News February 1999


Most of the links lead to the corresponding files at CERT or other organisations, so changes made there take effect here immediately, in particular regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


SLMail version 3.1 and 3.2 By-pass NTFS permissions on machines running SLMail: mnemonix, NTshop
The Remote Administration Service in SLMail allows changes to mail services to be performed using the HTTP protocol, by default over TCP port 180. NTLM authentication can be enabled so that only users with an account and corresponding password may access this service. Once authenticated, however, they do not need to be an Administrator to make changes to the mail services and user account information. This happens because the service does not impersonate the logged-on user; every change is performed under the SYSTEM account.
Because of this, Remote Administration should be DISABLED. If this is not viable, the only way to prevent unauthorized users (those with accounts) from making changes is to remove the "Access this computer from the Network" user right from the "Everybody" group and grant this privilege to Administrators only.
Internet Information Server 4.0 IIS allows password attacks over NetBIOS: mnemonix, NTshop
Internet Information Server 4.0 has a feature that can allow a remote attacker to attack user accounts local to the Web Server as well as other machines across the Internet.
By default every install of IIS 4 creates a virtual directory "/IISADMPWD". This directory contains a number of .htr files. Anonymous users are allowed access to these files, and access is not restricted to the loopback address (127.0.0.1). The files in this directory are variants of the same file and allow a user to change their password via the Web. If an IP address followed by a backslash precedes the account name (IPADDRESS\ACNAME), the IIS server will contact the remote machine over the NetBIOS session port and attempt to change the user's password there. This may lead to a compromise of that account.
If this service is not required, it's recommended to remove the /IISADMPWD virtual directory or to limit NetBIOS based traffic over TCP port 139.
Computer Associates Vulnerability in ArcServeIT: NTshop
ARCserve passes account information (usernames and passwords) in almost-clear text (they're simply XOR'd) when performing backups over a TCP/IP network. Under many circumstances, these accounts are granted Administrator rights. A detailed description of the problem is pointed out in the advisory. Similar risks may exist on IPX/SPX and NetBEUI networks -- this was only tested with TCP/IP.
It's recommended to download the patch released by CA.
Red Hat Linux Vulnerability in lsof: ESB-1999.022
As reported before (HERT-02), lsof on some Unix systems has a buffer overflow that will lead to direct root compromise. Red Hat Linux 5.2 ships with a vulnerable version of lsof. It's recommended to install the corresponding patch:
Red Hat Linux 5.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lsof-4.40-1.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lsof-4.40-1.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lsof-4.40-1.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lsof-4.40-1.src.rpm
all New CERT-Summary: CS-99.01, ESB-1999.027, S-99-09, ERS-1999.031
Since the last CERT summary, issued in December 1998 (CS-98.08), CERT has seen these trends in incidents:
1. Widespread Scans: CERT continues to receive numerous daily reports of intruders using tools to scan networks for multiple vulnerabilities. Intruder scanning tools continue to become more sophisticated.
2. Back Orifice and NetBus: Daily reports of incidents involving Windows-based "remote administration" programs such as Back Orifice and NetBus are received.
3. Trojan Horse Programs: Over the past few months, CERT has seen an increase in the number of incident reports related to Trojan horse programs affecting both Windows and UNIX platforms.
4. FTP Buffer Overflows: Very recently, CERT has received a few reports of intruders scanning for and exploiting a remote buffer overflow vulnerability in various FTP servers.
Microsoft Windows 98 and Back Office Resource Kit Taskpads Scripting Vulnerability: MS99-007, ESB-1999.026, ERS-1999.030, NTshop
Taskpads is a feature provided by several Microsoft Windows Resource Kit products. It is part of the Resource Kits' Tools Management Console Snap-in, and allows users to view and run Resource Kit Tools via an HTML page rather than through the standard Large Icon, Small Icon, List, and Detailed views. A vulnerability exists because certain methods provided by Taskpads are incorrectly marked as "safe for scripting" and can be misused by a web site operator to invoke executables on a visiting user's workstation without their knowledge or permission.
It's recommended to install the corresponding patch:
- Windows 98 Resource Kit, Windows 98 Resource Kit Sampler, and BackOffice, second Edition for Windows 95 and 98
- Microsoft BackOffice Resource Kit, second edition for Windows NT: x86 version, Alpha version
These patches remove the Taskpad feature.
Debian Linux Vulnerabilities in wget and lsof: Debian0220, Debian0220a
When lsof is setuid-root or setgid kmem, it is vulnerable to a buffer overflow that could lead to direct root compromise or root compromise through live kernel patching. lsof 4.37-3 will be available shortly.
The version of wget in slink (2.1 Beta) and potato incorrectly attempts to chmod symlinks when invoked with the -N option. The version in hamm (Debian 2.0) is not affected. Only the wget package in the unreleased Debian versions is affected; a fixed wget_1.5.3 will be released shortly.
Windows Windows Backdoors Update II: ISS-020, ERS-1999.028, J-032, ESB-1999.030
ISS has published their quarterly update on backdoors for Windows 9x and Windows NT. A detailed description of NetBus 2.0 Pro is given (it can be downloaded here). Another backdoor is opened by the WM97/Caligula virus, a Microsoft Word macro virus that steals your Pretty Good Privacy (PGP) secret key ring and uploads it to a Codebreakers FTP site. The Picture.exe trojan horse program has been circulating around the Internet as an e-mail attachment. If run, this executable will send information about your Windows NT or 95/98 system to any of several e-mail addresses in China. The file has also been seen under the name Manager.exe.
All backdoors are described and countermeasures recommended in the advisory.
IRIX Vulnerability in ToolTalk RPC Service: SGI-19981101, ERS-1999.027, ESB-1999.023, I-091
As reported before (SGI-19981101 and CA-98.11), some IRIX versions are vulnerable to a stack overflow in the ToolTalk RPC Service. Silicon Graphics has now published patches, pointed out in the advisory.
Windows NT up to v4.0 with SP4 File Mapping Objects Cache ("KnownDLLs List") Vulnerability: L0pht, NTshop, MS99-006, ERS-1999.029, ESB-1999.024
In Windows NT, core operating system DLLs are kept in virtual memory and shared between the programs running on the system. This is done to avoid having redundant copies of the DLLs in memory, and improves memory usage and system performance. When a program calls a function provided by one of these DLLs, the operating system references a data structure called the KnownDLLs list to determine the location of the DLL in virtual memory. The Windows NT security architecture protects in-memory DLLs against modification, but by default it allows all users to read from and write to the KnownDLLs list.
A user can load into memory a malicious DLL that has the same name as a system DLL, then change the entry in the KnownDLLs list to point to the malicious copy. From that point forward, programs that request the system DLL will instead be directed to the malicious copy. When called by a program with sufficiently high privileges, it could take any desired action, such as adding the malicious user to the Local Administrators group. A local account is necessary to exploit this.
To enable stronger protection on system base objects such as the KnownDLLs list, add the following value to the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager:
Name: ProtectionMode
Type: REG_DWORD
Value: 1
A hotfix will be published soon.
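The registry value above is easy to verify from an exported copy of the key rather than by clicking through regedit on every server. The following is an added example (not code from the page, the advisory or Microsoft): it parses a .reg text export, as produced by regedit's "Export" of the Session Manager key, and reports whether ProtectionMode is present, is a REG_DWORD, and equals 1. The sample export embedded in the block is constructed for the example; the BootExecute line in it is only there to show that unrelated values are ignored.

```python
import re

# Registry key named in the advisory. .reg exports spell the hive path in upper
# case ("SYSTEM"), so every comparison below is case-insensitive.
SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"

# Constructed sample export (not from the page): what regedit's "Export" of the
# Session Manager key could look like after the recommended value has been added.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,00,00,00,00
"ProtectionMode"=dword:00000001
"""


def parse_reg_export(text):
    """Parse a .reg text export into {key_path_lower: {value_name_lower: raw_value}}.

    Only named values ("Name"=...) are collected; default values (@=...) and
    the header line are ignored, which is all this check needs.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)  # '"Name"=value' -> Name, value
            keys[current][name.lower()] = raw.strip()
    return keys


def protection_mode_enabled(text):
    """True only if ProtectionMode under Session Manager is a REG_DWORD equal to 1.

    A missing value is the NT default (base objects unprotected) and a REG_SZ "1"
    is the wrong type, so both report False rather than passing by accident.
    """
    values = parse_reg_export(text).get(SESSION_MANAGER_KEY.lower(), {})
    raw = values.get("protectionmode")
    if raw is None:
        return False
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    return bool(m) and int(m.group(1), 16) == 1


def audit(text):
    """One-line finding suitable for a host audit report."""
    if protection_mode_enabled(text):
        return "OK: ProtectionMode=1 set under Session Manager"
    return "FINDING: ProtectionMode is not REG_DWORD 1 (KnownDLLs list writable by all users)"


if __name__ == "__main__":
    print(audit(SAMPLE_REG_EXPORT))
```

Run it against a real export by reading the file into a string and passing it to `audit()`; the parser deliberately refuses a value of the wrong type, since a REG_SZ "1" would not enable the protection.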
Debian Linux Root Exploit in eterm: Debian0218
Version 0.8.8 in the unreleased Debian "potato" distribution was vulnerable. The earlier versions 0.7 and 0.8.7 are not vulnerable. This hole is fixed in the currently available potato (eterm_0.8.8-5 or higher).
many Linux Buffer Overflow in lsof: HERT-02
Lsof lists information about files opened by processes for most UNIX dialects. When lsof is setuid-root or setgid kmem, it is vulnerable to a buffer overflow that will lead to direct root compromise or root compromise through live kernel patching. It's recommended to remove the setuid-root bit with
chmod 0755 lsof
Unix, NFR Vulnerability in NFR Web Server: ERS-1999.024, ERS-1999.025
The Network Flight Recorder (NFR) custom web server is used to present an HTTP front-end to the NFR system. By default, the web server is called "webd", and is bound to TCP port 2001. In the absence of external network access control, arbitrary remote attackers can conduct transactions with the NFR web server.
Due to an implementation fault in "webd", it is possible for a remote attacker to formulate an HTTP transaction that will cause the web server to overflow an automatic variable on the stack. By overwriting activation records stored on the stack, it is possible to force a transfer of control into arbitrary instructions provided by the attacker in the HTTP transaction, and thus gain total control of the web server process.
It's strongly recommended to install patch No. 2.0-p3 for NFR Version 2.0.2 Research. How to install it is pointed out in the advisory.
Unix Vulnerability in mSQL (Mini SQL) 2.0.6 and below: KSRT#10
mSQL is a database engine (available from http://www.hughes.com.au) that supports a subset of the ANSI SQL query specifications. If remote access is enabled (as of 2.0.4.1 remote access is disabled by default) a remote user can retrieve sensitive information:
1. The connection table
2. The server version
3. The current and maximum number of connections
4. The user name and user id of the msqld process
This information may enable an attacker to gain unauthorized access to the database. A fix will be included in the latest version of mSQL (2.0.7).
Debian Linux Security problems in cfengine: Debian0215
The maintainer of the Debian GNU/Linux cfengine package found an error in the way cfengine handles temporary files when it runs the tidy action on home directories, which makes it susceptible to a symlink attack.
It's recommended to install a fixed version pointed out in the advisory.
Debian Linux Buffer Overflow in "Super" package: Debian0215a, ISS-019, J-031, ERS-1999.026, ESB-1999.025, S-99-07
Super is a utility that allows authorized users to execute commands with root privileges. It is intended as an alternative to setuid scripts, which are inherently dangerous. A buffer overflow exists in Super that may allow attackers to take advantage of its setuid configuration to gain root access.
Version 3.11.7 should be installed immediately. Administrators should take care to disable setuid root utilities that are not used by regular users. To disable Super permanently, execute the following command as root to disable the setuid bit:
# chmod 755 /usr/bin/super
BackOffice Server 4.0 BackOffice Server 4.0 doesn't delete Installation Setup File: MS99-005, ERS-1999.023, J-030, ESB-1999.021, S-99-08
When a user chooses to install SQL Server, Exchange Server or Microsoft Transaction Server as part of a BackOffice 4.0 installation under Windows NT, the BackOffice installer program requests the name and password for the accounts associated with these services. Specifically, it asks for the account name and password for the SQL Executive Logon account, the Exchange Services Account, and the MTS Remote Administration Account. These values are stored in
<systemdrive>\Program Files\Microsoft Backoffice\Reboot.ini
and used to install the associated services. BackOffice Server does not erase this file when the installation process is completed. The fix for this problem is to delete the file.
many Unix Vulnerabilities in many ftpd: CA-99.03, ERS-1999.022, J-029, S-99-02, ESB-1999.020
Software that implements FTP is called an "ftp server", "ftp daemon", or "ftpd". On most vulnerable systems, the ftpd software is enabled and installed by default.
There is a general class of vulnerability that exists in several popular ftp servers. Due to insufficient bounds checking, it is possible to subvert an ftp server by corrupting its internal stack space. By supplying carefully designed commands to the ftp server, intruders can force the server to execute arbitrary commands with root privilege.
Affected are servers running the latest version of ProFTPD (1.2.0pre1) or the latest version of Wuarchive ftpd (2.4.2-academ[BETA-18]). wu-ftpd is installed and enabled by default on most Linux variants such as RedHat, Debian, and Slackware Linux.
Further vendor specific information can be found in the advisory.
DIGITAL UNIX V4.0x Vulnerabilities in at and inc: J-027, ERS-1999.021, ESB-1999.019
A potential security vulnerability has been discovered in the "at" and "inc" commands of Compaq's Tru64/DIGITAL UNIX software, where under certain circumstances a user may gain unauthorized privileges.
It's recommended to install a patch published by Digital.
Solaris with CDE Vulnerabilities in the Common Desktop Environment (CDE): SUN Security Bulletin #00185, ERS-1999.020, J-028, S-99-05, ESB-1999.018
As reported before (CA-98.02), several vulnerabilities in the Common Desktop Environment (CDE) may be exploited to gain root access and remove arbitrary files. Sun recommends that you install the respective patches immediately on affected systems (Solaris 7 is not affected).
CDE Version   Patch ID
1.2           106112-03, 105837-02
1.2_x86       106113-03, 105838-02
1.0.2         104661-07, 104498-05, 103882-09
1.0.2_x86     104663-08, 104500-05, 103886-08
1.0.1         104660-04, 104497-05, 103884-07
1.0.1_x86     104662-05, 104499-05, 103885-07
Solaris 2.3 - 7 (SPARC and x86), SunOS 4.1.4 and 4.1.3_U1 Vulnerability in man/catman: SUN Security Bulletin #00184, ERS-1999.019, J-028, S-99-06, ESB-1999.017
The man command displays information from the reference manuals. The catman utility creates preformatted versions of the on-line manuals. Vulnerabilities have been discovered with these commands that may be exploited to overwrite arbitrary files when man or catman is executed by root.
Sun recommends installing the respective patches immediately on affected systems.
Operating System   Patch ID
Solaris 7          107038-01
Solaris 7_x86      107039-01
Solaris 2.6        106123-04
Solaris 2.6_x86    106124-04
Solaris 2.5.1      106905-01
Solaris 2.5.1_x86  106906-01
Solaris 2.5        106907-01
Solaris 2.5_x86    106908-01
Solaris 2.4        106912-01
Solaris 2.4_x86    106962-01
Solaris 2.3        106911-01
SunOS 4.1.4        107157-01, 107144-01
SunOS 4.1.3_U1     107156-01, 107143-01
Solaris with CDE Vulnerability in sdtcm_convert: SUN Security Bulletin #00183, ERS-1999.018, J-028, S-99-04, ESB-1999.016
sdtcm_convert is a setuid-root calendar data conversion utility which converts version 3 (OpenWindows) calendar data format to version 4 (extensible calendar data format), and vice versa. A buffer overflow has been discovered which may be exploited to gain root access.
Sun recommends that you install the respective patches immediately on affected systems.
CDE Version   Patch ID
1.3           107022-01
1.3_x86       107023-01
1.2           105566-06
1.2_x86       105567-07
1.0.2         103670-06
1.0.2_x86     103717-06
1.0.1         103671-06
1.0.1_x86     103718-06
NetBSD Security problem with netstat: NetBSD, ERS-1999.017, ESB-1999.015
In some versions of netstat a security hole exists which will allow non-root users to examine any kernel memory location.
It's recommended to install a patch or to disable netstat for non-root users by
chmod 555 /usr/bin/netstat
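Three entries on this page (lsof, Super and netstat) end with the same workaround: drop the setuid or setgid bit on a privileged utility with chmod. The following is an added example, not code from the page or from any of the advisories, that turns that one-off command into a small audit: it walks a directory tree, lists regular files carrying setuid or setgid, and strips the bits to the 0755 mode the advisories use. The `demo()` function builds a constructed temporary tree (a fake setuid "lsof" next to a plain "ls") so the block runs without touching the real system; the file names and the 0755 fallback are the only assumptions.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Walk root and return the sorted paths of regular files with setuid or setgid set.

    lstat is used so symlinks are reported as themselves (and skipped, since
    they are not regular files) instead of following them out of the tree.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: not our concern here
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def strip_setid(path, new_mode=0o755):
    """Reset the file's mode to new_mode (0755 as in the advisories), which drops
    setuid and setgid. Returns the permission bits actually in effect afterwards."""
    os.chmod(path, new_mode)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Constructed scenario: a setuid 'lsof' and a plain 'ls' in a temp dir.

    Returns (names flagged before the fix, mode of lsof after the fix,
    names flagged after the fix).
    """
    with tempfile.TemporaryDirectory() as root:
        lsof = os.path.join(root, "lsof")   # assumed name, stands in for the vulnerable binary
        other = os.path.join(root, "ls")    # control file that must not be flagged
        for p in (lsof, other):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(lsof, 0o4755)  # setuid bit set, as the vulnerable packages shipped it
        os.chmod(other, 0o755)
        before = [os.path.basename(p) for p in find_setid_files(root)]
        fixed_mode = strip_setid(lsof)
        after = [os.path.basename(p) for p in find_setid_files(root)]
        return before, fixed_mode, after


if __name__ == "__main__":
    print(demo())  # (['lsof'], 493, [])  -- 493 is 0o755
```

To audit a real host, call `find_setid_files("/usr/bin")` (or the whole filesystem) as root and review the list before stripping anything: utilities such as passwd or su legitimately need setuid, so the fix is applied per file, never to the whole result.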
Windows NT 4.0 SP4 Authentication Processing Error in Windows NT 4.0 Service Pack 4: MS99-04, ESB-1999.014, ERS-1999.016, NTshop
There is a logic error in Service Pack 4 for Windows NT 4.0 that could, under certain conditions, allow a user to log on interactively and connect to network shares using a blank password. The vulnerability primarily, but not exclusively, affects Windows NT servers that serve as domain controllers in environments with DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh clients. Windows NT, Windows 95 and Windows 98 client workstations are not affected.
It's recommended to install the patch for x86 or Alpha.
HP-UX Security Vulnerability with rpc.pcnfsd: HP Security Bulletin #00091, ESB-1999.013, ERS-1999.015, J-026, S-99-03
rpc.pcnfsd is an RPC service used by NFS clients that provides username and password authentication for systems which have NFS client software installed. If exploited, this defect allows the main printer spool directory used by rpc.pcnfsd to be made world writeable.
It's recommended to install a patch:
HP-UX 10.01: PHNE_17248
HP-UX 10.10: PHNE_17248
HP-UX 10.20: PHNE_17098
HP-UX 11.00: PHNE_16470

This problem is fixed fully in HP-UX release 11.01.
The following sets of patches will need to be installed to resolve all the documented patch dependencies. The dependencies will be satisfied by the patches listed, or any patch that supersedes them:

s700 10.01: PHNE_17248, PHKL_7059, PHCO_14253
s800 10.01: PHNE_17248, PHKL_7060, PHCO_14253
s700 10.10: PHNE_17248, PHKL_8292, PHCO_14254
s800 10.10: PHNE_17248, PHKL_8293, PHCO_14254
s700 10.20: PHNE_17098, PHKL_9155, PHKL_16750, PHCO_13777, PHCO_12922, PHCO_17389, PHNE_16237, PHKL_16959, PHKL_17012, PHKL_17253, PHKL_12007
s800 10.20: PHNE_17098, PHKL_9156, PHKL_16751, PHCO_13777, PHCO_12922, PHCO_17389, PHNE_17097, PHKL_16957, PHKL_17013, PHKL_17254, PHKL_12008
s700 11.00: PHNE_16470, PHCO_16629, PHKL_15689, PHCO_14625
s800 11.00: PHNE_16470, PHCO_16629, PHKL_15689, PHCO_14625
Microsoft IIS 3.0 and 4.0 Vulnerability in Internet Information Server (IIS) FTP service: MS99-003, ESB-1999.009, ERS-1999.012
The FTP service in IIS has an unchecked buffer in a component that processes "list" commands. This results in a vulnerability that poses two threats to safe operation. The first is a denial of service threat; a malformed "list" request could overflow the buffer causing the server to crash. The second is more esoteric and would be far more difficult to exploit. A carefully-constructed "list" request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither variant could be exploited accidentally.
Users need an account (at least a guest-account) to exploit these holes.
It's recommended to install one of the following patches (which require NT 4.0 SP4): x86 IIS 3.0, Alpha IIS 3.0, x86 IIS 4.0, Alpha IIS 4.0
Red Hat Linux Patches for minicom packages: ESB-1999.011
Current minicom packages have permissions set to allow all users to access a modem on a system. This update fixes the problem by limiting access to the users listed in the minicom configuration file. It's recommended to install a patch:
Red Hat Linux 5.1 and 5.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/minicom-1.82-3.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/minicom-1.82-3.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/minicom-1.82-3.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/minicom-1.82-3.src.rpm
Red Hat Linux 5.0:
alpha:
rpm -Uvh ftp://updates.redhat.com/5.0/alpha/minicom-1.82-0.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.0/i386/minicom-1.82-0.i386.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/minicom-1.82-0.src.rpm
Red Hat Linux 4.2:
alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/minicom-1.81-2.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/minicom-1.81-2.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/minicom-1.81-2.sparc.rpm
Source rpm:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/minicom-1.81-2.src.rpm
all Information about Trojan Horses: CA-99.02, ESB-1999.012, ERS-1999.014
Over the past few weeks, CERT has received an increase in the number of incident reports related to Trojan horses. The advisory describes the dangers associated with Trojan horses as well as some recent incidents:
False Upgrade to Internet Explorer
Trojan Horse Version of TCP Wrappers
Trojan Horse Version of util-linux
IRIX 6.5 Security Features of IRIX 6.5: SGI-19990201, ESB-1999.008, ERS-1999.011
There has been some confusion about what security features are available in the IRIX 6.5 operating system. Silicon Graphics points out the additions and changes in the base set of IRIX 6.5:
1) Access Control Lists (ACLs), /sbin/chacl
2) Least-Privilege Capabilities, /etc/capability and /etc/irix.cap
3) System Manager, /usr/sysadm/bin/sysmgr
4) Trusted IRIX (TRIX or TIRIX) Compartmented Mode Workstation (CMW) 6.5
all Detection of the worm Happy99.exe: CIAC-C
A computer worm called Happy99.exe has been discovered in the wild in Europe. Most of the major anti-virus vendors now have updates that will allow their software to detect the malicious code. See the advisory for the corresponding links.
all Testing Mailservers against Spam: At http://maps.vix.com/tsi/ar-test.html you can test whether your mail server is protected against mail spamming.
Microsoft Word 97 v8 New Macro Virus detected: J-025, ESB-1999.010, ERS-1999.013
The W97M.Footprint Word macro virus has been seen within the DOE complex. This macro virus attaches to Word objects in Word 97 in much the same way as W97M.Class. Because of this method of infection, this virus will not infect older versions of Microsoft Word. Finding the two footprint files
C:\footprint.$$$
C:\footprint.$$1

on the C: drive is strong evidence that the system is infected.
This virus has been known since January '99, first categorized as W97M/CAP.GL, now as W97M/Footer. Some, but not all, anti-virus products recognize this macro virus. Use an updated antivirus product when one is available. Until then, password-protect the normal.dot file, turn on macro virus detection in Word, and take care when opening files containing macros.


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 1999-03-11, 23:21 +0000