News January 2000
Last Update: 2000-02-10


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!



System: Short description and further information:
Allaire Spectra 1.0 Hole in Security Authentication System: ASB00-04
There is a security hole in the Spectra 1.0 Remote Access Service invoke.cfm template. Normally users must be authenticated in the webtop security context in order to even attempt to use the Remote Access Service. If the user passes a parameter called "bAuthenticated" via the URL, a form field, or a WDDX packet, and the user does not specify a username, a bug allows them to use the Remote Access Service even if they are not in the webtop user directory. A patch to fix this problem is available now.
Cobalt Qube and RaQ Vulnerabilities in syslogd, CGIWrapper, Kernel, Majordomo Wrapper, and siteUserMod.cgi: Cobalt113, Cobalt113b, Cobalt113c, Cobalt114, Cobalt131
In syslogd a potential Denial-of-Service hole was found: by opening a lot of local syslog connections a user with shell access could stop the system from responding. Patches are available for Qube 1, Qube 2, RaQ 1, RaQ 2, and RaQ 3. The current version of cgiwrap that runs on RaQ 3 and RaQ 2 runs under incorrect effective permissions, which could let an attacker view or modify data in another virtual site on the same unit. Patches are available for RaQ 2 and RaQ 3. CacheQube, CacheRaQ 1, CacheRaQ 2, NASRaQ, Qube 1, Qube 2, RaQ 1, and RaQ 2 should have an updated MIPS kernel installed. There is a potential security problem with the majordomo wrapper which could allow a local user to gain higher privileges. Patches were published for Qube 2, RaQ 2, and RaQ 3. Finally, for the RaQ models a security hole is fixed now: due to improper permission checking in /.cobalt/siteUserMod/siteUserMod.cgi, unprivileged administrators could change the passwords of any regular user, and on RaQ 1 and RaQ 2 even the password of root. Experimental patches are available for RaQ 1, RaQ 2, and RaQ 3.
SCO UnixWare 7.0 - 7.1.1 Vulnerabilities in scohelp and rtpm: SB-00.02, SB-00.03
A shared object that allows internationalization of the scohelp system contains an exploitable overflowable buffer. Without the patch (letter), systems are vulnerable to network-based intrusions via this security hole. Two security holes were found in rtpm; both of them can lead to local system compromises. It's recommended to install the patch (letter).
Microsoft Index Server 2.0 and Indexing Service in Windows 2000 Vulnerability by Malformed Hit-Highlighting Argument: MS00-006, ERS-2000.022, NTShop, CISADV000126, ESB-2000.019
Two security vulnerabilities were found in Microsoft Index Server. The first is the “Malformed Hit-Highlighting Argument” vulnerability. The ISAPI filter that implements the hit-highlighting (also known as “WebHits”) functionality does not adequately constrain what files can be requested. By providing a deliberately-malformed argument in a request to hit-highlight a document, it is possible to escape the virtual directory. This would allow any file residing on the server itself, and on the same logical drive as the web root directory, to be retrieved regardless of permissions. 
The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query file. The error message provides the physical path to the web directory that was contained in the request. Although this vulnerability would not allow an attacker to alter or view any data, it could be a valuable reconnaissance tool for mapping the file structure of a web server. 
It's recommended to install the patch for the Index Server (Intel, Alpha) and the Indexing Services for Windows 2000.
HP-UX Vulnerability with PMTU strategy: HP Security Bulletin #00110, S-00-05, ERS-2000.019, ESB-2000.017, K-018
HP provides a proprietary method for determining PMTU (Path MTU). When traffic needs to be routed to a destination for which the optimum MTU has not been determined, ICMP packets are used to discover the MTU for that path while data traffic is shipped in parallel. Depending upon the amount and nature of inbound traffic, an HP-UX 10.30/11.00 system can be used to flood a target system with IP packets which could result in a denial of service.
It's recommended to set the NDD parameter ip_pmtu_strategy to 1. How to do this is pointed out in the advisory.
FreeBSD Insecure temporary file handling in make: ERS-2000.014, ERS-2000.023, ESB-2000.013
The make(1) program is typically used to schedule building of source code. It has a switch ('-j') to allow parallel building, using temporary files in /tmp to communicate with its child processes by storing the shell command the child should execute. This is handled in an insecure way, repeatedly deleting and reusing the same file name for the entire life of the program. This makes it vulnerable to a race condition wherein a malicious user could observe the name of the temporary file being used, and replace the contents of a later instance of the file with her desired commands after the legitimate commands have been written. It's recommended to install a patch.
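The make(1) flaw above is the predictable-name/reuse pattern. The following added example (my own code, not FreeBSD's) shows the two defensive halves: creating each command file with mkstemp, which opens with O_CREAT|O_EXCL and mode 0600 so a planted file or symlink makes the open fail instead of being reused, and checking a path on the open descriptor before a child is told to execute its contents, so a symlink swapped in later is rejected. The function names and the sample command are assumptions for the demonstration.

```python
# Added example (not FreeBSD's make code): per-child temporary command files
# created safely, plus a check that rejects a swapped-in symlink or a file
# someone else can write, before a child is told to execute its contents.
import os
import shutil
import stat
import tempfile

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # absent on some platforms


def create_command_file(commands, tmpdir=None):
    """mkstemp() chooses an unpredictable name and opens it with
    O_CREAT | O_EXCL, mode 0600: a file or symlink planted under a guessed
    name makes the open fail instead of being silently reused, which is
    the pattern the advisory describes for make -j."""
    fd, path = tempfile.mkstemp(prefix="make.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(commands)
    return path


def is_safe_to_read(path):
    """Return (ok, reason) for a command file about to be handed to a child.
    Checks are made on the descriptor actually opened, and its identity is
    compared with lstat(path), so a name swapped between check and use is
    caught rather than trusted."""
    try:
        fd = os.open(path, os.O_RDONLY | O_NOFOLLOW)
    except OSError as exc:
        return False, "open failed: %s" % exc.strerror
    try:
        st = os.fstat(fd)
        lst = os.lstat(path)
        if stat.S_ISLNK(lst.st_mode):
            return False, "path is a symlink"
        if (st.st_dev, st.st_ino) != (lst.st_dev, lst.st_ino):
            return False, "file replaced between lstat and open"
        if not stat.S_ISREG(st.st_mode):
            return False, "not a regular file"
        if st.st_uid != os.getuid():
            return False, "owned by uid %d" % st.st_uid
        if st.st_nlink != 1:
            return False, "%d hard links" % st.st_nlink
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, "writable by group or others"
        return True, "ok"
    finally:
        os.close(fd)


def demonstrate():
    """Run three scenarios in a private directory and return their verdicts:
    a freshly created file, a symlink pointing at it (the swap an attacker
    would attempt), and the same file after it is made world-writable."""
    tmpdir = tempfile.mkdtemp(prefix="make-demo.")
    try:
        path = create_command_file("cc -c hello.c\n", tmpdir)  # constructed
        fresh_ok = is_safe_to_read(path)[0]
        link = os.path.join(tmpdir, "predictable-name")
        os.symlink(path, link)
        link_ok = is_safe_to_read(link)[0]
        os.chmod(path, 0o666)
        loose_ok = is_safe_to_read(path)[0]
        return fresh_ok, link_ok, loose_ok
    finally:
        shutil.rmtree(tmpdir)
```

Calling demonstrate() returns (True, False, False): only the freshly created, private file is accepted.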
INetSrv 2.0 and 3.0 Buffer Overflow in INetSrv: NTShop
Greg Hoglund located a buffer overflow that is triggered by an HTTP GET request with a 537-byte path; afterwards an attacker has control over the system. Further information and code demonstrating the problem can be found in the advisory. A patch is not available yet.
HP-UX 11.04 Multiple vulnerabilities in wu-ftp: HP Security Bulletin #00106, ERS-2000.012, ESB-2000.011
As reported before, multiple vulnerabilities were found in wu-ftpd shipped with HP9000 Series 700/800 servers. Now a VVOS patch for HP-UX release 11.04 has been published: PHNE_2068. It should be installed as soon as possible.
many Distributed Denial-of-Service tools, again: NIPC, ERS-2000.009
During the past few weeks the NIPC has also seen multiple reports of intruders installing distributed denial-of-service tools on various computer systems to create large networks of hosts capable of launching significant coordinated packet-flooding denial-of-service attacks. Further information can be found in the advisory.
many Vulnerability in majordomo: AA-2000.01, ERS-2000.016, K-020
The majordomo program is a popular application which automates the management of Internet mailing lists. A vulnerability exists in majordomo versions up to and including 1.94.4. This vulnerability may allow local users to gain the privileges under which majordomo and the local mail delivery agent execute. Depending on the local majordomo configuration this may be leveraged to gain additional privileges. Sites using affected versions should immediately upgrade to majordomo 1.94.5.
Further information for Caldera Linux: CSSA; for Red Hat Linux: ESB-2000.018.
Microsoft Windows NT 4.0, Terminal Server Edition Vulnerability caused by RDISK: MS00-004, ERS-2000.018, NTShop, ESB-2000.015
The RDISK utility is used to create an Emergency Repair Disk (ERD) in order to record machine state information as a contingency against system failure. During execution, RDISK creates a temporary file containing an enumeration of the registry. The ACLs on the file allow global read permission, and as a result, an attacker who knew that the administrator was running RDISK could open the file and read the registry enumeration information as it was being created. RDISK erases the file upon successful completion. A patch is available.
OpenBSD and FreeBSD Vulnerability in procfs: OpenBSD
Systems running with procfs enabled and mounted are vulnerable to having the stderr output of setuid processes directed onto a pre-seeked descriptor onto the stack in their own procfs memory. Note that procfs is not mounted by default in OpenBSD. It's recommended to install a patch.
Further information about FreeBSD is available in ESB-2000.020.
Microsoft Office (East Asian Versions) Vulnerability by Malformed Conversion Data: MS00-002, ERS-2000.015, ERS-2000.017, ESB-2000.014
Microsoft Office includes a conversion utility that converts older Word documents to more recent formats. The conversion utility for Word 5 documents in East Asian languages (Japanese, Korean, Simplified Chinese and Traditional Chinese) has an unchecked buffer. By using a hexadecimal editor to insert specially-malformed information into a document, an attacker could cause Word to run code of his or her choice when the document was opened using an affected version of the converter. Please see the advisory for patches and further information.
Super Mail Possible Denial-of-Service: NTShop
In the Super Mail Transfer Package (PORT 25) Server for WinNT Version 1.9x a memory leak was detected, which leads to a denial-of-service condition. At the moment a fix is not available.
SCO OpenServer Vulnerabilities in pkg* tools: SB-00.01
There was recently a report of a vulnerability in UnixWare 7 that allowed access to read-restricted files (/etc/shadow) via an exploit using crafted buffer overflows against some of the pkg* suite of tools. While OpenServer version 5.0.5 does not have exactly the same security vulnerability, it does supply these tools, and they are susceptible to the same set of buffer overflow issues. It's recommended to install the new set of binaries (letter) published by SCO.
SuSE Linux Vulnerability in lprold: SUSE-037
In SuSE Linux (including v 6.3) lprold is the default printing daemon. If the hosts.lpd mechanism is used to permit printing by remote hosts, it can be circumvented by an attacker who controls a DNS server, because no double-reverse lookup is done for authentication. A second vulnerability involves the manipulation of the control file of a print job: statements are passed to sendmail as arguments, so an attacker may specify a special (own) sendmail configuration file and eventually gain root access to the machine. It's recommended to install patches from SuSE's Webpage for Patches.
Microsoft Windows 9x and NT Vulnerability by malformed RTF control word: MS00-005, ERS-2000.013, K-017, ESB-2000.012
RTF files consist of text and control information. The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. As Microsoft points out the most serious risk from this vulnerability would result if a user had preview mode enabled on a E-Mail program like Outlook, and received an email that exploited the vulnerability. Because preview mode causes the mail to be parsed without user assent, the mail program would crash.
As seen, the preview mode has some risks, not only for RTF but also for HTML - so it's better to turn it off.
Microsoft has published patches fixing the vulnerability in RTF for Windows 95, Windows 98, and Windows NT (Intel and Alpha). A fix for NT Server, Terminal Server Edition, will be published soon.
Microsoft Windows NT 4.0 Vulnerability by Spoofed LPC Port Request: MS00-003, NTShop, ERS-2000.011, ESB-2000.010, K-019
LPC Ports is a facility that allows Local Procedure Calls on a machine. One of the functions in the LPC Ports API set enables a server thread to impersonate a client thread on the same machine. A hole in the validation portion of the function would allow an attacker to create both the client and server threads and manipulate the request so that it runs in the context of any desired user on the local machine, including the System itself. The risk from this vulnerability is that a local user could gain additional privileges on the machine. It could also be used to cause audit logs to indicate that certain actions were taken by another user.
It's recommended to install a patch for Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise Edition (Intel or Alpha). A patch for Microsoft Windows NT 4.0 Server, Terminal Server Edition will be released shortly.
Debian Linux Vulnerabilities in nvi and lpr: Debian0108, Debian0109
The version of nvi that was distributed with Debian GNU/Linux 2.1 has an error in the default /etc/init.d/nviboot script. It doesn't handle filenames with embedded spaces correctly, so it's possible to remove files in the root directory by creating entries in /var/tmp/vi.recover.
The version of lpr that was distributed with Debian GNU/Linux 2.1, and the updated version released in 2.1r4, has two security problems. The client hostname isn't verified properly, so someone who is able to control the DNS entry for their IP address could fool lpr into granting access. Furthermore it's possible to specify extra options to sendmail, which could be used to specify another configuration file. This can be used to gain root access.
It's strongly recommended to update both packages immediately, links are available in the advisories.
OpenBSD Problems with Y2k in at and adduser: OpenBSD
In at(1) and adduser(8) some minor problems concerning Y2k were found. It's recommended to install the patches for at and adduser.
Microsoft IE 5.01 Vulnerability caused by Circumvention of Domain Security: NTShop
Microsoft Internet Explorer 5.01 under Windows 95 and 5.5 under WinNT 4.0 allows circumventing the "Cross Frame Security Policy" by accessing the DOM of "old" documents using JavaScript, exploiting a design flaw in IE. This exposes the whole DOM of the target document and opens lots of security risks: the problem allows reading local files, reading files from any host, window spoofing, getting cookies, etc.
This vulnerability was discovered by Georgi Guninski; an example can be found on his site.
IMail IMonitor Denial-of-Service condition in IMail IMONITOR: NTShop
UssrLabs discovered a denial-of-service condition in the IMail IMONITOR Server for WinNT Version 5.08 and possibly other versions as well. A CGI script entitled status.cgi checks whether the server services are running. By executing the script numerous times in a short period of time, IMONITOR will crash citing an "Invalid Memory Address". IPSwitch has been informed of the issue.
Red Hat Linux Vulnerability in lpr: RHSA2000:002, l0pht, ERS-2000.007, ERS-2000.008, ERS-2000.009, ESB-2000.009
Two security vulnerabilities exist in the lpd (line printer daemon) shipped with the lpr package. First, authentication was not thorough enough. If a remote user was able to control their own DNS so that their IP address resolved to the hostname of the print server, access would be granted when it should not be. Secondly, it was possible in the control file of a print job to specify arguments to sendmail. By careful manipulation of control and data files, this could cause sendmail to be executed with a user-specified configuration file. This could lead very easily to a root compromise. It's recommended to install the corresponding patches:
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.1/i386/lpr-0.48-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.1/alpha/lpr-0.48-1.alpha.rpm
SPARC:
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/lpr-0.48-1.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/lpr-0.48-1.src.rpm
Red Hat Linux 5.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.48-0.5.2.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.48-0.5.2.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.48-0.5.2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.48-0.5.2.src.rpm
Red Hat Linux 4.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/lpr-0.48-0.4.2.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/lpr-0.48-0.4.2.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/lpr-0.48-0.4.2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/lpr-0.48-0.4.2.src.rpm
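The lpd entry above, like the lprold (SuSE) and lpr (Debian) entries earlier on this page, comes from authenticating a client by its reverse (PTR) record alone. The following added example, which is my own code and not taken from any of the cited advisories or packages, shows that weak check next to the forward-confirmed ("double-reverse") lookup that closes it; the DNS zones, host names and addresses are constructed for the demonstration.

```python
# Added example: host authentication by PTR record only (the lpd flaw)
# versus forward-confirmed reverse DNS ("double-reverse lookup").
# The DNS zones below are constructed; 192.0.2.x and 198.51.100.x are
# documentation ranges, not real hosts.

# Reverse zone as the daemon sees it. The attacker controls the PTR
# record for 198.51.100.7 and points it at the trusted client's name.
CONSTRUCTED_PTR = {
    "192.0.2.10": "print-client.example.com.",
    "198.51.100.7": "print-client.example.com.",
}

# Forward zone for example.com, which the attacker does not control.
CONSTRUCTED_A = {
    "print-client.example.com": ["192.0.2.10"],
}

# Trusted clients, as hosts.lpd would list them.
HOSTS_LPD = ["print-client.example.com"]


def demo_reverse(ip):
    """Stand-in for gethostbyaddr(); raises LookupError like a missing PTR."""
    try:
        return CONSTRUCTED_PTR[ip]
    except KeyError:
        raise LookupError(ip)


def demo_forward(name):
    """Stand-in for gethostbyname_ex(); returns the list of A records."""
    try:
        return CONSTRUCTED_A[name]
    except KeyError:
        raise LookupError(name)


def normalise(name):
    return name.rstrip(".").lower()


def ptr_only_check(client_ip, allowed, reverse_lookup=demo_reverse):
    """The vulnerable pattern: whoever controls the reverse zone for the
    client's address chooses the name that is compared against hosts.lpd."""
    try:
        name = normalise(reverse_lookup(client_ip))
    except LookupError:
        return False, "no PTR record"
    if name in {normalise(h) for h in allowed}:
        return True, name
    return False, name + " not in hosts.lpd"


def fcrdns_check(client_ip, allowed, reverse_lookup=demo_reverse,
                 forward_lookup=demo_forward):
    """Forward-confirmed reverse DNS: the PTR name is trusted only if its
    own A records, served by the zone the name belongs to, contain the
    connecting address."""
    ok, name = ptr_only_check(client_ip, allowed, reverse_lookup)
    if not ok:
        return False, name
    try:
        forward_ips = forward_lookup(name)
    except LookupError:
        return False, name + " has no A record"
    if client_ip not in forward_ips:
        return False, name + " does not resolve back to " + client_ip
    return True, name
```

With the constructed zones, ptr_only_check accepts both 192.0.2.10 and the attacker's 198.51.100.7, while fcrdns_check accepts only 192.0.2.10.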
HP-UX Security Vulnerability with Audio Security File: HP Security Bulletin #00109, ERS-2000.006, ESB-2000.006
The Audio Security File, /etc/opt/audio/audio.sec, is created by the asecure program with 666 permissions. This allows root to add any user as a privileged user via the asecure program; those privileged users can then make changes to the Audio Security File via asecure. Since asecure has 555 permissions, audio.sec must be world writable to implement the privileged-user feature. Until patches are available, the recommended solution is to run as root:
chmod 444 /etc/opt/audio/audio.sec
This must be done each time the audio.sec is created via the "asecure -C" command. After the permission is changed, only the root user will be able to modify audio.sec.
ColdFusion 4.x Potential Security risk caused by CFCACHE Tag: ASB00-03, K-015, S-00-04, ERS-2000.021, ESB-2000.016
The CFCACHE tag is a feature available in ColdFusion 4.x to perform template caching to increase page delivery performance by intelligently compiling and storing the output of CFML pages for faster access. When this tag is utilized in a .CFM page it creates several temporary files, including one that contains absolute filenames with directory path information, URL parameters and timestamps. In ColdFusion 4.0x these files are stored in the same directory as the .CFM page, usually in a publicly accessible web document directory. Because these files are accessible to browsers in the web document directory, users wishing to do so could download this file with a browser and obtain information about the web document directory structure or URL parameters used to call site pages that would not otherwise be accessible. Allaire has released a new version of the CFCACHE tag, also available in ColdFusion 4.5, that allows users to specify a non-web document directory in which to store the temporary files, making them inaccessible to browsers.
Allaire Spectra 1.0 Vulnerabilities by Authenticated Webtop User and by the Installation: ASB00-01, ASB00-02
The Allaire Spectra 1.0 Webtop allows authenticated users to access sections of the Webtop they may not have been granted access to by typing explicit URLs. This exploit does not give anyone access to the Webtop who does not already have permissions to at least one section of the Webtop.
When installing Allaire Spectra 1.0, a web-based Configuration Wizard is used to finalize a number of configuration settings, including a step which indexes data collections on the server. This step of the Configuration Wizard can be accessed via URL and the collections can be resubmitted for indexing. This could be used in a denial of service attack on an Allaire Spectra server. Further information and countermeasures can be found in the advisories.
Microsoft Commercial Internet System 2.0 and 2.5 IMAP-Vulnerability in MCIS Mail server: MS00-001, S-00-03, ESB-2000.003, ERS-2000.003, NTShop, K-016, ERS-2000.020
The IMAP service included in MCIS Mail has an unchecked buffer. If a malformed request containing random data were passed to the service, it could cause the web publishing, IMAP, SMTP, LDAP and other services to crash. If the malformed request contained specially crafted data, it could also be used to run arbitrary code on the server via a classic buffer overrun attack. It's recommended to install the corresponding patch for Intel or Alpha.
Red Hat Linux Vulnerability in userhelper and pam: RHSA2000:001, l0pht, ESB-2000.004, ERS-2000.004, ESB-2000.008
A security bug was found in userhelper; the bug can be exploited to provide local users with root access. Both pam and userhelper follow paths including "..". Since pam_start calls down to _pam_add_handler(), an attacker can open any file on disk. It's recommended to install the following patches:
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.1/i386/pam-0.68-10.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/usermode-1.17-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/SysVinit-2.77-2.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.1/alpha/pam-0.68-10.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/alpha/usermode-1.17-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/SysVinit-2.77-2.alpha.rpm
SPARC:
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/pam-0.68-10.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/usermode-1.17-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/SysVinit-2.77-2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-10.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/usermode-1.17-1.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/SysVinit-2.77-2.src.rpm
many New denial-of-service tool called "Stacheldraht": CA-2000-01, S-00-02, ERS-2000.002, ESB-2000.002, Sun Security Bulletin #00193, ESB-2000.005, ERS-2000.005
CERT continues to receive reports of new developments in denial-of-service tools. The advisory provides pointers to documents discussing some of the more recent attacks and methods to detect some of the tools currently in use. For information on how to protect your systems, see the advisory.
A distributed denial-of-service tool called "Stacheldraht" has been discovered on multiple compromised hosts at several organizations. In addition, one organization reported what appears to be more than 100 different connections to various Stacheldraht agents. Further information about this can be found here.
SuSE Linux Vulnerability in pine: SUSE-036
A security hole was discovered in pine prior to 4.21: the pine mail agent doesn't filter special shell characters in URLs, so an attacker can trick a pine user into executing shell commands by sending an e-mail with a maliciously formatted URL embedded in it. It's recommended to install patches from SuSE's Webpage for Patches.
Caldera Linux Denial-of-Service vulnerability in INN: CSSA-1999-038
In OpenLinux there are two problems in INN that can be exploited in a denial-of-service attack. In both cases an article with bad formatting will cause the INN daemon (innd) to crash. It's recommended to upgrade to the latest packages.
HP-UX Vulnerability in Aserver: HP Security Bulletin #00108, ERS-2000.001, S-00-01, K-014, ESB-2000.001, ESB-2000.007
On HP9000 Series 700/800 systems running HP-UX releases 10.X and 11.X, the program /opt/audio/bin/Aserver can be used to gain root access. Until a patch is available, the only two temporary fixes are to disable the Aserver by removing the file or to remove its execute permissions.


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-02-10, 21:41 +0100