
Date Published: 1998-01-26
Relevant URL:
http://www.securityfocus.com/bid/2001
Summary:
Miva's htmlscript CGI program provides a unique scripting language with
HTML type tags. (Note that htmlscript is an older product no longer
distributed by Miva under that name.) Versions of the htmlscript
interpreter (a CGI script) prior to 2.9932 are vulnerable to a file
reading directory traversal attack using relative paths (e.g.,
"../../../../../../etc/passwd"). An attacker need only append this path
as a variable passed to the script via a URL. The contents of any file to
which the web server process has read access can be retrieved using this
method.
9. JJ sample CGI program Escape Character Vulnerability
BugTraq ID: 2002
Remote: Yes
Date Published: 1996-12-24
Relevant URL:
http://www.securityfocus.com/bid/2002
Summary:
JJ is a sample CGI program distributed with NCSA HTTPd servers. It passes
unfiltered user data directly to the /bin/mail program, and as such can be
used to escape to a shell using the ~ character on systems with a
/bin/mail which allows this. The attacker must know the password the
program requests, but by default the program uses HTTPdRocKs or SDGROCKS.
These default passwords must be changed in the program's source code. The
consequence of a successful exploit is a shell with the UID of the server.
10. Multiple Vendor test-cgi Directory Listing Vulnerability
BugTraq ID: 2003
Remote: Yes
Date Published: 1996-04-01
Relevant URL:
http://www.securityfocus.com/bid/2003
Summary:
NCSA HTTPd comes with a sample CGI shell script, test-cgi, located by
default in /cgi-bin. This script does not properly enclose an "ECHO"
command in quotes, and as a result "shell expansion" of the * character
can occur under some configurations. This allows a remote attacker to
obtain file listings, by passing *, /*, /usr/* etc., as variables. The
ECHO command expands the * to give a directory listing of the specified
directory. This could be used to gain information to facilitate future
attacks. This is identical to a problem with another sample script,
nph-test-cgi. See references.
11. Secure Locate Heap Corruption Vulnerability
BugTraq ID: 2004
Remote: No
Date Published: 2000-11-26
Relevant URL:
http://www.securityfocus.com/bid/2004
Summary:
Secure Locate maintains an index of the entire filesystem, including files
only visible by root. The slocate binary is setgid "slocate" so it can
read this index. Slocate contains a heap-corruption vulnerability that, if
exploited, may lead to disclosure of these files.
When running slocate, users are able to specify a database of their own as
a commandline parameter. A subtle vulnerability exists in slocate's
reading of these user-supplied databases that may allow a local user to
execute arbitrary code with effective gid slocate.
When reading the contents of the database file, slocate initially reads a
value from the file that is supposed to indicate the offset in a
malloc()'d buffer at which the data is to be written. If this number
exceeds the size of the allocated buffer, the bytes from the file will be
written to the memory following the buffer, i.e. malloc's internal
bookkeeping structure.
As a result, it is possible for a local user to overwrite internal malloc
memory structures on the heap with arbitrary data. Attackers can replace a
legitimate malloc structure with a malicious one designed to cause other
areas of memory to be overwritten.
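To make the missing check concrete, here is an added example in C. It is not slocate's code, and the record format is a simplified, constructed model of front compression (one "keep" byte, then a NUL-terminated suffix), not slocate's real on-disk layout: a reader that validates the file-supplied offset against the path built so far and against the buffer size before it writes anything.

```c
#include <stddef.h>
#include <string.h>

#define DB_PATH_MAX 64          /* size of the decoder's path buffer */
#define DB_MAX_ENTRIES 16

/* Decodes a front-compressed path list in the simplified format above:
 * each record is one byte 'keep' (how many leading bytes of the previous
 * path to retain) followed by a NUL-terminated suffix.  Decoded paths are
 * copied into out[].  Returns the number of paths, or -1 on a malformed
 * record: a 'keep' larger than the path built so far, a suffix that would
 * not fit, a missing terminator, or too many entries. */
int decode_db(const unsigned char *db, size_t db_len,
              char out[][DB_PATH_MAX], int max_out)
{
    char path[DB_PATH_MAX];
    size_t cur_len = 0, pos = 0;
    int n = 0;

    while (pos < db_len) {
        size_t keep = db[pos++];
        /* The unchecked reader did memcpy(path + keep, ...) straight away.
         * With 'keep' taken from the file, a value past cur_len (or past
         * the buffer) writes beyond path[]; for a malloc()'d buffer that is
         * the allocator's bookkeeping, the corruption the advisory
         * describes. */
        if (keep > cur_len)
            return -1;
        const unsigned char *nul = memchr(db + pos, '\0', db_len - pos);
        if (nul == NULL)
            return -1;                       /* truncated record */
        size_t suffix_len = (size_t)(nul - (db + pos));
        if (keep + suffix_len >= DB_PATH_MAX)
            return -1;                       /* would overflow path[] */
        if (n >= max_out)
            return -1;
        memcpy(path + keep, db + pos, suffix_len);
        cur_len = keep + suffix_len;
        path[cur_len] = '\0';
        memcpy(out[n++], path, cur_len + 1);
        pos += suffix_len + 1;
    }
    return n;
}

/* Constructed well-formed sample: three entries sharing prefixes. */
static const unsigned char good_db[] = {
    0, '/','u','s','r','/','b','i','n','/','l','s', 0,    /* /usr/bin/ls */
    9, 'c','p', 0,                                        /* /usr/bin/cp */
    5, 'l','i','b', 0,                                    /* /usr/lib    */
};

/* Constructed hostile sample: 'keep' of 200 when only one byte exists. */
static const unsigned char bad_keep_db[] = { 0, 'a', 0, 200, 'b', 0 };

/* Builds a record whose suffix alone is longer than the path buffer and
 * returns the decoder's verdict (expected: -1). */
int decode_oversized_suffix(void)
{
    unsigned char rec[DB_PATH_MAX + 2];
    char out[DB_MAX_ENTRIES][DB_PATH_MAX];
    rec[0] = 0;
    memset(rec + 1, 'x', DB_PATH_MAX);
    rec[DB_PATH_MAX + 1] = '\0';
    return decode_db(rec, sizeof rec, out, DB_MAX_ENTRIES);
}
```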
12. Winsock FTPd Directory Traversal Vulnerability
BugTraq ID: 2005
Remote: Yes
Date Published: 2000-11-27
Relevant URL:
http://www.securityfocus.com/bid/2005
Summary:
Winsock FTPd is a popular FTP server from Texas Imperial Software.
A vulnerability exists in Winsock FTPd that could allow an unauthorized
user to browse the root directory of the drive where Winsock FTPd has been
installed.
During install, Winsock FTPd allows the administrator to "Restrict to home
directory and below" effectively creating a chroot jail for users. Upon
logging in, a user can pass the server a malformed change directory
request that will allow any user (including anonymous) to browse the root
directory and possibly retrieve/write files to the root directory on which
Winsock FTPd resides.
Upon connecting to the Winsock FTPd server, a user could issue the
command "cd ../../". This will normally result in the message "User is not
allowed to ../../" and the user will be returned to their chroot jail
directory. If the user instead issues the command "cd /../..", they will
not receive the "User is not allowed to" message and will change directory
to the root of the drive or partition where Winsock FTPd has been
installed.
If the administrator has installed Winsock FTPd on the same drive or
partition that contains the operating system, a remote attacker could gain
access to systems files, password files, etc. that could lead to a
complete system compromise.
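Added example, not code from Winsock FTPd, Phorum or htmlscript: a lexical path resolver in C that interprets every client-supplied path relative to the jail root, so "cd ../../", "cd /../.." and a ForumLang of "../../../etc/passwd" (items 4, 8 and 12 above) are all refused by one rule. The function name and the reject-rather-than-clamp policy (mirroring the server's own "User is not allowed to" response) are this example's choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JAIL_MAX_DEPTH 64

/* Resolves 'req' against 'cwd' purely lexically.  Both are jail-relative:
 * a leading '/' or '\' means the jail root, never the drive root, which is
 * the distinction the Winsock FTPd check got wrong.  "." is dropped, ".."
 * pops one component and is refused when there is nothing left to pop.
 * On success writes the normalized jail-relative path (starting with '/')
 * into out and returns 1; returns 0 if the request would escape the jail
 * or does not fit. */
int jail_resolve(const char *cwd, const char *req, char *out, size_t outsz)
{
    char work[1024];
    const char *stack[JAIL_MAX_DEPTH];
    size_t depth = 0, used = 0;
    int absolute = (req[0] == '/' || req[0] == '\\');

    if (snprintf(work, sizeof work, "%s/%s", absolute ? "" : cwd, req)
            >= (int)sizeof work)
        return 0;
    for (char *p = work; *p; p++)       /* treat '\' like '/' (Windows) */
        if (*p == '\\')
            *p = '/';
    for (char *tok = strtok(work, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return 0;               /* "../../" and "/../.." both end here */
            depth--;
            continue;
        }
        if (depth == JAIL_MAX_DEPTH)
            return 0;
        stack[depth++] = tok;
    }
    /* Rebuild: "/" followed by the surviving components joined by "/". */
    if (outsz < 2)
        return 0;
    out[used++] = '/';
    for (size_t i = 0; i < depth; i++) {
        size_t l = strlen(stack[i]);
        if (used + l + 1 >= outsz)      /* room for separator and NUL */
            return 0;
        if (i > 0)
            out[used++] = '/';
        memcpy(out + used, stack[i], l);
        used += l;
    }
    out[used] = '\0';
    return 1;
}
```

A lexical check only constrains the path string; symlinks or junctions inside the jail still need the OS-level restriction the server advertises.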
13. Bourne Shell /tmp file Vulnerability
BugTraq ID: 2006
Remote: No
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/2006
Summary:
Bourne Shell is part of the standard system utilities distributed with all
UNIX and UNIX Clone Operating Systems. A vulnerability exists that could
allow arbitrary writing to files.
The problem exists in the insecure creation of files in the /tmp
directory. When using redirection, files are created in the /tmp directory
without first checking for existence of the file. This could result in a
symbolic link attack that could be used to corrupt any file that the owner
of the redirecting shell has access to write to.
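Added example in C, not taken from any shell's source: the redirection pattern the advisory describes is open() with O_CREAT but without O_EXCL, shown beside the hardened forms (O_EXCL|O_NOFOLLOW for a fixed name, or mkstemp() for an unpredictable one), with a self-contained check that a symlink planted in a private scratch directory is refused. File and function names are constructed for this example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700           /* mkstemp, mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: this is what a shell redirection to a fixed
 * /tmp name amounts to.  O_CREAT without O_EXCL follows a symlink that
 * was planted at that name and truncates its target.  For comparison
 * only; nothing below calls it. */
int unsafe_open_tmp(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form for a caller-chosen name: create only if nothing is
 * there and never follow a symlink.  Returns the fd, or -1 with errno
 * EEXIST (or ELOOP) when something was planted at 'name'. */
int open_new_noclobber(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: mkstemp() picks an unpredictable name and opens it
 * with O_CREAT|O_EXCL and mode 0600.  'path' receives the chosen name. */
int safe_tmpfile(const char *dir, char *path, size_t pathsz)
{
    if (snprintf(path, pathsz, "%s/sfnews.XXXXXX", dir) >= (int)pathsz)
        return -1;
    return mkstemp(path);
}

/* Creates a private scratch directory under $TMPDIR (or /tmp). */
static int make_scratch_dir(char *dir, size_t dirsz)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(dir, dirsz, "%s/sfdemo.XXXXXX", base) >= (int)dirsz)
        return 0;
    return mkdtemp(dir) != NULL;
}

/* Demonstration: plant a symlink "output" -> "victim" inside a private
 * directory (a constructed stand-in for a link left in /tmp) and check
 * that open_new_noclobber() refuses it.  Returns 1 when it is refused. */
int demo_symlink_refused(void)
{
    char dir[256], lnk[300], target[300];
    int ok = 0, tfd;
    if (!make_scratch_dir(dir, sizeof dir))
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/output", dir);
    tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd >= 0 && symlink(target, lnk) == 0) {
        int fd = open_new_noclobber(lnk);
        ok = (fd == -1 && (errno == EEXIST || errno == ELOOP));
        if (fd >= 0)
            close(fd);
    }
    if (tfd >= 0)
        close(tfd);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return ok;
}

/* Demonstration: safe_tmpfile() yields a fresh file with mode 0600.
 * Returns 1 on the expected outcome. */
int demo_safe_tmpfile(void)
{
    char dir[256], path[300];
    struct stat st;
    int ok = 0, fd;
    if (!make_scratch_dir(dir, sizeof dir))
        return 0;
    fd = safe_tmpfile(dir, path, sizeof path);
    if (fd >= 0) {
        ok = (fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return ok;
}
```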
14. Microsoft Windows 2000 DNS Memory Leak Vulnerability
BugTraq ID: 2007
Remote: Yes
Date Published: 2000-01-01
Relevant URL:
http://www.securityfocus.com/bid/2007
Summary:
Windows 2000 Server and Advanced Server, without any service packs
installed, contain a minor issue that could, in theory, be used by an
attacker in a Denial of Service attack. DNS Services provided by DNS.EXE
contain a "memory leak" bug that can, in some cases, continue to slowly
consume system memory. The rate of memory usage growth depends on the
number of DNS queries the server receives, so submitting a flood of
requests to a vulnerable system could cause a Denial of Service. The
server would have to be restarted in order to resume normal functioning.
15. PTlink IRCD and Services Denial of Service Vulnerability
BugTraq ID: 2008
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/2008
Summary:
PTlink IRCd and Services are freely available IRC Software packages for
hosting IRC servers, and are maintained by the PTlink Coders Team. A
condition exists that could allow the Denial of Service to legitimate
users.
The problem exists in the handling of modes by both the IRC Services and
IRC daemon. A user connected to an IRC server running the PTlink IRCd and
Services can set themselves mode +owgscfxeb, then issue an operator
command of any type which will result in the crashing of the IRC Services.
The IRCd is then vulnerable to Denial of Service by issuing an IRC
Operator command of any type, and a user setting themselves mode
+owgscfxeb following the Operator command. This vulnerability makes it
possible for a malicious user to crash the IRC Services and daemon,
creating a total Denial of Service.
16. rcvtty Arbitrary Command Execution Vulnerability
BugTraq ID: 2009
Remote: No
Date Published: 2000-11-27
Relevant URL:
http://www.securityfocus.com/bid/2009
Summary:
rcvtty is a component of the unix NH mail system. The version of rcvtty
for BSD/OS systems is known to contain a vulnerability that may allow
local users to elevate their privileges.
The problem occurs in the ability of rcvtty to execute programs on the
system without first dropping SGID privileges. A shell script run through
rcvtty would result in the contents of the shell script being executed
with a SGID of tty. This creates the potential for a malicious user to
gain elevated system privileges.
17. Multiple Vendor "Out Of Band" Data (winnuke.c) DoS Vulnerability
BugTraq ID: 2010
Remote: Yes
Date Published: 1997-05-07
Relevant URL:
http://www.securityfocus.com/bid/2010
Summary:
Older versions of Microsoft Windows (95, Windows for Workgroups 3.11,
Windows NT up to and including 4.0), as well as SCO Open Server 5.0, have
a vulnerability relating to the way they handle TCP/IP "Out of Band" data.
According to Microsoft, "A sender specifies "Out of Band" data by setting
the URGENT bit flag in the TCP header. The receiver uses the URGENT
POINTER to determine where in the segment the urgent data ends. Windows NT
bugchecks when the URGENT POINTER points to the end of the frame and no
normal data follows. Windows NT expects normal data to follow."
As a result of this assumption not being met, Windows gives a "blue screen
of death" and stops responding.
Windows port 139 (NetBIOS) is most susceptible to this attack, although
other services may suffer as well. Rebooting the affected machine is
required to resume normal system functioning.
18. Ipswitch IMail Web Service "HOST" Denial Of Service Vulnerability
BugTraq ID: 2011
Remote: Yes
Date Published: 2000-08-17
Relevant URL:
http://www.securityfocus.com/bid/2011
Summary:
IPSwitch IMail is an e-mail server which provides WWW (HTTP) E-mail
services. By default this web service resides on port 8181 or 8383.
Sending an HTTP request with an extremely long "HOST" field multiple times
can cause the system hosting the service to become unresponsive. Each long
request "kills" a thread without freeing up the memory used by it. By
repeating this request, the system's resources can be used up completely.
19. Cisco 675 Web Administration Denial of Service Vulnerability
BugTraq ID: 2012
Remote: Yes
Date Published: 2000-11-28
Relevant URL:
http://www.securityfocus.com/bid/2012
Summary:
The Cisco 675 DSL Router is a popular DSL router in wide use and
distributed to major telcos for their SOHO clients.
A vulnerability exists in the Cisco 675 DSL Router that could allow a
remote attacker to initiate a Denial of Service attack against the router
requiring it to be power cycled in order to resume normal operation.
If the Cisco 675 DSL Router has the Web Administration Interface enabled,
a remote attacker could telnet to the router and issue a simple malformed
HTTP GET request. Once connected via telnet to the Web Administration
Interface, issuing the command GET ? \n \n will crash the telnet session
as well as the router, requiring it be power cycled before resuming normal
operation.
It is possible, though not tested, that other Cisco routers in this series
(673, 675e, 676, and 678) are also vulnerable.
Currently, the only available solution is to disable the Web Based
Administration Interface via the Router by issuing the following commands:
cbos# set web disabled
cbos# write
cbos# reboot
20. SonicWALL SOHO Denial of Service Vulnerability
BugTraq ID: 2013
Remote: Yes
Date Published: 2000-11-29
Relevant URL:
http://www.securityfocus.com/bid/2013
Summary:
SonicWALL SOHO provides a secure internet connection for a network.
SonicWALL SOHO is subject to a denial of service. By specifying an
unusually long username on the authentication page, SonicWALL SOHO will
stop responding and refuse any new connections. This has been verified to
last for up to 30 seconds until functionality resumes, although a restart
of the service may be required in order to gain normal functionality. In
addition, it has been verified that this vulnerability is exploitable by
way of various malformed HTTP requests.
This vulnerability may be the result of a buffer overflow; although this
has not been verified, it could lead to the execution of arbitrary code on
the target host.
21. TrendMicro InterScan VirusWall Shared Directory Vulnerability
BugTraq ID: 2014
Remote: Yes
Date Published: 2000-11-28
Relevant URL:
http://www.securityfocus.com/bid/2014
Summary:
TrendMicro InterScan VirusWall is a virus and malicious code scanner
designed for internet gateways.
After completion of the installation process, the InterScan VirusWall
installer assigns the 'Everyone' group 'Full Control' permissions in the
Access Control List of the \Interscan directory and all of its contents
without notifying the user. Corresponding permissions are also configured
for the file share "Intscan" that is created during installation. This
is done in order to enable the Interscan plug-in eManager to access files
contained in the Interscan directory.
It is not a recommended practice to grant the 'Everyone' group 'Full
Control' rights. This would give read, write, and execute privileges to
any user for the directories specified above. Therefore, a malicious user
may be able to upload, delete, modify, and execute files within the
directory which opens up the possibility of a myriad of exploits that can
be performed. The InterScan directory also contains executables that are
run upon startup. This may lead to the automatic execution of implanted
trojans or other malicious code.
22. S.u.S.E. in.identd Denial of Service Vulnerability
BugTraq ID: 2015
Remote: Yes
Date Published: 2000-11-29
Relevant URL:
http://www.securityfocus.com/bid/2015
Summary:
The in.identd service is used to provide remote systems with usernames
associated with tcp connection port pairs. The version of in.identd that
ships with S.u.S.E. Linux contains a remotely exploitable denial of
service vulnerability that may result in the service crashing.
Though the denial of service is the result of oversized input received by
the server, it is not an overflow. What happens is that the identd server
realizes that the input is too long and changes the value of some pointer
to NULL. The server then attempts to dereference this pointer and
terminates due to a segmentation violation.
The S.u.S.E. ident daemon is multithreaded and is not spawned via inetd.
There is only one in.identd process started, usually by init. As a result,
if it is terminated it is not restarted. A denial of the identd service
occurs until manually restarted.
23. Midnight Commander Directory Viewing Command Execution Vulnerability
BugTraq ID: 2016
Remote: No
Date Published: 2000-11-28
Relevant URL:
http://www.securityfocus.com/bid/2016
Summary:
Midnight Commander is a popular file management tool for unix systems.
Among many other features, Midnight Commander allows users to traverse
their filesystem using a menu-style console interface. There exists a
vulnerability in the way Midnight Commander handles directories that may
allow for arbitrary commands to be executed when maliciously created
directories are opened.
Attackers can embed commands into directory names after certain byte
values (0x03 and 0x14); the commands will be executed when a user running
Midnight Commander opens such a directory. Because Midnight Commander does
not list entire directory names in the filesystem window if they are long,
this sequence of nonprintable characters and the commands that follow it
can be hidden from the user if enough printable, normal-looking characters
precede them.
This vulnerability requires direct user interaction (the user must open the
malicious directory with Midnight Commander) to be exploited.
If exploited, this vulnerability can result in an elevation of privileges
for the attacker.
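A defender-side check for the behaviour described above, added here as an example rather than code from the advisory or from Midnight Commander: it flags directory names that contain the 0x03/0x14 bytes (or any other control byte) and shows the tail that a truncated listing would keep out of sight. The sample names are constructed.

```python
import os
from typing import Iterable, List, Tuple

# Byte values the advisory names as the separators after which an embedded
# command follows; other control bytes are flagged as well, since they have
# no place in an ordinary directory name.
SEPARATOR_BYTES = {0x03, 0x14}


def is_control(b: int) -> bool:
    return b in SEPARATOR_BYTES or b < 0x20 or b == 0x7F


def suspicious_entries(names: Iterable[bytes]) -> List[Tuple[bytes, int, bytes]]:
    """Return (name, offset, hidden_tail) for every entry that contains a
    control byte. hidden_tail is everything after the first such byte: the
    part a truncated listing would hide from the user."""
    hits = []
    for name in names:
        for offset, b in enumerate(name):
            if is_control(b):
                hits.append((name, offset, name[offset + 1:]))
                break
    return hits


def scan_tree(root: str) -> List[Tuple[bytes, int, bytes]]:
    """Walk root and report suspicious directory names. Paths are handled as
    bytes so that names which do not decode cleanly cannot be skipped."""
    hits = []
    for dirpath, dirnames, _files in os.walk(os.fsencode(root)):
        for name, offset, tail in suspicious_entries(dirnames):
            hits.append((os.path.join(dirpath, name), offset, tail))
    return hits


# Constructed sample listing (not from the advisory): a harmless name, a long
# padded name with a command after 0x03, and a short name with one after 0x14.
SAMPLE_NAMES = [
    b"photos_2000",
    b"quarterly_report_final_version_v2" + b"\x03" + b"echo hidden",
    b"tmp" + b"\x14" + b"id",
]

if __name__ == "__main__":
    for name, offset, tail in suspicious_entries(SAMPLE_NAMES):
        print(f"{name!r}: control byte at offset {offset}, hidden tail {tail!r}")
```

Run scan_tree on a directory users upload into or extract archives into; a hit is worth quarantining before anyone browses it with a file manager.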
24. IBM Net.Data Path Disclosure Vulnerability
BugTraq ID: 2017
Remote: Yes
Date Published: 2000-11-29
Relevant URL:
http://www.securityfocus.com/bid/2017
Summary:
IBM Net.Data is a scripting language used to create web applications. It
supports a wide range of language environments and is compatible with most
recognized databases.
Net.Data contains a vulnerability which reveals server information.
Requesting a specially crafted URL, by way of the CGI application,
comprised of an invalid request and known database, will reveal the
physical path of server files.
Successful exploitation of this vulnerability could assist in further
attacks against the victim host.
25. Microsoft Windows 2000 Telnet Session Timeout DoS Vulnerability
BugTraq ID: 2018
Remote: Yes
Date Published: 2000-11-30
Relevant URL:
http://www.securityfocus.com/bid/2018
Summary:
The Telnet daemon shipped with Windows 2000 is susceptible to a trivial
denial of service attack if an initiated session is not reset. After a
certain interval of time, a telnet session will time out if the user does
not supply a username or password. The connection will not be reset until
the user enters a character. If a malicious user were to connect to a
Windows 2000 telnet daemon and not reset the connection, they would
effectively deny any other access to the telnet server because the maximum
number of client connections is 1. Any other user that attempts to
connect to the telnet server during that time will receive the following
error message:
Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection
Viewing 'List the Current Users' option will not display the timed out
session because successful authorization did not take place.
26. Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
BugTraq ID: 2019
Remote: Yes
Date Published: 1998-12-15
Relevant URL:
http://www.securityfocus.com/bid/2019
Summary:
Classifieds.cgi is a perl script (part of the classifieds package by Greg
Matthews) which provides simple classified ads to web sites. Due to
improper input validation it can be used to execute any command on the
host machine, with the privileges of the web server. If the attacker can
submit a command to run as a hidden variable that command will be
executed. Normally this variable is reserved for the mail program and is
accessed from an HTML page with the following piece of code: <input
type="hidden" name="mailprog" value="/usr/sbin/sendmail">
27. Greg Matthews Classifieds.cgi Metacharacter Vulnerability
BugTraq ID: 2020
Remote: Yes
Date Published: 1998-12-15
Relevant URL:
http://www.securityfocus.com/bid/2020
Summary:
Classifieds.cgi is a perl script (part of the classifieds package by Greg
Matthews) which provides simple classified ads to web sites. Due to
improper input validation it can be used to read files on the host
machine, with the privileges of the web server. This can be accomplished
by embedding the input redirection metacharacter along with a filename
into the form field used for e-mail address entry (<input name=return>).
Any file that the web server process has read access to can be retrieved.
28. Merchant Order Form 1.2 Order Log Permissions Vulnerability
BugTraq ID: 2021
Remote: Yes
Date Published: 1999-04-20
Relevant URL:
http://www.securityfocus.com/bid/2021
Summary:
Merchant Order Form is a shareware shopping cart program. Poor
installations leave the order log file world readable, allowing retrieval
of sensitive information such as customer order history and credit card
information. This is more of a configuration issue than a vulnerability in
the software, although leaving credit card information in plain text and
allowing it to reside in a world readable directory is a poor practice.
29. Windows 9x / NT 4.0 NetBIOS over TCP/IP Resource Exhaustion Vulnerability
BugTraq ID: 2022
Remote: Yes
Date Published: 2000-11-30
Relevant URL:
http://www.securityfocus.com/bid/2022
Summary:
Microsoft's implementation of NetBIOS is vulnerable to a remotely
exploitable denial of service attack. An attacker who has access to the NBT port can
cause the system to become exhausted of network resources and cease
functioning.
The attack is carried out by initiating many connections and then closing
them, leaving the target's TCP sockets in the FINWAIT_1 state. Although the
sockets will eventually time out and be freed, an attacker can
continuously send more, initiating and closing new connections using up
any freed network resources. The result may be a denial of useful NetBIOS
services until the attack stops.
This type of attack is well known as simple resource exhaustion, but has
become an issue with new tools that enable attackers to launch more
effective resource exhaustion attacks. Microsoft has released fixes to
patch this vulnerability in NT 4.0sp6. This vulnerability affects many
operating systems aside from Microsoft Windows, however Microsoft is the
only vendor thus far to issue a patch and workaround.
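Added example, not from the advisory: detection logic that counts half-closed NetBIOS session sockets per remote address from netstat-style output and flags peers above a threshold. The sample output and the threshold value are constructed assumptions; the local port defaults to 139 (NBT session service).

```python
from collections import Counter
from typing import Dict

NBT_SESSION_PORT = 139   # NetBIOS session service (NBT)
DEFAULT_THRESHOLD = 50   # assumed per-peer alert threshold; tune to the host


def _state_is_fin_wait_1(state: str) -> bool:
    # netstat prints FIN_WAIT_1 on Windows and FIN_WAIT1 on Linux; the
    # advisory writes FINWAIT_1. Normalise before comparing.
    return state.upper().replace("_", "") == "FINWAIT1"


def half_closed_peers(netstat_output: str, port: int = NBT_SESSION_PORT) -> Counter:
    """Count FIN_WAIT_1 sockets on the given local port per remote address."""
    counts: Counter = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # headers, UDP rows and blank lines
        local, foreign, state = fields[1], fields[2], fields[-1]
        if not _state_is_fin_wait_1(state):
            continue
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if local_port != port:
            continue
        counts[foreign.rsplit(":", 1)[0]] += 1
    return counts


def exhaustion_suspects(netstat_output: str,
                        threshold: int = DEFAULT_THRESHOLD,
                        port: int = NBT_SESSION_PORT) -> Dict[str, int]:
    """Peers holding at least `threshold` half-closed NBT sockets at once."""
    return {peer: n
            for peer, n in half_closed_peers(netstat_output, port).items()
            if n >= threshold}


# Constructed `netstat -an` style sample (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:139         198.51.100.7:40211     FIN_WAIT_1
  TCP    192.0.2.10:139         198.51.100.7:40212     FIN_WAIT_1
  TCP    192.0.2.10:139         198.51.100.7:40213     FIN_WAIT_1
  TCP    192.0.2.10:139         198.51.100.7:40214     FIN_WAIT_1
  TCP    192.0.2.10:139         198.51.100.7:40215     ESTABLISHED
  TCP    192.0.2.10:445         198.51.100.7:40216     FIN_WAIT_1
  TCP    192.0.2.10:139         203.0.113.5:51002      FIN_WAIT_1
  UDP    192.0.2.10:137         *:*
"""

if __name__ == "__main__":
    for peer, n in exhaustion_suspects(SAMPLE_NETSTAT, threshold=3).items():
        print(f"{peer}: {n} half-closed NBT sockets")
```

A single snapshot only shows the current backlog; sampling netstat periodically and alerting when one peer stays above the threshold across samples distinguishes the sustained pattern the advisory describes from a burst of ordinary disconnects.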
30. Multiple Vendor .BAT/.CMD Remote Command Execution Vulnerability
BugTraq ID: 2023
Remote: Yes
Date Published: 1996-03-01
Relevant URL:
http://www.securityfocus.com/bid/2023
Summary:
Some web servers that allow batch files to be executed via CGI are
vulnerable to an attack whereby an intruder can execute commands on the
target machine. This can be accomplished by submitting the command to be
executed as a variable preceded by the ampersand (&) symbol, e.g.
http://targethost/cgi-bin/batfile.bat?&hostile_command. This apparently
causes the server to call the function system("batfile.bat
&hostile_command"), which the command interpreter interprets as two
separate commands. Microsoft IIS 1.0 is vulnerable to this attack whether
or not the requested .BAT file even exists. Successfully exploiting this
vulnerability allows an attacker to execute commands on the target machine
with the privileges of the web server. This vulnerability may also be
exploited via .CMD files.
31. Webcom Datakommunikation CGI Guestbook rguest/wguest Vulnerability
BugTraq ID: 2024
Remote: Yes
Date Published: 1999-04-09
Relevant URL:
http://www.securityfocus.com/bid/2024
Summary:
The freeware guestbook package from freeware.webcom.se provides a
web-based guestbook feature, using CGI. Some versions of this guestbook
(undetermined at the time of writing) are vulnerable to an attack allowing
an intruder to retrieve the contents of arbitrary files to which the web
server has access. This can be accomplished by specifying the path and
filename as the parameter "template" to either rguest.exe or wguest.exe -
see Exploit for example. These two programs typically reside in /cgi-bin.
32. Novell NetWare Web Server 2.x convert.bas Vulnerability
BugTraq ID: 2025
Remote: Yes
Date Published: 1996-07-03
Relevant URL:
http://www.securityfocus.com/bid/2025
Summary:
Novell NetWare Web Server 2.x versions came with a CGI written in BASIC
called convert.bas. This script allows retrieval of files outside of the
normal web server context. This can be accomplished simply by submitting
the filename and path as a parameter to the script, using relative paths
(../../) to traverse directories. Access may or may not be limited to the
SYS: volume.
33. GlimpseHTTP and WebGlimpse Piped Command Vulnerability
BugTraq ID: 2026
Remote: Yes
Date Published: 1996-07-03
Relevant URL:
http://www.securityfocus.com/bid/2026
Summary:
WebGlimpse and GlimpseHTTP are web indexing and search engine programs
with some associated management scripts. GlimpseHTTP up to and including
2.0, and WebGlimpse prior to version 1.5, suffer from a common
vulnerability involving the component "aglimpse". This script fails to
filter the pipe metacharacter, allowing arbitrary command execution. The
demonstration exploit for this vulnerability includes the unix shell "IFS"
(Internal Field Separator) variable for situations where the web server
filters space characters - by setting this to an acceptable character ("5"
in the example exploit) it is possible to use commands with more than one
field (e.g., "mail me@myhost.tld").
34. AnalogX Proxy Server DoS Vulnerability
BugTraq ID: 2027
Remote: Yes
Date Published: 2000-11-23
Relevant URL:
http://www.securityfocus.com/bid/2027
Summary:
AnalogX Proxy Server enables networked computers to request various
internet services through the proxy gateway. AnalogX supports most common
internet protocols.
AnalogX Proxy Server is subject to a denial of service. If unusually long
arguments are sent to the FTP, SMTP or POP3 service, the server stops
responding. A restart of the server service is required in order to
restore normal functionality.
Successful exploitation of this vulnerability could lead to the execution
of arbitrary code on the target host, however this has not been verified.
35. Majordomo Config-file admin_password Configuration Vulnerability
BugTraq ID: 2028
Remote: Yes
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2028
Summary:
Majordomo is a popular open-source e-mail list server written in Perl.
There exists a common configuration error in Majordomo's authentication
system that may allow for remote attackers to execute administrative
commands.
Majordomo authenticates list administrators using passwords each time an
administrative command is issued. During authentication, the supplied
password is first compared to the value of the admin_password option in
the list configuration file. If the two match, the administrator is
authenticated and the command is executed. If not, Majordomo attempts to
open a file in the lists directory with a filename in the format
"listname.passwd", where "listname" is the name of the current list. The
password is then read from that file.
Many Majordomo setup/installation guides instruct the user configuring
Majordomo not to set a real password as the value of admin_password, but
rather to assign the option the name of the file containing the password
(in the listname.passwd format). If this is done, the filename specified
as the value of admin_password effectively becomes a valid password and
can be used to authenticate as an administrator.
If a system has been configured this way, a remote attacker can guess the
name of the file (listname.passwd) and use it as the password to
successfully execute administrator commands.
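The two-step lookup and the misconfiguration described above, reproduced as an added example in Python rather than Majordomo's own Perl: authenticate follows the advisory's order (admin_password option first, then listname.passwd), and misconfigured flags a list whose admin_password is the file name. The list configuration is a constructed dict standing in for the parsed configuration file, and the password file content is constructed too.

```python
import hmac
import os
import tempfile
from typing import Dict, Optional


def password_file_for(lists_dir: str, listname: str) -> str:
    """The fallback file Majordomo opens: <lists_dir>/<listname>.passwd."""
    return os.path.join(lists_dir, f"{listname}.passwd")


def read_password_file(lists_dir: str, listname: str) -> Optional[str]:
    try:
        with open(password_file_for(lists_dir, listname), encoding="utf-8") as fh:
            return fh.readline().strip()
    except OSError:
        return None


def authenticate(listname: str, supplied: str,
                 config: Dict[str, str], lists_dir: str) -> bool:
    """Two-step check as the advisory describes: the admin_password option
    is consulted first, then the contents of listname.passwd."""
    option = config.get("admin_password", "")
    if option and hmac.compare_digest(option.encode(), supplied.encode()):
        return True
    stored = read_password_file(lists_dir, listname)
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())


def misconfigured(listname: str, config: Dict[str, str]) -> Optional[str]:
    """Flag a list whose admin_password holds the password file's name: that
    value is then accepted as a password and is trivially guessable."""
    option = config.get("admin_password", "")
    if option and (option == f"{listname}.passwd"
                   or os.path.basename(option).endswith(".passwd")):
        return (f"list '{listname}': admin_password is set to the filename "
                f"'{option}', which Majordomo will accept as the password")
    return None


def demo() -> Dict[str, object]:
    """Constructed lists directory with one list configured as the guides
    describe (filename in admin_password) and one configured correctly
    (option empty, secret only in listname.passwd)."""
    with tempfile.TemporaryDirectory() as lists_dir:
        with open(password_file_for(lists_dir, "announce"), "w", encoding="utf-8") as fh:
            fh.write("constructed-secret-value\n")  # constructed password
        bad = {"admin_password": "announce.passwd"}
        good = {"admin_password": ""}
        return {
            "bad_accepts_filename": authenticate("announce", "announce.passwd", bad, lists_dir),
            "good_rejects_filename": not authenticate("announce", "announce.passwd", good, lists_dir),
            "good_accepts_file_password": authenticate("announce", "constructed-secret-value", good, lists_dir),
            "finding": misconfigured("announce", bad),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running misconfigured over every list's parsed configuration is the quick audit; the fix is to clear admin_password and keep the secret only in the listname.passwd file with restrictive permissions.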
36. Trlinux Postaci Webmail Password Disclosure Vulnerability
BugTraq ID: 2029
Remote: Yes
Date Published: 2000-11-30
Relevant URL:
http://www.securityfocus.com/bid/2029
Summary:
Postaci Webmail is a database-driven web e-mail system. Postaci contains a
vulnerability in its default configuration that may allow a remote
attacker to gain access to the underlying database.
Postaci stores database username and password information in a file
called global.inc. This file is world-readable and stored in a directory
accessible by a web browser over the internet. As a result, an attacker
can retrieve the global.inc file with a web browser on a typical system
(default configuration). Once obtained, the attacker may be able to access
the system's database.
Successful exploitation will lead to the attacker gaining unauthorized
access to the database.
Depending on the database and system type, this may lead to a compromise
of interactive access on the host running Webmail and the database.
37. Microsoft SQL Server / Data Engine xp_displayparamstmt Buffer Overflow Vuln
BugTraq ID: 2030
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2030
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_displayparamstmt, a
buffer overflow can occur due to an unsafe memory copy. This can cause SQL
Server to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
38. Microsoft SQL Server / Data Engine xp_enumresultset Buffer Overflow Vuln.
BugTraq ID: 2031
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2031
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_enumresultset, a
buffer overflow can occur due to an unsafe memory copy. This can cause SQL
Server to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
39. AIX setsenv Buffer Overflow Vulnerability
BugTraq ID: 2032
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2032
Summary:
AIX is a version of the UNIX Operating System distributed by IBM. A
problem exists that could allow a user elevated privileges.
The problem occurs in the setsenv binary. It has been reported that a
buffer overflow exists in this binary which could allow a user to
overwrite variables on the stack, including the return address. This makes
it possible for a malicious user to execute arbitrary code, and
potentially attain a UID of 0.
40. AIX digest Buffer Overflow Vulnerability
BugTraq ID: 2033
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2033
Summary:
AIX is a version of the UNIX Operating System distributed by IBM. A
vulnerability exists in the operating system which could allow a user an
elevation in privilege.
The problem occurs in the digest binary. It is reported that it is
possible to overflow a buffer in the program and overwrite a pointer to
the stack, which in turn can result in an overflow in a library referenced
by the binary. The secondary overflow in the library makes it possible to
overwrite other stack variables, including the return address. A
malicious user could use this vulnerability to gain an elevation in
privileges, and potentially UID 0.
41. AIX enq Buffer Overflow Vulnerability
BugTraq ID: 2034
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2034
Summary:
AIX is a variant of the UNIX Operating System, distributed by IBM. A
problem exists that may allow elevation of user privileges.
The problem occurs in the enq program. It is reported that an overflow
exists in the command line argument parsing, which could lead to the
overwriting of variables on the stack. This creates the potential for a
malicious user to execute arbitrary code, and possibly gain administrative
access.
42. AIX setclock Buffer Overflow Vulnerability
BugTraq ID: 2035
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2035
Summary:
AIX is a variant of the UNIX Operating System, distributed by IBM. A
problem exists which could allow local users to gain elevated
privileges.
The problem occurs in the setclock binary. Due to a buffer overflow in the
main() function of the program caused by input handling, it is possible to
overwrite pointers to the stack and potentially other variables. This
creates an opportunity for a malicious user to gain elevated privileges,
and potentially administrative access.
43. AIX pioout Buffer Overflow Vulnerability
BugTraq ID: 2036
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2036
Summary:
AIX is a variant of the UNIX Operating System, distributed by IBM. A
problem exists which could allow elevation of privileges for local users.
The problem exists in the pioout program. When the PIODEVNAME environment
variable, stored in heap memory, is parsed, insufficient handling by a
strcpy() call causes the program to die. This makes it possible for a
malicious user to craft an environment variable that could allow for the
overwriting of stack variables, and potentially execute arbitrary code.
44. AIX piobe Buffer Overflow Vulnerability
BugTraq ID: 2037
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2037
Summary:
AIX is a variant of the UNIX Operating System, distributed by IBM. A
problem exists which can allow a local user elevated privileges.
The problem exists in the piobe program. Due to insufficient handling of
the PIOSTATUSFILE, PIOTITLE, and PIOVARDIR environment variables, it is
possible to overwrite stack variables. This makes it possible for a
malicious user to pass specially formatted strings to the program via
environment variables, and potentially gain administrative access.
45. Microsoft SQL Server / Data Engine xp_showcolv Buffer Overflow Vulnerability
BugTraq ID: 2038
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2038
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_showcolv, a buffer
overflow can occur due to an unsafe memory copy. This can cause SQL Server
to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
46. Microsoft SQL Server / Data Engine xp_updatecolvbm Buffer Overflow Vuln.
BugTraq ID: 2039
Remote: Yes
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2039
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_updatecolvbm, a
buffer overflow can occur due to an unsafe memory copy. This can cause SQL
Server to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
47. Microsoft SQL Server / Data Engine xp_peekqueue Buffer Overflow Vuln.
BugTraq ID: 2040
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2040
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_peekqueue, a buffer
overflow can occur due to an unsafe memory copy. This can cause SQL Server
to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
48. Microsoft SQL Server / Data Engine xp_printstatements Buffer Overflow Vuln.
BugTraq ID: 2041
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2041
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_printstatements, a
buffer overflow can occur due to an unsafe memory copy. This can cause SQL
Server to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
49. Microsoft SQL Server / Data Engine xp_proxiedmetadata Buffer Overflow Vuln.
BugTraq ID: 2042
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2042
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_proxiedmetadata, a
buffer overflow can occur due to an unsafe memory copy. This can cause SQL
Server to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
50. Microsoft SQL Server / Data Engine xp_SetSQLSecurity Buffer Overflow Vuln
BugTraq ID: 2043
Remote: No
Date Published: 2000-12-01
Relevant URL:
http://www.securityfocus.com/bid/2043
Summary:
The API Srv_paraminfo(), which is implemented by Extended Stored
Procedures (XPs) in Microsoft SQL Server and Data Engine, is susceptible
to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system depending on the
data entered into the buffer.
XPs are DLL files that perform high level functions in SQL Server. When
called, they invoke a function called Srv_paraminfo() to parse the input
parameters.
A vulnerability lies in Srv_paraminfo() and the fact that it does not
check the length of the parameter string that an XP passes to it. If an
attacker can pass an overly long string to the XP xp_SetSQLSecurity, a
buffer overflow can occur due to an unsafe memory copy. This can cause SQL
Server to crash.
It may also be possible for attackers to execute arbitrary code on the
host running SQL Server. The attacker would need to overwrite the return
address of the calling function with the address of supplied shellcode in
memory. This shellcode would be executed under the context of the account
that the SQL Server service was configured to run under. At a minimum,
the account would have to possess SYSTEM privileges.
This vulnerability is confined to those who can successfully log onto the
SQL server.
III. SECURITYFOCUS.COM NEWS AND COMMENTARY
------------------------------------------
1. Judiciary Weighs Privacy, Access
By Kevin Poulsen
The federal judiciary is asking for the public's help in hashing out the
privacy issues attendant with allowing web access to court case files,
which can sometimes include such sensitive information as medical
histories, personnel files, tax returns and social security numbers.
The dead-tree versions of criminal and civil case files have long been
open to public inspection and copying. But as the federal judiciary moves
into the information age and puts more of those files on the web, it's
having second thoughts about "the privacy and security implications of
vastly wider public access," according to a recent statement from the
Administrative Office of the U.S. Courts.
http://securityfocus.com/templates/article.html?id=120
2. Hijackers Take AIM Accounts
By Kevin Poulsen
Hackers exploiting a loophole in America Online's signup process have
begun taking their pick of AOL Instant Messenger (AIM) accounts, hijacking
them virtually at will.
The technique emerged early this month on AOL-Files, a meeting place for
AOL hackers, where it was born as a harmless hack that allows users to
establish AOL accounts with screen names that are -- unconventionally --
indented.
http://securityfocus.com/templates/article.html?id=119
IV. SECURITY FOCUS TOP 6 TOOLS
-----------------------------
1. MindTerm 1.99pre2
(AIX, FreeBSD, HP-UX, Java, Linux, MacOS, Solaris, Windows 95/98
and Windows NT)
by Mats Andersson (mindterm@mindbright.se)
Relevant URL: http://www.mindbright.se/mindterm/
MindTerm is a complete ssh-client in pure Java. It can be used either as a
standalone Java application or as a Java applet. Three packages of
importance are provided (terminal, ssh, and security). The terminal
package is a rather complete vt102/xterm-terminal, and the ssh-package
contains the ssh- protocol and also "drop-in" socket replacements to use
ssh-tunnels transparently from a Java application/applet. It also contains
functionality to realize a ssh-server. Finally, the security package
contains RSA, DES, 3DES, Blowfish, IDEA, and RC4 ciphers.
2. Linux Intrusion Detection System (LIDS) 0.9.11
(Linux)
by Xie Hua Gang (xhg@gem.ncic.ac.cn)
Relevant URL: http://www.lids.org/
The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, access to chosen files, all
system/network administration operations, any capability use, raw device,
mem, and I/O access can be made impossible even for root. You can define
which program can access which file. It uses and extends the system
capabilities bounding set to control the whole system and adds some
network and filesystem security features to the kernel to enhance the
security. You can finely tune the security protections online, hide
sensitive processes, receive security alerts through the network, and
more.
3. RelayTCP
(Windows 2000, Windows 95/98 and Windows NT)
by DLC Sistemas
Relevant URL: http://www.dlcsistemas.com/html/relay_tcp.html
RelayTCP redirects TCP/IP connections from a local port to a remote IP
and port. RelayTCP can record all the connections made and the data
transferred, which is useful for debugging the transferred data.
4. MindTerm 1.99pre2
(AIX, FreeBSD, HP-UX, Java, Linux, MacOS, Solaris, Windows 95/98
and Windows NT)
by Mats Andersson (mindterm@mindbright.se)
Relevant URL: http://www.mindbright.se/mindterm/
MindTerm is a complete ssh-client in pure Java. It can be used either as a
standalone Java application or as a Java applet. Three packages of
importance are provided (terminal, ssh, and security). The terminal
package is a rather complete vt102/xterm-terminal, and the ssh-package
contains the ssh- protocol and also "drop-in" socket replacements to use
ssh-tunnels transparently from a Java application/applet. It also contains
functionality to realize a ssh-server. Finally, the security package
contains RSA, DES, 3DES, Blowfish, IDEA, and RC4 ciphers.
5. Anomy Mail Sanitizer 1.32
(Perl, any system supporting Perl)
by Bjarni R. Einarsson (bre@netverjar.is)
Relevant URL: http://mailtools.anomy.net/
The Anomy mail sanitizer is a filter designed to block email-based
security risks, such as trojans and viruses. It can scan an arbitrarily
complex RFC822 or MIME message and remove or rename attachments, truncate
unusually long MIME header fields and sanitize HTML by disabling
Javascript, etc. It uses a single-pass pure Perl MIME parser, which can
make it both more efficient and more precise than other similar programs.
The sanitizer has built-in support for third-party virus scanners.
6. solpromisc 1.0
(Solaris)
by User Datagram Protocol
Relevant URL: http://www.low-level.net/udp/projects.html
This is a kernel module which you can load to detect attempts to put
devices into promiscuous mode from user space via DLPI (e.g. solsniff,
tcpdump, anything pcap based). It dumps the cred struct for the process,
and the driver responsible, to the dmesg output buffer for collection by
syslog. Read the source, please.
V. SECURITY JOBS SUMMARY
------------------------
1. Systems/Applications Engineer, DC area (Thread)
Relevant URL:
2. SCM and Security (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-12-02%26thread%3d001a01c05ba8$6b5d3dc0$ac39ea18@IDICALIF.COM
3. Internet Security Trainer (Thread)
Relevant URL:
4. Southern California C++ Network Programming Projects (Beachside Living) (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d77%26date%3d2000-12-02%26thread%3d003b01c05af5$4a469180$d1bd0140@net.ipsamerica.com
5. e-business security manager position in NYC (Thread)
Relevant URL:
6. Security Analyst Needed (Thread)
Relevant URL:
7. Network Engineer-Security Focus (Thread)
Relevant URL:
8. New York city-based security consultant seeks pure play PKI company (Thread)
Relevant URL:
VI. INCIDENTS LIST SUMMARY
-------------------------
1. Rooted, new DDoS also (Thread)
Relevant URL:
2. Hybris worm (Thread)
Relevant URL:
3. Scan to Port 1243 (Thread)
Relevant URL:
4. DNS Messages (Thread)
Relevant URL:
5. Hack'a'Tack trojan (?) (Thread)
Relevant URL:
6. !! SCAN TO THE PORT 1243 !! (Thread)
Relevant URL:
7. Crack attempt last weekend (Thread)
Relevant URL:
8. LPRng exploits (Thread)
Relevant URL:
9. scans for port 4000 udp (Thread)
Relevant URL:
10. SMTP brute force attack? (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d75%26date%3d2000-12-02%26thread%3d01e401c05a31$e1ee44c0$1cd8a8ce@rockynet.com
11. Looks like a duck...quacks like a duck... (Thread)
Relevant URL:
12. strange HTTP scan/attack? (Thread)
Relevant URL:
13. t0rnrootkit (Thread)
Relevant URL:
14. Ping flood IPs (Thread)
Relevant URL:
15. Virus or Hacked NEW PC? (Thread)
Relevant URL:
16. [Snort-users] 13 instances of ping bsd (Thread)
Relevant URL:
17. LPRng remote root exploit seen in the wild (Thread)
Relevant URL:
18. Trafic @ port 587 (Thread)
Relevant URL:
19. port 3647? (Thread)
Relevant URL:
20. Ping flood? (Thread)
Relevant URL:
21. Scan of ports 100 and 510 (Thread)
Relevant URL:
22. Connection to port 137 (Thread)
Relevant URL:
23. sendmail 8.11.0 and port 587/TCP (Thread)
Relevant URL:
24. Interesting Attack. (Thread)
Relevant URL:
25. Unusual URLs sent to IIS 5.0 server (Thread)
Relevant URL:
26. Spoofed (?) BSD Pings (Thread)
Relevant URL:
27. FYI: Slow port 137 scanning in reverse IP# order (Thread)
Relevant URL:
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. lpd exploit? (Thread)
Relevant URL:
2. lpd exploit (Thread)
Relevant URL:
3. PHP.Pirus (Thread)
Relevant URL:
4. cAIM bug (Thread)
Relevant URL:
5. Linksys DSL routers and fragments (Thread)
Relevant URL:
6. Recent post & .asx file as attachment.. (Thread)
Relevant URL:
7. .asx bufferoverrun... (Thread)
Relevant URL:
8. hybrid-ircd (Thread)
Relevant URL:
9. Windows2000 telnet exploit (Thread)
Relevant URL:
10. [Update] NSFOCUS SA2000-07: Microsoft IIS 4.0/5.0 CGI File Name Inspection Vulnerability (Thread)
Relevant URL:
11. RIPv1, v2 and OSFP exploits? (Thread)
Relevant URL:
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Securing a production box (Thread)
Relevant URL:
2. FW: Parting Admin (Thread)
Relevant URL:
3. IPSec through NAT (was RE: Microsoft Exchange SMTP server and DMZ area.) (Thread)
Relevant URL:
4. ntuser.dat (Thread)
Relevant URL:
5. Parting Admin (Thread)
Relevant URL:
6. Win2000 Pro share reconnection (Thread)
Relevant URL:
7. Win2k Advanced Server (Thread)
Relevant URL:
8. Bug in MS Win2k - Policy with SP1 install (Thread)
Relevant URL:
9. Distributing patches and fixes on a LAN. (Thread)
Relevant URL:
10. Executing remote commands via Telnet (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-12-02%26thread%3d000f01c05bac$7a6c8a10$af05a8c0@AnchorIS.Com
11. Ghost Users (Was departing Admin) (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-12-02%26thread%3d00ae01c05b54$74ffde40$af05a8c0@AnchorIS.Com
12. Changing the banner in IIS (Thread)
Relevant URL:
13. AW: Win2k Advanced Server (Thread)
Relevant URL:
14. Recent post & .asx file as attachment.. (Thread)
Relevant URL:
15. Securing a database (Thread)
Relevant URL:
16. .asx file bufferoverrun (Thread)
Relevant URL:
17. IPSec through NAT (was RE: Microsoft Exchange SMTP server and DMZ area.) (Thread)
Relevant URL:
18. hidden shares (Thread)
Relevant URL:
19. security issue in event viewer... (Thread)
Relevant URL:
20. Microsoft Exchange SMTP server and DMZ area. (Thread)
Relevant URL:
21. The Basics (Thread)
Relevant URL:
22. IIS 4 updates (Thread)
Relevant URL:
23. WHISTLER TO BLOCK MAVERICK CODE (Thread)
Relevant URL:
24. SV: IIS 4 updates (Thread)
Relevant URL:
25. windows SYN FLOOD (Thread)
Relevant URL:
26. Fwd:Distributing patches and fixes on a LAN. (Thread)
Relevant URL:
27. Disabling floppy and Inet properties (Thread)
Relevant URL:
28. Clandestine authentication on NT? (Thread)
Relevant URL:
29. System Authority on NT (Thread)
Relevant URL:
30. Error: System Process: License Violation ... what the heck does that mean? (Thread)
Relevant URL:
31. A question about a seemingly open TCP port in Win2k (Thread)
Relevant URL:
32. SecurityFocus.com Microsoft Newsletter #10 (Thread)
Relevant URL:
33. Checking the Integrity of Registry keys (Thread)
Relevant URL:
34. Updated version of the Registry Key Integrity Checker (Thread)
Relevant URL:
IX. SUN FOCUS LIST SUMMARY
----------------------------
1. Fw: Re: Compiling OpenSSH [Re: SunSHIELD BSM and SSH] (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d92%26date%3d2000-12-02%26thread%3d008201c05be1$62c01aa0$60b34b82@wh.unihannover.de
2. Compiling OpenSSH [Re: SunSHIELD BSM and SSH] (Thread)
Relevant URL:
3. firewall penetration (Thread)
Relevant URL:
4. SunSHIELD BSM and SSH (Thread)
Relevant URL:
5. FW: SunSHIELD BSM and SSH (Thread)
Relevant URL:
6. Is fsirand still needed? (Thread)
Relevant URL:
7. Network Mapping (Thread)
Relevant URL:
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. Firewall (Thread)
Relevant URL: http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d91%26date%3d2000-12-02%26thread%3d001b01c05bda$da8325c0$0101a8c0@gods.ro
2. firewall penetration (Thread)
Relevant URL:
3. Does it have openssh`s problem?? (Thread)
Relevant URL:
4. Does it have openssh's problem?? (Thread)
Relevant URL:
5. openssl Certificates + Netscape or IE (Thread)
Relevant URL:
6. ISDN Callback, encrypted channel, etc. on RH 7 (Thread)
Relevant URL:
7. SecurityFocus.com Linux Newsletter #6 (Thread)
Relevant URL:
8. [ no subject ]
Relevant URL:
9. your mail (Thread)
Relevant URL:
XI. SPONSOR INFORMATION - Baseline Software Inc.
------------------------------------------------
XII. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation, you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from the
appropriate address or email the moderator to be unsubscribed manually.