News January 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this platform or program is safe to use!


Microsoft Exchange Server Denial-of-Service by SMTP: Microsoft
Last year Microsoft released a Service Pack for Exchange Server 4.0 and 5.0 which protects against Denial-of-Service attacks via SMTP. In this attack, entering a syntactically incorrect address longer than 1 KB in the MAIL FROM or RCPT TO command causes a buffer on the stack to overflow, which crashes the Exchange Server. This attack does not result in loss of data or unauthorized access to data held in Exchange Server. However, Exchange Server could be vulnerable to stack overwriting attempts that allow an attacker to insert code as part of the address and have it executed. Version 5.5 is not vulnerable!
It's recommended to install the Service Pack as soon as possible!
many Unix Vulnerability in elm-2.4/filter: KSRT-007, ESB-98.016
The program filter, included in elm version 2.4, has two vulnerabilities. The first could potentially be exploited remotely, depending on how the victim machine's Mail Transfer Agent handles From: or Reply-To: headers larger than 512 bytes. This would allow a remote attacker to run arbitrary commands as the user running filter, possibly with additional privileges that allow the attacker to write to the mail spool directory.
Both attacks can be performed locally; however, they will only increase privileges if filter is running set-uid or set-gid (most notably on Linux machines). This could allow a local user to read other users' mail spools and gives write access to the mail spool directory. The latter could potentially be used to interfere with the mail subsystem.
It's recommended to install the fix as pointed out in the advisory or to remove filter. Version 2.5 of elm does not include this program.
Microsoft Windows NT and 95 Vulnerability caused by long Filenames: MS-Q179148, ESB-98.15, I-025A, CA-98.04, ERS-010.1, ESB-98.17, S-98-07, ESB-98.019, S-98-07
Using Internet Information Server 4.0 or Personal Web Server 4.0 under Windows NT or Windows 95 in combination with FAT or FAT32 may cause a vulnerability. Because files are also stored under an 8.3 short name and the read/write settings do not apply to this format, every file can be read by addressing the short filename directly, even if the long filename is protected against reading. This vulnerability does not affect systems using NTFS with its ACLs.
Microsoft recommends waiting for the next Service Pack. A supported fix (for Intel and Alpha) is now available, but it has not been fully regression-tested and should be applied only to systems experiencing this specific problem.
Microsoft Word 6.x and later Macro Virus in Word Documents: I-023, ESB-98.14, ERS-009.1
The number of macro viruses for Word documents is rapidly increasing. The advisory mentions types and variants which can manipulate and/or delete files.
Recommendation: Scan all Word 6 or later documents before opening them or obtain a scanning tool that performs a "scan on launch" function. Install the SCANPROT.DOT macro detector in Word 6.0 through 7.0 or turn on macro virus detection in Word 7.0a and later.
Red Hat Linux Vulnerability in inc and msgchk: ESB-98.13
Red Hat Software, Inc. has released an advisory concerning buffer overflow vulnerabilities in the inc and msgchk programs which are part of the MH package. These vulnerabilities may allow users to gain root access.
If the MH package is not needed, the easiest fix for this problem is 'rpm -e mh'. If you do need it, fixes are available for Red Hat 5.0:
i386: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/mh-6.8.4-5.i386.rpm
alpha: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/mh-6.8.4-5.alpha.rpm
and for Red Hat 4.x:
i386: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/mh-6.8.3-14.i386.rpm
alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/mh-6.8.3-14.alpha.rpm
SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/mh-6.8.3-14.sparc.rpm
HP-UX 9.X, 10.X, and 11.00 Security Vulnerability with land.c: HP-076, ESB-98.12, ERS-007.1, I-027
As mentioned in CA-97.28, the widely available "land" program, a denial-of-service tool, is effective against HP-UX systems. land sends carefully crafted TCP packets in which the source and destination are identical.
Patches fixing this problem have been released. The list of applicable patches is shown in the advisory.
HP-UX 8.X, 9.X, 10.X, and 11.0 Vulnerability in CUE: HP-074, ESB-98.010, ERS-005.1, I-027
A security vulnerability in CUE has been made public which allows non-root users to manipulate any file. This program was only needed up to HP-UX 10.30.
Hewlett-Packard Company strongly recommends that system administrators disable or remove cue from their systems, due to the nature of this problem. No upgrades from existing releases currently in use are necessary.
many Vulnerability in CDE: CA-98.02, ESB-98.009, S-98-04, ERS-008.1, S-98-04, I-028
Due to a hole in the setuid-root program "dtappgather" of the CDE (Common Desktop Environment), it's possible for local users to gain privileged access to the system. A Denial-of-Service attack is also possible.
A list of vulnerable systems and which patches should be installed is mentioned in the Advisory. For Systems running HP-UX a separate advisory has been published (HP-075, ESB-98.011, ERS-006.1, I-027).
Lotus Domino Vulnerability in Domino caused by misconfiguration: l0pht, CNet, Wired
If the Domino Server is configured incorrectly, any user may gain access to all hard disks and may edit the configuration of the server, delete files, etc.
This problem is caused by the default configuration of the server's ACLs (Access Control Lists): any user has the right to read and to write. The write permission has to be removed manually. The same problem occurs if templates are used (not in version 4.6a!). There is no tool available for testing the security of the Domino Server.
Administrators should follow the hints released by Lotus!
Unix Vulnerability in ssh-client: SNI-23, ESB-98.008, CA-98.03, CNet, ERS-004.1, S-98-05, I-026, S-98-06
The program "ssh-agent" is vulnerable in the free versions up to 1.2.21 and in the commercial version 1.3.3 (F-Secure). Under certain circumstances a user may use the private RSA key for logging into another machine.
It's recommended to install the free version 1.2.22 or the patch for F-Secure version 1.3.3 as soon as possible.
Unix and Windows NT Vulnerability in EWS1.1: VB-98.01, ESB-98.007, I-024, S-98-02, ERS-002.1
Excite for Web Servers, version 1.1, for Unix and Windows NT platforms, contains a security hole that could allow a malicious user of the software to execute shell commands on the host system on which EWS has been installed. In situations where the web server is running under a user-id with sufficient access privileges, a hacker could conceivably cause damage to the host system.
This bug in no way affects Excite.com!
EWS's search CGI is implemented in Perl and invokes a binary program to actually perform the search against the corpus. The Perl CGI parses the results from the search engine and renders them in HTML.
Because a search entered by a user into the web page is passed as a command line argument to the search binary, and because the command line is interpreted by the shell before the search binary is invoked, a hacker with sufficient know-how can craft a search that causes commands embedded in the search string to be executed on the host system.
For Unix and Windows NT a Patch is available.
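The shell-interpretation problem described above, as an added Python example (not EWS's Perl code): a constructed stand-in search binary (echo) is invoked once through a command string that the shell parses and once with an argument list, plus a simple allow-list check on the query. It assumes a POSIX shell at /bin/sh.

```python
import re
import subprocess

# Constructed stand-in for the EWS search binary: "echo" just prints its
# arguments, which is enough to show what the shell does with the query.
SEARCH_BIN = "echo"

def search_via_shell(query):
    """Pattern described in the advisory: the query is spliced into a command
    string that /bin/sh interprets before the search binary ever runs."""
    cmd = f"{SEARCH_BIN} {query}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()

def search_via_argv(query):
    """Hardened form: the query is a single argv element and no shell is
    involved, so shell metacharacters in it carry no special meaning."""
    out = subprocess.run([SEARCH_BIN, query], capture_output=True, text=True)
    return out.stdout.splitlines()

def is_plausible_query(query):
    """Defence in depth: accept only word characters, spaces and hyphens,
    so a query that is not a plain search term is rejected before any call."""
    return re.fullmatch(r"[\w\s\-]+", query) is not None

if __name__ == "__main__":
    q = "security; echo SECOND-COMMAND"
    print(search_via_shell(q))    # two lines: the shell ran a second command
    print(search_via_argv(q))     # one line: the whole query was one argument
    print(is_plausible_query(q))  # False: rejected by the allow-list
```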
Amanda 2.3.0.x and 2.4.0 beta Vulnerabilities in Amanda: Amanda-044, ESB-98.006
In some versions of the backup software Amanda, security holes were found, so a new version (Amanda 2.4.0b5) has been published. The problem with amrecover is also fixed in this version.
Windows NT Denial-of-Service by teardrop: MS Q179129, ESB-98.005
Microsoft has released the following advisory concerning a vulnerability in the way Windows NT processes fragmented UDP packets. This vulnerability may allow remote users to cause Windows NT to stop responding. The message shown is STOP 0x0000000A.
A Patch has been released by Microsoft.
Linux Vulnerability in deliver: KSRT-006, ESB-98.004
In the distributions Debian 1.3.1 and Slackware 2.x the program deliver (version 2.0.12 and below) is used for delivering mail once it has arrived at a given system. In the function copy_message() there is a stack overwrite that can allow local users to execute arbitrary code as root.
The advisory shows how to patch the source code. For Debian 2.1.13-0 and 2.1.13-1 patches are available.
Microsoft IE 4.x under Windows 95 or NT Vulnerability caused by a Buffer overflow: L0pht, CNet, Microsoft
The Microsoft Internet Explorer 4.0(1) suite, including all programs supplied with it that read and/or process HTML from local machines, intranet machines or remote Internet machines, is subject to a buffer overflow in the HTML decoding process. The buffer overflow can cause the application to page fault or, in the worst case, execute arbitrary precompiled native code. It has also been reported that this bug affects Internet Explorer 3.0 if Visual Studio (VC++/J++ etc.) is installed on the system.
The critical problem is a buffer overflow in the parsing of a particular new type of URL protocol. The "mk:" type of URL is meant to access proprietary Microsoft 'InfoViewer Topics', as used by the InfoViewer of Visual Studio and the Help System of IE 4.0(1). For example, the URL for the Microsoft IE 4.0 help system is: mk:@MSITStore:C:\WINDOWS\Help\iexplore.chm::/iexplore_welcome.htm
The buffer overflow is not a standard stack overflow but a heap overflow. This complicates exploitation, but it is nonetheless doable.
This problem is not affected by the IE Security Zones feature. The vulnerability can be tested with IE 4.0 and with IE 4.01. Attention: depending on the configuration of Windows and IE, your PC may crash after following the link!
Microsoft has released a patch for IE 4.x (the download works with Microsoft products only!).
AIX 3.2, 4.x Vulnerability in routed: ERS-001i, I-022, ESB-98-001 -updated- ERS-001i
A vulnerability exists on machines running the "routed" daemon: it accepts packets that cause arbitrary system files to be created and/or modified, so remote users may gain access to the system.
A temporary fix has been released by IBM; patches will follow.
many Vulnerability in Apache httpd (< 1.2.5): SNI-1301, ESB-98.002, S-98-03, VB-98.02, ERS-003.1
As reported by Apache, there is a vulnerability in httpd versions 1.2, 1.1 and earlier. In some configurations it's possible to compromise the machine; attackers may gain the same rights as the user running the httpd.
It's recommended to upgrade to version 1.2.5 or 1.3b3.
nearly all Denial-of-Service by ping: CA-98.01, ESB-98.001, I-021, ERS-001.1, S-98-01
The program "smurf" sends ICMP Echo Requests (ping) to an IP broadcast address. Every system on that network answers with an ICMP Echo Reply. This generates a lot of network traffic, slows down all other traffic and may make the whole network unreachable.
The advisory points out which systems are vulnerable and shows how to secure networks against this attack.
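The two packet-level denial-of-service tools on this page, land (identical source and destination, see the HP-UX entry above) and smurf (ICMP Echo Request to a broadcast address), as an added Python detection example that is not part of the original page: a classifier run over a constructed packet list, with the local networks given as a parameter. The Packet record and the sample traffic are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "TCP" or "ICMP"
    src: str
    dst: str
    sport: int = 0        # TCP ports; unused for ICMP
    dport: int = 0
    icmp_type: int = -1   # 8 = ICMP Echo Request (ping)

def is_land(p):
    """land: a TCP packet whose source and destination are identical
    (same address and same port), which no legitimate host sends."""
    return p.proto == "TCP" and p.src == p.dst and p.sport == p.dport

def is_smurf(p, local_nets):
    """smurf: an ICMP Echo Request aimed at a broadcast address, so every
    host on that network answers and the replies flood the network."""
    if p.proto != "ICMP" or p.icmp_type != 8:
        return False
    dst = ipaddress.ip_address(p.dst)
    if dst == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(dst == n.broadcast_address for n in local_nets)

def classify(packets, local_nets):
    """Return (label, packet) for every packet that matches one of the two."""
    hits = []
    for p in packets:
        if is_land(p):
            hits.append(("land", p))
        elif is_smurf(p, local_nets):
            hits.append(("smurf", p))
    return hits

# Constructed sample traffic (not taken from the advisories); 10.1.2.0/24
# plays the role of the local network in this example.
LOCAL_NETS = [ipaddress.ip_network("10.1.2.0/24")]
SAMPLE = [
    Packet("TCP", "10.1.2.3", "10.1.2.3", 139, 139),           # land
    Packet("ICMP", "203.0.113.7", "10.1.2.255", icmp_type=8),  # smurf
    Packet("ICMP", "10.1.2.9", "10.1.2.10", icmp_type=8),      # normal ping
    Packet("TCP", "10.1.2.3", "10.1.2.4", 1025, 80),           # normal TCP
]

if __name__ == "__main__":
    for label, p in classify(SAMPLE, LOCAL_NETS):
        print(f"{label}: {p.proto} {p.src} -> {p.dst}")
```

On a real network the broadcast check would be fed the site's own prefixes; the same test is what a router's "no directed broadcast" filtering applies at the perimeter.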


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: March 15, 1998, 14:02 +0100