|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: SecurityFocus.com Newsletter #73
From: Stephen Entwisle (se
SECURITYFOCUS.COM)Date: Tue Jan 02 2001 - 10:32:37 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
SecurityFocus.com Newsletter #73
--------------------------------
This issue sponsored by: Network ICE
High-Speed Intrusion Protection for the Enterprise from Network ICE
With a unique combination of intrusion detection plus blocking, we deliver
centrally-managed intrusion protection products that guard VPN clients,
Gigabit segments and enterprise servers against attack. Block attacks
other products miss, without dropping packets, suffering CPU meltdown or
flooding your NOC with false alarms.
Don't believe it? We can prove it: http://www.networkice.com
I. FRONT AND CENTER
1. An Introduction to Viruses and Malicious Code Part Two: Protecting
Your Computers and Data
II. BUGTRAQ SUMMARY
1. dialog /tmp File Race Condition Vulnerability
2. Upland Solutions 1st Up Mail Server DoS Vulnerability
3. GnuPG Silent Import of Secret Keys Vulnerability
4. Security-Enhanced Linux Buffer Overflow Vulnerability
5. Technote Inc Technote 'board' Function File Disclosure Vulnerability
6. Technote Inc Technote 'filename' Variable File Disclosure Vulnerability
7. ikonboard Arbitrary Command Execution Vulnerability
III.SECURITY FOCUS TOP 6 TOOLS
1. Advanced Administrative Tools 4.25
2. Dsniff 2.3
3. Fwall 0.1-1
4. twwwscan 0.7
5. NNCookCt - Navigator cookie cutter
6. HouseCall
IV. SECURITYJOBS LIST SUMMARY
1. IT Security Analyst - £45k (Thread)
2. Out of Office Probe (Thread)
3. Junior and Senior level Security Consultants needed in US and Canada
V. INCIDENTS LIST SUMMARY
1. scans on ports 3072 and 1024, why? (Thread)
2. Wake-up call (Thread)
3. new NT worm (Thread)
4. backdoor or bot? (Thread)
5. New to this and need help plz!! (Thread)
6. Tons of ping activity? (Thread)
7. Port 8 and Ping (Thread)
8. infection? (Thread)
9. Out of Office Probe (Thread)
10. scan on TCP/21536 (Thread)
11. Probes on UDP port 27015 (Thread)
12. Strange messages from sendmail. (Thread)
13. probes for (pro)ftp(d) (Thread)
14. IAP (Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
1. InET Labs Files (Thread)
2. execution inside of Perl reg ex? (Thread)
3. The NSA's Security-Enhanced Linux (Thread)
4. PI DLL (Thread)
5. source code extracting (Thread)
6. buffer overflow(?) help (Thread)
7. [DeepZone black tool] WinNT/2k portable shellcode generator...(Thread)
8. IE5 Crash (Thread)
9. PERL's -e check (Thread)
10. Lynx-SSL doesn't check server certificates (Thread)
11. In response to Mr. Testa's statment...(Thread)
12. Proxy stuff (Thread)
13. EMC Symmetrix SAN (Thread)
14. GATEWAY ? (Thread)
VII. MICROSOFT FOCUS LIST SUMMARY
1. IPSec as a simple firewall (Thread)
2. RV: SQL Server (DSN) Hack (Thread)
3. SQL Server (DSN) Hack (Thread)
4. NTLM AND WAP (Thread)
5. Only UNICODE "/" and "\" cause problem? (Thread)
6. ISA (Thread)
7. NT encryption (Thread)
8. infection? (Thread)
9. Microsoft Outlook 2000 9.0.0.2711 Plain Text Passwords (Thread)
10. Disabling NetBIOS and IIS (Thread)
11. Windows NT 4.0 SCP (Thread)
12. Chatting Client(s) appropriate for a moderately secure...(Thread)
13. tcp wrappers (Thread)
14. SecurityFocus.com Microsoft Newsletter #14 (Thread)
15. System/App "footprints" for forensics (Thread)
16. IIS/NT logging (Thread)
VIII. SUN FOCUS LIST SUMMARY
1. rstchown kernel setting (Thread)
IX. LINUX FOCUS LIST SUMMARY
1. Not executing code (stopping fork() loop) (Thread)
2. Not executing code (Thread)
3. Dsniff (Thread)
4. SecurityFocus.com Linux Newsletter #9 (Thread)
X. SPONSOR INFORMATION - Network Ice
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. FRONT AND CENTER
-------------------
1. An Introduction to Viruses and Malicious Code Part Two: Protecting Your
Computers and Data
by Brad Griffin
In Part One of this series, SecurityFocus.com writer Brad Griffin
introduced readers to viruses and other forms of malicious code. He
discussed the various ways in which viruses can infect a user's computer
and how they can affect a user's important data. This article, the second
in a three-part series, will discuss ways of protecting computers against
virus infection, including: anti-virus software, proper handling of e-mail
and external media such as floppy disks, the dangers of non-essential
software, and the necessity of user education.
http://www.securityfocus.com/focus/basics/articles/malintro2.html
II. BUGTRAQ SUMMARY
-------------------
1. dialog /tmp File Race Condition Vulnerability
BugTraq ID: 2151
Remote: No
Date Published: 2000-12-25
Relevant URL:
http://www.securityfocus.com/bid/2151
Summary:
dialog is a program available with the Debian distribution of the Linux
Operating System. A problem exists which could allow a user to append to
or overwrite files owned by another user.
Various programs such as debconf are dependent upon dialog. However,
dialog creates lock files in the /tmp directory insecurely. A brute force
attack involving creating numerous symbolic links in the /tmp filesystem
makes it possible to truncate any linked file that is writable by the user
executing dialog (be it directly, or through another program). It is
possible for a user with malicious intent to exploit this vulnerability
and truncate, corrupt, or overwrite sensitive files that privileged only
to the user executing dialog.
2. Upland Solutions 1st Up Mail Server DoS Vulnerability
BugTraq ID: 2152
Remote: Yes
Date Published: 2000-12-25
Relevant URL:
http://www.securityfocus.com/bid/2152
Summary:
1st Up Mail Server is an email server which supports most common internet
protocols and email software offered by Upland Solutions.
It is possible to cause a denial of service in 1st Up Mail Server, the
vulnerability exists in the "mail from" field. By submitting an unusually
large number of characters (over 300) in the "mail from" field, an error
message will display and cause the server service to stop responding. A
restart of the service is required in order to gain normal functionality.
This vulnerability may be the result of a buffer overflow, although not
verified this could lead to the execution of arbitrary code on the target
host.
The error message that will display is as follows:
"Application popup: smtp server: smtp server.exe - Application Error : The
instruction at "0x00402f23" referenced memory at "0x61616161". The memory
could not be "read"."
"Click on OK to terminate the program Click on CANCEL to debug the
program."
3. GnuPG Silent Import of Secret Keys Vulnerability
BugTraq ID: 2153
Remote: Yes
Date Published: 2000-12-25
Relevant URL:
http://www.securityfocus.com/bid/2153
Summary:
GnuPG is the GNU Privacy Guard, a public key program designed to
facilitate secure email between parties. A problem exists which could
allow a breaking of the ring of trust.
The problem occurs in the trust of secret keys by GnuPG. GnuPG considers
the public keys that correspond to known secret keys to be trusted in
entirety. However, GnuPG imports secret keys from key servers silently,
and can therefore break the trust model by accepting a secret key that
corresponds to a key held in the public ring. This makes it possible for a
user with malicious intent to infiltrate and break the trust of a group by
uploading a public and private key to a certificate authority or key
server, and creating a situation that would allow a user to import the
public key and private key to their keyring.
4. Security-Enhanced Linux Buffer Overflow Vulnerability
BugTraq ID: 2154
Remote: No
Date Published: 2000-12-26
Relevant URL:
http://www.securityfocus.com/bid/2154
Summary:
Security-Enhanced Linux is an add-on access control infrastructure
developed and distributed by the U.S. National Security Agency. A problem
exists which could allow the altering of sensitive information on a
running system.
The problem occurs in the libsecure/get_default_type.c file.
get_default_type attempts to allocate buffer space by extracting the
default type from /etc/security/default_type and copying the result to a
buffer. The buffer that is created, however, is generally one byte too
small and creates an ideal situation for a buffer overflow attack. This
vulnerability can be exploited by a malicious user to potentially
overwrite malloc()'d fields that may contain other application data, or
overhead data that another application was relying upon.
5. Technote Inc Technote 'board' Function File Disclosure Vulnerability
BugTraq ID: 2155
Remote: Yes
Date Published: 2000-12-23
Relevant URL:
http://www.securityfocus.com/bid/2155
Summary:
Technote Inc. offers a Multicommunication Package which includes a web
board type of service.
A script that ships with Technote, print.cgi, accepts a parameter called
"board". This remotely-supplied variable is used as a filename when the
open() function is called. In addition to allowing the attacker to specify
a file to be opened remotely, the variable is not checked for "../"
character sequences. As a result, a malicious remote user can specify an
arbitrary file on the file system as this variable (by using ../ sequences
followed by its real path), which will be opened by the script. Its
contents will then be disclosed to the attacker.
Successful exploitation of this vulnerability could lead to the disclosure
of sensitive information and possibly assist in further attacks against
the victim
It should be noted that the attacker may only read files which are
accessible to the web-server process.
6. Technote Inc Technote 'filename' Variable File Disclosure Vulnerability
BugTraq ID: 2156
Remote: Yes
Date Published: 2000-12-27
Relevant URL:
http://www.securityfocus.com/bid/2156
Summary:
Technote Inc. offers a Multicommunication Package which includes a web
board type of service.
A script that ships with Technote, main.cgi, accepts a parameter called
"filename". This remotely-supplied variable is used as a filename when the
open() function is called. In addition to allowing the attacker to specify
a file to be opened remotely, the variable is not checked for "../"
character sequences. As a result, a malicious remote user can specify any
file on the file system as this variable (by using ../ sequences followed
by its real path), which will be opened by the script. Its contents will
then be disclosed to the attacker.
Successful exploitation of this vulnerability could lead to the disclosure
of sensitive information and possibly assist in further attacks against
the victim
It should be noted that the attacker may only read files which are
accessible to the web-server process.
7. ikonboard Arbitrary Command Execution Vulnerability
BugTraq ID: 2157
Remote: No
Date Published: 2000-12-28
Relevant URL:
http://www.securityfocus.com/bid/2157
Summary:
ikonboard is a forum management software package available from
ikonboard.com. A problem exists with could allow users access to
restricted resources.
The problem occurs in the operation of the register.cgi script. Due to
insufficient checking of input, it is possible to execute system binaries
as the effective userid of the web server process. By setting the
$SEND_MAIL variable in the URL, it is possible to specify the binary to
execute as the httpd userid, and then register to execute the program.
This design flaw makes it possible for a user with malicious intent to
gain local access to a system running ikonboard.
III.SECURITY FOCUS TOP 6 TOOLS
-----------------------------
1. Advanced Administrative Tools 4.25
Platforms: Windows 2000, Windows 95/98 and Windows NT
by G-Lock Software
Relevant URL: http://www.glocksoft.com/aatools.htm
Advanced Administrative Tools is a multithreaded network diagnostic tool.
Its purpose is to accumulate data pertaining to network status and
availability, using all of the latest development tools in network
research. It is a 11-in-1 utility, including Port Scanner with an internal
database of ports (officially assigned, unofficially used, or currently
affected by network Trojan Horses), CGI security Analyzer, Proxy Analyzer
(with free proxy anonymous rating), Email Verifier, Links analyzer,
Network Status - TCP/UDP protocol monitor that displays local IP and
remote IP, TCP or UDP ports in use, Process Info, Whois, System Info,
Resource Viewer and Registry Cleaner.
2. Dsniff 2.3
Platforms: FreeBSD, Linux, NetBSD, OpenBSD and Solaris
by Dug Song (dugsongmonkey.org)
Relevant URL: http://www.monkey.org/~dugsong/dsniff/
dsniff is a collection of traffic sniffing tools for network auditing and
penetration testing.
3. Fwall 0.1-1
Platforms: N/A
by StarLink
Relevant URL: http://www.conectividade.com.br/fwall-sw.html
Using fwall, type a single command line and with little knowledge you can:
-Create complex IPchains, Bash, Perl (and others) based firewall scripts
- Block or permit access to services with a single command line
-Select modules (plug-ins) from a menu screen -Permanently
activate/deactivate the firewall
4. twwwscan 0.7
Platforms: Windows 2000, Windows 95/98 and Windows NT
by pilot
Relevant URL: http://www.securityfocus.com/tools/1886
Updated version of twwwscan with added -v option support html type report
support CVE information included completed NT/2000 IIS detail patch
information. Last(~2000/12/23) WWW Vulnerabilities 300 over bugs check
5. NNCookCt - Navigator cookie cutter
Platforms: Windows 95/98
by J Nickson
Relevant URL: http://www.roninsg.com/nncookct.htm
Some so called security software just destroys the cookie file. This is
primitive. NNCookCt lets you choose. Not all cookies are bad. Some are
handy. With NNCookCt, you can know:
-Who they are from
-Be in plain text (unless they have a logon sequence)
-Give you a clue as to what they are about.
6. HouseCall
Platforms: Windows 2000, Windows 95/98 and Windows NT
by Trend Micro
Relevant URL: http://housecall.antivirus.com/
Free on-line virus scanning service from Trend Micro for Exchange Server
mailbox, Lotus Notes Database, and for local disk. Nothing to install;
HouseCall scans for and cleans viruses over the Web through ActiveX and
Java technology. As a result, the product is always up-to-date.
IV. SECURITY JOBS SUMMARY
------------------------
1. IT Security Analyst - £45k (Thread)
Relevant URL:
2. Out of Office Probe (Thread)
Relevant URL:
3. Junior and Senior level Security Consultants needed in US and Canada. (Thread)
Relevant URL:
V. INCIDENTS LIST SUMMARY
-------------------------
1. scans on ports 3072 and 1024, why? (Thread)
Relevant URL:
2. Wake-up call (Thread)
Relevant URL:
3. new NT worm (Thread)
Relevant URL:
4. backdoor or bot? (Thread)
Relevant URL:
5. New to this and need help plz!! (Thread)
Relevant URL:
6. Tons of ping activity? (Thread)
Relevant URL:
7. Port 8 and Ping (Thread)
Relevant URL:
8. infection? (Thread)
Relevant URL:
9. Out of Office Probe (Thread)
Relevant URL:
10. scan on TCP/21536 (Thread)
Relevant URL:
11. Probes on UDP port 27015 (Thread)
Relevant URL:
12. Strange messages from sendmail. (Thread)
Relevant URL:
13. probes for (pro)ftp(d) (Thread)
Relevant URL:
14. IAP (Thread)
Relevant URL:
VI. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. InET Labs Files (Thread)
Relevant URL:
2. execution inside of Perl reg ex? (Thread)
Relevant URL:
3. The NSA's Security-Enhanced Linux (Thread)
Relevant URL:
4. PI DLL (Thread)
Relevant URL:
govcls.tampabay.rr.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2000-12-30%26thread%3d002401c071c6$ebf5ed40$46b98118govcls.tampabay.rr.com
5. source code extracting (Thread)
Relevant URL:
6. buffer overflow(?) help (Thread)
Relevant URL:
7. [DeepZone black tool] WinNT/2k portable shellcode generator is on-line!!! (Thread)
Relevant URL:
8. IE5 Crash (Thread)
Relevant URL:
9. PERL's -e check (Thread)
Relevant URL:
10. Lynx-SSL doesn't check server certificates (Thread)
Relevant URL:
11. In response to Mr. Testa's statment (was PERL's -e check) (Thread)
Relevant URL:
12. Proxy stuff (Thread)
Relevant URL:
13. EMC Symmetrix SAN (Thread)
Relevant URL:
14. GATEWAY ? (Thread)
Relevant URL:
VII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IPSec as a simple firewall (Thread)
Relevant URL:
WIREDCITY.COM.AU">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-12-30%26thread%3d003201c07171$b3b4fd40$e160a1cbWIREDCITY.COM.AU
2. RV: SQL Server (DSN) Hack (Thread)
Relevant URL:
3. SQL Server (DSN) Hack (Thread)
Relevant URL:
4. NTLM AND WAP (Thread)
Relevant URL:
5. Only UNICODE "/" and "\" cause problem? (Thread)
Relevant URL:
6. ISA (Thread)
Relevant URL:
7. NT encryption (Thread)
Relevant URL:
8. infection? (Thread)
Relevant URL:
9. Microsoft Outlook 2000 9.0.0.2711 Plain Text Passwords (Thread)
Relevant URL:
genuity.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2000-12-30%26thread%3d012701c07080$585b09e0$323f4eabgenuity.com
10. Disabling NetBIOS and IIS (Thread)
Relevant URL:
11. Windows NT 4.0 SCP (Thread)
Relevant URL:
12. Chatting Client(s) appropriate for a moderately secure environment (Thread)
Relevant URL:
13. tcp wrappers (Thread)
Relevant URL:
14. SecurityFocus.com Microsoft Newsletter #14 (Thread)
Relevant URL:
15. System/App "footprints" for forensics (Thread)
Relevant URL:
16. IIS/NT logging (Thread)
Relevant URL:
VIII. SUN FOCUS LIST SUMMARY
----------------------------
1. rstchown kernel setting (Thread)
Relevant URL:
IX. LINUX FOCUS LIST SUMMARY
---------------------------
1. Not executing code (stopping fork() loop) (Thread)
Relevant URL:
2. Not executing code (Thread)
Relevant URL:
3. Dsniff (Thread)
Relevant URL:
4. SecurityFocus.com Linux Newsletter #9 (Thread)
Relevant URL:
X. SPONSOR INFORMATION - Network Ice
-------------------------------------
High-Speed Intrusion Protection for the Enterprise from Network ICE
With a unique combination of intrusion detection plus blocking, we deliver
centrally managed intrusion protection products that guard VPN clients,
Gigabit segments and enterprise servers against attack. Block attacks
other products miss, without dropping packets, suffering CPU meltdown or
flooding your NOC with false alarms.
Don't believe it? We can prove it: http://www.networkice.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERVSECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to anwser.
2. How do I unsubscribe?
Send an e-mail message to LISTSERVSECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1securityfocus.com and I
will manualy remove you.
3. How do I disable mail delivery temporarily?
If you will are simply going in vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERVSECURITYFOCUS.COM with with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV from. Either send email from
the appropiate address or email the moderator to be unsubscribed manually.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]