
Merit Network Email List Archives: Network Security

FWD: SANS Windows Security Digest Vol. 3 Num. 9

  • From: Paul Howell
  • Date: Sat Sep 30 10:14:34 2000

------- Forwarded Message

Date: Fri, 29 Sep 2000 14:53:10 -0600 (MDT)
Message-Id: <200009294108.QGA05697@server1.SANS.ORG>
From: The SANS Institute <sans@sans.org>
Subject: SANS Windows Security Digest Vol. 3 Num. 9
Precedence: bulk
Errors-To: bounce@sans.org

**********************************************************************

                      The SANS Windows Security Digest
      A Resource for Computer and Network Security Professionals
                            Volume 3, Number 9
                            September 30, 2000

               Dr. Jesper M. Johansson (Boston University)

Editorial Board:
     Dr. Matt Bishop (Univ. California, Davis)
     Jeff Brown (Merrill Lynch)
     Phil Cox (SystemExperts Corp.)
     Mark T. Edmead (MTE Software)
     Chris Lalka (Exxon) 
     Steve Lewis (GRCI)
     Eric Maiwald (Fortrex)
     Rob Marchand (Array Systems)
     Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)

Copyright 2000. The SANS Institute. All rights reserved.

You may forward this issue to your co-workers and encourage them to
subscribe. To do so, send a note with the subject "NT Digest" to
digest@sans.org

We are now signing the Windows Security Digest with PGP. The new SANS'
PGP key is posted at
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can also be accessed from the SANS web site (http://www.sans.org)

**********************************************************************

This month has been calmer than some recent months. Only six new
Microsoft security bulletins were issued. However, there are a couple
that warrant immediate attention, such as MS00-066 and MS00-067. As
usual, we also have a couple of vulnerabilities in Internet Explorer,
along with the usual third-party problems. Perhaps the most surprising
revelation this month was a new method of exploiting a very old
technique for loading dynamic link libraries. See item 2.3.2 for more
on that.

JMJ

*** This issue sponsored by surfCONTROL, Inc. ***

TAKE BACK CONTROL OF YOUR NETWORK
It only takes a few employees to drag down network performance for the
entire company. We're talking about the CyberSlackers, MP3 Heads, Day
Traders, Gamers and Shop-a-holics. Install SurfControl & you'll know
exactly WHO's doing WHAT, WHEN and WHERE on the Web. SurfControl
monitors, records and manages all TCP/IP protocols.  You've got
responsibility for the network, download an easy way to manage it.

Try SurfControl FREE for 30 days.
http://www.SurfControl.com/promo/SNT928

************************************************************************

Table of Contents
1. Microsoft Security Bulletins
1.1. MS00-063 - Patch Available for "Invalid URL" Vulnerability
1.2. MS00-064 - Patch Available for "Unicast Service Race Condition"
     Vulnerability
1.3. MS00-065 - "Still Image Service Privilege Escalation" Vulnerability
1.4. MS00-066 - Patch Available for "Malformed RPC Packet" Vulnerability
1.5. MS00-067 - Patch Available for "Windows 2000 Telnet Client NTLM
     Authentication" Vulnerability
1.6. MS00-068 - Patch Available for "OCX Attachment" Vulnerability

2. Microsoft Software Issues

2.1. IE Issues
2.1.1. Cross-frame navigation allows reading local files
2.1.2. User data persistence in Internet Explorer
2.1.3. User data exposure possible using getObject() function

2.2. Windows 2000 Only
2.2.1. Using cacls to set permissions on volume mount points will not
       work
2.2.2. Terminal Server user settings not replicated properly

2.3. All/Other Microsoft Software Issues
2.3.1. vCard DOS in Outlook 2000
2.3.2. Programs load DLLs at startup
2.3.3. Microsoft releases security tool for IIS 5.0
2.3.4. Alternate Data Streams can hide viruses
2.3.5. Erasing individual event log entries possible
2.3.6. Denial of Service Attack in Exchange Server 5.5
2.3.7. New Outlook Security Update for Outlook 98

3. Third Party Software Issues
3.1. Buffer overflows discovered this month
3.2. Other Remote Denial of Service (DOS) Attacks discovered this month
3.3. YABB 9.1.2000 can be used to gain unauthorized access to files
3.4. Extent RBS directory traversal vulnerability
3.5. Multiple vulnerabilities in Cisco CiscoSecure ACS for Windows NT
     Server
3.6. Multiple vulnerabilities in Talentsoft Web+ Server Version: 4.6
3.7. WQuinn QuotaAdvisor 4.1 fails to enforce quotas on alternate data
     streams

4. Tip of the month: Considering allowing file uploads and downloads on
   your web server? Read this Allaire article first.

=======================================================================
1. Microsoft Security Bulletins
1.1. MS00-063 - Patch Available for "Invalid URL" Vulnerability

This patch fixes a vulnerability in Windows NT 4.0 only. Peter Gründl
of Vigilante discovered that by sending a certain malformed URL to a
web server running IIS 4.0, the server would consume all available
processor cycles and memory, and eventually the inetinfo.exe service
would crash. When Microsoft started investigating the problem, it
determined that the issue is in Windows NT 4.0 itself, not IIS. No
exploit scenarios other than the IIS one have been discovered.
Nevertheless, Microsoft recommends that users apply the patch to all
Windows NT 4.0 systems, in case a future exploit scenario would enable
a different vector of attack.

WARNING:
This patch requires at least Service Pack 5. Do not install it on a
Service Pack 4 system. If you do, the system will most likely not
reboot. In general, Microsoft no longer supports Service Pack levels
earlier than 4.

The patches are/will be available at:
* Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise
Edition
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24079 
* Microsoft Windows NT 4.0 Server, Terminal Server Edition
This patch is not yet released. When it is, the bulletin should be
updated to reflect this.

For more information see:
* Microsoft Security Bulletin MS00-063
http://www.microsoft.com/technet/security/bulletin/MS00-063.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-063
http://www.microsoft.com/technet/security/bulletin/fq00-063.asp 
* Microsoft Knowledge Base (KB) article Q271652 "Patch Released for
Malformed URL Vulnerability That Disables Web Server Response"
http://www.microsoft.com/technet/support/kb.asp?ID=271652 


1.2. MS00-064 - Patch Available for "Unicast Service Race Condition"
     Vulnerability

This bulletin describes a denial of service attack in the Windows Media
Services. By sending a malformed request to the media server an attacker
can cause the server to enter a race-condition. While in that race
condition, any request to the media services can cause the unicast
service to crash necessitating a restart of that service.

A patch is available only for Media Services 4.1:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24167

Media servers running version 4.0 of the media services must be upgraded
to version 4.1 before applying the patch. The upgrade is available at:
http://download.microsoft.com/download/winmediatech40/Update/4.1/WIN98/EN-US/wmserver.exe

For more information see:
* Microsoft Security Bulletin MS00-064
http://www.microsoft.com/technet/security/bulletin/MS00-064.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-064
http://www.microsoft.com/technet/security/bulletin/fq00-064.asp 
* Microsoft Knowledge Base (KB) article Q273014 "Windows Media Services
Unicast Service May Become Unresponsive"
http://www.microsoft.com/technet/support/kb.asp?ID=273014 

1.3. MS00-065 - "Still Image Service Privilege Escalation" Vulnerability

This bulletin announces a patch for a buffer overflow condition in the
Still Image service of Windows 2000. The issue, discovered by Dildog of
@Stake, involves the postMessage() function. That function allows a
process to send WM_USER messages to a window created by the Still Image
service. One of these messages has a buffer overflow.

The still image service is not installed by default on Windows 2000. It
is installed when a user plugs in a camera, scanner, or other still
image device. To check whether the service is installed open Task
Manager (CTRL+SHIFT+ESC), click the Processes tab and check for the
stisvc.exe service. This service runs as system.

The patch is available for all versions of Windows 2000 at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24200

For more information see:
* Microsoft Security Bulletin MS00-065
http://www.microsoft.com/technet/security/bulletin/MS00-065.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-065
http://www.microsoft.com/technet/security/bulletin/fq00-065.asp
* Microsoft Knowledge Base (KB) article Q272736 is not yet available
at:
http://www.microsoft.com/technet/support/kb.asp?ID=272736 

1.4. MS00-066 - Patch Available for "Malformed RPC Packet" Vulnerability

This bulletin announces a patch for a vulnerability in the Microsoft
RPC service of Windows 2000. By sending a specially malformed RPC
request to a Windows 2000 host, an attacker can crash the RPC services,
necessitating a reboot of the system to get the services running again.
While crashed, the server would be unable to respond to client requests.
For example, a logon server would be unable to service logons.

While the RPC service runs on all Windows 2000 computers, the machines
where the vulnerability causes the greatest problem are those that have
two characteristics:

1. They are Internet connected and the normal security precautions of
blocking ports 135-139 and 445 have not been followed
2. They are servers servicing clients, such as domain controllers,
Exchange servers, SQL servers, etc.

The patch is available as follows:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24229

For more information see:
* Microsoft Security Bulletin MS00-066
http://www.microsoft.com/technet/security/bulletin/MS00-066.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-066
http://www.microsoft.com/technet/security/bulletin/fq00-066.asp
* Microsoft Knowledge Base (KB) article Q272303 "RPC Server Service
Stops Responding"

http://www.microsoft.com/technet/support/kb.asp?ID=272303 

1.5. MS00-067 - Patch Available for "Windows 2000 Telnet Client NTLM
     Authentication" Vulnerability

This bulletin announces a patch for the telnet client that ships with
Windows 2000. A few years ago, it was discovered that Internet Explorer
would automatically submit challenge response credentials to a secured
web site, without asking the user before doing so. This was fixed about
three years ago. However, the telnet client in Windows 2000 exhibits
the same behavior. When the client connects to a telnet server that
supports NTLM, the client will automatically respond to a
challenge/response query. This can cause leakage of the user's NTLM
credentials. Note that the password itself is not leaked, nor is any
hashed representation of the password. What is leaked is the client's
response to a challenge, which is computed from the challenge and the
password hash. Using that challenge, it is possible to brute force the
user's password.

Microsoft has issued a patch for this issue. The patch was recalled and
re-issued on September 15. All customers who applied an earlier version
of the patch are advised to apply the new version. It is available at:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24399 

The patch will cause a prompt to be issued when the server requests NTLM
authentication. It is also possible to work around this issue by
blocking NTLM authentication altogether. To do so:

1. Open a command prompt
2. Type: telnet
3. Type: unset ntlm
4. Type: quit

The telnet client will now not perform NTLM authentication at all. To
turn this ability on again perform the same steps but type set ntlm
instead of unset ntlm.

For more information see:
* Microsoft Security Bulletin MS00-067
http://www.microsoft.com/technet/security/bulletin/MS00-067.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-067
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp 
* Microsoft Knowledge Base (KB) article Q272743 "HTML E-mail Link
Transmits User Name and Password to Unauthorized Server"
http://www.microsoft.com/technet/support/kb.asp?ID=272743 

1.6. MS00-068 - Patch Available for "OCX Attachment" Vulnerability

This bulletin announces a patch for a Denial of Service attack using
the Windows Media Player 7. The vulnerability, discovered by USSR Labs,
manifests itself if an attacker constructs a Rich Text Format e-mail
message that contains an OCX control associated with the media player.
When the user closes the e-mail containing the control, or switches to
another e-mail message, the e-mail application will crash. This affects
Outlook and Outlook Express, even though the flaw itself is actually in
the OCX control.

The patch is available at:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24421

For more information see:
* Microsoft Security Bulletin MS00-068
http://www.microsoft.com/technet/security/bulletin/MS00-068.asp 
* Frequently Asked Questions: Microsoft Security Bulletin MS00-068
http://www.microsoft.com/technet/security/bulletin/fq00-068.asp
* Microsoft Knowledge Base (KB) article Q274303 is not yet available
http://www.microsoft.com/technet/support/kb.asp?ID=274303 

2. Microsoft Software Issues

2.1. IE Issues
2.1.1. Cross-frame navigation allows reading local files

Yet another cross-frame navigation vulnerability was posted by Georgi
Guninski this month. This one uses the webBrowser ActiveX control to
read files local to the system the browser is running on. A JavaScript
can be used to open a window with a local file in it. The webBrowser
control is then pointed at that window and the contents of the window
can be managed using a JavaScript in the original page.

Microsoft was not given the opportunity to respond before Guninski
issued the report. No response from them is known at this time. There
are two ways to guard against the problem. The first is to disable
Active Scripting. The second is to disable scripting of ActiveX controls
that are marked as safe for scripting. Setting either of these to prompt
would allow the user to decide whether the web site s/he is visiting is
trusted enough to allow scripting of this control.

2.1.2. User data persistence in Internet Explorer

Microsoft has provided a different method of making user data persist
across sessions in Internet Explorer. Normally Cookies are used for this
purpose. However, since many users turn off cookies, there is another
method to do something similar in Internet Explorer 5.x. A web page can
save user data to a file in <user profile>\user data\<random name>.
Turning off User Data Persistence in the security tab of the options
dialog for the security zone in question disables this behavior. For
more information on user data persistence see the Microsoft developer
Network documentation:
http://msdn.microsoft.com/workshop/author/persistence/overview.asp

2.1.3. User data exposure possible using getObject() function

Georgi Guninski announced this month that users' data can be read by a
malicious web site operator using the getObject() function in JScript.
An attacker can use the getObject() function in a web page to create an
HTML document object. By specifying that the object be created from a
file on the user's hard drive, the attacker now has a reference to a
local file. A script on the web page can then be used to read the
contents of the file.

There are two ways to work around this problem. One is to turn off
Active Scripting. The other is to set the "Script ActiveX Controls
Marked Safe For Scripting" setting for the Internet Security Zone to
either prompt or disable. Setting it to prompt causes the user to
receive a prompt before the exploit fires. Setting it to disable
prevents the exploit from firing at all.

========================================================================
Also Sponsored by VeriSign - The Internet Trust Company 
======================================================================== 
Pinpoint the right security solution for your company - FREE Guide from
industry leader VeriSign gives you all the facts.
Learn how to: 
* Add the most powerful online encryption - 128-bit 
* Quickly authenticate your site 
Get your FREE Guide now at: 
http://www.verisign.com/cgi-bin/go.cgi?a=n061110560013000
======================================================================== 

2.2. Windows 2000 Only

(Note: these are issues that affect only Windows 2000. Win2K may also be
affected by issues listed under All/Other Microsoft Software Issues
below.)

2.2.1. Using cacls to set permissions on volume mount points will not
work

Lee Wilbur reported a problem with setting permissions on a volume mount
point. He had taken the following steps:
1. Create a volume mount point for a new volume, and mount it to a
directory on another volume, say c:\junction
2. Secure c:\junction so that only Administrators have access to it
3. Create a Macintosh volume pointed to c:\junction
4. Map that volume on a Macintosh client

At this point, the Macintosh client will have complete access to the
data on the volume.

The problem is actually in the method that was used to set the
permissions. Wilbur used the cacls tool to set the permissions. The
cacls tool does not understand volume mount points (also variously
referred to as junction points or by the technical term reparse points)
and so while the permissions appear to be set correctly, they are not.
Cacls only applies the permissions to the directory that hosts the mount
point, not to the volume underneath the mount point. The workaround is
to either not use cacls to set permissions on volume mount points or to
map the mount point to a drive letter before using cacls.

Microsoft has published a knowledge base article that discusses the
issue:
Microsoft Knowledge Base (KB) article Q237701 "Cacls.exe Cannot Apply
Security to Root of a Volume Mount Point"
http://www.microsoft.com/technet/support/kb.asp?ID=237701 

2.2.2. Terminal Server user settings not replicated properly

Andy Stadelmann reported a possible bug in Windows 2000 Terminal
Services. In order to properly be able to run applications on a terminal
server, certain Registry keys must be copied into the user's Registry
hives. To do this, keys underneath this key:

Hive: HKEY_LOCAL_MACHINE
Key: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal
Server\Install\Software\

were copied into HKEY_DEFAULT_USER when users logged on. This worked
in Windows NT 4.0 Terminal Server Edition. However, it does not appear
to work in Windows 2000, even though the documentation states that it
should. Microsoft has stated that this is a documentation bug, and the
documentation will be changed. However, no workaround has been offered
for the problem.

2.3. All/Other Microsoft Software Issues
2.3.1. vCard DOS in Outlook 2000

Joel Moses reported a problem in how Outlook 2000 processes vCards. A
vCard is an Internet standard for a virtual business card. By
specifically constructing certain malformed fields in a vCard
attachment, an attacker can cause Outlook to overflow a buffer and crash
or to consume all available CPU cycles, depending on which field is
modified. The overflow is not exploitable, however. Microsoft has not
responded publicly to this issue yet. Currently the work-around is to
not open vCards.

2.3.2. Programs load DLLs at startup

Georgi Guninski reported this on 9/18/2000. When a user opens a document
by double-clicking it in Explorer or using the start:run menu, some
programs will attempt to locate several DLLs. If any of these DLLs are
found in the directory where the document is located, they will be
executed as part of the document load process. Note that the DLL and
the Office program must not be loaded into memory already for this to
happen. That is why this exploit does not work when using the file:open
menu inside the program. At present, there is no patch for this issue.
However, several work-arounds can be used to mitigate the problem.

1. Do not put documents on shares that are writeable by untrusted users
2. Educate users to examine directories for DLLs before launching
documents. Note that many of these DLLs are hidden by default.
Therefore, the users' Explorer applications must be set to show all
files for this to work.
3. Perhaps the best work-around is to remove the execute bit from the
permissions inherited from the directory by files. This was proposed by
David LeBlanc. In Windows 2000 you can deny Everyone the right to
Traverse Directory/Execute File on files only in the hierarchy you want
to protect. In Windows NT 4.0, set special file permissions on the
hierarchy to not include execute. Ensure that this permission is
propagating to existing files and directories, and also that it is not
applied as a special directory permission. The execute bit is used to
open directories.

Guninski's original advisory only pertained to Microsoft Office
programs. However, this problem is by no means restricted to Microsoft
programs. For example, a rogue cscui.dll in the document directory will
be launched by Adobe Acrobat if a PDF file in that directory is
double-clicked, and by WinZip if a zip file is double-clicked. The
problem stems from the search order that is used to locate DLL files.
That order dictates that the program will search for DLLs in the program
executable directory, then the document directory, then the system32
directory. If the application is already running, no DLLs are loaded
when a document is opened. You could also place a copy of all the
affected DLLs in the application binary directory. The problem with that
is making sure that all affected DLLs are present, which is very
difficult.
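To make the search order concrete, here is an added example (it is not code from the digest, from Microsoft, or from any vendor named above): a small Python scanner that flags DLLs sitting beside documents, treating a copy in the application's own directory as taking precedence, as the order above implies. The directory layout, file names and contents are constructed in a temporary directory; the hidden-attribute check is only meaningful on Windows.

```python
import os
import stat
import tempfile
from pathlib import Path


def resolve_dll(name, program_dir, document_dir, system_dir):
    """Walk the search order the digest describes (program directory,
    then the document's directory, then system32) and return
    (path, source) for the first copy of `name`, or (None, None)."""
    for source, directory in (("program", program_dir),
                              ("document", document_dir),
                              ("system", system_dir)):
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate, source
    return None, None


def is_hidden(path):
    """True if the file carries the DOS hidden attribute (Windows) or a
    leading dot (elsewhere).  Planted DLLs are often hidden, so the scan
    must not rely on what Explorer shows by default."""
    try:
        attrs = os.stat(path).st_file_attributes  # Windows only
    except AttributeError:
        return Path(path).name.startswith(".")
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_shadowing_dlls(document_dir, program_dir, system_dir):
    """Report every DLL in `document_dir` that the search order would load
    instead of the application's own copy.  A copy in `program_dir`
    (the digest's "place a copy in the application binary directory"
    workaround) takes precedence and suppresses the finding."""
    findings = []
    for entry in os.scandir(document_dir):
        if not entry.is_file() or not entry.name.lower().endswith(".dll"):
            continue
        _, source = resolve_dll(entry.name, program_dir, document_dir, system_dir)
        if source != "document":
            continue
        findings.append({
            "name": entry.name,
            "hidden": is_hidden(entry.path),
            # True when a same-named library exists in system32, i.e. the
            # planted file would be loaded in place of a real system DLL.
            "shadows_system_dll": (Path(system_dir) / entry.name).is_file(),
        })
    return sorted(findings, key=lambda f: f["name"].lower())


def demo():
    """Constructed layout: a share holding a PDF, a planted cscui.dll (the
    library the digest names), an unknown helper.dll, and a shared.dll that
    the application also keeps in its own directory.  Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        program, docs, system = root / "Acrobat", root / "share", root / "system32"
        for d in (program, docs, system):
            d.mkdir()
        (system / "cscui.dll").write_bytes(b"constructed system copy")
        (program / "shared.dll").write_bytes(b"constructed app copy")
        (docs / "report.pdf").write_bytes(b"%PDF-1.4 constructed")
        (docs / "cscui.dll").write_bytes(b"constructed planted copy")
        (docs / "helper.dll").write_bytes(b"constructed unknown copy")
        (docs / "shared.dll").write_bytes(b"constructed planted copy")
        return find_shadowing_dlls(docs, program, system)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real share, the same function takes the share path, the application's install directory and the system32 directory; only the `demo()` layout is made up.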

This can also be exploited using e-mail. Certain e-mail programs,
notably Eudora, put all attachments into a known directory as soon as
they are received. Attachments are then opened from that directory.
That means that an attacker can exploit this by sending a DLL and then,
a few minutes later, sending a document. When the user opens the
document in the e-mail, the DLL fires. This does not work in Outlook,
because Outlook does not store attachments in the file system until
they are opened. It is very important that Eudora is set to filter DLLs
as attachments. Russ Cooper posted a very good summary of security
measures to take to mitigate this problem. It is available at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0009&L=ntbugtraq&F=&S=&P=3447

The next version of Eudora, 5.01, will have a different default working
directory, pointed to the system directory, to avoid this kind of
exploit.

2.3.3. Microsoft releases security tool for IIS 5.0

Microsoft has released a tool to help administrators of IIS 5.0 machines
stay up to date on hotfixes. The tool, dubbed HFCheck, is a Windows
Scripting Host script that checks the hotfix state of the machine
against a list of hotfixes at Microsoft's web site. If a hotfix has not
been installed, the information will be reported on stdout as well as
in the application event log of the machine. The source of the events
in the event log is WSH. The messages also include the link to the
security bulletin in question.

Currently the tool is designed to run on servers only. However, in our
testing, changing one line in a function called IsServer() allows it to
run on Windows 2000 Professional machines as well. Change this line in
HFCheck.wsf:

if (e.item().Caption.search(/Server/i) >= 0)

To:
if ( (e.item().Caption.search(/Server/i) >= 0) ||
(e.item().Caption.search(/Professional/i) >= 0) )

Of course, we have not thoroughly tested this change, and specifically
disclaim any liability if it does not work in your environment. However,
it did work for us.

The tool is available at:
http://www.microsoft.com/technet/security/tools.asp.

2.3.4. Alternate Data Streams can hide viruses

A flash warning from the SANS institute this month warned users about
the ability for viruses to hide code in Alternate Data Streams (ADS).
At about the same time, Kaspersky Labs issued a warning to the same
effect. An ADS is simply a sub-filesystem on NT platforms that allows
a file to hold several streams of data. They are primarily used by the
Service For Macintosh to store resource fork data, and by some picture
formats, such as JPEG and GIF.

The warnings essentially state that viruses can hide their payloads in
the ADS. However, viruses cannot execute from there. Therefore, some
payload in the main data stream would have to execute the code in the
ADS.

A virus scanner will detect viruses in the ADS just like viruses in the
main data stream, as long as the signature is known to it. Therefore,
the additional risk from this is minimal. The main concern is if an
attacker manages to somehow add the virus code to an ADS attached to
crucial system executables. If the virus scanner is configured to delete
the infected files, it would delete these executables when the virus
definition file is updated to find this virus code. Of course, a virus
scanner should probably never be configured to delete any infected file.
Either attempt to clean them, or move them to a quarantine directory.

It would appear that on properly configured systems, this vulnerability
is minimal. If a proper ACL is applied to the system binaries, the
attempt to write to them would be foiled. In addition, the virus scanner
should probably never attempt to delete infected files.

It may still be prudent to scan systems for ADS using one of the many
scanners out there. They include:
* Crucial Security's CrucialADS:
http://www.crucialsecurity.com/downloads.html
* J.D. Glaser's SFind:
http://www.ntobjectives.com/forensic.htm
* Pedestal Software's Security Expressions
http://www.pedestalsoftware.com

Both SecurityExpressions (http://www.pedestalsoftware.com) and Tripwire
for NT (http://www.tripwire.com) will detect modifications to ADS.

2.3.5. Erasing individual event log entries possible

Arne Vidström published a tool this month to demonstrate the ability to
erase individual event log entries. This tool, available at
http://ntsecurity.nu/toolbox/winzapper/, does not in and of itself
demonstrate any new vulnerabilities in the operating system. However,
what it does demonstrate is that once an attacker has obtained
Administrator level privileges, the event log is not reliable any
longer. Any administrator has been able to add events to the event log
using the logevent.exe utility in the resource kit. Now it has been
shown that they can also selectively delete entries from the event log.
This should be kept in mind when using the event log to investigate a
break-in.

2.3.6. Denial of Service Attack in Exchange Server 5.5

Christer Enberg and 3APA3A appear to have discovered a denial of service
vulnerability in Exchange Server 5.5. If the Internet Mail Connector
receives a message that contains multiple MIME parts but a null boundary
value, the information store crashes. Currently no workaround for this
issue is known. The only way to restart Exchange appears to be to stop
all Exchange services, remove the contents of the IMCDATA directory,
and restart Exchange.
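As an added example that is not part of the digest or of Exchange, here is a header-level check a mail filter in front of the Internet Mail Connector could apply: it rejects multipart messages whose boundary parameter is missing, null, or outside the RFC 2046 syntax (1 to 70 characters from a fixed alphabet, not ending in a space). The sample messages are constructed, not captured traffic.

```python
import re
from email.parser import BytesParser

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
# DIGIT / ALPHA / "'()+_,-./:=?" / space, and must not end with a space.
_BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")


def boundary_problem(raw_message):
    """Return a reason string if the top-level Content-Type is multipart
    but its boundary parameter is missing, null or malformed; None
    otherwise.  Only the headers are parsed, so a hostile body is never
    walked by the multipart parser."""
    msg = BytesParser().parsebytes(raw_message, headersonly=True)
    if msg.get_content_maintype() != "multipart":
        return None
    boundary = msg.get_param("boundary")
    if boundary is None:
        return "multipart without boundary parameter"
    if boundary == "":
        return "multipart with null boundary"
    if not _BOUNDARY_RE.fullmatch(boundary):
        return "boundary violates RFC 2046 syntax or length"
    return None


# Constructed sample messages (not captured traffic).
GOOD = (b"From: a@example.invalid\r\nTo: b@example.invalid\r\n"
        b"Content-Type: multipart/mixed; boundary=\"part_1\"\r\n\r\n"
        b"--part_1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--part_1--\r\n")
NULL_BOUNDARY = (b"From: a@example.invalid\r\n"
                 b"Content-Type: multipart/mixed; boundary=\"\"\r\n\r\n"
                 b"--\r\nContent-Type: text/plain\r\n\r\nx\r\n----\r\n")
MISSING_BOUNDARY = (b"From: a@example.invalid\r\n"
                    b"Content-Type: multipart/mixed\r\n\r\nbody\r\n")
TRAILING_SPACE = b"Content-Type: multipart/mixed; boundary=\"abc \"\r\n\r\n"
PLAIN = b"Content-Type: text/plain\r\n\r\nhello\r\n"


def triage(messages):
    """Run the check over a batch and return {label: reason-or-None}."""
    return {label: boundary_problem(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    batch = {"good": GOOD, "null": NULL_BOUNDARY, "missing": MISSING_BOUNDARY,
             "trailing_space": TRAILING_SPACE, "plain": PLAIN}
    for label, reason in triage(batch).items():
        print(f"{label:15} {reason or 'accepted'}")
```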

2.3.7. New Outlook Security Update for Outlook 98

Microsoft has released a new version of the Outlook Security Update for
Outlook 98. You may recall the Outlook Security Update that was released
in June (see the June SANS Windows Security Digest for details:
http://www.sans.org/newlook/digests/ntarchives/063000.htm#2.3.1). The
Outlook 98 version did not remove Collaboration Data Objects (CDO)
functionality. Therefore, Microsoft has released a new version of the
update that does remove CDO. The new update is available at:
http://officeupdate.microsoft.com/downloadDetails/Cdoup98.htm

3. Third Party Software Issues
3.1. Buffer overflows discovered this month

Buffer overflows can generally be used to execute arbitrary code on the
victim host. Many buffer overflows are discovered each month. We report
the ones we know about here. In addition, we have tried to give you a
little more information in a concise format. To that end, certain items
are marked with an (F) and/or (E). (E) means that an exploit for this
issue is publicly available. (F) means that a fix is available
currently. We have also, in some cases, included a URL after the item.
That URL points to either a fix, if one is available, or to the vendor's
web-site, if we know it.

* (EF) Mobius DocumentDirect for the Internet 1.2
(http://www.mobius.com)
* (EF) HP Openview Node Manager v6.1 (patch at
http://ovweb.external.hp.com/cpe/patches/)
* (F) IBM Net.Data (patch at
ftp://ftp.software.ibm.com/software/net.data/fixes)
* (E) WinSMTP v. 1.06f and 2.X (http://www.wildbear.on.ca)
* (F) Mdaemon 3.1.1 (patch at
ftp://ftp.altn.com/MDaemon/Release/md312.exe)


3.2. Other Remote Denial of Service (DOS) Attacks discovered this month

Buffer overflows can also be used to perpetrate DOS attacks. But there
are many other ways to launch a DOS attack. In this section, we report
new DOS attacks that we know about. Some are discussed in more detail
below. An (F) means that there is a vendor-supplied fix available.

* EFTP (http://www.eftp.org)
* LocalWeb HTTP Server (http://www.west-street.co.uk)
* NetMailshar (http://www.pppindia.com)
* WebClerk (http://www.webclerk.com)
* Faststream FTP++ 2.0 (http://www.fastream.com/)
* FUR HTTP Server v1.0b (http://www.fastream.com/)
* (F) EServ 2.92 Build 2982 (http://www.eserv.ru/, fixed in 2.93 beta:
ftp://ftp.eserv.ru/pub/Eserv293pr.exe)
* (F) BrowseGate(Home) v2.80(H) (Fixed in version 2.80.001:
http://www.netcplus.com)
* WinCOM LPD V1.00.90 (http://www.ipswitch.com)
* (F) Content Technologies MailSweeper for SMTP (fixed in version 4.1_5
http://www.contenttechnologies.com/)
* Netscape Navigator

3.3. YABB 9.1.2000 can be used to gain unauthorized access to files

YABB is a bulletin board program available at http://www.yabb.org. In
an advisory by Pestilence, it was revealed that YABB can be fooled into
returning arbitrary files on the host to an attacker. In addition, most
of the scripts used by YABB (the system is written in Perl) do not do
any security checks. A new version of YABB that protects against these
problems is forthcoming.

3.4. Extent RBS directory traversal vulnerability

Extent RBS is an Operations Support System for Internet Service
Providers that includes RADIUS, user account management, and other
features. However, according to someone calling him/herself "Obscure,"
the system includes a web signup feature that apparently does not check
for directory traversal attacks. Consequently, an attacker can connect
to the signup system and use a ..\ attack to retrieve any known file on
the system. Extent has stated that they will produce a patch. The Extent
web site is http://www.extent.com.

3.5. Multiple vulnerabilities in Cisco CiscoSecure ACS for Windows NT
Server

Cisco announced three vulnerabilities in their CiscoSecure Access
Control Server for Windows NT Server.

* There is a Denial of Service attack possible in the CSAdmin module.
An attacker can send an oversized URL to the module, causing it to
crash.
* By sending an oversized TACACS+ packet to CiscoSecure ACS the entire
system can be forced into an unstable state
* Attackers can gain unauthorized privileges on a router or switch when
the module is used with an LDAP server that allows null passwords. In
that case, an interaction with CiscoSecure ACS and the LDAP server can
cause the attacker to bypass the authorization process.

All of these problems are fixed in version 2.4(3). All customers should
upgrade to that version. For customers with contracts, the upgrade is
downloadable from http://www.cisco.com. Customers without a contract
are advised to call the Technical Assistance Center. Phone numbers are
available in the bulletin, which can be found at:
http://www.cisco.com/warp/public/707/csecureacsnt-pub.shtml

3.6. Multiple vulnerabilities in Talentsoft Web+ Server Version 4.6

An advisory by Delphis Consulting announced several vulnerabilities in
Talentsoft's Web+ Server Version 4.6.
* Local path discovery - by passing a single . to the Web+ script, the
script will return an error message with the local path in it.
* IP address discovery - by calling the about option of the Web+ script,
the script will return the server's IP address. This is useful to
discover the true IP address of a server behind a NAT router.
* ::$DATA source leakage - Web+ is apparently susceptible to the old
::$DATA alternate data stream leakage. By requesting the ::$DATA stream,
the source of Web+ WML files is returned to the attacker.

Build 542 of Web+ fixes the third problem. That build is available from
http://www.talentsoft.com. We are not aware of whether that build fixes
the other two problems.

3.7. WQuinn QuotaAdvisor 4.1 fails to enforce quotas on alternate data
     streams

An advisory from Delphis Consulting, Plc. detailed a problem with
QuotaAdvisor from WQuinn (http://www.wquinn.com). The program apparently
fails to recognize data stored by a user in an alternate data stream.
This data does not count against the user's quota. The vendor is aware
of the problem, and states that it was a design decision to not support
alternate data streams. In future versions of the product, they should
be supported.

4. Tip of the month: Considering allowing file uploads and downloads on
your web server? Read this Allaire article first.

If you are allowing, or considering allowing, users to upload files to
your web servers, you should probably read this document from Allaire:
http://www.allaire.com/handlers/index.cfm?ID=17407&Method=Full
While the document deals specifically with Allaire's products, it gives
some general guidelines on the security implications of allowing uploads
of documents to your servers.

=======================================================================

The SANS Windows Security Digest is available at no cost to all system,
network, and security professionals who work with Windows. To subscribe,
email digest@sans.org with the subject Windows Security Digest. Back
issues are available at http://www.sans.org/newlook/digests/ntdigest.htm



------- End of Forwarded Message





