News January 1999


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect here immediately, in particular regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


all New "sscan" scanning tool: AL-1999.001, IN-99-01
Recently a new scanning tool named "sscan" was announced on various public mailing lists. The tool is currently at version 0.1 (alpha) release level. This tool is a derivative of the "mscan" tool (see also IN-98-02) that was widely used against a large number of sites in 1998.
The sscan tool performs probes against victim hosts to identify services which may potentially be vulnerable to exploitation. Further recommendations for protection against this tool can be found in the advisory.
MS Windows with CA ControlIT 4.5 and earlier Vulnerabilities in ControlIT: ISS-018, ERS-1999.010
ControlIT (formerly Remotely Possible/32) is a remote management application that allows users to have full remote control over machines running Microsoft Windows. Some vulnerabilities were found in this software:
Password encryption vulnerability:
ControlIT does not effectively encrypt the username or password transmitted between a client and a server on a network, so accounts can be compromised, even an administrator account on Windows NT machines.
CA suggests that customers address the weak encryption problem by adding CryptIT(tm) software to ControlIT installations since no patch to ControlIT exists that repairs the weak encryption problem.
Reboot vulnerability:
ControlIT allows authenticated remote users or local users to either reboot the machine or force the current user of the remote machine to log out. Because of a vulnerability, anybody can connect and disconnect without authenticating to trigger the timer of this option, if it is enabled by the local user.
A patch (#TF73073) exists for the reboot vulnerability; a specific URL to the patch is not available. It can be obtained through Computer Associates support.
Access to the address book file:
The ControlIT address book function allows ControlIT users to store frequently used usernames and passwords in a file. The passwords in this file are encrypted using the same weak mechanism employed during remote connections. Under Windows NT, this file has permissions of Everyone:Read, meaning any local user can read the file and decrypt passwords.
A patch exists for the address book vulnerability, which disables password storage in the ControlIT address book.
In addition, we recommend controlling or blocking port 799/tcp at a firewall.
Unix Trojan horse version of TCP Wrappers: CA-99-01, S-99-01, ERS-1999.009, ESB-1999.006, ESB-1999.007
TCP Wrappers is a tool commonly used on Unix systems to monitor and filter connections to network services. Some copies of the file tcp_wrappers_7.6.tar.gz have been modified by an intruder and contain a Trojan horse. This Trojan horse version of TCP Wrappers provides root access to intruders initiating connections which have a source port of 421. Additionally, upon compilation, this Trojan horse version sends email to an external address. This email includes information identifying the site and the account that compiled the program. Specifically, the program sends information obtained from running the commands 'whoami' and 'uname -a'.
Please check the MD5 checksums mentioned in the advisory!
Microsoft Word 97 "Word 97 Template" vulnerability: MS99-002, ERS-1999.008, ESB-1999.005
A standard safety feature of Word 97 is that it warns users when a document containing macros is opened. If that document does not itself contain macros, but is linked to a template that does contain macros, no warning is issued. A hacker could exploit this vulnerability to cause malicious macro code to run without warning when a user opens a Word document. Malicious macros could be used to damage or retrieve data on a user's system.
It's recommended to install the patch released by Microsoft.
Microsoft VBA Exposure in Forms 2.0 TextBox Control: MS99-001, ERS-1999.007, ESB-1999.004
The Forms 2.0 ActiveX control has a vulnerability that allows text to be pasted from a user's Clipboard into a Forms 2.0 Text Box or Combo Box.
A hacker could use the Forms 2.0 control to read or export text from a user's Clipboard when that user visits a web site set up by the hacker or opens an HTML email created by the hacker.
The following software installs the Forms 2.0 control:
- Microsoft Office 97
- Microsoft Outlook 98
- Microsoft Project 98
- Microsoft Visual Basic 5.0
- Any third-party product that includes Visual Basic for Applications 5.0
The Forms 2.0 Security Patch for Office Products should be installed.
all New ISS Summary: ISS, ERS-1999.006
ISS reports on 17 new vulnerabilities within the last month:
- backweb-polite-agent-protocol
- http-cgic-library-bo
- hp-series5-crash
- http-request-method-garble
- acc-tigris-login
- datalynx-suguard-relative-paths
- novell-intranetware-dos
- sco-calserver-remote-bo
- ssh-privileged-port-forward
- oracle-tnslsnr-dos
- linux-random-read-dos
- bnc-proxy-bo
- http-cgi-nlog-metachars
- sims-slapd-logfiles
- backweb-cleartext-passwords
- http-frame-spoof
- linux-pam-passwd-tmprace

Further information can be found at the site of ISS.
NetBSD Race condition in TCP servers: NetBSD.1999-001, ERS-1999.005, ESB-1999.003
Many TCP servers open a TCP socket in the default blocking mode, use select(2) to wait for connections, and then accept(2) connections in blocking mode. Under some circumstances, the accept(2) may hang waiting for another connection, denying service to clients trying to connect to other ports. Two workarounds are possible:
1) Modify all TCP servers to use non-blocking listening sockets. Unfortunately, this requires changing a large amount of code, much of it maintained by third parties.
2) Modify the kernel to not remove sockets from the accept(2) queue when they are closed. A change that implements this has been added to NetBSD-current, and is available at the site of NetBSD.
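Workaround 1) in C, as an added example and not code from the NetBSD advisory: the listening socket is switched to non-blocking mode with fcntl(2), and an accept wrapper treats EAGAIN/EWOULDBLOCK as "no connection after all", so the server returns to select(2) instead of hanging. The function names and the loopback listener are my own assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Non-blocking mode: accept(2) returns at once instead of hanging. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Non-blocking TCP listener on 127.0.0.1:port (port 0 = any free port). */
int make_listener(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0
        || set_nonblocking(fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Accept after select(2) reported readiness. Returns the new descriptor, 0 if
 * the queued connection vanished in between (the case that hangs a blocking
 * server; the caller simply goes back to select), or -1 on a real error. */
int accept_ready(int listen_fd)
{
    int conn = accept(listen_fd, NULL, NULL);
    if (conn >= 0) return conn;
    if (errno == EAGAIN || errno == EWOULDBLOCK || errno == ECONNABORTED)
        return 0;
    return -1;
}

/* One round of the select-then-accept loop; 0 means "nothing this round". */
int wait_and_accept(int listen_fd, int timeout_sec)
{
    fd_set rfds;
    struct timeval tv = { timeout_sec, 0 };
    FD_ZERO(&rfds);
    FD_SET(listen_fd, &rfds);
    int n = select(listen_fd + 1, &rfds, NULL, NULL, &tv);
    if (n < 0) return errno == EINTR ? 0 : -1;
    return n == 0 ? 0 : accept_ready(listen_fd);
}
```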
Microsoft Office 95/97 and most Browsers Russian New Year (“s’Novim Godom”) Exploit: FRA99-001, ERS-1999.003
Finjan Software has released a patch for its SurfinGate 4.02 content inspection server to protect against a mobile code vulnerability associated with the Microsoft Excel function, CALL. The Excel CALL function allows executables to be run from a worksheet.
Some HTML statements enable the transfer of various source files from a remote Web server to a client Web browser. This feature can be used, for example, to allow Web pages to be included inside other Web pages; or, to enable multiple application support for more robust Web interaction.
All 3.x and 4.x versions of both the Microsoft and Netscape browsers (except Navigator 4.5) are vulnerable. HTML-aware email readers, such as Microsoft Outlook 98, are also vulnerable.
You can read more about this security vulnerability at Microsoft's site.
all BackWeb clients Vulnerability in the BackWeb Polite Agent Protocol: ISS-017, ERS-1999.004
The BackWeb Polite Agent Protocol is a UDP-based protocol that BackWeb clients use to communicate with BackWeb servers. BackWeb's "anti-spoofing mechanism" for delivery of UDP data to the client and server is the exchange of a 32-bit integer, randomly generated by the client each time it requests data from the server. This integer is appended to each packet of a specific piece of BackWeb data (InfoPak). By examining these packets in transport, an attacker may send false data to a BackWeb client, acting as the real BackWeb server.
Until a suitable security mechanism is made available by the vendor, ISS recommends upgrading to BackWeb 5.0, which supports VeriSign digital certificates for enhanced security.
Windows 95/98 Vulnerability by Network File Sharing: L0pht, NTshop
Windows 95/98 network file sharing reuses the cryptographic challenges used in SMB challenge/response authentication. The reuse of the challenge enables an attacker, who has captured a legitimate network authentication, to replay the authentication and establish a connection impersonating a valid user.
For further information please read the advisory.
Windows NT New Virus: Remote Explorer (also called RICHS): ISS-016, IN-98-07, ERS-1999.001, J-024
Remote Explorer is capable of running both as an executable and as a Windows NT service. When present in executable form, the virus will store the host executable as a resource, along with a copy of PSAPI.DLL. Resources are how a Windows executable stores icons, dialogs, and other information that might be needed. When the virus executes, it first attempts to install itself as a service, and copies itself to ie403.sys. Ie403.sys is typically found in c:\winnt\system32\drivers. If the user who invokes the virus is not an administrator, the virus cannot be installed as a service. It will then copy the host executable to a temporary file and start the application. As a result, applications might not behave normally.
A further description and what to do against it can be found in the advisory as well as at the sites of Datafellows, Microsoft, Central Command, and NAI.
Red Hat Linux Vulnerability in pam packages: ESB-1999.001
A race condition that can be exploited under some particular scenarios has been identified in all versions of the Linux-PAM library shipped with all versions of Red Hat Linux. The vulnerability is exhibited in the pam_unix_passwd.so module included in Red Hat Linux, but not used by either of the 4.2 or 5.x releases. Red Hat Linux uses the pam_pwdb.so module for performing PAM authentication.
It's recommended to install the corresponding patches:
Red Hat Linux 5.0, 5.1 and 5.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/pam-0.64-4.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/pam-0.64-4.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/pam-0.64-4.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/pam-0.64-4.src.rpm
Red Hat Linux 4.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/pam-0.57-5.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/pam-0.57-5.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/pam-0.57-5.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/pam-0.57-5.src.rpm
IRIX 6.4 and higher Vulnerability in IRIX fcagent daemon: SGI-19981201, J-020
The IRIX fcagent(1m) service is an RPC based daemon which is called to service requests about status or configuration of a FibreVault enclosure. It is installed by default on Origin and Onyx2 platforms running IRIX 6.4 and higher.
A vulnerability in the fcagent(1m) daemon has been discovered: carefully crafted RPC packets sent to the fcagent(1m) daemon can cause a denial of service that disables the FibreVault. A local user account on the vulnerable system is not required in order to exploit the fcagent(1m) daemon.
A workaround and a list of patches which should be installed can be found in the advisory.
Netscape Communicator Vulnerability caused by Frame-Spoofing: NT060198, Netscape
As reported for Microsoft IE in MS98-020, Netscape Communicator is also vulnerable to this problem. A demonstration of the vulnerability can be found here. Netscape is working on a fix.
Cisco IOS Syslog crash by nmap UDP scans: Cisco, ESB-98.197, J-023, S-98-81, ESB-1999.002
Nmap UDP scans may crash Cisco routers running Cisco IOS software version 12.0 and possibly some other versions. The problem appears to be caused by packets sent to the router's syslog port (UDP port 514). A tested workaround is to use an access list to block incoming syslog traffic. You could do this with something like the following:
! Deny all multicasts to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts (*example*; depends on local netmasks)
access-list 101 deny udp any 192.31.7.255 eq 514
! Deny router's own addresses
access-list 101 deny udp any host <router-addr-1> eq 514
access-list 101 deny udp any host <router-addr-2> eq 514
access-list 101 deny udp any host <router-addr-3> eq 514
...
access-list 101 permit ip any any
interface <interface-1>
ip access-group 101 in
interface <interface-2>
ip access-group 101 in
...

The access list needs to block syslog traffic destined for any of the router's own IP addresses, or for any broadcast or multicast address on which the router may be listening. Don't forget to block all-zeroes broadcasts as well as all-ones broadcasts. It should be applied on all interfaces running IP, including virtual interfaces and subinterfaces (but not loopback interfaces). This workaround has a performance impact that may be significant.
Further information can be found in the advisory.
Unix Denial-of-Service in TCP: CA-98-13, ESB-98.195, S-98-80, ERS-156, NT231298
By carefully constructing a sequence of packets with certain characteristics, an intruder can cause vulnerable systems to crash, hang, or behave in unpredictable ways. This vulnerability is similar in its effect to other denial-of-service vulnerabilities, including the ones described in CA-97.28.
Affected systems and countermeasures are listed in the advisory.
Microsoft IE 3.x - 4.01SP1 Vulnerability caused by Frame-Spoofing: MS98-020, ESB-98.198, ERS-157
A vulnerability exists in Internet Explorer because its cross-domain protection does not extend to navigation of frames. This makes it possible for a malicious web site to insert content into a frame within another web site's window. If done properly, the user might not be able to tell that the frame contents were not from the legitimate site, and could be tricked into providing personal data to the malicious site. Non-secure (HTTP) and secure (HTTPS) sites are equally at risk from this vulnerability. More information can be found at Microsoft's site.
It's recommended to install a patch. Users of version 3.x and 4.0 have to upgrade to 4.01 with Service Pack 1, then the patch for IE 4.01SP1 can be installed.
Red Hat Linux Vulnerability in ftp client: ESB-98.191
A security vulnerability has been identified in all versions of the ftp client binary shipped with Red Hat Linux. An exploit for this vulnerability would have to rely on getting the user to connect in passive mode to a server running an ftp daemon under the attacker's control. It's recommended to install the new packages:
Red Hat Linux 5.0, 5.1 and 5.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/ftp-0.10-4.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/ftp-0.10-4.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/ftp-0.10-4.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/ftp-0.10-4.src.rpm
Red Hat Linux 4.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/NetKit-B-0.09-9.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/NetKit-B-0.09-9.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/NetKit-B-0.09-9.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/NetKit-B-0.09-9.src.rpm
Microsoft IIS 3.0 and 4.0 (Intel and Alpha) Denial-of-Service attacks against Internet Information Server: MS98-019, ESB-98.196, ERS-155
This vulnerability involves the HTTP GET method, which is used to obtain information from the IIS web server. Malformed GET requests can create a denial of service situation that consumes all server resources. In some cases, the server can be put back into service by stopping and restarting IIS; in others, the server may need to be rebooted. Data on the server can't be compromised by this attack. Further information can be found at Microsoft's Site.
It's recommended to install the corresponding patch: IIS 3.0 x86, IIS 3.0 alpha, IIS 4.0 x86, IIS 4.0 alpha


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: February 12, 1999, 11:01 +0000