Merit Network Email List Archives: Network Security

Historical FWD: SANS Windows Security Digest Vol. 3 Num. 6

  • From: Paul Howell
  • Date: Fri Jun 30 21:22:26 2000

------- Forwarded Message

From: The SANS Institute <sans@sans.org>
Subject: SANS Windows Security Digest Vol. 3 Num. 6


************************************************************************

                   The SANS Windows Security Digest
      A Resource for Computer and Network Security Professionals
                          Volume 3, Number 6
                            June 30, 2000

             Dr. Jesper M. Johansson (Boston University)

Editorial Board:
     Dr. Matt Bishop (Univ. California, Davis)
     Jeff Brown (Merrill Lynch)
     Phil Cox (SystemExperts Corp.)
     Mark T. Edmead (IBM Security and Privacy Services)
     Chris Lalka (Exxon) 
     Steve Lewis (GRCI)
     Eric Maiwald (Fortrex)
     Rob Marchand (Array Systems),
     Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)

Copyright 2000. The SANS Institute. All rights reserved.

You may forward this issue to your co-workers and encourage them to
subscribe. To do so, send a note with the subject "NT Digest" to
digest@sans.org

************************************************************************ 

This month has seen the usual share of activity. Six new Microsoft
security bulletins were issued, and Microsoft updated three bulletins.
Because of the large number of updates, we have placed those in a
separate section. Perhaps the biggest news this month is the
availability of the security patch for Microsoft Outlook. More on that
in item 2.3.1 below. In addition, some very interesting insights into
the replication protocols for NT were published. Read more about them
in 2.3.2 and 2.3.4. Lastly, the tip of the month tells you how to
enable the modification of Access Control Lists in Active Directory.

JMJ

*********************** Sponsored by SurfWatch *************************
 
Is Network Bandwidth a concern for your company?
 
If employees have Internet access, it should be.  When employees
download movie clips, music, and other large files from the Internet,
access for business purposes can be delayed. This issue can easily be
avoided with SurfWatch.  Download now and try SurfWatch FREE for 30
days. http://www.surfwatch.com
 
************************************************************************   

Table of Contents
1. Microsoft Security Bulletins

1.1. Updated bulletins

1.1.1. Update: MS00-031 - Patch Available for "Undelimited .HTR Request"
       and "File Fragment Reading via .HTR" Vulnerabilities
1.1.2. Update: MS00-035 - Patch Available for "SQL Server 7.0 Service
       Pack Password" Vulnerability
1.1.3. Update: MS00-038 - "Malformed Windows Media Encoder Request"

1.2. New Bulletins

1.2.1. MS00-020 - Patch Available for "Desktop Separation" Vulnerability
1.2.2. MS00-032 - Patch and Tool Available for "Protected Store Key
       Length" Vulnerability
1.2.3. MS00-037 - Patch Available for "HTML Help File Code Execution"
       Vulnerability
1.2.4. MS00-039 - Patch Available for "SSL Certificate Validation"
       Vulnerabilities
1.2.5. MS00-040 - Patch Available for "Remote Registry Access
       Authentication" Vulnerability
1.2.6. MS00-041 - Patch Available for "DTS Password" Vulnerability

2. Microsoft Software Issues

2.1. IE Issues

2.1.1. IE 5 cross-frame navigation vulnerability

2.2. Windows 2000 Only (Note, these are issues that affect only Windows
     2000. Win2K may also be affected by issues listed under All/Other
     Microsoft Software Issues below)

2.2.1. shell:// crashes Explorer

2.3. All/Other Microsoft Software Issues

2.3.1. Security update for MS Outlook 98 and 2000 available
2.3.2. Reasons to upgrade your systems from SP3 to SP4 or Win2k
2.3.3. Buffer overflow in Windows Explorer
2.3.4. Unauthenticated SMB DOS vulnerabilities
2.3.5. Windows DNS server leaks administrator account name

3. Third-party software issues
3.1. Buffer overflows and DOS attacks discovered this month

Many buffer overflows and DOS attacks are discovered each month. We
report the ones we know about here. We have divided them into two
groups: those that are exploitable buffer overruns, and those that
merely provide a remote Denial of Service attack. The buffer overruns
are generally more severe. In addition, we have tried to give you a
little more information in a concise format. To that end, certain items
are marked with a # or @ sign. A # sign means that an exploit for this
issue is publicly available. An @ sign means that a fix is currently
available. We have also, in some cases, included a URL after the item.
That URL points to either a fix, if one is available, or to the
vendor's web site, if we know it.

Exploitable Buffer Overruns
* #@ i-drive Filo 1.0.0.1 (fixed in Filo 1.5.3,
  http://www.idrive.com/site/download/WinFiloInstaller.exe)
* # EServ 2.9.2 and lower (http://www.eserv.ru)
* @ HP Web JetAdmin 6.0 (fixed in JetAdmin 6.0.1233,
  http://www.hp.com/cposupport/swindexes/hpwebjetad1880_swen.html)
* # Sambar Server 4.3 (fixed by removing the line
  INIT = samples.dll:netutils_init from config.ini)

* #@ WebBBS v1.15 (fixed in version 1.17 http://www.webbbs.org)
* @ CMail v2.4.7 (fixed in 2.4.8 http://www.computalynx.net)
* HP Openview Network Node Manager v6.1 (http://www.openview.hp.com/)
* #@ WinProxy 2.0.0 and 2.0.1 (fixed in 2.0.2
  http://www2.comco.ne.jp/~sin/WinProxy/)

DOS attacks
* #@ mDaemon 2.8.5.0 (fixed in mDaemon 2.8.6.0 and higher
  http://www.mdaemon.com)
* # Real Networks Real Server 7.0 and 7.01 (http://www.real.com)
* # Ceilidh v2.60a (http://www.lilikoi.com/)
* # Small HTTP Server v. 1.212
  (http://wwwwin.wplus.net/pp/mrdoors/srv/index.htm)
* # Dragon Server 1.0 and 2.0 (http://www.shadowopsoftware.com/)
* #@ AnalogX SimpleServer WWW v. 1.05 (fixed in 1.06
  http://www.analogx.com/files/sswwwi.exe)
* #@ PGP Certificate Server Version 2.5.0 and 2.5.1 (fix available from
  vendor. http://www.nai.com)

3.2. Firewall-1 IP Fragmentation vulnerability
3.3. Weak encryption of passwords in PassWD 1.2
3.4. Allaire Security Bulletin ASB00-014: Cold Fusion Denial of Service
     vulnerability
3.5. Allaire Security Bulletin ASB00-015: Allaire JRun sample file
     vulnerabilities

3.6. Code exposure vulnerability in interpreters for JSP and/or JHTML
     pages

3.6.1. Unify's ServletExec JSP interpreter
3.6.2. BEA WebLogic
3.6.3. IBM WebSphere

3.7. Vulnerabilities and fixes in Norton Antivirus for Exchange
3.8. NAI Webshield SMTP scanner unable to block Base64 attachments

4. Tip of the month: Can't figure out how to secure user objects in
   Active Directory?

========================================================================

1. Microsoft Security Bulletins

1.1. Updated bulletins

1.1.1. Update: MS00-031 - Patch Available for "Undelimited .HTR Request"
       and "File Fragment Reading via .HTR" Vulnerabilities

In the May digest we discussed MS00-031. This month Microsoft updated
that bulletin to announce a new patch for IIS 5.0 (Windows 2000).
Apparently, the original IIS 5.0 patch did not eliminate the "File
Fragment Reading via .HTR" vulnerability. The IIS 4.0 patch works as
advertised. The new patch is available at:

* http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903

For more information see:
* Microsoft Security Bulletin MS00-031
  http://www.microsoft.com/technet/security/bulletin/MS00-031.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-031
  http://www.microsoft.com/technet/security/bulletin/fq00-031.asp
* Microsoft Knowledge Base (KB) article Q260838 "IIS Stops Servicing
  HTR Requests"
  http://www.microsoft.com/technet/support/kb.asp?ID=260838 
* Microsoft Knowledge Base (KB) article Q260069 "Malformed HTR Request
  Returns Source Code for ASP Scripting Files"
  http://www.microsoft.com/technet/support/kb.asp?ID=260069 
* The May 2000 SANS Windows Security Digest
* The Cerberus advisory
  http://www.cerberus-infosec.co.uk/advisories.html
* The ISS X-Force advisory
  http://xforce.iss.net/alerts/advise52.php


1.1.2. Update: MS00-035 - Patch Available for "SQL Server 7.0 Service
       Pack Password" Vulnerability

Also in the May WSD we covered a problem with SQL Server 7.0, SP1 and
SP2. When the server is installed in Mixed Mode and an administrator
installs the service pack using SQL Authentication, the sa password is
stored in %temp%\sqlsp.log. However, this month the bulletin was updated
to announce that the password is also recorded in
%systemroot%\setup.iss. The patch has been updated to address this as
well. Again, the patch is not for SQL Server itself. Rather, the patch
should be applied to the service pack source files before the service
pack is applied. It is available at:

* Microsoft SQL Server 7.0 Service Pack 2
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21546

For more information see:
* Microsoft Security Bulletin MS00-035
  http://www.microsoft.com/technet/security/bulletin/MS00-035.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-035
  http://www.microsoft.com/technet/security/bulletin/fq00-035.asp 
* Microsoft Knowledge Base (KB) article Q263968 "FIX: Service Pack
  Install Can Save Standard Security Password in File"
  http://www.microsoft.com/technet/support/kb.asp?ID=263968
* The May 2000 Windows Security Digest
* A whitepaper on securing SQL Server
  http://www.microsoft.com/technet/SQL/Technote/secure.asp

1.1.3. Update: MS00-038 - "Malformed Windows Media Encoder Request"

In May Microsoft released a security patch for the Windows Media
Services. However, the patch that was created contained a regression
error. No information was released on what the regression error was,
but users who upgraded their installations with the original patch are
advised to apply the new patch as well. The patch is available at:

* http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21904

For more information see:
* Microsoft Security Bulletin MS00-038
  http://www.microsoft.com/technet/security/bulletin/MS00-038.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-038
  http://www.microsoft.com/technet/security/bulletin/fq00-038.asp 
* Microsoft Knowledge Base (KB) article Q264133 "Malformed MSBD Packet
  Causes Windows Media Encoder to Fail"
  http://www.microsoft.com/technet/support/kb.asp?ID=264133 

1.2. New Bulletins

1.2.1. MS00-020 - Patch Available for "Desktop Separation" Vulnerability

This patch has been in the works for quite some time. The issue involves
the separation of processes within WindowStations. When a user logs on
to a Windows NT or 2000 system a session is created. Each session
contains one or more WindowStations. Each WindowStation, in turn,
contains one or more desktops. The problem is that a process on one
desktop can access information in a WindowStation other than its
parent's. This could allow an interactive user to, for example, interact
with the Winlogon process, which runs in a WindowStation in the SYSTEM
user's context.

All Windows 2000 systems are vulnerable. However, users in a Terminal
Server session cannot exploit this, because a Terminal Server session
runs as a separate session.

The knowledge base article states that this fix was included in the
"March 23 security update." This is incorrect: there was no March 23
security update, and the version numbers of the files in the hotfix
differ from anything on a system with all security fixes installed.
Therefore, to fix this problem, you must apply this fix:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20836

For more information see:
* Microsoft Security Bulletin MS00-020
  http://www.microsoft.com/technet/security/bulletin/MS00-020.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-020
  http://www.microsoft.com/technet/security/bulletin/fq00-020.asp
* Microsoft Knowledge Base (KB) article Q260197 "Interactive Logon
  Allows Unauthorized Actions in Desktop Process"
 http://www.microsoft.com/technet/support/kb.asp?ID=260197 

1.2.2. MS00-032 - Patch and Tool Available for "Protected Store Key
       Length" Vulnerability

The Protected Store in Windows is a part of the CryptoAPI and is used
to provide encrypted storage for security sensitive information, such
as private keys and certificates. By design, the Protected Store should
be encrypted with the highest level of encryption installed on the
system. However, on Windows 2000, it is always encrypted with 40-bit
encryption, in spite of the fact that the OS ships with 56-bit
encryption installed. If the user upgrades to 128-bit encryption, using
the included high-encryption pack, the Protected Store remains at
40-bits.

The patch will upgrade the encryption so that on a 56-bit security
system a 56-bit DES key is applied. On 128-bit security systems the
Protected Store will be secured using Triple-DES. The bulletin FAQ
states that this results in the cryptographic security of a 168-bit
key. That overstates it: three-key Triple-DES does carry a 168-bit key,
but a meet-in-the-middle attack reduces its effective strength to about
112 bits, and the two-key variant (112-bit key) is weaker still.

The patch, which has temporarily been removed to fix a regression error,
will be re-posted when it is stable. It will be available at:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21703

For more information see:
* Microsoft Security Bulletin MS00-032
  http://www.microsoft.com/technet/security/bulletin/MS00-032.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-032
  http://www.microsoft.com/technet/security/bulletin/fq00-032.asp
* Microsoft Knowledge Base (KB) article Q260219 "High Encryption Pack
  Does Not Protect Windows 2000 Private Keys"
  http://www.microsoft.com/technet/support/kb.asp?ID=260219 

1.2.3. MS00-037 - Patch Available for "HTML Help File Code Execution"
       Vulnerability

Microsoft released this patch to mitigate a vulnerability in the HTML
help file facility. However, the patch does not eliminate the problem.

All help files in Windows 2000 and many help files in Windows NT 4.0
and various applications use an HTML format. These files are stored as
CHM files. These help files may contain functionality to launch code
without user approval. This functionality is intended to be used to run
Wizards. However, it is possible for an attacker to launch malicious
code if a user launches a help file containing this code. Doing so is
only possible if the help file is either local to the user's system or
contained on an SMB share accessible to the user. Note, the user does
not consciously need to launch the help file. The Active Scripting
engine contains a showHelp call that can be used to launch a help file
that is accessible as detailed above. This code can be included on a
web page, or in an e-mail message.

According to CERT/CC, the attack relies on the following conditions to
succeed:

1. The attacker must cause the user to launch the help file,
intentionally or unintentionally. This can be accomplished by using the
showHelp call in Active Scripting

2. The help file must be accessible to the user, and the attacker must
know the relative location from the user's perspective

3. If the Active Scripting attack vector is used, the script must run
in a security zone that allows execution of ActiveX controls marked as
safe for scripting

4. The HHCtrl control must be present. It also must be marked as "safe
for scripting" and "safe for initialization." Windows 2000, IE 4.x and
5.x all provide this by default.

It would be prudent to take several steps to mitigate this vulnerability
and others like it. The more of these measures are taken, the better.
However, some of them interfere significantly with functionality.

1. Configure firewalls to block outgoing SMB in addition to incoming
SMB. Commonly, firewalls only block SMB coming in. However, this shows
that it is just as important to block it going out. To block SMB, block
the following ports:

   a. 137 TCP and UDP (NetBIOS name service)
   b. 138 UDP (NetBIOS datagram service)
   c. 139 TCP (NetBIOS session service)
   d. 445 TCP and UDP (Microsoft CIFS on Windows 2000)

2. Teach users that files with a CHM extension should be treated with
the same caution as files with an EXE extension

3. Configure e-mail packages to disallow Active Scripting. Microsoft
has made available a security patch for MS Outlook 98 and 2000 that does
this. See item 2.3.1 below for more information on that patch.  For all
other e-mail packages using the Internet Explorer engine, such as Eudora
and Outlook Express, this must be done manually.  Configure these
packages to read e-mail in the Restricted Sites zone, and then disable
execution of all active content in that zone

4. Disable, or at least prompt, scripting of ActiveX components marked
as safe for scripting in the Internet Zone.

5. Disable Active Scripting in the Internet Zone. Note that this will
severely cripple many Internet sites.  

6. Disable ActiveX controls entirely in the Internet Zone. Note that
this will cripple certain useful components, such as the Adobe Acrobat
plug-in. To mitigate this problem, Internet Explorer can be configured
to only run Administrator approved ActiveX controls. However, this
presents significant administrative overhead and is only practical in
environments with strong central control

The "safe for scripting" or "safe for initialization" attributes can
also be removed from the HHCtrl control. However, this would cripple
the help system, and is not likely to be an option in many environments.
However, should you wish to do so, remove one or both of the following
registry keys:

Hive: HKEY_CLASSES_ROOT
Key: \CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\Implemented
Categories\
Sub-key: {7DD95801-9882-11CF-9FA9-00AA006C42C4} (Safe for scripting)
Sub-key: {7DD95802-9882-11CF-9FA9-00AA006C42C4} (Safe for
initialization)

For more information see:
* Microsoft Security Bulletin MS00-037
  http://www.microsoft.com/technet/security/bulletin/MS00-037.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-037
  http://www.microsoft.com/technet/security/bulletin/fq00-037.asp
* Microsoft Knowledge Base (KB) article Q259166 "UNC Path Can Be Used
  to Start Programs by Using .chm Files"
  http://www.microsoft.com/technet/support/kb.asp?ID=259166
* CERT Advisory CA-2000-12
  http://www.cert.org/advisories/CA-2000-12.html

1.2.4. MS00-039 - Patch Available for "SSL Certificate Validation"
       Vulnerabilities

Internet Explorer has problems validating SSL certificates. These
problems are very similar to those in Netscape Navigator discussed in
the May 2000 Windows Security Digest. In fact, the IE problems were also
discovered by ACROS, like the Netscape problems.

The fix actually solves two unrelated problems. The first is that if an
SSL session is opened via a frame or an image (e.g. an image link using
SSL is embedded in a web page), IE only checks that the certificate was
issued by a trusted root certificate authority, not whether the
certificate itself is valid. The second is that IE only validates a
certificate for each site once per IE session. Thus, an attacker who
manages to poison the DNS database may be able to pose as a trusted
site: if the client connects to the true trusted site, then connects to
another site, and then connects to the now-poisoned trusted site, the
certificate is never validated on the second visit.

The vulnerability affects all versions of IE 4.x and 5.x for Windows,
including Windows 2000. A fix is currently only available for IE 5.01.
A fix for IE 4.01 SP2 will allegedly be made available at a later date.
Users of other versions of vulnerable browsers are advised to upgrade
to either IE 5.01 or 4.01 SP2 and then fix that version. The fix is
available at:

* http://www.microsoft.com/windows/ie/download/critical/patch7.htm
* http://windowsupdate.microsoft.com

For more information see:
* Microsoft Security Bulletin MS00-039
http://www.microsoft.com/technet/security/bulletin/MS00-039.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-039
http://www.microsoft.com/technet/security/bulletin/fq00-039.asp
* Microsoft Knowledge Base (KB) article Q254902 "Invalid SSL
  Certificates May Be Bypassed in Internet Explorer"
http://www.microsoft.com/technet/support/kb.asp?ID=254902 
* The ACROS bulletin
  http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0006&L=NTBUGTRAQ&P=R1498
* CERT Advisory CA-2000-10
  http://www.cert.org/advisories/CA-2000-10.html

1.2.5. MS00-040 - Patch Available for "Remote Registry Access
       Authentication" Vulnerability

From the "stupid DOS tricks" department comes a Denial of Service
vulnerability in all versions of Windows NT 4.0. By sending a specially
malformed packet to the remote registry service, an attacker can crash
the winlogon.exe service. Crashing that service causes the entire
machine to crash. Note that exploit code for this problem is available.

Microsoft has issued a patch for this problem, but the patch only works
on the Intel version of NT 4.0. There is no Alpha patch available yet;
nor is there a patch for Terminal Server yet. This problem does not
affect Windows 2000. The patch is available at:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21772

For more information see:
* Microsoft Security Bulletin MS00-040
  http://www.microsoft.com/technet/security/bulletin/MS00-040.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-040
  http://www.microsoft.com/technet/security/bulletin/fq00-040.asp
* Microsoft Knowledge Base (KB) article Q264684 "Patch for Remote
  Registry Access Authentication Vulnerability"
  http://www.microsoft.com/technet/support/kb.asp?ID=264684 

1.2.6. MS00-041 - Patch Available for "DTS Password" Vulnerability

There is a vulnerability in the Data Transformation Services (DTS) of
Microsoft SQL Server 7.0 that could allow an attacker to compromise the
passwords used to execute DTS packages. Under the following conditions
the passwords could be retrieved programmatically:

1. The creator of the package configured it to use a username and
password instead of using Windows NT integrated authentication
2. There are no restrictions on who can edit the DTS package
3. Guest users can access the MSDB where the DTS package is stored

If all three of these conditions are met, an attacker can open the
properties of the DTS package and query it for the password. Note that
all three of these conditions are security practices to be avoided.

Microsoft has posted a fix for SQL Server 7.0 as follows:

* Intel
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21905 
* Alpha
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=21906 

For more information see:
* Microsoft Security Bulletin MS00-041
  http://www.microsoft.com/technet/security/bulletin/MS00-041.asp
* Frequently Asked Questions: Microsoft Security Bulletin MS00-041
  http://www.microsoft.com/technet/security/bulletin/fq00-041.asp
* Microsoft Knowledge Base (KB) article Q264880 "FIX: Passwords May Be
  Retrieved From DTS Package With No Owner Password"
  http://www.microsoft.com/technet/support/kb.asp?ID=264880 
* A white paper on SQL Server 7.0 security
  http://www.microsoft.com/technet/SQL/Technote/secure.asp

2. Microsoft Software Issues

2.1. IE Issues

2.1.1. IE 5 cross-frame navigation vulnerability

Georgi Guninski issued an alert regarding IE 5.x. Using an IFRAME an
attacker can capture events to the Web Browser control. This control
allows local files in known locations to be read and sent to the web
server. This could allow an attacker to read files on a victim's
computer. Currently, the only workaround is to disable Active Scripting.
No fix for this problem is currently available.

2.2. Windows 2000 Only (Note, these are issues that affect only Windows
2000. Win2K may also be affected by issues listed under All/Other
Microsoft Software Issues below)

2.2.1. shell:// crashes Explorer

Several reports on vuln-dev
(http://archives.neohapsis.com/archives/vuln-dev/) indicate that
Internet Explorer and Windows Explorer will both crash when a user tries
to open a URL beginning with shell://. It is unclear at this point why
this happens. However, only Windows 2000, not Windows NT 4.0, is
vulnerable. Microsoft has not commented on this problem.

2.3. All/Other Microsoft Software Issues

2.3.1. Security update for MS Outlook 98 and 2000 available

Microsoft released the security update for Outlook 98 and 2000. The
patch significantly improves the default security (or rather lack
thereof) of Outlook 98 and 2000. However, no update is provided for
Outlook Express. The updates are available at:

* http://officeupdate.microsoft.com/2000/downloadDetails/Out2ksec.htm 
* http://officeupdate.microsoft.com/downloadDetails/Out98sec.htm

The Outlook 2000 update requires SP1 for Office 2000. The updates
actually implement a number of steps:

* E-mail attachment security - Prevents users from accessing certain
types of attachments. The complete list is too long to include here, but
it is given in Knowledge Base articles Q262617 and Q262631. Users will
receive a message stating that access to these attachments is restricted
if they send or receive an e-mail containing one.

* Prompts users when Visual Basic for Applications code attempts to
access the entire address book or harvest addresses from folders

* Sets the security zone in Outlook to the Restricted Sites zone and
turns off Active Scripting in that zone

Administrators and users should be aware that methods to trick users
into circumventing these measures have already been published. A post
by Cassius to BugTraq (http://www.securityfocus.com) detailed how an
attacker could use an IFRAME in an HTML e-mail message to make the
client attempt to open a document on a web site. This document is on
the web site, not included in the message and hence is not affected by
the security update. The document could be a program, a VBScript file,
or any other file type that is blocked by Outlook and not shown in a
browser. When a user opens the e-mail s/he is presented with a standard
file download dialog. Note however that this should look completely
different from the interface when an e-mail contains an attachment. Any
savvy user should realize that they have been re-pointed to a web site.
Of course, savvy users are few and far between.

Organizations using Exchange Server can take advantage of customization
features of the security update. For example, the list of extensions
that are blocked is customizable. However, these features are not
customizable without Exchange Server. For more information, see the
administrative tools documentation at:

* Microsoft Knowledge Base (KB) article Q263297 "OL2000: Administrator
  Information About the Outlook E-mail Security Update"
  http://www.microsoft.com/technet/support/kb.asp?ID=263297
* Microsoft Knowledge Base (KB) article Q263296 "OL98: Administrator
  Information About the Outlook E-mail Security Update"
  http://www.microsoft.com/technet/support/kb.asp?ID=263296

For more information on this update, see:
* OL98: Information About the Outlook E-mail Security Update
  http://www.microsoft.com/technet/support/kb.asp?ID=262617 
* OL98: Known Issues with the Outlook E-Mail Security Update
  http://www.microsoft.com/technet/support/kb.asp?ID=262618
* OL98: Developer Information About the Outlook E-mail Security Update
  http://www.microsoft.com/technet/support/kb.asp?ID=262700 
* OL2000: Known Issues with the Outlook E-Mail Security Update
  http://www.microsoft.com/technet/support/kb.asp?ID=262634 
* OL2000: Information About the Outlook E-mail Security Update
  http://www.microsoft.com/technet/support/kb.asp?ID=262631 
* OL2000: Developer Information About the Outlook E-mail Security Update
  http://www.microsoft.com/technet/support/kb.asp?ID=262701 
* Outlook E-mail Security Update - Frequently Asked Questions
  http://officeupdate.microsoft.com/2000/articles/Out2ksecFAQ.htm
* ISVs Affected by Outlook 98/2000 SR-1 E-mail Security Update
  http://officeupdate.microsoft.com/2000/articles/o2ksecISV.htm
* Customizing the Outlook 98/2000 E-mail Security Update
  http://www.microsoft.com/office/ork/2000/journ/outsecupdate.htm
* How to Use Security Zones in Internet Explorer
  http://www.microsoft.com/technet/support/kb.asp?ID=174360 

2.3.2. Reasons to upgrade your systems from SP3 to SP4 or Win2k

Luke Kenneth Casson Leighton posted a fascinating article this month.
The article described the process by which Windows NT 4.0 Service Pack
3 and earlier domain controllers transfer the user accounts database
between them. When the BDC connects to a PDC the two machines establish
a 16-byte session key (although the top 8 bytes are all zeros). The BDC
then requests the SAM database, which the PDC forwards. The PDC stacks
the hashes in pairs and encrypts every pair with the same RC4 keystream,
i.e. RC4 is restarted with the same session key for each pair. This is
very similar to the bug found in Syskey last year. When two values
encrypted under the same RC4 keystream are XORed together, the keystream
cancels out and the result is simply the XOR of the two plaintexts.
Thus, the values that traverse the wire between SP3 or earlier systems
are vulnerable to a password cracking attack. To mitigate this attack,
upgrade your domain controllers to SP4 or higher.

Furthermore, computer trust accounts use only the NT hash; the LM
password field in the SAM database is set to all zeros. Those 16 zero
bytes are encrypted the same way as all other hashes and sent to the
BDC, so their ciphertext is the keystream itself. XORing that keystream
with the rest of the encrypted obfuscated LM passwords recovers all the
obfuscated LM hashes, which can then be fed to a password cracker.
Similarly, if we can find even one NT hash we can find all the rest of
them.

For more information see Luke's posting:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0006&L=ntbugtraq&F=&S=&P=1931
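The following Python is an added illustration of the keystream-reuse
flaw described above; it is not code from Luke's posting or from this
digest. It models the PDC as restarting RC4 under one session key for
every (LM, NT) hash pair, shows that XORing two ciphertexts yields the
XOR of the plaintexts, and recovers every hash on the wire from one
computer account (all-zero LM field) plus one known NT hash. The session
key layout (8 random bytes followed by 8 zero bytes), the 32-byte
per-account block framing and the hash values are assumptions made for
the example; the real replication stream is not reproduced here.

```python
from __future__ import annotations
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_session_key() -> bytes:
    # Assumption, following the digest: 16-byte key, top 8 bytes zero.
    return os.urandom(8) + bytes(8)


def replicate(session_key: bytes, records: list[tuple[bytes, bytes]]) -> list[bytes]:
    """Flawed PDC behaviour (assumed framing): each (LM, NT) pair is one
    32-byte block, and RC4 is restarted with the same session key for every
    block, so the identical keystream is applied to all of them."""
    return [xor(lm + nt, rc4_keystream(session_key, 32)) for lm, nt in records]


def ciphertext_xor_leaks_plaintext_xor(wire, records, a, b) -> bool:
    """C_a XOR C_b == P_a XOR P_b whenever the keystream is shared."""
    return xor(wire[a], wire[b]) == xor(b"".join(records[a]), b"".join(records[b]))


def attack(wire: list[bytes], zero_lm_index: int,
           known_nt_index: int, known_nt: bytes) -> list[tuple[bytes, bytes]]:
    """Recover every (LM, NT) pair from the wire without the session key.
    zero_lm_index: a computer trust account; its LM field is 16 zero bytes,
    so its first 16 ciphertext bytes are the keystream itself.
    known_nt_index / known_nt: any account whose NT hash the attacker already
    knows (e.g. their own); it yields the other 16 keystream bytes."""
    ks_lm = wire[zero_lm_index][:16]                  # 0 XOR K = K
    ks_nt = xor(wire[known_nt_index][16:], known_nt)  # (NT XOR K) XOR NT = K
    return [(xor(c[:16], ks_lm), xor(c[16:], ks_nt)) for c in wire]


# Constructed sample SAM entries (not real hashes): (LM hash, NT hash).
SAMPLE_RECORDS = [
    (bytes.fromhex("0123456789abcdef0123456789abcdef"),  # attacker's own user
     bytes.fromhex("fedcba9876543210fedcba9876543210")),
    (bytes.fromhex("a1a2a3a4a5a6a7a8a9aaabacadaeafb0"),  # another user
     bytes.fromhex("b1b2b3b4b5b6b7b8b9babbbcbdbebfc0")),
    (bytes(16),                                          # computer account: LM all zero
     bytes.fromhex("c1c2c3c4c5c6c7c8c9cacbcccdcecfd0")),
]


if __name__ == "__main__":
    wire = replicate(make_session_key(), SAMPLE_RECORDS)
    print("C0^C1 == P0^P1:", ciphertext_xor_leaks_plaintext_xor(wire, SAMPLE_RECORDS, 0, 1))
    recovered = attack(wire, zero_lm_index=2, known_nt_index=0,
                       known_nt=SAMPLE_RECORDS[0][1])
    print("all pairs recovered:", recovered == SAMPLE_RECORDS)
```

The fix in SP4 is not a stronger key but a fresh keystream per block;
any stream cipher used this way, RC4 or otherwise, has the same problem.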

2.3.3. Buffer overflow in Windows Explorer

There is a buffer overflow vulnerability in Windows Explorer that
appears to affect all Windows operating systems. The original report
came from Zoa_Chien. However, we have determined that the problem also
affects Windows 2000, which was originally thought to be immune.

The problem involves a file with a very long file extension. In Windows
NT 4.0 and Win9x the file could not be created in Windows Explorer. If
such a file was created some other way, Explorer would crash when the
mouse hovered over the file. However, in Windows 2000 the file can be
created in the shell. If the file is copied and pasted Explorer will
crash. This overflow is exploitable. Microsoft is aware of the problem,
and is working on a fix.

2.3.4. Unauthenticated SMB DOS vulnerabilities

Luke Kenneth Casson Leighton released two vulnerabilities in the Windows
2000 and NT 4.0 implementations of the Server Message Block (SMB) file
sharing algorithms. The first vulnerability is the most serious,
allowing an attacker to remotely crash the SMB server (any host running
the Server service (NT4.0) or the File and Print Services for Microsoft
Networks in Windows 2000). The exploit involves sending a specially
malformed SMB write packet.

The second exploit simply ties up the SMB server until the attack is
over. It involves sending requests without reading the responses from
the server.

Microsoft has not released an official response to either of these
problems.

2.3.5. Windows DNS server leaks administrator account name

In a report to BugTraq, Roy Hills reported that the Windows NT 4.0 DNS
server includes the account name of the Administrator account in the
Start Of Authority (SOA) record for each zone it hosts. More precisely,
it uses the name of the account that created the zone as the responsible
person (RNAME) field of the SOA record. Because the RNAME encodes a
mailbox with the first dot standing in for "@", a zone created while
logged on as Administrator carries a contact such as
Administrator.example.com., which any client that queries the SOA record
can read as Administrator@example.com. We have verified that the same
problem exists with the DNS server in Windows 2000. It would be prudent
to examine your SOA records and change the contact name to a mailbox
that is not also a logon account with administrative privileges, to keep
this information from leaking to an attacker. For more information on
recommended mailbox name configurations, see RFC 2142: "Mailbox names
for common services, roles and functions" at
http://www.imc.org/rfc2142
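The check described above, as an added example for this digest item (it is not code from Roy Hills' report or from Microsoft): it parses the RNAME field out of SOA records in the text form `dig` prints, undoes the mailbox encoding (first unescaped dot becomes "@", a backslash-escaped dot stays in the local part), and flags any contact whose local part is not one of the RFC 2142 role mailboxes. The three SOA records are constructed samples; in practice you would feed it the SOA records of every zone your servers host.

```python
"""Audit SOA RNAME fields for leaked account names.

Added example for the SANS digest item on Windows DNS SOA records; not the
original reporter's or Microsoft's code. Sample records are constructed.
"""

# RFC 2142 role mailboxes that are sensible SOA contacts. Any other local
# part is reported as a possible logon-account name.
ROLE_MAILBOXES = {"hostmaster", "dnsadmin", "dns", "postmaster", "noc", "abuse"}

# Constructed samples in dig output form:
#   owner TTL class SOA mname rname serial refresh retry expire minimum
# The third record shows an escaped dot inside the local part (j.smith).
SAMPLE_SOA_RECORDS = r"""
example.com.      3600 IN SOA ns1.example.com.    Administrator.example.com.  2000063001 900 600 86400 3600
corp.example.     3600 IN SOA dc1.corp.example.   hostmaster.corp.example.    2000063001 900 600 86400 3600
lab.example.net.  3600 IN SOA ns.lab.example.net. j\.smith.lab.example.net.   12 900 600 86400 3600
"""


def rname_to_mailbox(rname):
    """Turn an SOA RNAME into (local_part, domain).

    RFC 1035 encodes the responsible mailbox by replacing "@" with the
    first dot; a dot that belongs to the local part is escaped with "\\".
    """
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])  # escaped character stays in local part
            i += 2
            continue
        if ch == ".":
            return "".join(local), name[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local), ""


def audit_soa(records_text):
    """Return one finding per SOA record: zone, contact mailbox, leak flag."""
    findings = []
    for line in records_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3].upper() != "SOA":
            continue  # blank line or not an SOA record
        zone, rname = fields[0], fields[5]
        local, domain = rname_to_mailbox(rname)
        findings.append({
            "zone": zone,
            "mailbox": f"{local}@{domain}",
            "leak": local.lower() not in ROLE_MAILBOXES,
        })
    return findings


if __name__ == "__main__":
    for f in audit_soa(SAMPLE_SOA_RECORDS):
        status = "possible account name" if f["leak"] else "role mailbox"
        print(f"{f['zone']:<18} {f['mailbox']:<30} {status}")
```

The first and third records are flagged: one names the Administrator account outright, the other a personal account that an attacker could use as a logon name; only the hostmaster contact passes.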

3. Third-party software issues

3.1. Buffer overflows and DOS attacks discovered this month were covered
     in the table of contents above

3.2. Firewall-1 IP Fragmentation vulnerability

Lance Spitzner posted an advisory about Check Point Software's
Firewall-1 versions 4.x. When the firewall receives a fragmented packet
it is designed to re-assemble the datagram before inspecting it.
However, if the remaining fragments never arrive the firewall gets stuck
at 100% CPU utilization, thereby blocking all legitimate traffic. The
partial fragments cannot be blocked by the firewall's rule base because
it is programmed not to inspect them until the datagram is complete.
Check Point is working on a fix.


3.3. Weak encryption of passwords in PassWD 1.2

Daniel Roethlisberger issued an advisory about the password encryption
employed in a product called PassWD 1.2. This product uses extremely
weak encryption of its stored data. This is especially problematic
because its stored data is user passwords for various systems. The
product is a password management system. Mr Roethlisberger also
published exploit code for recovering the passwords. The author of the
program has stated that version 1.2 is no longer supported. He is
addressing this issue in PassWD 2000, soon to be available from
http://web.tiscalinet.it/gbigarelli/.

3.4. Allaire Security Bulletin ASB00-014: Cold Fusion Denial of Service
     vulnerability

Allaire released a bulletin apprising customers of a vulnerability in
Allaire Cold Fusion 4.x that was discovered by Foundstone. By sending
a very large password to the Cold Fusion administrator pages, an
attacker can overwhelm a server and keep it from processing legitimate
requests. Allaire recommends that customers either remove the Cold
Fusion administrator application (/CFIDE/Administrator) or that it be
secured using operating system access control lists to keep unauthorized
users from accessing the pages.

For more information see:
* ASB00-014 "Workaround available for Denial of Service attack against
  ColdFusion Administrator"
  http://www.allaire.com/handlers/index.cfm?ID=16122&Method=Full
* Allaire KBase article 10954 "Security Best Practice: Securing the
  ColdFusion Administrator"
  http://www.allaire.com/Handlers/index.cfm?ID=10954&Method=Full
* The Foundstone advisory:
  http://www.foundstone.com/FS-060700-1-CFM.txt

3.5. Allaire Security Bulletin ASB00-015: Allaire JRun sample file
     vulnerabilities

Allaire released a bulletin discussing vulnerabilities in sample files
that ship with Allaire JRun 2.3.x. The following sample files that ship
with JRun cause vulnerabilities:

* All class and java files in /JRUN_HOME/servlets
* All files in /JRUN_HOME/jsm-default/services/jws/htdocs

We would like to repeat the number one rule for web servers:

*NEVER LEAVE OR RUN ANY SAMPLE CODE OF ANY KIND WHATSOEVER FROM ANY
PROGRAM ON YOUR PRODUCTION SERVERS!!!*

Samples are not designed to be used in a production environment; they
are designed to demonstrate functionality of a program. As such, they
often demonstrate functionality that would be dangerous in a production
environment.

3.6. Code exposure vulnerability in interpreters for JSP and/or JHTML
     pages

It was discovered this month that several Java Server Pages (JSP)
interpreters have code-exposure vulnerabilities. The vulnerabilities
are very similar:

If a request to a page is made using a jsp lower-case extension (such
as http://www.someserver.com/notvulnerable.jsp) the page gets parsed by
the interpreter. However, if a user requests a page using an upper-case
extension (such as http://www.someserver.com/vulnerable.JSP) the
interpreter never parses the page and the source code is returned to
the requester. This is a serious problem as the source code may contain
sensitive information. Windows NT file systems are not case sensitive,
so vulnerable.JSP and vulnerable.jsp name the same file on disk and both
requests should be handled the same way. The JSP interpreters, however,
match the extension case-sensitively, so the upper-case request misses
the interpreter's mapping and the web server serves the file as plain
content.

3.6.1. Unify's ServletExec JSP interpreter
Niclas Vikström discovered the vulnerability in ServletExec
(http://www.servletexec.com). Unify has not produced a fix, but rather
recommends users to create a servlet that takes care of these kinds of
requests and presents an error-message to the user. The problem is that
this servlet has to take into account every possible permutation of
upper and lower case extensions.
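A model of the shared flaw, added here for the JSP code-exposure item and the ServletExec workaround above; it is not the code of ServletExec, WebLogic or WebSphere. The request router below looks up the file case-insensitively, as an NTFS-backed web server would, but dispatches on the extension exactly as typed, so /login.JSP falls through to the static-file handler and the source is returned. The hardened router lower-cases the extension before matching, which handles every permutation of upper and lower case at once rather than enumerating them in a servlet. The file contents and paths are constructed stand-ins.

```python
"""Case-sensitive versus case-insensitive extension dispatch.

Added example for the SANS digest item on JSP code exposure; not the code
of any JSP interpreter named there. Files and paths are constructed.
"""
import posixpath

# Constructed stand-in for files on disk; login.jsp holds the source an
# attacker wants to read.
FILES = {
    "/login.jsp": '<%@ page import="java.sql.*" %><% String pw = "s3cret"; %>',
    "/logo.gif": "GIF89a...",
}

INTERPRETED_EXTENSIONS = {".jsp", ".jhtml"}


def handle_request(path, case_sensitive_mapping):
    """Return (handler, body) for a request path.

    The file lookup folds case, as NTFS does, so /login.JSP resolves to the
    same file as /login.jsp. With case_sensitive_mapping=True the extension
    must match ".jsp" exactly to reach the interpreter (the flaw); with
    False it is lower-cased first (the fix).
    """
    disk_path = next((p for p in FILES if p.lower() == path.lower()), None)
    if disk_path is None:
        return ("404", "")
    ext = posixpath.splitext(path)[1]
    ext_key = ext if case_sensitive_mapping else ext.lower()
    if ext_key in INTERPRETED_EXTENSIONS:
        return ("jsp", "<html>rendered output of " + disk_path + "</html>")
    return ("static", FILES[disk_path])  # raw file contents served as-is


def leaked_source_variants(path):
    """Enumerate every upper/lower-case permutation of the extension and
    return (variants leaking under the flaw, variants leaking under the fix)."""
    base, ext = posixpath.splitext(path)
    variants = set()
    for mask in range(1 << len(ext)):
        variants.add(base + "".join(
            c.upper() if mask >> i & 1 else c.lower() for i, c in enumerate(ext)))
    vuln = sorted(v for v in variants if handle_request(v, True)[0] == "static")
    hard = sorted(v for v in variants if handle_request(v, False)[0] == "static")
    return vuln, hard


if __name__ == "__main__":
    print(handle_request("/login.JSP", case_sensitive_mapping=True))
    print(handle_request("/login.JSP", case_sensitive_mapping=False))
    vuln, hard = leaked_source_variants("/login.jsp")
    print(f"leaking variants, flawed mapping: {vuln}")
    print(f"leaking variants, fixed mapping:  {hard}")
```

Of the eight spellings of the extension, seven leak the source under the exact-match mapping and none under the folded one; the static path is still used for genuinely static files such as /logo.gif.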

3.6.2. BEA WebLogic

The bug in BEA WebLogic was discovered by Foundstone
(http://www.foundstone.com). Administrators can configure WebLogic to
be case insensitive. For more information on that procedure see:
http://www.weblogic.com/docs51/admindocs/properties.html or
http://www.weblogic.com/docs51/admindocs/lockdown.html. 

To do so you need to set this property in the weblogic.properties file:

weblogic.httpd.servlet.extensionCaseSensitive=true

3.6.3. IBM WebSphere

The IBM WebSphere vulnerability was also discovered by Foundstone
(http://www.foundstone.com). IBM is producing a fix that will be posted
to:

http://www-4.ibm.com/software/webservers/appserv/efix.html 

3.7. Vulnerabilities and fixes in Norton Antivirus for Exchange

Jim Rosenberg posted a couple of problems with Norton Antivirus for
Exchange v. 1.5. The cause of the first issue is a little unclear.
Under certain circumstances the NavExchange service will stop
responding. In that situation e-mail messages will be passed through
the virus scanner uninspected. The workaround is to stop and restart
the NavExchange service. Symantec has fixed this problem in version
2.01. The second issue is a long-file name problem with zip archives.
If a zip archive contains a file with a long file name the NavExchange
service will fail. This has been fixed by the Symantec Antivirus
Research Center and should have been included in a scan engine update
according to Symantec. However, it is unclear which update this was
fixed in.

3.8. NAI Webshield SMTP scanner unable to block Base64 attachments

The Network Associates (NAI) Webshield SMTP scanner has the ability to
bounce messages with certain attachments. However, Chris Paget reported
that it fails to do so if the attachments are Base64 encoded.
Attachments with a known virus are blocked successfully, but Webshield
is unable to block attachments that do not contain known viruses if they
are Base64 encoded. NAI has not responded to this issue.
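The failure mode above, as an added example that is not NAI's code: a filter that inspects the message as it appears on the wire never sees the attachment's real bytes once they are Base64 encoded (the "MZ" executable header, for instance, is encoded as "TV..."). The corrected filter walks the MIME parts and decodes each payload according to its Content-Transfer-Encoding before checking the filename extension and the decoded content. The message is constructed with Python's email package; the blocklist and the PE signature check are assumptions for the demonstration.

```python
"""Attachment filter that inspects decoded content, not the wire encoding.

Added example for the SANS digest item on Webshield and Base64 attachments;
not NAI's code. The message below is constructed.
"""
import email
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".com", ".vbs", ".scr"}  # assumed policy
PE_MAGIC = b"MZ"  # DOS/PE executable header


def build_sample_message():
    """Constructed sample: a Base64-encoded attachment with a PE header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "quarterly figures"
    msg.set_content("See attached.")
    payload = PE_MAGIC + b"\x90\x00" + b"not a real program" * 4
    # add_attachment Base64-encodes binary payloads by default.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="figures.exe")
    return msg.as_string()


def naive_filter(raw_message):
    """Scan the wire form for the executable header.

    Base64 turns "MZ" into "TV", so an encoded attachment is never seen.
    Returns True if the message would be bounced.
    """
    return PE_MAGIC.decode() in raw_message


def decoding_filter(raw_message):
    """Decode every MIME part before inspecting it.

    Returns the list of reasons the message should be bounced (empty if clean).
    """
    msg = email.message_from_string(raw_message)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension {ext} ({filename})")
        if data.startswith(PE_MAGIC):
            reasons.append(f"PE header in decoded part {filename or part.get_content_type()}")
    return reasons


if __name__ == "__main__":
    raw = build_sample_message()
    print("naive filter bounces:", naive_filter(raw))
    print("decoding filter reasons:", decoding_filter(raw))
```

The naive filter passes the message because the literal header never appears in the encoded body, while the decoding filter reports both the blocked extension and the executable header in the decoded attachment.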

4. Tip of the month: Can't figure out how to secure user objects in
   Active Directory?

When we installed an Active Directory server we could not find the
promised ability to secure individual user objects (or computers, or
anything else for that matter) in Active Directory. Right-clicking the
objects in Active Directory Users and Computers gave us a properties
option. However, there was no security tab, until we found out that
security is apparently an advanced property in Active Directory. If you
click the View button in the MMC and then select Advanced Features you
now get a security tab on the property sheet for individual objects.
This allows you to secure the objects and to apply permissions to the
individual properties Microsoft lets you secure.

========================================================================

The SANS Windows Security Digest is available at no cost to all system,
network, and security professionals who work with Windows. To subscribe,
email digest@sans.org with the subject Windows Security Digest. Back
issues are available at http://www.sans.org/newlook/digests/ntdigest.htm

------- End of Forwarded Message
