News February 2000
Last Update: 2000-03-03


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect here immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by FTP.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!



System: Short description and further information:
Microsoft Windows 9x and NT, also IE Vulnerability in Wordpad: NTShop
There is a vulnerability in Wordpad which allows arbitrary programs to be executed, without warning the user, after an embedded or linked object is activated. This can also be exploited through IE on Win9x. Wordpad executes programs embedded in .doc or .rtf documents without any warning if the object is activated by a double-click. Under Internet Explorer for Win9x this can be triggered via the view-source: protocol: view-source: starts Notepad, but if the file is large the user is prompted to launch Wordpad instead. By placing a view-source: link to a large .rtf document in an HTML page or HTML-based email message, the user will be prompted to open the document in Wordpad, where a program is executed if the user double-clicks an object in the opened document. A link demonstrating the problem can be found in the advisory; Microsoft is working on a patch.
many New DDoS tool for Windows 9x: NIPC, ISS-044, ERS-2000.038, IN-2000-01
A new version of trin00 that runs on Microsoft Windows machines has been discovered. This Windows version of trin00 is similar to the Unix version. The daemon for Windows trin00 listens on port 34555, while the Unix version listens by default on port 27444. Unlike the Unix version of the trin00 daemon, the Windows daemon does not try to contact the master server to register. Please consult the ISS-advisory to find out if trin00 is installed on a machine.
Microsoft Windows Media Services 4.x Vulnerability by misordered Windows Media Services Handshake: MS00-013, ERS-2000.037, NTShop
The handshake sequence between a Windows Media server and a Windows Media Player is asynchronous, because certain resource requests are dependent on the successful completion of previous ones. If the client-side handshake packets are sent in a particular misordered sequence, with certain timing constraints, the server will attempt to use a resource before it has been initialized and will fail catastrophically, causing the Windows Media Unicast Service to crash. The Windows Media Unicast Service can be put back into normal operating condition by restarting the service, but any sessions that were in effect at the time of the crash would need to be restarted.
Microsoft has published a fix for Windows NT Server 4.0 and Windows 2000 Server.
Pragma Systems Vulnerabilities found in InterAccess TelnetD Server Build Release 4: NTShop, NTShop
The code that handles the login commands for a telnet session has an unchecked buffer; if the buffer is overflowed, arbitrary code can be executed on the server. A demonstration of the hole can be downloaded here. Pragma Systems has published a fix, which should be installed as soon as possible.
CiscoSecure ACS for Unix Risk caused by unauthorized access: Cisco, ERS-2000.036
In CiscoSecure Access Control Server (CiscoSecure ACS) for UNIX, versions 1.0 through 2.3.2, there is a database access protocol that could permit unauthorized remote users to read and write the server database without authentication. Depending on the network environment, this might permit unauthorized users to modify the access policies enforced by the CiscoSecure ACS. A utility that is capable of using this protocol to read or modify a database is shipped with the CiscoSecure ACS product. This vulnerability can be eliminated by either a CiscoSecure configuration change, or network configuration change. Cisco has provided a new release that changed a default setting, in order to ensure higher default security level. Further information and a workaround can be found in the advisory.
FreeBSD Vulnerabilities in asmon/ascpu and Delegate Proxy Server: ERS-2000.033, ERS-2000.034, K-022, K-023
Asmon and ascpu allow users to execute arbitrary commands as part of a user configuration file. Both applications are Linux-centric as distributed by the vendor and require patching to run under FreeBSD (specifically, using the kvm interface and setgid kmem privileges to obtain system statistics); this patching was the source of the present security problem. New packages for asmon and ascpu should be installed.
Delegate is a versatile application-level proxy. It's written in an insecure style, with potentially dozens of different exploitable buffer overflows (including several demonstrated ones), each of which could allow an attacker to execute arbitrary code on the delegate server. This code will run as the user ID of the 'delegated' process, typically 'nobody' in the recommended configuration, but this still represents a security risk as the attacker may be able to mount a local attack to further upgrade his or her access privileges. It's strongly recommended to remove the delegate port/package.
Debian Linux Vulnerability in make: Debian0217
The make package as shipped in Debian GNU/Linux 2.1 is vulnerable to a race condition that can be exploited with a symlink attack. Make uses mktemp while creating temporary files in /tmp which is a known potential security hole, as documented in the man page of mktemp. This has been fixed in version 3.77-5slink. The fix can be found in the advisory.
Microsoft Systems Management Server 2.0 Vulnerability by Remote Agent Permissions: MS00-012, ERS-2000.035, NTShop, K-024
If the SMS 2.0 Remote Control feature has been installed and enabled on a machine, the folder in which the remote agent resides has its permissions set to Everyone Full Control by default. If a malicious user replaced the client code with code of his or her choosing, it would run automatically in a system context the next time he or she rebooted the machine and logged on. Microsoft points out that this vulnerability exists only if the Remote Control feature has been enabled; no other SMS features are affected by it. Microsoft has published a patch for Intel and Alpha.
Microsoft Internet Explorer 4.x and 5.x Vulnerability caused by ActiveX: NTShop
Internet Explorer ships with an ActiveX component called MS Active Setup. The component is shipped with IE 4.x and 5.x and is intended to provide remote software installation over the Internet. The component will only install software authenticated with a signature. Under normal operational circumstances an installation process will inform the user about any authentication signature found within a given package before allowing that software to be installed on a given machine. However, because of Microsoft's tightly integrated desktop, packages with signatures from Microsoft are not forced to adhere to this normal operational procedure, but instead are allowed to be silently installed without user notification. Microsoft software packages are given special blind trust by the Windows operating system, and the user has absolutely no control over this trust. This offers the opportunity for Microsoft components to be installed without a user's knowledge. Microsoft is working on this issue.
Microsoft Internet Information Server 4.0 Possible Denial-of-Service: NTShop
It is possible to cause a denial of service condition against IIS under Windows NT 4.0 running the SMTP Server by manipulating file names within the SMTP service's directory structure. By creating a file name of more than 85 characters in length within the "\mailroot\pickup" directory, the mail server will generate an error and crash the INETINFO service, which supports IIS. In addition, as long as the file remains in place IIS cannot start up properly. To restore service the file must be removed. Microsoft is working on a patch.
SuSE Linux Vulnerability in make: SUSE-041
In SuSE 6.1-6.3 a vulnerability in make was found. An attacker could execute commands with the privileges of the user executing make. This may lead to local root compromise if root passes Makefiles to make through stdin. It's recommended to install patches from SuSE's Webpage for Patches.
Microsoft Windows 9x and NT, possibly Win2k Vulnerability caused by Autorun.Inf: NTShop
A vulnerability exists because the autorun.inf file does not apply only to CD drives, or even only to removable media. The file can be placed on any drive with exactly the same effect (a refresh of the drive list may be necessary). So an attacker could place it on a normal hard disk, and the file it specifies will be executed. Microsoft is working on a patch.
Microsoft Internet Explorer 4.x and 5.x Vulnerability in the Virtual Machine: MS00-011, NTShop, ERS-2000.032
The Microsoft VM is a virtual machine for Windows 9x and NT. The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. A malicious administrator of a web server in the Intranet can write a Java applet that could read files on the local machine of the visitors. It's necessary to know the name and the path of these files. Microsoft has published patches for IE 4.x, 5.0, and 5.01.
Microsoft Site Server 3.0, Commerce Edition Vulnerability by Site Wizard Input Validation: MS00-010, ERS-2000.031, NTShop
Two sample web sites provided as part of Site Server 3.0, Commerce Edition do not follow security best practices; the code generated by one of the wizards is affected by the same problem. The code requests an identification number as one of the inputs, but does not validate it before using it in a database query. As a result, an attacker could, instead of entering an appropriate input, provide SQL commands. If this were done, the SQL commands would be executed as part of the query, and could be used to create, modify, delete or read data in the database. It's recommended to install the patch published by Microsoft.
Windows 2000 Professional System exposed during installation: NTShop
It was found that during the installation of Win2K Pro a user can access the ADMIN$ share under the Administrator account without providing a password. The ADMIN$ share maps by default to the root directory of the Windows installation. A patch will be published soon.
HP-UX Vulnerability with Ignite: HP Security Bulletin #00111, ERS-2000.030, S-00-07
On HP 9000 Series 700/800 machines running HP-UX 11.X a possible security hole was found. On a trusted system each password field in /etc/passwd should be "*"; this is normally handled automatically. One way for the password field to end up blank is to create a system image of a trusted system with Ignite-UX without saving /etc/passwd; by default Ignite-UX omits /etc/passwd. On a trusted system, if the system or the /etc/passwd file has been restored, the administrator should verify that the password fields in /etc/passwd are "*". If Ignite-UX is used to create an image of a trusted system, override the default so that /etc/passwd is saved in the image.
Microsoft Internet Explorer 4.x and 5.x Vulnerability caused by Image Source Redirect: MS00-009, ERS-2000.029, NTShop
When a web server navigates a window from one domain into another one, the IE security model checks the server's permissions on the new page. However, it is possible for a web server to open a browser window to a client-local file, then navigate the window to a page that is in the web site's domain in such a way that the data in the client-local file is accessible to the new window. So a web site operator can view files on the client's computer for a limited time. It's necessary to know the location and the name of the file, and only file types that can be opened in a browser window are accessible. Microsoft has published a patch, which can also be downloaded via Windows Update.
Netopia Denial-of-Service against Timbuktu Pro: NTShop
A DoS attack against Netopia Timbuktu Pro 2.0b650 is possible by exploiting an error in the authentication protocol. Netopia is working on a patch.
NetBSD Security hole in procfs: NetBSD-2000.001
The procfs filesystem makes various resources of a process available under the directory /proc/<pid>/. One of these resources is the memory image of the process. By circumventing the security checks, the memory image of a setuid process can be manipulated so that it executes a shell. It's recommended to install a patch.
SCO OpenServer 5 Vulnerabilities in MMDF and ARCserve: SB-00.06, SB-00.07
Several MMDF vulnerabilities were found in SCO OpenServer, including dangerous buffer overflows. A list of programs replaced by the patch (binary, letter) can be read in the advisory. In addition, a symlink vulnerability was found in the ARCserve startup script for OpenServer 5. Local users may obtain root privileges and overwrite/insert data into arbitrary (normally unwritable) files. This can be fixed by installing a patch (binary, letter).
BTT Software DoS against SNMP Trap Watcher 1.16: NTShop
By sending a trap string of more than 306 characters to the SNMP monitoring system, the software can be made to crash. It's recommended to upgrade to version 1.18.
Internet Anywhere Mail Server Risk for Denial-of-Service: NTShop
In Internet Anywhere Mail Server v3.1.3 Build 1065 two problems were found: by sending a specific string of characters as the parameter of the RETR command, the server can be made to crash. The same happens if 3000 or more SMTP connections are opened and, ignoring the error from the server, another large set of connections is sent. True North Software is working on a patch.
Check Point FireWall-1 Security risk caused by the handling of PASV FTP: NTShop
In Check Point's FireWall-1 v3.x and 4.x a way was found to open unauthorized TCP ports on an internal FTP server by manipulating PASV FTP packets. Typically, a client sends the FTP server the PASV command, and the server responds with a 227 message specifying the destination IP address and destination port to which the client is expected to connect for the next data connection. FireWall-1 monitors the packets sent from the FTP server to the client, looking for the string "227 " at the beginning of each packet. Upon a match, FireWall-1 extracts the destination IP address and destination port from the packet payload, verifies that the specified IP address corresponds to the source address of the packet, and allows an incoming TCP connection through the firewall to that IP address and port.
To avoid this vulnerability it's strongly recommended
- not to enable PASV FTP if it is not needed (see Policy > Properties)
- to use the FTP or HTTP Security Server for connections to an internal FTP server
- to harden the FTP server as much as possible
Check Point has published a patch in the form of a new base.def file, which is provided by the resellers.
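The following is an added illustration of the PASV inspection logic described above, written for this page and not Check Point's code. It parses a 227 reply, applies the address-must-match-source check from the advisory, and additionally refuses privileged ports so that a 227 string cannot be used to open a hole to some other service on the FTP server (the sample replies are constructed).

```python
import re
from ipaddress import IPv4Address
from typing import Optional, Tuple

# An RFC 959 passive-mode reply looks like:
#   227 Entering Passive Mode (192,168,1,10,7,232)
# The six numbers are the four octets of the data-channel address and the
# high and low bytes of the data-channel port (port = p1 * 256 + p2).
# The pattern is anchored at the start and requires "227 " (a final reply),
# mirroring the "227 " prefix check described in the advisory.
_PASV_RE = re.compile(
    r"^227 [^\r\n]*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised by a 227 reply, or None if it is not one."""
    m = _PASV_RE.match(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def pasv_allowed(reply: str, server_ip: str, min_port: int = 1024) -> Tuple[bool, str]:
    """Decide whether a dynamic hole for the data connection should be opened.

    Beyond the address check from the advisory, this refuses ports below
    min_port, so a reply advertising e.g. port 23 or 139 on the FTP server
    cannot be used to reach an unrelated service through the firewall.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "not a well-formed 227 reply"
    ip, port = parsed
    if IPv4Address(ip) != IPv4Address(server_ip):
        return False, f"advertised address {ip} differs from server address {server_ip}"
    if port < min_port:
        return False, f"advertised port {port} is below {min_port}; refusing privileged port"
    return True, f"allow client -> {server_ip}:{port}"


if __name__ == "__main__":
    # Constructed sample replies as an FTP server at 192.168.1.10 might send them.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,7,232)\r\n",   # legitimate
        "227 Entering Passive Mode (192,168,1,10,0,23)\r\n",    # privileged port
        "227 Entering Passive Mode (10,0,0,5,7,232)\r\n",       # address mismatch
        "200 Command okay\r\n",                                # not a PASV reply
    ]
    for s in samples:
        print(repr(s.strip()), "->", pasv_allowed(s, "192.168.1.10"))
```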
SCO UnixWare Vulnerability in cu: SB-00.05
A local security hole in cu has been found. Exploiting this hole, a local attacker could gain root-access to the machine. It's recommended to install a patch (binary, letter) published by SCO.
SuSE Linux Vulnerability caused by util for mount/umount: SUSE-039
If an attacker executes mount/umount with a long relative pathname, it overwrites dynamically allocated memory of the realpath function. There is a small chance that an attacker could gain root privileges by modifying the heap data. It's recommended to install patches from SuSE's Webpage for Patches.
Novell Groupwise 5.5 New Denial-of-Service Attack: NTShop
By sending a specific URL to the Web Access interface the server can be made to crash or to enter a condition that would require a reboot. It's recommended to install Service Pack 1 for the Groupwise Enhancement Pack.
many MySQL Allows Password Bypass: NTShop
In MySQL 3.22.26a and later, and possibly earlier versions, any legal user of mysql may change the password of other users, including the administrator's password of the database. Please see the advisory for further information.
many Distributed Denial-of-Service Attack using TFN2K and Stacheldraht: ISS-043, ERS-2000.028
Over the last months, several high-capacity commercial and educational networks have been affected by distributed DoS attacks. In addition to the trin00 and TFN attacks, two new tools (TFN2K and Stacheldraht) are currently being used to implement this attack. Both of these tools are based on the original TFN/trin00 attacks described before. Attackers can install these DDoS programs on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims. This attack occurs simultaneously from all of these machines, making it more dangerous than ever.
SuSE Linux and others Vulnerabilities in mysql and make: SUSE-038, SUSE-040, SUSE-0xx
In SuSE Linux 6.1 - 6.3 the mysql package is version 3.22.11-29. With this version any mysql user can change the MySQL superuser password. The MySQL superuser can only connect to the database from localhost, so a remote attacker can only perform a denial of service. In make, an attacker could execute commands with the privileges of the user running make; this leads to a local root compromise if root passes Makefiles to make through stdin. It's recommended to install patches from SuSE's Webpage for Patches.
Sun Solaris 2.3 - 7, SunOS 4.x Vulnerabilities in CDE and OpenWindows: Sun Security Bulletin #00192
As reported in the beginning of January, there were holes found in the CDE and OpenWindows. Now, Sun Microsystems has published some patches. A list can be found in the advisory.
SCO Open Server Vulnerability in SNMPD configuration: SB-00.04
In all versions of Open Server prior to 5.0.6 write access is possible because test community strings are shipped in one of the snmpd daemon configuration files. So it might be possible to modify the System Group Description and Object-Id returned by an SNMPD query, and also to modify the information returned for queries of the network interface state, IP forwarding and routing, the state of network sockets (including the ability to terminate active TCP sessions and listening sockets) and the ARP cache. A patch will not be published because only small modifications are necessary; please read them in the advisory.
SurfControl Scout 2.6.1.6 Bypass URL Blocking: NTShop
SurfControl Scout is a package designed to block access to specified URLs. By appending a period to the end of a URL a blocked URL may still be accessed, thereby bypassing the rules defined in the SurfControl Scout application. If access to http://www.forbidden.com is blocked, http://www.forbidden.com. (with a trailing period) can still be visited; the period at the end is the reason the site becomes reachable. The vendor has released a patch that upgrades 2.1.6.x versions to 2.6.1.7, as well as a complete version 2.6.1.7 package for download.
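As an added illustration (not SurfControl's code), the check below shows why a blocklist has to match on a canonical host name: the naive comparison is bypassed by the trailing root-label dot, the canonical one is not. The blocklist entry is a constructed sample.

```python
from typing import Set
from urllib.parse import urlsplit

# Constructed sample blocklist; a real filter would load its policy from elsewhere.
BLOCKED_HOSTS: Set[str] = {"www.forbidden.com"}


def raw_host(url: str) -> str:
    """Host exactly as written in the URL (urlsplit only lower-cases it)."""
    return urlsplit(url).hostname or ""


def canonical_host(url: str) -> str:
    """Canonical host for policy matching: lower-cased, trailing root dot removed.

    "www.forbidden.com." and "www.forbidden.com" name the same DNS node, so
    they must compare equal before any blocklist lookup is done.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def matches_blocklist(host: str, blocked: Set[str] = BLOCKED_HOSTS) -> bool:
    """True if host is a blocked name or a subdomain of one."""
    return host in blocked or any(host.endswith("." + b) for b in blocked)


def naive_is_blocked(url: str) -> bool:
    """The weak check: compares the host as written, so a trailing dot slips past."""
    return matches_blocklist(raw_host(url))


def is_blocked(url: str) -> bool:
    """The corrected check: canonicalise first, then match."""
    return matches_blocklist(canonical_host(url))


if __name__ == "__main__":
    for u in ("http://www.forbidden.com/", "http://www.forbidden.com./",
              "http://WWW.Forbidden.COM:8080/page", "http://www.example.com/"):
        print(f"{u:40} naive={naive_is_blocked(u)!s:5} canonical={is_blocked(u)}")
```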
OpenLinux Security Problems with mySQL and mount/umount: CSSA-2000-001, CSSA-2000-002
In OpenLinux eServer 2.3 with packages previous to mysql-3.22.30-1S anyone with access to a running MySQL server and GRANT privilege for any database or table in the MySQL server, can change any MySQL-password he wishes, including the MySQL superuser's. Even without access to run processes on the machine an attacker can mount a denial of service attack on the server by setting the MySQL superuser's password to a random string. It's recommended to install the patch (Source Code).
A buffer overflow has been found in the mount and umount commands, which are setuid root on Caldera OpenLinux. The overflow does not appear to be exploitable easily, but an upgrade (Source Code) is recommended.
WWWThreads Message Forum Software Privilege Elevation possible: NTShop
WWWThreads is a Perl-based message forum software designed to run against an SQL server backend such as MySQL or Microsoft SQL Server. According to rain.forrest.puppy, it is possible to elevate a message board user's privileges to board Administrator within the message forum software. This is not the same as Administrator access on NT. Further information and an example can be found in the advisory.
Microsoft IE and Java VM Vulnerability in Java Implementation: NTShop
A security problem was found in Microsoft's Internet Explorer 4.x and 5.x on Windows platforms, as well as in any other application that uses Microsoft's Java VM, including Outlook mail clients. The security risk is related to the CLASSPATH environment setting for Java users and developers. A Java applet can read any "known files", i.e. files common to most configurations. A hosting web site is thus able to retrieve file information through the applet without being noticed when IE users access the site. Further information can be found in the advisory.
Microsoft Outlook Express 5 Vulnerability in Outlook Scripting: NTShop
As reported by Georgi Guninski there is a problem in Outlook Express 5.01 and Internet Explorer 5.01 under Windows 9x which allows reading subsequently opened email messages after a hostile message is opened. The problem is that the document object of the email message is assigned to a variable in a newly opened window; through this variable, subsequently opened email messages can be accessed. And, again, the solution is: disable Active Scripting.
Microsoft Windows NT Vulnerability caused by RDISK: MS00-004, NTShop, ESB-2000.024
Microsoft has published new fixes for the problems reported in January. It's recommended to install the patch for Windows NT 4.0 Workstation; Windows NT 4.0 Server; Windows NT 4.0 Server, Enterprise Edition (Intel and Alpha); and Windows NT 4.0 Server, Terminal Server Edition.
Debian Linux Vulnerability in apcd: Debian0201
The apcd package as shipped in Debian GNU/Linux 2.1 is vulnerable to a symlink attack. If the apcd process gets a SIGUSR1 signal it will dump its status to /tmp/upsstat. However this file is not opened safely, which makes it a good target for a symlink attack. This has been fixed in version 0.6a.nr-4slink1. Debian recommends to install an updated apcd package immediately. The fix can be found in the advisory.
many Web Browsers Risks due to Malicious HTML Tags: CA-2000-02, ERS-2000.026, K-021, NTShop, ESB-2000.023, ESB-2000.025, S-00-06
Most web browsers have the capability to interpret scripts embedded in web pages downloaded from a web server. Such scripts may be written in a variety of scripting languages and are run by the client's browser. Most browsers are installed with the capability to run scripts enabled by default. Users may unintentionally execute scripts written by an attacker when they follow untrusted links in web pages, mail messages, or newsgroup postings. Users may also unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by other users. Because the malicious scripts are executed in a context that appears to have originated from the targeted site, the attacker has full access to the document retrieved (depending on the technology chosen by the attacker), and may send data contained in the page back to their site. For example, a malicious script can read fields in a form provided by the real server, then send this data to the attacker.  
Again, active content is the reason for this risk. For further information please see the advisory!
many New ISS Summary: ISS, ERS-2000.027
Recently 12 new vulnerabilities were reported:
- http-indexserver-dirtrans
- linux-vmware-symlink (Bugtraq)
- nt-rdisk-enum-file
- office-malformed-convert
- win-malformed-rtf-control-word
- nt-spoofed-lpc-port
- linux-corel-update
- icq-url-bo
- linux-pam-userhelper (L0pht)
- winamp-playlist-bo
- hp-aserver
- sun-sadmind
Further information can be found at the Server of ISS.
Microsoft Windows NT 4.0 Vulnerability caused by Recycle Bin Creation: MS00-007, ERS-2000.025, NTShop, ESB-2000.021
The Windows NT Recycle Bin for a given user maps to a folder whose name is based on the owner's SID. The folder is created the first time the user deletes a file, and the owner is given sole permissions to it. If an attacker logged into the local machine could create the folder before the bona fide one is created, the attacker could assign any desired permissions to it. This would allow the attacker to create, modify or delete files in the Recycle Bin, but in most cases would not enable him or her to read files unless he or she already were able to.
Microsoft has published a patch for the US version of NT Workstation, Server, and Enterprise Edition (Intel, Alpha).
Several Web-Based Shopping Cart Applications Form Tampering Vulnerabilities found: ISS-042, ERS-2000.024, ESB-2000.022
Many web-based shopping cart applications use hidden fields in HTML forms to hold parameters for items in an online store. These parameters can include the item's name, weight, quantity, product ID, and price. An application that bases price on a hidden field in an HTML form may be compromised by this vulnerability. An attacker could modify the HTML form on the local machine to change the price of the item and then load the page into a web browser. After submitting the form, the item is added to their shopping cart at the modified price. The ISS X-Force has identified eleven shopping cart applications that are vulnerable to form tampering. Please refer to the advisory for further information.
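As an added illustration of the form-tampering problem (not the code of any of the shopping carts named in the advisory), the pricing logic below contrasts the vulnerable pattern, taking the price from a hidden field, with a version that prices from the server-side catalogue and treats a disagreeing hidden field as a tampering signal worth logging. The catalogue and form submissions are constructed samples.

```python
from decimal import Decimal, InvalidOperation
from typing import Dict, Mapping

# Constructed sample catalogue; in a real shop this is the server-side price list
# and the only source of truth for prices.
CATALOG: Dict[str, Decimal] = {
    "SKU-100": Decimal("49.95"),
    "SKU-200": Decimal("199.00"),
}


class TamperedForm(Exception):
    """Raised when a submitted hidden field disagrees with server-side data."""


def vulnerable_line_total(form: Mapping[str, str]) -> Decimal:
    """The pattern the advisory warns about: the price comes from a hidden form field."""
    return Decimal(form["price"]) * int(form["quantity"])


def line_total(form: Mapping[str, str], catalog: Mapping[str, Decimal] = CATALOG) -> Decimal:
    """Price the line from the catalogue only; a hidden price field is merely cross-checked.

    Raises ValueError for unknown products or bad quantities, and TamperedForm
    when the client-supplied price does not match the catalogue, so the event
    can be logged and the order rejected rather than silently re-priced.
    """
    sku = form.get("product_id", "")
    if sku not in catalog:
        raise ValueError(f"unknown product {sku!r}")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 999:
        raise ValueError(f"quantity {qty} out of range")
    unit = catalog[sku]
    submitted = form.get("price")
    if submitted is not None:
        try:
            submitted_price = Decimal(submitted)
        except InvalidOperation:
            raise TamperedForm(f"{sku}: unparseable price {submitted!r}") from None
        if submitted_price != unit:
            raise TamperedForm(f"{sku}: submitted price {submitted_price} != catalogue {unit}")
    return unit * qty


def is_tampered(form: Mapping[str, str], catalog: Mapping[str, Decimal] = CATALOG) -> bool:
    """Detection predicate: True when the submission would be rejected as tampered."""
    try:
        line_total(form, catalog)
    except TamperedForm:
        return True
    except ValueError:
        return False
    return False


if __name__ == "__main__":
    # Constructed submissions: an honest one and one with the hidden price edited.
    honest = {"product_id": "SKU-100", "quantity": "2", "price": "49.95"}
    edited = {"product_id": "SKU-100", "quantity": "2", "price": "0.01"}
    print("vulnerable total for edited form:", vulnerable_line_total(edited))
    print("catalogue total for honest form:", line_total(honest))
    print("edited form flagged as tampered:", is_tampered(edited))
```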


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-03-03, 11:17 -0000