SAFER - Security Alert For Enterprise Resources
Volume 3, Issue 6, June 2000
A monthly publication of The Relay Group. Copyright © 2000. All rights reserved.
For further information or comments please contact security@relaygroup.com
The Relay Group produces this newsletter to aid and assist security-concerned executives and IT professionals. The Relay Group's comments are opinions only.
CONTENTS
CONTENTS 2
EXECUTIVE NEWS 5
GENERAL NEWS 5
EUROPE - MIDDLE-EAST
MICROSOFT IIS SHTML.EXE PATH DISCLOSURE VULNERABILITY 22
NETWIN DNEWS NEWS SERVER BUFFER OVERFLOW VULNERABILITY 22
GOSSAMER THREADS DBMAN INFORMATION LEAKAGE VULNERABILITY 23
ALADDIN KNOWLEDGE SYSTEMS ETOKEN PIN EXTRACTION VULNERABILITY
HP SECURITY ADVISORY #00104 REVISED: SEC. VULNERABILITY REGARDING AUTOMOUNTD (REV. 01) 41
DENIAL-OF-SERVICE 42
CERBERUS INFORMATION SECURITY ADVISORY (CISADV000527): WINDOWS NT BROWSER SERVICE DOS 42
DEERFIELD MDAEMON MAIL SERVER DOS VULNERABILITY 42
HP WEB JETADMIN 6.0 PRINTING DOS VULNERABILITY

EXECUTIVE NEWS
What follows is the author's selection of rumors and noises of concern to the security community. We welcome your comments and opinions.

General News
- A computer virus dubbed the "Love Bug" caused havoc with computer systems worldwide, shutting down email servers at major companies and penetrating the Pentagon and Britain's parliament.
- The European ministers of Foreign Affairs are expected to decide to lift all barriers to the export of encryption software to countries outside the European Union. Until now, companies wanting to export encryption products had to ask for permission. The authorities first investigated whether the buyer was 'secure'. Intelligence services also investigated the products, which made it possible to copy the keys or to demand a weakening of the encryption standard as a condition for approval.

SECURITY ALERTS
We try to inform you of vulnerabilities as soon as they become a threat to your resources, not when the vendors decide to report them.

Initialized Data Overflow in Xlock
Released: May 29, 2000
Affects: All systems running xlock
Reference: http://www.nai.com/covert
Problem
- An implementation vulnerability in xlock allows global variables in the initialized data section of memory to be overwritten.

Security Vulnerability in IPFilter 3.3.15 and 3.4.3
Released: May 26, 2000
Affects: IPFilter 3.3.15 and 3.4.3
Reference: http://www.prettyhatemachine.obfuscation.org/
Problem
- A weakness exists in the IPFilter firewalling package in all versions up to and including 3.3.15 and 3.4.3 that allows an attacker to penetrate the firewall when a common, yet admittedly flawed, configuration is used.
SAFER
- A patch has been made available for all versions of IPFilter.

Omnis Studio 2.4 Weak Database Field Encryption Vulnerability
Released: May 25, 2000
Affects: Omnis Studio 2.4
Reference: http://www.securityfocus.com/bid/1255
Problem
- The encryption scheme used in Omnis Studio is weak and easily broken with any scientific calculator, or even with pen and paper, if the attacker has a good knowledge of hex and ASCII.
- Each unencrypted byte is simply replaced with a value that depends on that byte's original value and on the remainder of its position in the string divided by 4.

MDBMS Buffer Overflow Vulnerability
Released: May 24, 2000
Affects: MDBMS .9xbx
Reference: http://www.securityfocus.com/bid/1252
Problem
- By supplying a line of sufficient length to the MDBMS server, containing machine-executable code, it is possible for a remote attacker to execute arbitrary commands as the user the database is running as.
- It is believed that all versions of MDBMS are susceptible, up to and including .99b6, which is the latest release.
SAFER
- An unofficial patch is available.

MailSite 4.2.1.

PGP5i Automatic Key Generation Routine Vulnerability
Released: May 24, 2000
Affects: PGPi 5.0i
Reference: http://www.securityfocus.com/bid/1251
Problem
- A vulnerability exists in the way PGP5i generates random keying material when it is used without user input. When a keypair is generated with 'pgpk -g', pgp generates the key automatically without any user intervention.

Cobalt RaQ2/RaQ3 Web Server Appliance cgiwrap Bypass Vulnerability
Released: May 23, 2000
Affects: Cobalt RaQ 3.0, 2.0
Reference: http://www.securityfocus.com/bid/1238
Problem
- There is a security problem with FrontPage extensions on the Cobalt RaQ2 and RaQ3 web hosting appliances. It allows any user on the system to change, delete, or overwrite a FrontPage site.
- When a site is uploaded with FrontPage to a RaQ2/3, all of the files are owned by user "httpd" instead of a site-specific user.

MetaProducts Offline Explorer Directory Traversal Vulnerability
Released: May 19, 2000
Affects: MetaProducts Offline Explorer 1.2x, 1.1x, 1.0x
Reference: http://www.securityfocus.com/bid/1231
Problem
- By default Offline Explorer listens on port 800, on which a remote user can gain read access to the host's web cache and, from there, traverse directories.
- Performing a GET request containing "../..\" will allow the remote user to browse the cache and the directory structure above it.
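The traversal above works because the server joins the requested path onto its cache directory without checking whether ".." components (with either separator) climb back out of it. The routine below is an added example, not code from the newsletter or from MetaProducts: it normalizes a request path against a cache root, treating '/' and '\' alike, and rejects any request that would leave the root. It assumes the request has already been percent-decoded; the function names, the component limit and the sample requests are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Maximum number of path components kept on the stack (constructed limit). */
#define MAX_COMPONENTS 64

/*
 * Normalize a request path relative to a cache root. Both '/' and '\\' count
 * as separators (the traversal above mixed them), "." components are dropped
 * and ".." pops the previous component. Writes the clean path (forward
 * slashes, no leading separator) into out. Returns 1 if the request stays
 * inside the root, 0 if a ".." would climb above it or the result does not
 * fit in out. Assumption: the caller has already percent-decoded the URL,
 * otherwise an encoded "%2e%2e" would pass this check unseen.
 */
int normalize_request_path(const char *req, char *out, size_t cap)
{
    size_t cut[MAX_COMPONENTS];   /* out length to restore when a component is popped */
    int depth = 0;
    size_t outlen = 0;
    const char *p = req;

    if (cap == 0) return 0;
    out[0] = '\0';
    while (*p) {
        while (*p == '/' || *p == '\\') p++;          /* skip separators */
        if (!*p) break;
        const char *s = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - s);

        if (len == 1 && s[0] == '.') continue;         /* "." changes nothing */
        if (len == 2 && s[0] == '.' && s[1] == '.') {
            if (depth == 0) return 0;                   /* would escape the root */
            depth--;
            outlen = cut[depth];
            out[outlen] = '\0';
            continue;
        }
        if (depth >= MAX_COMPONENTS) return 0;
        if (outlen + (outlen ? 1 : 0) + len + 1 > cap) return 0;
        cut[depth++] = outlen;
        if (outlen) out[outlen++] = '/';
        memcpy(out + outlen, s, len);
        outlen += len;
        out[outlen] = '\0';
    }
    return 1;
}

/* Returns 1 if req is accepted and normalizes exactly to expected. */
int normalizes_to(const char *req, const char *expected)
{
    char buf[256];
    return normalize_request_path(req, buf, sizeof buf) == 1 && strcmp(buf, expected) == 0;
}

/* Returns 1 if req is rejected because it would leave the root. */
int escapes_root(const char *req)
{
    char buf[256];
    return normalize_request_path(req, buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed sample requests; the second mixes separators as in the advisory. */
    const char *samples[] = { "/cache/site/index.html", "/cache/../..\\outside.txt", "a/./b/../c" };
    char clean[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = normalize_request_path(samples[i], clean, sizeof clean);
        printf("%-28s -> %s %s\n", samples[i], ok ? "serve" : "reject", ok ? clean : "");
    }
    return 0;
}
```

The check is done on components rather than by searching the raw string for "../", so sequences such as "..\" or "./../" are handled uniformly; the normalized result is what should be joined onto the cache root, never the original request.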

Lotus Domino Server ESMTP Buffer Overflow Vulnerability
Released: May 18, 2000
Affects: Lotus Domino Enterprise Server and Mail Server 5.0.3, 5.0.2, 5.0.1
Reference: http://www.securityfocus.com/bid/1229
Problem
- The code that handles the 'from' command in the ESMTP service of Lotus Domino Server 5.0.1 has an unchecked buffer.
- If Lotus Domino Server receives an argument of more than 4 KB to the 'from' command, the system will crash and will require a reboot in order to regain normal functionality.

KDE kscd SHELL Environment Variable Vulnerability
Released: May 16, 2000
Affects: KDE 2.0 BETA, 1.2, 1.1.1, 1.1
Reference: http://www.securityfocus.com/bid/1206
Problem
- Some Linux distributions (S.u.S.E. 6.4 reported) ship with kscd (a CD player for the KDE desktop) sgid disk. kscd uses the contents of the 'SHELL' environment variable to execute a browser. This makes it possible to obtain an sgid 'disk' shell.

Multiple Vendor Kerberos 5/4 Compatibility krb_rd_req() Buffer Overflow Vulnerability
Released: May 16, 2000
Affects: MIT Kerberos
Reference: http://www.securityfocus.com/bid/1220
Problem
- Several buffer overflow vulnerabilities exist in Kerberos 5 implementations due to buffer overflows in the Kerberos 4 compatibility code. These include MIT Kerberos 5 releases 1.0.x, 1.1 and 1.1.1, MIT Kerberos 4 patch level 10 (and, most likely, prior releases), and Cygnus KerbNet and Network Security (CNS).

Seattle Lab Emurl 2.0 Email Account Access Vulnerability
Released: May 15, 2000
Affects: Seattle Lab Software Emurl 2.0
Reference: http://www.securityfocus.com/bid/1203
Problem
- The Emurl software creates a unique identifier for each user, based on their account name. This identifier is encoded using the ASCII value of each character in the account name, augmented by its position.

Solaris netpr Buffer Overflow Vulnerability
Released: May 12, 2000
Affects: Sun Solaris 2.6, 7.0, 8.0
Reference: http://www.securityfocus.com/bid/1200
Problem
- A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7, on both SPARC and x86, have been confirmed as vulnerable.
- The overflow is present in the -p option, normally used to specify a printer.

NTMail Server 5.x Proxy Access Vulnerability
Released: May 12, 2000
Affects: NTMailserver.com NTMail 5.0
Reference: http://www.securityfocus.com/bid/1196
Problem
- NTMail server can be configured as a proxy server as well as a web configuration server. By default each function is assigned a port: the configuration function uses port 8000 and the proxy function uses port 8080.

Microsoft Windows 2000 Default SYSKEY Configuration Vulnerability
Released: May 11, 2000
Affects: Microsoft Windows NT 2000
Reference: http://www.securityfocus.com/bid/1198
Problem
- The default configuration of SYSKEY allows any local user to decrypt data encrypted with the Encrypting File System (EFS).
- A known vulnerability exists in Windows 2000 where the SAM database can be deleted if the system is booted with a different operating system.

Matt Wright FormMail Environmental Variables Disclosure Vulnerability
Released: May 10, 2000
Affects: Matt Wright FormMail 1.6
Reference: http://www.securityfocus.com/bid/1187
Problem
- An unauthorized remote user can obtain CGI environment variable information from a web server running Matt Wright FormMail by requesting a specially formed URL that specifies the email address to which the details are sent.

NetStructure 7110 Undocumented Password Vulnerability
Released: May 08, 2000
Affects: Intel Corporation NetStructure 7110.0
Reference: http://www.securityfocus.com/bid/1182
Problem
- This Internet equipment is designed for businesses with multiple web site locations, routing traffic to the best available site from a single URL. Certain revisions of this package have an undocumented supervisor password.

Gossamer Threads DBMan Information Leakage Vulnerability
Released: May 05, 2000
Affects: DBMan 2.0.4
Reference: http://www.securityfocus.com/bid/1178
Problem
- Requesting an invalid database file from a web server implementing Gossamer Threads DBMan scripts will return a CGI error message containing environment variables to a remote user without any authorization.
- The parameters displayed include the local document root path, server administrator account name, web server software, platform, etc.

Multiple Linux Vendor pam_console Vulnerability
Released: May 03, 2000
Affects: RedHat Linux 6.0 up to 6.2
Reference: http://www.securityfocus.com/bid/1176
Problem
- pam_console exists to give ownership of certain devices to users logging in at the console of a Linux machine. It is designed to allow only console users to use things such as sound devices. It will chown devices to the user upon login, and chown them back to root upon logout.

L-Soft Listserv 1.8 Web Archives Buffer Overflow Vulnerability
Released: May 03, 2000
Affects: L-Soft Listserv 1.8
Reference: http://www.securityfocus.com/bid/1167
Problem
- The Web Archive component of L-Soft Listserv contains unchecked buffer code exploitable by sending specially crafted requests to the Web Archive.
- This weakness will allow execution of arbitrary code by remote attackers.
SAFER
- L-Soft has created an update to ListServ to address this issue.

FileMaker Pro 5.0 Web Companion Software Multiple Vulnerabilities
Released: May 02, 2000
Affects: FileMaker FileMaker Pro 5.0
Reference: http://www.securityfocus.com/bid/1159
Problem
- Web Companion Software is part of the FileMaker Pro 5.0 database package. Included in that package is the XML publishing capability, which does not make use of FileMaker Pro's web security features.

SECURITY ADVISORIES
This section contains official advisories as released by various vendors or security organizations. This list addresses the problems found during May 2000.

Red Hat Security Advisory 2000:005-05: New majordomo packages available
Released: May 31, 2000
Affects: Red Hat Powertools 6.1
Reference: http://www.redhat.com/
Problem
- A vulnerability in /usr/lib/majordomo/resend and /usr/lib/majordomo/wrapper will allow execution of arbitrary commands with elevated privileges.

Microsoft Security Bulletin (MS00-035)
Released: May 30, 2000
Affects: Microsoft SQL Server 7.0 Service Packs 1 and 2
Reference: http://www.microsoft.com/technet/security/bulletin/fq00-035.asp
Problem
- When SQL Server 7.0 Service Pack 1 or 2 is installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the file \%TEMP%\sqlsp.log.

SuSE Security Announcement: mufti
Released: May 29, 2000
Affects: SuSE Linux 6.1-6.4
Reference: http://www.suse.com/
Problem
- The KDE CD player kscd is setgid disk to be able to access the device file of the CD-ROM. To perform some actions kscd calls the Unix command shell specified in the environment variable SHELL, with the privileges of group disk.
- An adversary could set SHELL to his own program to get local root access to the system by writing directly to the raw HDD device.
SAFER
- Update the package.

NetBSD Security Advisory 2000-003: Exploitable Vulnerability in Xlockmore
Released: May 27, 2000
Affects: NetBSD pkgsrc prior to 11th May 2000
Reference: http://www.netbsd.org/
Problem
- The xlock program locks an X server until a valid password is entered. The command-line option 'mode' provides a user with a mechanism to change the default display shown while the X server is locked. Xlock is installed with privileges to obtain password information, although these are dropped as early as possible.

TurboLinux Security Announcement TLSA2000011-1: gpm-1.19.1 and earlier
Released: May 26, 2000
Affects: TurboLinux 6.0.4 and earlier
Reference: http://www.turbolinux.com/
Problem
- The gpm-root program, included in the gpm package, contains a programming error whereby a call to setgid() fails, and the process defaults to the group of the gpm-root binary. The group of the gpm-root binary in the affected installations is root.
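The gpm-root item above and the kscd items earlier in this issue share a root cause: a setgid program that assumes it has shed its privileged group without confirming it. The routine below is an added example, not code from the gpm project or from any vendor advisory. It drops privileges with the return value of every call checked and then verifies the resulting ids, so a failed setgid() becomes a hard error instead of a silent continuation in group root. The function names are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/*
 * Drop privileges permanently to uid/gid, checking every step and then
 * verifying the outcome. Returns 0 on success and -1 on failure (errno is
 * left as set by the call that failed). The point is the checks: a setgid()
 * whose return value is ignored leaves the process in the group it started
 * with, which is exactly the gpm-root defect described above.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still privileged. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group first: once the uid is no longer 0, setgid() is restricted. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The calls returned 0, but confirm the ids really changed. */
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* Returns 1 if dropping to the caller's own real ids succeeds; this is legal
 * for any process, so it exercises the routine without needing root. */
int drop_to_self_ok(void)
{
    return drop_privileges(getuid(), getgid()) == 0;
}

int main(void)
{
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The order (supplementary groups, then gid, then uid) matters: after setuid() to an unprivileged user the process can no longer change its group, so a program that sets the uid first and the gid second will keep its privileged group no matter how carefully it checks the second call. A program that then goes on to run a user-supplied shell, as kscd did, must perform this drop before the exec.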

Microsoft Security Bulletin (MS00-036)
Released: May 25, 2000
Affects: Microsoft Windows NT 4.0, 2000
Reference: http://www.microsoft.com/technet/security/bulletin/fq00-036.asp
Problem
- Windows NT 4.0 and Windows 2000 implement the CIFS Computer Browser protocol. Two vulnerabilities exist because administrators cannot limit whether Master Browsers respond to certain frames.
- The ResetBrowser Frame vulnerability, which affects both Windows NT 4.0 and Windows 2000.

SGI Security Advisory 20000501-01-P: Vulnerability in infosrch.cgi
Released: May 22, 2000
Affects: IRIX 6.5-6.5.7
Reference: http://www.sgi.com/
Problem
- The Infosearch(1) subsystem is used to search and browse virtually all SGI on-line documentation. infosrch.cgi(1) is a program that allows access to infosearch(1) through a default-installed HTTP web server on port 80.
- Unfortunately, a vulnerability has been discovered in infosrch.

Red Hat Security Advisory 2000:028-02: Netscape 4.73 available
Released: May 19, 2000
Affects: Netscape Communicator 4.05 up to 4.72
Reference: http://www.redhat.com/
Problem
- A vulnerability exists in the manner in which versions of Netscape Communicator up to, but not including, 4.73 validate SSL certificates. This vulnerability could make it possible for the integrity of an SSL connection to be compromised.
SAFER
- Upgrading to Netscape Communicator 4.73 will solve this problem.

Microsoft Security Bulletin (MS00-033)
Released: May 17, 2000
Affects: Microsoft Internet Explorer 4.0, 4.01, 5.0, 5.01
Reference: http://www.microsoft.com/technet/security/bulletin/fq00-033.asp
Problem
- The bulletin covers three security vulnerabilities that are unrelated to each other except that they all occur in the same .dll.
- "Frame Domain Verification" vulnerability.

CERT Advisory CA-2000-06: Multiple Buffer Overflows in Kerberos Authenticated Services
Released: May 17, 2000
Affects: Systems running Kerberos 4/5
Reference: http://www.cert.org/
Problem
- Serious buffer overrun vulnerabilities exist in many implementations of Kerberos 4, including the implementations included for backwards compatibility in Kerberos 5. Other, less serious buffer overrun vulnerabilities have also been discovered.

Microsoft Security Bulletin (MS00-034)
Released: May 12, 2000
Affects: Microsoft Office 2000
Reference: http://www.microsoft.com/technet/security/bulletin/fq00-034.asp
Problem
- An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted.

Microsoft Security Bulletin (MS00-031)
Released: May 10, 2000
Affects: Microsoft IIS 4.0 and 5.0
Reference: http://www.microsoft.com/technet/security/bulletin/fq00-031.asp
Problem
- The bulletin covers two security vulnerabilities that are unrelated except that both exist in the ISAPI extension that provides web-based password administration via .HTR scripts.
- The "Undelimited .HTR Request" vulnerability is a denial of service vulnerability.

NetBSD Security Advisory 2000-002: IP options processing Denial of Service
Released: May 07, 2000
Affects: NetBSD 1.4 up to 1.4.2, Alpha and SPARC
Reference: http://www.netbsd.org/
Problem
- A vulnerability exists in the 1.4.x NetBSD kernel that may allow remote attackers to cause a kernel panic on certain architectures.

NAI Security Advisory-May042000: Trend Micro InterScan VirusWall Remote Overflow
Released: May 04, 2000
Affects: Trend Micro InterScan VirusWall 3.0.1 up to 3.32
Reference: http://www.nai.com/covert/
Problem
- InterScan VirusWall includes the ability to scan for viruses in uuencoded files. Due to an unchecked buffer in the code, if a uuencoded file is sent that includes an embedded final filename of more than 128 characters, arbitrary remote code can be executed at the privilege level of the VirusWall software.
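This uuencode filename overflow and the Lotus Domino 'from' argument overflow earlier in this issue have the same shape: a field whose length the sender controls is copied into a fixed buffer before anyone measures it. The parser below is an added example, not code from Trend Micro, Lotus or the newsletter. It reads a uuencode "begin" line, measures the filename first, and refuses the line outright if the name would not fit its 128-byte buffer; the 128-byte limit mirrors the advisory, while the helper names and sample lines are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Size of the filename field the caller stores; the advisory above names a
 * 128-character limit, which this constructed example mirrors. */
#define UU_NAME_MAX 128

enum { UU_OK = 0, UU_BAD_SYNTAX = -1, UU_NAME_TOO_LONG = -2 };

/*
 * Parse a uuencode header line "begin <mode> <filename>" into mode and a
 * bounded name buffer. The filename is measured before anything is copied;
 * if it does not fit (including the terminating NUL) the line is rejected
 * rather than truncated, so a long name can neither overflow the buffer nor
 * silently turn into a different name.
 */
int parse_uu_begin(const char *line, unsigned *mode, char *name, size_t name_cap)
{
    const char *p = line;
    char *end;
    unsigned long m;
    size_t len;

    if (name_cap == 0) return UU_BAD_SYNTAX;
    name[0] = '\0';
    if (strncmp(p, "begin ", 6) != 0) return UU_BAD_SYNTAX;
    p += 6;
    m = strtoul(p, &end, 8);                 /* octal permission bits */
    if (end == p || *end != ' ' || m > 07777) return UU_BAD_SYNTAX;
    p = end + 1;
    len = strcspn(p, "\r\n");                /* name runs to end of line */
    if (len == 0) return UU_BAD_SYNTAX;
    if (len >= name_cap) return UU_NAME_TOO_LONG;   /* bounded: refuse, never spill */
    memcpy(name, p, len);
    name[len] = '\0';
    *mode = (unsigned)m;
    return UU_OK;
}

/* Demo helper: result code for one constructed header line. */
int parse_result_for(const char *line)
{
    char name[UU_NAME_MAX];
    unsigned mode = 0;
    return parse_uu_begin(line, &mode, name, sizeof name);
}

/* Demo helper: the parsed mode for a line, or 0 if the line is rejected. */
unsigned parsed_mode_for(const char *line)
{
    char name[UU_NAME_MAX];
    unsigned mode = 0;
    return parse_uu_begin(line, &mode, name, sizeof name) == UU_OK ? mode : 0;
}

/* Demo helper: build "begin 644 " followed by name_len 'A's and parse it. */
int parse_result_for_name_length(size_t name_len)
{
    char line[UU_NAME_MAX * 4 + 16];
    size_t prefix = strlen("begin 644 ");
    if (name_len > sizeof line - prefix - 2) return UU_BAD_SYNTAX;
    memcpy(line, "begin 644 ", prefix);
    memset(line + prefix, 'A', name_len);
    line[prefix + name_len] = '\n';
    line[prefix + name_len + 1] = '\0';
    return parse_result_for(line);
}

int main(void)
{
    printf("normal name     -> %d\n", parse_result_for("begin 644 report.txt\n"));
    printf("127-char name   -> %d\n", parse_result_for_name_length(127));
    printf("128-char name   -> %d\n", parse_result_for_name_length(128));
    printf("300-char name   -> %d\n", parse_result_for_name_length(300));
    return 0;
}
```

The same measure-then-copy discipline applies to the SMTP case: the argument to 'from' is compared against the buffer capacity and rejected with an error reply when it exceeds it, rather than being copied and checked afterwards.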

HP Security Advisory #00104 revised: Sec. Vulnerability regarding automountd (rev. 01)
Released: May 02, 2000
Affects: HP-9000 Series 700/800 HP-UX releases 10.20 and 11.00
Reference: http://us-support.external.hp.com/
Problem
- This problem was originally reported in CERT Advisory CA-99-05, regarding the vulnerability in automountd, which allows an intruder to execute arbitrary commands with the privileges of the automountd process.

DENIAL-OF-SERVICE
Denial-of-service attacks are becoming an increasing concern. Below is a compilation of denial-of-service security problems found in May 2000.

Cerberus Information Security Advisory (CISADV000527): Windows NT Browser Service DoS
Released: May 30, 2000
Affects: Microsoft Windows NT 4.0
Reference: http://www.cerberus-infosec.co.uk/advisories.

Nite Server FTPd Multiple DoS Vulnerabilities
Released: May 19, 2000
Affects: Nite Server 1.7, 1.6, 1.5
Reference: http://www.securityfocus.com/bid/1230
Problem
- Multiple denial-of-service vulnerabilities exist in the Nite Server FTP daemon.
- Sending an unusually long string of characters in the USER command will cause the daemon to use all available memory, leaving the server hung.

XFree86 Xserver Denial of Service Vulnerability
Released: May 18, 2000
Affects: XFree86 X11R6 4.0, 3.3.6, 3.3.5
Reference: http://www.securityfocus.com/bid/1235
Problem
- A remote user can send a malformed packet to the TCP listening port, 6000, which will cause the X server to be unresponsive for some period of time. During this time the keyboard will not respond to user input, and in some cases the mouse will also not respond.

Allaire ColdFusion 4.5.1 Cached File Request DoS Vulnerability
Released: May 10, 2000
Affects: Allaire ColdFusion Server 4.5.1
Reference: http://www.securityfocus.com/bid/1192
Problem
- It is possible to remotely halt the operation of Allaire ColdFusion Server by requesting a cached file that is no longer stored in memory and contains a tag.

SECURITY BUGS
Many security problems are too specific to become a full advisory. Below is a list of security problems discovered in various software during the month of May 2000, which we advise you to check against your IT environment.

Remote DoS attack against Intel Express 8100 router
- The Intel Express 8100 ISDN router is vulnerable to remote fragmented ICMP packets and oversized packets. Download libnet and isic-0.05 to test the following exploit.

UNDERGROUND TOOLS
Here are the new tools that hackers/crackers will soon use against your systems. We do not recommend that you use such tools against any resources without prior authorization. We only list new tools published since the last issue of SAFER.

SCANNERS
nmap-2.54BETA1.tar.gz - New, very cool option -sO has been added (scan for protocols).
magdalena.pl - Small utility written in Perl that scans a list of hostnames for a certain CGI.
twwwscan.exe - Windows-based WWW vulnerability scanner.
sara-3.
lo.c - Exploit for AntiSniff DNS Overflow Vulnerability
antisniffexpl2.c - Exploit for AntiSniff DNS Overflow Vulnerability
klogin-bsdi.c - Exploit for Multiple Vendor Kerberos 5/4 Compatibility krb_rd_req() Buffer Overflow Vulnerability
ksux.c - Exploit for Multiple Vendor Kerberos 5/4 Compatibility krb_rd_req() Buffer Overflow Vulnerability
kshux.c - Exploit for Multiple Vendor Kerberos 5/4 Compatibility krb_rd_req() Buffer Overflow Vulnerability
7350kscd.

DENIAL-OF-SERVICE
cproxy_expl.c - Exploit for CProxy 3.3 SP2 Buffer Overflow DoS Vulnerability
RFProwl.c - Exploit for Axent NetProwler Malformed IP Packets DoS Vulnerability
netprowl.casl - Exploit for Axent NetProwler Malformed IP Packets DoS Vulnerability
jolt2.c - Exploit for Microsoft Windows 9x / NT 4.0 / 2000 Fragmented IP Packets DoS Vulnerability
mdbms-exp-linux.c - Exploit for MDBMS Buffer Overflow Vulnerability
arpgen.tar.