From: Stephen Entwisle (se@SECURITYFOCUS.COM)
Date: Mon Jan 15 2001 - 12:05:55 CST
SecurityFocus.com Newsletter #75
--------------------------------
This issue sponsored by: The Black Hat Briefings
Early bird registration for the Black Hat Briefings Win2K conference ends
January 22! Black Hat is the industry's hottest security event series,
and the Win2K conference February 14-15 in Las Vegas will sell out.
Featuring a top faculty of Win2K and "underground" security experts.
Platinum sponsors include Microsoft and PricewaterhouseCoopers.
See what all of the industry buzz is about at www.blackhat.com or contact
+1.916.853.8555 or info@convmgmt.com to register.
------------------------------------------------
I. FRONT AND CENTER
1. Linux Firewall - the Traffic Shaper
2. Infected Objects - Part Four
II. BUGTRAQ SUMMARY
1. StorageSoft ImageCast IC3 DoS Vulnerability
2. IBM HTTP Server AfpaCache DoS Vulnerability
3. NetScreen Firewall Denial of Service Vulnerability
4. eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
5. WebMaster ConferenceRoom Developer Edition DoS Vulnerability
6. Solaris exrecover Buffer Overflow Vulnerability
7. Linux ReiserFS Kernel Oops and Code Execution Vulnerability
8. glibc RESOLV_HOST_CONF File Read Access Vulnerability
9. Apache /tmp File Race Vulnerability
10. arpwatch /tmp File Race Condition Vulnerability
11. squid /tmp File Race Condition Vulnerability
12. linuxconf /tmp File Race Condition Vulnerability
13. mgetty /tmp File Race Condition Vulnerability
14. gpm /tmp File Race Condition Vulnerability
15. wu-ftpd /tmp File Race Condition Vulnerability
16. inn /tmp File Race Condition Vulnerability
17. sdiff /tmp File Race Condition Vulnerability
18. Borland/Inprise Interbase Backdoor Password Vulnerability
19. Solaris arp Buffer Overflow Vulnerability
20. getty_ps /tmp File Race Condition Vulnerability
21. rdist /tmp File Race Condition Vulnerability
22. shadow-utils /etc/default Temp File Race Condition Vulnerability
23. Ultraboard Incorrect Directory Permissions Vulnerability
24. Basilix Webmail Incorrect File Permissions Vulnerability
25. Microsoft Web Client Extender NTLM Authentication Vulnerability
26. Compaq Web Admin Buffer Overflow Vulnerability
III. SECURITYFOCUS.COM NEWS ARTICLES
1. Interbase back door exposed
2. Is IRC doomed?
3. Clinton relaxes supercomputer export rules
4. 'Analyzer' pleads Guilty
5. Egghead: credit cards safe
IV. SECURITY FOCUS TOP 6 TOOLS
1. XploiterStat Pro 2.7.1.27
2. Linux Intrusion Detection System (LIDS) 1.0.4 for 2.4.0
3. NT_Security
4. CryptoPadSplicer 0.4.1
5. mod_auth_any 1.0.2
6. Advanced Password Generator 2.73
V. SECURITYJOBS LIST SUMMARY
1. Network Security (Thread)
2. Senior Computer Security Investigator - NY - #218 (Thread)
3. Security Architect - NY - #218 (Thread)
4. Security Testing & Vulnerability Analyst - NY - #218 (Thread)
5. Looking for work in NY city. (Thread)
6. Resume - experienced Security Analyst (Thread)
7. Looking for a job (Thread)
8. IT Security Operations Administrator - UK (Thread)
9. MD: IO Instructor - Camp Springs, MD (VIC DC) (Thread)
10. Cisco Systems InfoSec IT Engineer IV/ Security Applications (Thread)
11. Job Posting (Thread)
12. DCE & Tivoli Policy Director (Thread)
13. Information Security Account Managers Needed In NJ (Thread)
VI. INCIDENTS LIST SUMMARY
1. properties in e-mail from sexyfun (Thread)
2. Scans of 21536 (Thread)
3. statd-exploit attack against RH 7.0 (Thread)
4. madmax (Thread)
5. CVX? Re: Scans of 21536 (Thread)
6. Pls send captures. Re: CVX? Re: Scans of 21536 (Thread)
7. Can anyone guess at this "scan"?? (Thread)
8. Linux Kernel 2.4 relaese (Thread)
9. Finding out who owns particular IP addresses (Thread)
10. DNS requests from 209.67.50.203 (fwd) (Thread)
11. bootable readonly media in your pocket (Thread)
12. bootable readonly media in your pocket Re: yes, its t0rn again (Thread)
13. yes, its t0rn again - chkrootkit (Thread)
14. Strange scan behavior (Thread)
15. UDP 28431 Scans (Thread)
16. Some kind of DoS killing a fastethernet interface (Thread)
17. yes, its t0rn again (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Solaris /usr/lib/exrecover buffer overflow (Thread)
2. Code (Thread)
3. ztelnet setuid on Peanut Linux... (Thread)
4. [unicode / iis4] (Thread)
5. New mailing list -WWW-Mobile-Code Security (Thread)
6. Lotus Domino 5.0.5 Web Server vulnerability - reading...(Thread)
7. traceroute-4.4BSD (slack) heap overflow (Thread)
8. smk (Thread)
9. INFO (Thread)
10. exim and ip options? (Thread)
11. Lotus Domino 5.0.5 Web Server vulnerability - reading...(Thread)
12. Seyon buffer overflow exploit. (Thread)
13. Lotus Domino 5.0.5 Web Server vulnerability - reading... (Thread)
14. Router worm exploiting poor SNMP security. (Thread)
15. The NSA's Security-Enhanced Linux (Thread)
16. unicode / iis4 (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. Windows NT/2000 - Disabling LAN Man Password Hash (Thread)
2. computer does not show up in Network Neighborhood (Thread)
3. ICS (Thread)
4. Microsoft Internet Security and Acceleration (ISA) Server 2000 (Thread)
5. Restricting access to ftproot on IIS 4.0 (Thread)
6. NetworkComputing testing of vulnerability scanners (Thread)
7. unknown authentication package (Thread)
8. Verisign 128 Global Server ID's (Thread)
9. SecurityFocus.com Microsoft Newsletter #16 (Thread)
IX. SUN FOCUS LIST SUMMARY
1. Removing default system accounts (Thread)
2. sunscreen EFS: was Testing fw1 implementation (Thread)
3. Sun Security Bulletin #00200 (fwd) (Thread)
4. Testing fw1 implementation (Thread)
5. Openssh and Solaris8(sparc) (Thread)
6. Solaris specific security documentation? (Thread)
7. FW: Solaris /usr/lib/exrecover buffer overflow (Thread)
8. Solaris 7 sticky bit on directory (Thread)
X. LINUX FOCUS LIST SUMMARY
1. identd/nmap (Thread)
2. SecurityFocus.com Linux Newsletter #11 (Thread)
XI. SPONSOR INFORMATION
XII. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. FRONT AND CENTER
-------------------
1. Linux Firewall - the Traffic Shaper
The firewall is a fundamental component of all computer security
strategies. However, the simple firewall is not only restricted to
safeguarding the user's valuable information - it can also optimize the
user's bandwidth. This article, by Jeroen Wortelboer and Jan Van Oorschot
will discuss how Linux firewalls can be used to shape traffic to optimize
quality of Internet service and to reduce vulnerability to DoS attacks.
http://www.securityfocus.com/focus/linux/articles/trafshap.html
2. Infected Objects - Part Four
No matter how quickly the speed of the Internet increases, we still find
it convenient to compress files before we send them. Once a file is
compressed, however, it becomes harder for a virus scanner to find any
virus threat that may be lurking inside it. The challenge of peering
inside the various compression and archival formats to discover the
viruses hidden there has not gotten easier over time. This article - the
fourth in a series by Robert Vibert examining different aspects of viruses
- will discuss the implications of various forms of file compression for
virus protection.
http://www.securityfocus.com/focus/virus/articles/infobj4.html
II. BUGTRAQ SUMMARY
-------------------
1. StorageSoft ImageCast IC3 DoS Vulnerability
BugTraq ID: 2174
Remote: Yes
Date Published: 2001-01-08
Relevant URL:
http://www.securityfocus.com/bid/2174
Summary:
StorageSoft ImageCast IC3 is an imaging application which migrates a
replication of an existing desired hard drive to a target drive. All
settings, tasks and resources are configured in the ImageCast Control
Center (ICCC).
ImageCast IC3 is subject to a denial of service. By sending unusually long
strings to the ICCC service listening on port 12002, the program will
consume all available CPU usage refusing any new connections.
Additionally, sending multiple packets containing long strings to port
8081 will cause the ICCC service (ICCC.exe) to crash completely. A restart
of the application is required in order to gain normal functionality.
2. IBM HTTP Server AfpaCache DoS Vulnerability
BugTraq ID: 2175
Remote: Yes
Date Published: 2001-01-08
Relevant URL:
http://www.securityfocus.com/bid/2175
Summary:
IBM HTTP Server contains AfpaCache directive which turns the Fast Response
Cache Accelerator function on or off.
IBM HTTP Server is subject to a denial of service. Requesting multiple
malformed HTTP GET requests will cause the consumption of kernel memory
and eventually lead to a denial of service. This condition is due to the
AfpaCache module not releasing allocated memory after "Bad Request" HTTP
requests. A restart of the service is required in order to restore normal
functionality.
It should be noted that WebSphere is built based on IBM HTTP Server and is
subject to this vulnerability.
3. NetScreen Firewall Denial of Service Vulnerability
BugTraq ID: 2176
Remote: Yes
Date Published: 2001-01-08
Relevant URL:
http://www.securityfocus.com/bid/2176
Summary:
NetScreen Firewall is a network appliance used to secure against intruders
and various types of attacks to a network. NetScreen has a Web
administrative Interface (WebUI) used to configure and set the firewall
settings.
It is possible to cause a denial of service in NetScreen Firewall.
Requesting an unusually long URL to WebUI listening on default port 80,
will cause the firewall to crash. A restart of the service is required in
order to gain normal functionality.
4. eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
BugTraq ID: 2177
Remote: Yes
Date Published: 2001-01-07
Relevant URL:
http://www.securityfocus.com/bid/2177
Summary:
bbs_forum.cgi is a popular Perl cgi script from eXtropia.com. It supports
the creation and maintenance of web-based threaded discussion forums.
Version 1.0 of bbs_forum.cgi fails to properly validate user-supplied,
URL-encoded input to the read environment variable. Maliciously-formed
URLs submitted to the script may contain references to files on the host's
filesystem, as well as shell commands which will be run with the privilege
level of the webserver (i.e., user 'nobody'). As a result, unpatched
affected versions of the script permit an attacker to execute arbitrary
code and to read arbitrary files on the vulnerable system.
5. WebMaster ConferenceRoom Developer Edition DoS Vulnerability
BugTraq ID: 2178
Remote: Yes
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2178
Summary:
WebMaster ConferenceRoom Developer Edition is a chat package which enables
a large community of users to chat together. ConferenceRoom has a wide
range of capabilities and a user friendly channel moderation feature.
It is possible to cause a denial of service in ConferenceRoom. By making
duplicate connections and executing special server commands in both
sessions, ConferenceRoom will crash and refuse any new connections. A
restart of the service is required in order to gain normal functionality.
6. Solaris exrecover Buffer Overflow Vulnerability
BugTraq ID: 2179
Remote: No
Date Published: 2001-01-09
Relevant URL:
http://www.securityfocus.com/bid/2179
Summary:
exrecover is a system binary included with Solaris, a variant of the UNIX
Operating System distributed by Sun Microsystems. A problem in the binary
could lead to a local attack.
The problem occurs in the handling of format strings by the program. By
executing the program and using format strings as arguments to the
command, it is possible to overflow buffers and cause the program to
crash. The binary, as distributed with Solaris versions 2.4 through 2.6,
is setuid root. While no known exploits exist for this problem, future
research and exploitation of this vulnerability could occur, making it
possible for a user with malicious intent to overwrite stack variables and
potentially arbitrarily execute code.
7. Linux ReiserFS Kernel Oops and Code Execution Vulnerability
BugTraq ID: 2180
Remote: No
Date Published: 2001-01-09
Relevant URL:
http://www.securityfocus.com/bid/2180
Summary:
ReiserFS is a file system alternative to the Linux ext2 file system. It
was originally written by Hans Reiser, and is freely available and
publicly maintained.
A problem has been reported in the handling of long file names with
ReiserFS version 3.5.28 on SuSE Linux distribution 7.0. It is possible to
create a directory with a long file name (the initial example displayed a
directory with 768 characters), then attempt to list the file system using
system binary ls or with built in shell function echo and create a Denial
of Service. Upon attempting to list or echo the contents of the
filesystem, a kernel buffer overflow occurs, overwriting variables on the
stack including possibly the return address, as well as crashing the
system. It may be possible for a malicious user to execute arbitrary code,
deny service to legitimate users, and potentially break out of a chroot
environment. This vulnerability is yet unverified.
8. glibc RESOLV_HOST_CONF File Read Access Vulnerability
BugTraq ID: 2181
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2181
Summary:
glibc is the C Library distributed with most implementations of the Linux
Operating System. It is freely available through the Free Software
Foundation, and publicly maintained.
A problem in glibc versions 2.1.9 and greater allows a local user access
to restricted files. A typo in the glibc source results in insufficient
validation and clearing of the environment variable
RESOLV_HOST_CONF, a controlled environment variable that is normally
cleared when suid/sgid programs are executed. Therefore, it is possible
for a local user to set this environment variable to a sensitive system
file and gain read privileges to the file. This vulnerability makes it
possible for a user with malicious intent to read the shadow file, and
gain access to encrypted passwords. Successful exploitation of this
vulnerability could lead to compromise of system accounts, elevated
privileges, and potentially administrative access.
9. Apache /tmp File Race Vulnerability
BugTraq ID: 2182
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2182
Summary:
Apache web server is a popular http daemon, distributed with many variants
of the UNIX Operating System and maintained by the Apache Project. Immunix
is a hardened Linux distribution maintained by the Immunix team at the
WireX Corporation.
A problem has been discovered in the Apache httpd distributed with the
Immunix Linux distribution, a distribution based off the RedHat Linux
distribution. Apache programs htdigest and htpasswd are used to offer
advanced features to users of the web server. However, these two helper
programs insecurely create files in the /tmp directory, which could allow
for /tmp file guessing. This makes it possible for a user with malicious
motives to mount a symlink attack against files writable by the UID of the
Apache process.
10. arpwatch /tmp File Race Condition Vulnerability
BugTraq ID: 2183
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2183
Summary:
arpwatch is a program designed as part of the tcpdump package. It is
distributed with numerous UNIX variants, and freely available. Immunix is
a hardened Linux distribution maintained by the Immunix group at WireX
Corporation.
A vulnerability exists in arpwatch that could allow a user to perform a
symbolic link attack. When executed, the arpwatch program creates files in
the /tmp directory under certain conditions. These files, however, are not
created in a secure manner, and not stat()'d when the program executes and
attempts to create these files. It is possible to guess the handle of
these files, and create them in advance as symbolic links to programs that
are writable by the user executing arpwatch. The user executing arpwatch
would then overwrite the linked files, or append content to them, thus
corrupting the file. This makes it possible for a user with malicious
motives to overwrite or append to files owned by the user of arpwatch, the
typical user of arpwatch being root.
11. squid /tmp File Race Condition Vulnerability
BugTraq ID: 2184
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2184
Summary:
squid is a freely available Web Proxy software package, written and
maintained by the National Science Foundation. Problems with the software
could lead to a race condition.
The problem occurs in the operation of the software and its creation of
/tmp files. The squid package can be configured to send out emails to the
administrator when updates occur. However, when the email is created,
files in the /tmp directory are created insecurely and the pre-existence
of files is not checked. The creation of the files in the /tmp directory
normally occur under the conditions of either using a development version
of squid, or when the system clock is reporting an incorrect time.
Therefore, it is possible for a user with malicious motives to guess the
handle of a future /tmp file, and create a symbolic link to a file
writable by the UID of the squid process, thus overwriting a file owned by
the squid user, or appending to and corrupting the file.
12. linuxconf /tmp File Race Condition Vulnerability
BugTraq ID: 2186
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2186
Summary:
linuxconf is a powerful configuration tool available for various
distributions of the Linux Operating System. A problem exists which could
potentially allow a race condition and symbolic link attack.
The problem occurs in the creation of /tmp files by linuxconf. The vpop3d
program, which is part of the linuxconf package, creates /tmp files in an
insecure manner under some circumstances. This could result in guessing of
the filename of a future /tmp file, and the creation of a symbolic link to
a file writable by the user executing linuxconf, which is normally root. A
user with malicious motives could use this vulnerability to potentially
overwrite or append to system files.
13. mgetty /tmp File Race Condition Vulnerability
BugTraq ID: 2187
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2187
Summary:
mgetty is a freely available, publicly maintained software package
designed to handle dialin and fax services on the Linux Operating System.
A problem exists which could allow a symbolic link attack.
The problem occurs in the handling of files created in the /tmp directory.
During execution of the program, files are created in the /tmp directory.
However, these files are created in an insecure manner, which makes it
possible to guess the filename of a future /tmp file. This makes it
possible for a user with malicious motives to create a number of symbolic
links in the /tmp directory, and potentially append to or overwrite system
files that are write-accessible to the UID executing mgetty, normally
root.
14. gpm /tmp File Race Condition Vulnerability
BugTraq ID: 2188
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2188
Summary:
gpm is a software package designed to provide console mouse support, and
is distributed with most versions of the Linux Operating System. A problem
in the package could allow a race condition.
The problem is in the creation and handling of /tmp files by the gpm
package. gpm will under some circumstances create files in the /tmp
directory. The files created in the /tmp directory are created insecurely,
as they first use a predictable filename and do not check for the
existence of previously existing files. It is therefore possible for a
user with malicious motives to create symbolic links to files that the UID
of the gpm process (normally running as root) has write access to and
either overwrite, or append to and corrupt the linked files.
15. wu-ftpd /tmp File Race Condition Vulnerability
BugTraq ID: 2189
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2189
Summary:
wu-ftpd is an open source, freely available ftp daemon software package
included with many distributions of the Linux Operating System. A problem
in the software could allow a race condition.
The problem occurs in the creation and handling of files in the /tmp
directory. The program privatepw within the software package creates files
within the /tmp directory insecurely, first by using a predictable naming
scheme for the files, and additionally by not checking for the existence
of the file. It is possible to create a range of symbolic links using
variants of the name of the wu-ftpd /tmp filename. This problem could
allow a user to overwrite or append to and corrupt a file that the UID of
the wu-ftpd process has write access to. The wu-ftpd process normally runs
as root.
16. inn /tmp File Race Condition Vulnerability
BugTraq ID: 2190
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2190
Summary:
inn is a freely available, open source Usenet software package maintained
and available through the ISC, and packaged with various distributions of
the Linux Operating System. A vulnerability exists which could allow a
race condition to occur.
The problem occurs in the creation and handling of /tmp files by the inn
program. Under some circumstances, inn will create files in the /tmp
directory that use a predictable filename. In addition, inn may not check
for the existence of these files. It is possible to create a range
of symbolic links using predicted filenames in the /tmp directory, which
could result in a symbolic link attack. This makes it possible for a user
with malicious intent to symbolically link a file that's write-accessible
by the UID of the inn process, and potentially overwrite or append to and
corrupt the linked file.
17. sdiff /tmp File Race Condition Vulnerability
BugTraq ID: 2191
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2191
Summary:
diffutils is a cornerstone package of all Linux distributions. It is a
freely available, open source, publicly maintained software package
available through the GNU.
A problem in the sdiff program included with diffutils could create a race
condition. This vulnerability is in the creation and handling of files in
the /tmp directory. Under certain circumstances, sdiff will create files
in the /tmp directory, which is done insecurely by first not checking for
the existence of the file, and additionally by using a predictable
filename. It is possible to create a range of symbolic links to a file
that is write-accessible to the user executing the sdiff program, thus
resulting in a symbolic link attack if the sdiff program attempts to
create one of the predicted filenames. The result is the possibility of a
user with malicious motives overwriting or appending to and corrupting a
file that is write-accessible by the UID of the sdiff process.
18. Borland/Inprise Interbase Backdoor Password Vulnerability
BugTraq ID: 2192
Remote: Yes
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2192
Summary:
Interbase is an open source relational database offered by Borland Inprise
Corporation.
Interbase contains a backdoor user account and password called
"LOCKSMITH". When accessed this account will eliminate all implemented
security allowing full control of any database and contents within the
database, this level of access will allow any function to be performed
including modification of objects, root access and execution of arbitrary
functions. "LOCKSMITH" is hard coded in the database engine and is located
in the jrd/pwd.h header.
Successful exploitation of this vulnerability will lead to complete
compromise of the host.
19. Solaris arp Buffer Overflow Vulnerability
BugTraq ID: 2193
Remote: No
Date Published: 2001-01-12
Relevant URL:
http://www.securityfocus.com/bid/2193
Summary:
The arp utility is used for viewing and manipulating tables containing
network to hardware address mappings. On Solaris systems up to version 8,
arp is installed setgid and owned by group bin.
For convenience, Solaris arp supports the option to insert multiple
entries contained in a file at once with the -f parameter. The field
values in the file are extracted as strings via sscanf(). As a result,
there is nothing to ensure that their length does not exceed the size of
the local variables allocated to store them. It is possible to overwrite
stack variables and corrupt program execution flow if fields in the
supplied file are oversized.
This vulnerability can be exploited to execute code with effective groupid
bin privileges. Group 'bin' privileges on Solaris systems can lead to
root access.
Solaris has released patches for this vulnerability, which are in the
solution section of the Relevant URL above.
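The unbounded sscanf() field extraction described above, as an added C example that is not Sun's code: a bounded parser for a constructed arp -f style file (hostname, hardware address, optional flags) that rejects oversized or malformed fields instead of letting them run past the fixed stack arrays. The buffer sizes, the sample file and the function names are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_LEN 64               /* sizes of the fixed stack arrays (assumed) */
#define ADDR_LEN 18               /* "xx:xx:xx:xx:xx:xx" plus NUL */

struct arp_entry {
    char host[HOST_LEN];
    char addr[ADDR_LEN];
};

/* The vulnerable pattern is sscanf(line, "%s %s", e->host, e->addr):
 * "%s" carries no width, so a field longer than the array is written
 * past its end onto the rest of the stack frame. */

/* Accept h:h:h:h:h:h with one or two hex digits per group. */
int valid_ether(const char *s)
{
    int groups = 0;
    while (*s != '\0') {
        int digits = 0;
        while (digits < 2 && isxdigit((unsigned char)*s)) { s++; digits++; }
        if (digits == 0)
            return 0;                       /* empty group or junk */
        groups++;
        if (*s == ':' && s[1] == '\0')
            return 0;                       /* trailing colon */
        if (*s == ':')
            s++;
        else if (*s != '\0')
            return 0;                       /* >2 digits or bad separator */
    }
    return groups == 6;
}

/* Hardened: widths equal to the array sizes, scratch buffers one byte
 * larger, so a field that would not fit is detected and rejected rather
 * than overflowing or being silently truncated to a different name. */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    char host[HOST_LEN + 1], addr[ADDR_LEN + 1];
    if (sscanf(line, "%64s %18s", host, addr) != 2)
        return -1;                          /* missing field */
    if (strlen(host) >= HOST_LEN || strlen(addr) >= ADDR_LEN)
        return -2;                          /* oversized field */
    if (!valid_ether(addr))
        return -3;                          /* malformed hardware address */
    strcpy(e->host, host);
    strcpy(e->addr, addr);
    return 0;
}

/* Parse an in-memory -f style file: blank and '#' lines are skipped,
 * bad lines are counted and skipped, trailing flags are ignored.
 * Returns the number of rejected lines; *count receives accepted ones. */
int parse_arp_file(const char *text, struct arp_entry *out, size_t max,
                   size_t *count)
{
    int rejected = 0;
    const char *p = text;
    *count = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        const char *next = nl ? nl + 1 : p + strlen(p);
        size_t len = (size_t)((nl ? nl : next) - p);
        char line[4096];
        if (len >= sizeof line)
            len = sizeof line - 1;          /* the copy stays bounded too */
        memcpy(line, p, len);
        line[len] = '\0';
        p = next;
        const char *s = line;
        while (isspace((unsigned char)*s))
            s++;
        if (*s == '\0' || *s == '#')
            continue;
        if (*count < max && parse_arp_line(s, &out[*count]) == 0)
            (*count)++;
        else
            rejected++;
    }
    return rejected;
}

/* Constructed sample: comment, blank line, three good entries (two with
 * optional flags), one 200-character hostname, one five-group address. */
const char *sample_file(void)
{
    static char text[1024];
    char longhost[201];
    memset(longhost, 'A', 200);
    longhost[200] = '\0';
    snprintf(text, sizeof text,
             "# constructed arp -f input\n"
             "gateway 0:10:4b:a1:3c:ff\n"
             "\n"
             "%s 00:00:00:00:00:01\n"
             "printer 00:11:22:33:44\n"
             "fileserver 00:11:22:33:44:55 pub\n"
             "laptop a:b:c:d:e:f temp\n", longhost);
    return text;
}

/* Wrappers so the sample run's two counts can be checked directly. */
int sample_rejected(void)
{
    struct arp_entry e[8]; size_t n;
    return parse_arp_file(sample_file(), e, 8, &n);
}
int sample_accepted(void)
{
    struct arp_entry e[8]; size_t n;
    parse_arp_file(sample_file(), e, 8, &n);
    return (int)n;
}
```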
20. getty_ps /tmp File Race Condition Vulnerability
BugTraq ID: 2194
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2194
Summary:
getty_ps is an open source, freely available, publicly maintained software
package shipped with many distributions of Linux. It is designed to handle
logins to the console and terminal.
A problem in the getty_ps software package could make it vulnerable to a
symbolic link attack. The problem occurs in the creation and handling of
files in the /tmp directory by the getty_ps program. Under certain
circumstances, getty_ps will create files in the /tmp filesystem in an
insecure manner. The program uses a naming scheme that could make it
possible to guess the filename of future files in the /tmp directory, and
does not check for the existence of the file before attempting to create
it. It is possible to create a range of symbolic links with forecasted
filenames, and link them to files that are write-accessible by the UID of
the getty_ps process, which is normally run as root. A malicious user
could use this vulnerability to overwrite or append to and corrupt system
files.
21. rdist /tmp File Race Condition Vulnerability
BugTraq ID: 2195
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2195
Summary:
rdist is a freely available, open source software package distributed with
numerous variants of the Linux Operating System. It is designed to
maintain identical copies of files on numerous different machines,
preserving as many different attributes of the file as possible.
A problem in the program exists that could allow for a symbolic link
attack. Under some circumstances, rdist will create files in the /tmp
directory. However, the files created in the /tmp file system are created
insecurely, as the name of future files created by rdist can be predicted,
and the program does not check for the existence of files before
attempting to create them. It is possible to create a range of symbolic
links in the /tmp file system using forecasted names of files that could
be created by the rdist process, and symbolically linked to files that are
write-accessible to the UID of the rdist process. This makes it possible
for a user with malicious intent to overwrite or append to and corrupt
files owned by another user, and potentially system files.
22. shadow-utils /etc/default Temp File Race Condition Vulnerability
BugTraq ID: 2196
Remote: No
Date Published: 2001-01-10
Relevant URL:
http://www.securityfocus.com/bid/2196
Summary:
shadow-utils is a freely available, open source software package available
with most distributions of the Linux Operating System. shadow-utils
provides a higher level of security to systems by providing stronger
cryptography and secure account management tools.
A problem in the package could create the opportunity for a symbolic link
attack. During execution of the passwd program, temporary files are
created in the /etc/default directory. The files created in this directory
use predictable filenames. In the event of the /etc/default directory
being world writable, it is possible to create a range of symbolic links
to files owned by another user that could overwrite or append to files
that are write-accessible by the UID of the passwd process. This could
make it possible for a user with malicious motives to overwrite or append
to and corrupt files writable by the UID of the passwd process.
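The /tmp race pattern shared by items 9 through 17 and 20 through 22 above, as an added C example (not code from any of the advisories or the affected packages): the unsafe open beside two hardened forms, run against a symlink planted at a predictable name in a scratch directory. The directory, file names and function names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern in the advisories: a predictable name (supplied by the
 * caller here) opened with fopen("w"). fopen follows a symlink planted
 * at that name and truncates whatever the link points at. */
int unsafe_tmp_write(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");            /* O_WRONLY|O_CREAT|O_TRUNC */
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened open on a fixed name: O_CREAT|O_EXCL creates atomically and
 * fails with EEXIST if anything, file or symlink, is already there;
 * O_NOFOLLOW is defence in depth; mode 0600 keeps other users out. */
int safe_tmp_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                          /* errno == EEXIST if pre-planted */
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Preferred form: mkstemp picks an unpredictable name and creates it
 * with O_EXCL in one step, so there is no name to guess in advance. */
int safe_tmp_create(const char *dir, const char *prefix, char *tmpl, size_t tmpl_len)
{
    int n = snprintf(tmpl, tmpl_len, "%s/%s.XXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= tmpl_len)
        return -1;
    return mkstemp(tmpl);                   /* caller closes and unlinks */
}

/* Helper for the demo: read a small file into buf, NUL-terminated. */
ssize_t read_small_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Demo: in a scratch directory, plant a symlink at the "predictable"
 * name pointing at a victim file, then run both writers through it.
 * Returns 1 when the unsafe writer clobbered the victim and the safe
 * writer refused with EEXIST, leaving the victim untouched. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/raceXXXXXX";        /* scratch dir, constructed */
    char victim[256], planted[256], buf[64];
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/prog.tmp", dir);
    if (safe_tmp_write(victim, "original") != 0 || symlink(victim, planted) != 0)
        return 0;
    int clobbered = unsafe_tmp_write(planted, "clobbered") == 0
        && read_small_file(victim, buf, sizeof buf) > 0
        && strcmp(buf, "clobbered") == 0;
    int refused = safe_tmp_write(planted, "blocked") != 0 && errno == EEXIST;
    int intact = read_small_file(victim, buf, sizeof buf) > 0
        && strcmp(buf, "clobbered") == 0;   /* safe writer changed nothing */
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return clobbered && refused && intact;
}

int main(void)
{
    printf("symlink race demonstrated: %s\n", demo_symlink_race() ? "yes" : "no");
    return 0;
}
```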
23. Ultraboard Incorrect Directory Permissions Vulnerability
BugTraq ID: 2197
Remote: No
Date Published: 2001-01-11
Relevant URL:
http://www.securityfocus.com/bid/2197
Summary:
A version of Ultraboard 2000, a bulletin board script from UltraScripts,
is reported to install with improperly-set directory permissions.
As a result, a local user could copy malicious cgi scripts to these
directories which would then be remotely executable with the privilege
level of the webserver.
This may lead to a compromise of data owned by the webserver user, such as
defacement of the webpage.
24. Basilix Webmail Incorrect File Permissions Vulnerability
BugTraq ID: 2198
Remote: No
Date Published: 2001-01-11
Relevant URL:
http://www.securityfocus.com/bid/2198
Summary:
A vulnerability has been reported in basilix webmail v. 0.9.7b.
Basilix Webmail ships with several configuration files that have the file
extensions '.class' and '.inc'. Among other things, these files contain
the authentication information for the MySQL database that the product
uses.
These files reside in directories accessible via http. If the webserver is
not configured to treat .class and .inc files as PHP scripts, they can be
retrieved by remote users.
Properly exploited, this information can allow further attacks on the
affected host.
25. Microsoft Web Client Extender NTLM Authentication Vulnerability
BugTraq ID: 2199
Remote: Yes
Date Published: 2001-01-11
Relevant URL:
http://www.securityfocus.com/bid/2199
Summary:
Web Extender Client (WEC) is a feature in Office 2000, Windows 2000 and
Windows ME used in web publishing. WEC enables a user to manipulate basic
file functions such as DIR using the HTTP protocol.
Due to a design error, WEC does not implement the security zone settings
in Internet Explorer. The vulnerability lies within the fact that WEC may
initiate an NTLM challenge-response session with any server even if it is
not trusted. Therefore, a malicious user could possibly obtain
third-party NTLM credentials by either creating an HTML or email message
which requests a session that would automatically send NTLM credentials
back to the malicious user. They could then apply brute force techniques
to the recovered data to access a valid password.
Successful exploitation of this vulnerability could lead to the disclosure
of sensitive information and possibly assist in further attacks against
the victim.
26. Compaq Web Admin Buffer Overflow Vulnerability
BugTraq ID: 2200
Remote: Unknown
Date Published: 2001-01-11
Relevant URL:
http://www.securityfocus.com/bid/2200
Summary:
A vulnerability has been reported in the web-based administration
component common to a number of Compaq software products.
The administration tool is vulnerable to buffer overflow attack techniques
employing maliciously-formed user-supplied input. Properly exploited, this
vulnerability can allow a remote attacker to execute arbitrary code on the
affected system, with the privilege level of the system administrator.
The advisory did not provide further information about this vulnerability.
The following was excerpted from notification by
<researchteam@esecurityonline.com>:
Affected Technologies:
Compaq Foundation Agents 4.0-4.90, 1.0-2.1
Digital Unix (Tru64) 4.0F and later
Insight Manager XE 1.0-2.1, LC 1.03c, 1.50A
Survey Utility 2.17-2.33
Intelligent Cluster Admin 1.0-2.1
System Healthcheck 3.0.0
Enterprise Volume Manager/Command Scripter 1.1 and 1.0
Insight Management Desktop Web Agents 3.70
Armada Insight Mgr 4.20-4.20J
Management Agents 4.30-4.35, 4.36-4.37E, 4.36E
Open SAN Manager 1.0
SANWorks Resource Monitor 1.0
Storage Allocation Reporter 1.0
III. SECURITYFOCUS.COM NEWS AND COMMENTARY
------------------------------------------
1. Interbase back door exposed
By Kevin Poulsen
A back door password has been hidden in Borland/Inprise's popular
Interbase database software for at least seven years, potentially exposing
tens of thousands of private databases at corporations and government
agencies to unauthorized access and manipulation over the Internet,
experts say.
http://www.securityfocus.com/templates/article.html?id=136
2. Is IRC doomed?
Distributed denial of service attacks threaten the net's last
commercial-free zone.
By Thomas C. Greene, The Register
January 11, 2001 3:17 PM PT
Recent media coverage of massive, crippling DDoS attacks against Undernet,
one of the largest IRC (Internet relay chat) networks, indicates the mere
tip of an iceberg. In an informal survey of IRC administrators from
Undernet, IRCNet, EFnet, and AustNet, we've learned that DDoSing kiddiots
have been gobbling up enough bandwidth to make the entire project too
expensive to maintain.
http://www.securityfocus.com/templates/article.html?id=135
3. Clinton relaxes supercomputer export rules
By Kevin Poulsen
The White House announced Wednesday that it would ease export restrictions
on high-speed supercomputers, expanding the list of nations to which U.S.
companies can ship powerful systems without obtaining prior approval from
the Commerce Department.
Because supercomputers are vital to nuclear weapons design and other
military applications, export restrictions were crafted in the cold war era
to keep big iron out of the hands of rogue nations or potential
adversaries. But as the processing power of common desktop machines
skyrocketed each year, the government struggled to keep pace, and industry
became frustrated by the regulatory fetters on international sales.
http://securityfocus.com/templates/article.html?id=134
4. 'Analyzer' pleads Guilty
By Kevin Poulsen
Ehud Tenebaum, the Israeli hacker famous as "The Analyzer," has pleaded
guilty in Israel to the 1998 attacks on unclassified U.S. Defense
Department systems that once touched off alarms at the highest levels of
government.
In an appearance late last month before the Magistrate's Court in Kfar
Sava, a suburb east of Tel Aviv, the 21-year-old hacker admitted to
cracking U.S. and Israeli computers, and pleaded guilty to conspiracy,
wrongful infiltration of computerized material, disruption of computer use
and destroying evidence.
http://www.securityfocus.com/templates/article.html?id=133
5. Egghead: credit cards safe
By Thomas C. Greene, The Register
Hacked computer e-tailer Egghead.com said it has "evidence which suggests"
that its team of security sleuths interrupted the recent cyber break-in
while it was going on, a mysterious event which may or may not have
resulted in millions of credit card details being compromised.
http://www.securityfocus.com/templates/article.html?id=132
IV. SECURITY FOCUS TOP 6 TOOLS
-----------------------------
1. XploiterStat Pro 2.7.1.27
Platforms: Windows 2000, Windows 95/98 and Windows NT
by Simon Steed (simon@xploiter.com)
Relevant URL: http://www.xploiter.com/xploiterstat/
XploiterStat Pro is a shareware network management tool in a similar vein
to the DOS program 'Netstat.exe': it shows all the connections to your
machine, listening ports (identifying trojans) etc., allowing the user
to see which TCP/UDP and ICMP connections are present on the machine. This is
the latest release of the program formerly known as Totostat Enhanced.
It can be used by networking professionals to determine what connections
are on the machine at any time, along with all the ports that may be
listening (i.e. services, trojan horses etc.).
2. Linux Intrusion Detection System (LIDS) 1.0.4 for 2.4.0
Platforms: Linux
by Xie Hua Gang (xhg@gem.ncic.ac.cn)
Relevant URL: http://www.lids.org/
The Linux Intrusion Detection System is a patch which enhances the
kernel's security. When it is in effect, chosen files access, all
system/network administration operations, any capability use, raw device,
mem, and I/O access can be made impossible even for root. You can define
which program can access which file. It uses and extends the system
capabilities bounding set to control the whole system and adds some
network and filesystem security features to the kernel to enhance the
security. You can finely tune the security protections online, hide
sensitive processes, receive security alerts through the network, and
more.
3. NT_Security
Platform: Windows NT
by HB3^
Relevant URL: http://www.securityfocus.com/tools/1902
NT_Security2.reg is a registry file that helps administrators SECURE their
Windows NT 4.0 (workstation/server) and possibly some Win2k machines in a
quick and efficient way. To be sure that everything applies to your machine,
go and check all the entries. If you want to remove one entry, just add ';'
in front of it. Added more useful registry entries to NT_Security.reg
(http://packetstorm.securify.com/NT/NT_security.reg).
By HB3^, Node Solutions, Inc. (http://node.bc.ca/)
4. CryptoPadSplicer 0.4.1
Platform: Linux and PalmOS
by Boris Wesslowski (bw@kybs.de)
Relevant URL: http://www.kybs.de/boris/software.shtml
CryptoPadSplicer is a conduit for a Palm application called CryptoPad. It
can transfer, decrypt, and save files from a PalmPilot to a PC.
5. mod_auth_any 1.0.2
Platforms: Linux, Solaris and UNIX
by Nafees Bin Zafar (binzafar@musc.edu)
Relevant URL: http://www.itlab.musc.edu/~nafees/mod_auth_any.html
mod_auth_any is a runtime module for the Apache HTTP Server, quite
possibly the best webserver in the world. This module allows you to use
any command line program (such as webNIS) to authenticate a user. No more
having to keep AuthUserFiles in sync, or maintain some nasty database. You
can even have an expect script that does ssh authentication.
6. Advanced Password Generator 2.73
Platforms: Windows 2000, Windows 95/98 and Windows NT
by Segobit Software
Relevant URL: http://www.securityfocus.com/tools/1907
Advanced Password Generator is an application designed to generate
passwords of any length and character content. It lets the user choose
among the random number generators built into the application; this
feature is used to generate an extremely random seed value. The random
number generators are written in a low-level language, and some of the
generators built into this application would be impossible to write in a
high-level language (Basic, Pascal, C++ and others). After registration,
the user can obtain the application with their own additional random
number generator. Advanced Password Generator will create alphabetic,
numeric, alphanumeric or all-keyboard-character passwords of user-defined
length. Passwords can be generated in lowercase or mixed case, and all
passwords can be printed.
V. SECURITY JOBS SUMMARY
------------------------
1. Network Security (Thread)
Relevant URL:
2. Senior Computer Security Investigator - NY - #218 (Thread)
Relevant URL:
3. Security Architect - NY - #218 (Thread)
Relevant URL:
4. Security Testing & Vulnerability Analyst - NY - #218 (Thread)
Relevant URL:
5. Looking for work in NY city. (Thread)
Relevant URL:
6. Resume - experienced Security Analyst (Thread)
Relevant URL:
7. Looking for a job (Thread)
Relevant URL:
8. IT Security Operations Administrator - UK (Thread)
Relevant URL:
9. MD: IO Instructor - Camp Springs, MD (VIC DC) (Thread)
Relevant URL:
10. Cisco Systems InfoSec IT Engineer IV/ Security Applications (Thread)
Relevant URL:
11. Job Posting (Thread)
Relevant URL:
12. DCE & Tivoli Policy Director (Thread)
Relevant URL:
13. Information Security Account Managers Needed In NJ (Thread)
Relevant URL:
VI. INCIDENTS LIST SUMMARY
-------------------------
1. properties in e-mail from sexyfun (Thread)
Relevant URL:
2. Scans of 21536 (Thread)
Relevant URL:
3. statd-exploit attack against RH 7.0 (Thread)
Relevant URL:
4. madmax (Thread)
Relevant URL:
5. CVX? Re: Scans of 21536 (Thread)
Relevant URL:
6. Pls send captures. Re: CVX? Re: Scans of 21536 (Thread)
Relevant URL:
7. Can anyone guess at this "scan"?? (Thread)
Relevant URL:
8. Linux Kernel 2.4 relaese (Thread)
Relevant URL:
9. Finding out who owns particular IP addresses (Thread)
Relevant URL:
10. DNS requests from 209.67.50.203 (fwd) (Thread)
Relevant URL:
11. bootable readonly media in your pocket (Thread)
Relevant URL:
12. bootable readonly media in your pocket Re: yes, its t0rn again (Thread)
Relevant URL:
13. yes, its t0rn again - chkrootkit (Thread)
Relevant URL:
14. Strange scan behavior (Thread)
Relevant URL:
15. UDP 28431 Scans (Thread)
Relevant URL:
16. Some kind of DoS killing a fastethernet interface (Thread)
Relevant URL:
17. yes, its t0rn again (Thread)
Relevant URL:
VII. VULN-DEV RESEARCH LIST SUMMARY
----------------------------------
1. Solaris /usr/lib/exrecover buffer overflow (Thread)
Relevant URL:
2. Code (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d82%26date%3d2001-01-14%26thread%3d03f601c07d7a$4d2f4700$f600a8c0@defcomsec.com
3. ztelnet setuid on Peanut Linux... (Thread)
Relevant URL:
4. [unicode / iis4] (Thread)
Relevant URL:
5. New mailing list -WWW-Mobile-Code Security (Thread)
Relevant URL:
6. Lotus Domino 5.0.5 Web Server vulnerability - reading fi (Thread)
Relevant URL:
7. traceroute-4.4BSD (slack) heap overflow (Thread)
Relevant URL:
8. smk (Thread)
Relevant URL:
9. INFO (Thread)
Relevant URL:
10. exim and ip options? (Thread)
Relevant URL:
11. Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root (Thread)
Relevant URL:
12. Seyon buffer overflow exploit. (Thread)
Relevant URL:
13. Lotus Domino 5.0.5 Web Server vulnerability - reading filesoutside the web root (Thread)
Relevant URL:
14. Router worm exploiting poor SNMP security. (Thread)
Relevant URL:
15. The NSA's Security-Enhanced Linux (Thread)
Relevant URL:
16. unicode / iis4 (Thread)
Relevant URL:
VIII. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows NT/2000 - Disabling LAN Man Password Hash (Thread)
Relevant URL:
2. computer does not show up in Network Neighborhood (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-01-14%26thread%3d159001c07bdf$4b108070$3200a8c0@jungle.funkybadger.org
3. ICS (Thread)
Relevant URL:
4. Microsoft Internet Security and Acceleration (ISA) Server 2000 (Thread)
Relevant URL:
5. Restricting access to ftproot on IIS 4.0 (Thread)
Relevant URL:
6. NetworkComputing testing of vulnerability scanners (Thread)
Relevant URL:
7. unknown authentication package (Thread)
Relevant URL:
8. Verisign 128 Global Server ID's (Thread)
Relevant URL:
9. SecurityFocus.com Microsoft Newsletter #16 (Thread)
Relevant URL:
IX. SUN FOCUS LIST SUMMARY
----------------------------
1. Removing default system accounts (Thread)
Relevant URL:
2. sunscreen EFS: was Testing fw1 implementation (Thread)
Relevant URL:
3. Sun Security Bulletin #00200 (fwd) (Thread)
Relevant URL:
4. Testing fw1 implementation (Thread)
Relevant URL:
5. Openssh and Solaris8(sparc) (Thread)
Relevant URL:
6. Solaris specific security documentation? (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d92%26date%3d2001-01-14%26thread%3d00d201c07b3b$028f3340$220ba8c0@promien.prz.rzeszow.pl
7. FW: Solaris /usr/lib/exrecover buffer overflow (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d92%26date%3d2001-01-14%26thread%3d004101c07b30$091d84b0$f0f066cf@tantalus.com
8. Solaris 7 sticky bit on directory (Thread)
Relevant URL:
X. LINUX FOCUS LIST SUMMARY
---------------------------
1. identd/nmap (Thread)
Relevant URL:
2. SecurityFocus.com Linux Newsletter #11 (Thread)
Relevant URL:
XI. SPONSOR INFORMATION - The Black Hat Briefings
-------------------------------------------------
Early bird registration for the Black Hat Briefings Win2K conference ends
January 22! Black Hat is the industry's hottest security event series,
and the Win2K conference February 14-15 in Las Vegas will sell out.
Featuring a top faculty of Win2K and "underground" security experts.
Platinum sponsors include Microsoft and PricewaterhouseCoopers.
See what all of the industry buzz is about at www.blackhat.com or contact
+1.916.853.8555 or info@convmgmt.com to register.
XII. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation, you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.