News April 2000
Last Update: 2000-05-03


Most of the links lead to the corresponding files at CERT or other organisations, so changes there are reflected immediately, in particular which patches should be installed or which configuration changes avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this platform or program is safe to use!



System | Short description | Further information
many | Continuing compromises of DNS servers | CA-2000-03, ERS-2000.074
US-CERT reports compromises of machines running the Domain Name System (DNS) server software that is part of BIND ("named"), including machines that are not being used as DNS servers. Some sites with compromised systems have found one of the following empty directories (/var/named/ADMROCKS, /var/named/O) on systems where the NXT record vulnerability was successfully exploited. Other commonly observed effects are:
- inetd started with an intruder-supplied configuration file in /tmp that provides a backdoor into the system
- modified /etc/inittab and/or system startup files to load intruder processes at boot time 
- Trojan horse versions of sshd and /bin/login designed to provide a backdoor into a compromised system 
- complete rootkits that include Trojan horse replacements for system binaries, sniffers, denial-of-service tools, vulnerability scanners, exploits, etc.
It's strongly recommended to run the latest version of BIND and to configure it correctly. 
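The indicators in the CERT summary above lend themselves to a simple host check. The following script is an added example and is not code from the original page or from CERT: it looks for the two indicator directories, for inittab or startup-file entries that launch programs from /tmp, and for an inetd started with a configuration file in /tmp. Paths are resolved relative to a `root` argument so the checks can be run over a mounted image of a suspect disk; `build_sample_tree` and `SAMPLE_PS` are constructed test data, not artifacts from a real incident.

```python
"""Host check for the BIND compromise indicators listed above (CA-2000-03).

Added example, not code from the original page or from CERT. It looks for
the artifacts the summary names: the directories /var/named/ADMROCKS and
/var/named/O, inittab or startup-file entries that launch programs from
/tmp, and an inetd running with a configuration file in /tmp. Paths are
resolved relative to `root`, so the checks can be run over a mounted image
of a suspect disk; `build_sample_tree` and SAMPLE_PS are constructed test
data, not artifacts from a real incident.
"""
import os
import re
import tempfile

INDICATOR_DIRS = ("var/named/ADMROCKS", "var/named/O")
STARTUP_FILES = ("etc/inittab", "etc/rc.local", "etc/rc.d/rc.local")
# A startup entry whose command (after the inittab ':' fields or whitespace) lives in /tmp.
TMP_COMMAND = re.compile(r"(^|[:\s])/tmp/\S+")
# inetd given a configuration file under /tmp on its command line.
INETD_TMP_CONFIG = re.compile(r"\binetd\b.*\s/tmp/\S+")


def check_indicator_dirs(root):
    """Report the advisory's indicator directories if present (they are normally empty)."""
    findings = []
    for rel in INDICATOR_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            state = "empty" if not os.listdir(path) else "non-empty"
            findings.append(f"/{rel}: indicator directory present ({state})")
    return findings


def check_startup_files(root):
    """Flag inittab / rc entries that start something out of /tmp."""
    findings = []
    for rel in STARTUP_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if line.lstrip().startswith("#") or not TMP_COMMAND.search(line):
                    continue
                findings.append(f"/{rel}:{lineno}: starts a program from /tmp: {line.strip()}")
    return findings


def check_process_listing(ps_lines):
    """Scan saved `ps` output for an inetd whose configuration file is in /tmp."""
    return [f"inetd with configuration in /tmp: {line.strip()}"
            for line in ps_lines if INETD_TMP_CONFIG.search(line)]


def check_host(root, ps_lines=()):
    """Run every check; an empty list means none of the listed indicators was seen."""
    return (check_indicator_dirs(root)
            + check_startup_files(root)
            + check_process_listing(ps_lines))


def build_sample_tree(base):
    """Constructed sample root with two of the indicators, for demonstration only."""
    os.makedirs(os.path.join(base, "var/named/ADMROCKS"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc/inittab"), "w") as fh:
        fh.write("id:3:initdefault:\n")
        fh.write("# a comment mentioning /tmp/x is ignored\n")
        fh.write("bd:2345:respawn:/tmp/.x/sshd\n")
    return base


SAMPLE_PS = [  # constructed ps output, not from a real host
    "root   143  0.0  inetd",
    "root   912  0.0  inetd /tmp/.inetd.conf",
]


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_host(build_sample_tree(tmp), SAMPLE_PS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean result from this check proves nothing on its own, since a rootkit that replaces system binaries (the last item in the list above) can hide its files from the very tools used to look for them; run it from a separate boot medium or over a mounted image, and treat any hit as grounds for the full reinstall the advisory recommends.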
IBM AIX 4.3 with APAR IY02669 | Insecurity in frcactrl | ISS-047, ERS-2000.075
The AIX Fast Response Cache Accelerator (FRCA) is a kernel extension module that improves the performance of a web server by using a memory cache to store data being served from the web server. FRCA is used primarily with the Apache-based IBM HTTP server, but it may also be used with other web servers. The frcactrl program is used to manage the FRCA configuration and is distributed as part of the base operating system in AIX 4.3.
A security risk exists on systems with AIX fix IY02669 applied and with the FRCA kernel extension loaded. The setuid bit of the frcactrl file is turned on by APAR (Authorized Problem Analysis Report) IY02669, which allows non-root users to configure the module. An attacker may use frcactrl to manipulate the configuration of the FRCA log files to create, append, or overwrite files as root. IBM is working on a patch. If the functionality is not needed, FRCA should be unloaded.
FreeBSD | Security risks in imap | ERS-2000.072, ERS-2000.073
Imap-uw is a popular IMAP4/POP2/POP3 mail server from the University of Washington. Numerous buffer overflows were found. Once an IMAP user has successfully logged into a mail account, imapd has dropped root privileges and runs as the user ID of that account, so the overflows only allow code to be executed as that user. The vulnerability is therefore only relevant on a "closed" mail server, i.e. one which does not normally allow interactive logins by mail users. The imap-uw port also supplies a "libc-client" library which provides various functionality common to mail servers. The algorithm used for locking mailbox files contains a weakness which allows an unprivileged local user to lock an arbitrary local mailbox. There are no patches available at the moment. If not needed, imapd should be uninstalled.
Allaire Spectra 1.0 and 1.0.1 | No object security when using Container Editor Preview | ASB00-10
In Spectra, the Container Editor Preview tool does not enforce object security. Any object-method placed in the container object array by a publishing rule is invoked with security disabled by the container editor preview tab. Allaire has published a patch to fix this problem.
Microsoft FrontPage 2000 | Windows 2000 account names disclosed | NTShop
Using the FrontPage 2000 Extensions for Internet Information Server 5.0, valid FrontPage users connected to a remote web with a FrontPage client can obtain a list of account names. This problem was also found on NT 4.0 / IIS 4.0 and Windows 9x, but the workarounds for those don't work for Windows 2000. Microsoft is working on a patch.
Real Networks Real Server | Denial of Service possible | NTShop
By sending the Real Server (7, Pro, Intranet, Plus, Basic and G2 1.0, for Linux as well as Windows) 471 bytes of malformed data on port 7070, the service can be made to crash. USSRLabs have published a demonstration of this problem. Real Networks seems to be working on a patch.
Netscape Communicator 4.x | Local files exposed by using cookies and JavaScript | NTShop
Netscape Communicator 4.x allows a Web site to read HTML files on a user's hard drive, including the user's bookmarks file and browser cache files. The exploit works by setting a cookie whose value contains JavaScript code. A detailed description has been published by Bennett. Netscape will fix this problem with the next minor version.
Novell Netware 5.1 | Buffer overflow in Remote Admin | NTShop
The Remote Administration service contains a buffer overflow condition that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution. Novell is working on a patch; a demonstration can be found in the advisory.
Panda Security 3.0 | Panda Security can be bypassed | NTShop
Panda Security 3.0 for Windows 95 and 98 is vulnerable to indirect registry key modifications, which allow Panda Security keys to be manipulated by any logged-on user. A demonstration has been published by Deep Zone and Panda Software has released a patch.
Red Hat Linux | Vulnerabilities in imwheel, LVS and OpenLDAP | RHSA-2000:016, ERS-2000.070, ISS-046, RHSA-2000:014, RHSA-2000:012, ERS-2000.071, K-035
A vulnerability exists in the imwheel package of Red Hat Linux Powertools where local users can execute arbitrary commands as root. Piranha is a package distributed by Red Hat, Inc. that contains the Linux Virtual Server (LVS) software, a web-based GUI, and monitoring and fail-over components. A backdoor password exists in the GUI portion of Piranha that may allow remote attackers to execute commands on the server. OpenLDAP follows symbolic links when creating files. The default location for these files is /usr/tmp, which is a symlink to /tmp, which in turn is a world-writable directory. Local users can destroy the contents of any file on any mounted filesystem. It's recommended to install the corresponding patches:
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/i386/imwheel-0.9.8-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/i386/imwheel-0.9.8-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm
Alpha: 
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/alpha/imwheel-0.9.8-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/alpha/imwheel-0.9.8-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/piranha-0.4.13-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.13-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.13-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/sparc/imwheel-0.9.8-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/sparc/imwheel-0.9.8-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/piranha-0.4.13-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.13-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.13-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/SRPMS/imwheel-0.9.8-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/imwheel-0.9.8-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/SRPMS/openldap-1.2.9-6.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/openldap-1.2.9-6.src.rpm
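The OpenLDAP problem above is an instance of a general class: a privileged program creating a file under a predictable name in a world-writable directory and following whatever symlink a local user has planted there. The following script is an added example and is not code from the original page or from OpenLDAP. `naive_create` reproduces the vulnerable pattern and `safe_create` the hardened one (O_CREAT|O_EXCL plus O_NOFOLLOW); `demonstrate` stages the scenario in a constructed temporary directory with a stand-in file in place of a real system file, so it runs offline as an ordinary user.

```python
"""Writing files in a world-writable directory without following symlinks.

Added example, not code from the original page or from OpenLDAP. The
OpenLDAP advisory above describes a privileged program that creates files
under /usr/tmp (a symlink to /tmp) and follows whatever symlink a local
user has planted there, destroying the target. `naive_create` reproduces
that pattern and `safe_create` the hardened one; `demonstrate` stages the
scenario in a constructed temporary directory, so it runs offline as an
ordinary user, with a stand-in file in place of a real system file.
"""
import os
import tempfile

ORIGINAL = "original contents\n"   # constructed contents of the stand-in victim file


def naive_create(path, data):
    """Vulnerable pattern: open(path, 'w') truncates and writes whatever
    `path` resolves to, so a pre-planted symlink redirects the write."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_create(path, data):
    """Hardened pattern: O_EXCL makes creation fail if anything (a symlink
    included) already exists at `path`, O_NOFOLLOW refuses to traverse a
    symlink in the final component, and mode 0o600 keeps the file private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def read_text(path):
    with open(path) as fh:
        return fh.read()


def demonstrate():
    """Stage the scenario against both variants and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.conf")   # stands for any file on a mounted fs
        tmp = os.path.join(work, "tmp")              # stands for /tmp
        os.mkdir(tmp)
        planted = os.path.join(tmp, "ldap.log")      # predictable name the daemon will use

        with open(victim, "w") as fh:
            fh.write(ORIGINAL)
        os.symlink(victim, planted)                  # the pre-planted symlink
        naive_create(planted, "garbage\n")           # the privileged write follows it
        naive_clobbered = read_text(victim) != ORIGINAL

        with open(victim, "w") as fh:                # reset for the hardened variant
            fh.write(ORIGINAL)
        try:
            safe_create(planted, "garbage\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        safe_clobbered = read_text(victim) != ORIGINAL

        fresh = os.path.join(tmp, "fresh.log")       # no symlink here: normal operation
        safe_create(fresh, "ok\n")
        safe_fresh_written = read_text(fresh) == "ok\n"

        return {
            "naive_clobbered": naive_clobbered,
            "safe_refused": safe_refused,
            "safe_clobbered": safe_clobbered,
            "safe_fresh_written": safe_fresh_written,
        }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Refusing to create the file when something is already there is the right outcome for a daemon: the alternative of unlinking and retrying only reopens the race. Where a program genuinely needs scratch files in /tmp, a randomised name (`tempfile.mkstemp`, which uses the same flags) or a private directory owned by the daemon removes the predictable name as well.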
SCO UnixWare 7.x and OpenServer 5.0.x | Problems with sendmail/SMTP anti-relay | SB-00.11, SB-00.12
It is a common tactic among spammers to use other machines as an SMTP relay so that their mail appears not to come from their own site. The sendmail configuration for UnixWare 7 Release 7.0 and 7.0.1 and SCO OpenServer Release 5.0.x does not have SMTP anti-relaying enabled by default. It's strongly recommended to change the configuration as described in the advisories.
OpenLinux | Vulnerabilities in dump, inews, majordomo, rpm_query and telnetd | CSSA-2000-04, CSSA-2000-05, CSSA-2000-06, CSSA-2000-07, CSSA-2000-08
As Caldera Systems reports, several security holes were found in OpenLinux. There is a buffer overflow in the way the dump command handles certain arguments; it can be exploited to obtain group tty privileges. The INN (InterNetNews) package contains the 'inews' binary, used for injecting news articles into the server; several buffer overflows were found that allow any local user to gain group 'news' access. Several bugs in majordomo allow arbitrary users to execute commands with the privileges of majordomo. The OpenLinux package contains a CGI script called rpm_query that allows a user to obtain a list of all RPM packages installed on the machine, provided the Apache web server is running. The telnet daemon from the Linux netkit supports a command line option -L that lets the administrator specify a login program other than /bin/login. An unintended interaction with another piece of code in telnetd has the effect that the memory location holding that program name is overwritten with information obtained from the client host. This bug can be abused by an attacker to bypass authentication completely.
It's recommended to install the patches mentioned in the advisories.
Microsoft FrontPage 97 and 98 Server Extensions and others | Vulnerability in server-side image map components | MS00-028, ERS-2000.069, NTShop
The FrontPage 97 and 98 Server Extensions include two components, Htimage.exe and Imagemap.exe, that provide CERN- and NCSA-compliant server-side image mapping support, respectively, for legacy browsers. Both components contain unchecked buffers that could be used to run arbitrary code. Although part of the Server Extensions, these components also install as part of several other web server products. Microsoft recommends eliminating this vulnerability by deleting all copies of the files Htimage.exe and Imagemap.exe from the servers.
Microsoft Windows NT 4.0 and 2000, all versions | Malformed environment variable handling by cmd.exe | MS00-027, ERS-2000.068, NTShop
CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000, has an unchecked buffer in the part of the code that handles environment strings. The vulnerability could allow a malicious user to make some or all of the memory on an affected server unavailable, potentially slowing or stopping the server's response. Microsoft has published fixes for Windows NT 4 and Windows 2000.
Microsoft Windows 2000 Server, Advanced Server | Vulnerability by mixed object access | MS00-026, ERS-2000.066, NTShop
Active Directory allows access control of directory objects on a per-attribute basis. A vulnerability was found which could allow an attacker to modify object attributes that he does not have permission to modify, as long as he combines the operation in a particular way with operations on attributes that he does have permission to modify. Microsoft has published a patch to fix this problem.
FreeBSD | Security risk in generic-nqs | ERS-2000.065
Generic-NQS versions 3.50.7 and earlier contain a security vulnerability which allows a local user to easily obtain root privileges. A workaround is to remove the generic-nqs port, but patches are also available.
Cisco IOS | Denial of Service by using telnet options | Cisco, ERS-2000.067, NTShop
Cisco IOS version 11.3AA and the 12.0 releases 12.0(2) up to and including 12.0(6) may enter a denial-of-service condition when the routers are scanned by security scanners. The router may reload unexpectedly, which can be exploited repeatedly to produce a consistent denial of service (DoS). Further information about fixes can be found in the advisory.
Microsoft IE 5.01 | Cross-frame navigation possible | NTShop
As Georgi Guninski reports, Microsoft Internet Explorer 5.01 allows its cross-frame security policy to be circumvented by accessing the DOM (document object model) of documents using Java or JavaScript. The problem exposes the whole DOM of the target document and opens up a lot of additional security risks. Microsoft seems to be working on a patch.
Cisco Catalyst | Bypassing the enable password possible | Cisco, ERS-2000.064, K-034
On Cisco Catalyst 4000, 5000, 5500, 6000 and 6500 switches running software version 5.4(1), anyone who can obtain ordinary console access can bypass password authentication and obtain "enable" mode access without knowing the "enable" password. Version 5.4(2) fixes this problem. There are no known workarounds for the vulnerability itself; strictly limiting telnet access to the device prevents the initial connection required to exploit it:
set ip permit <address> <mask> telnet 
set ip permit enable
TurboLinux | Vulnerabilities in PAM and usermode | TLSA2000:09
Both pam and userhelper are setuid binaries and follow ".." in paths. Using pam, any file on the disk can be opened, and in combination with userhelper a local attacker may gain root rights on the system. Further information and links to patches can be found in the advisory.
Microsoft Visual Interdev 1.0 | Vulnerability in Link View server-side component | MS00-025, ERS-2000.063, NTShop
A hole was found in the Windows NT 4.0 Option Pack (the primary distribution mechanism for Internet Information Server 4.0), in Personal Web Server 4.0 (which ships as part of Windows 95 and 98) and in the FrontPage 98 Server Extensions. Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0; it contains an unchecked buffer. If overrun with random data, it could be used to crash an affected server. Microsoft is investigating further effects. Until a patch is published, Microsoft recommends deleting all copies of the file Dvwssr.dll from the server. The only functionality lost by deleting this file is the ability to generate link views of .asp pages using Visual Interdev 1.0.
Red Hat Linux | Vulnerabilities in gpm and kernel | RHSA-2000:009, RHBA-2000:013
Gpm is a cut-and-paste utility and mouse server for virtual consoles. As part of this package, the gpm-root program allows users to define menus and actions to be displayed when clicking on the background of the current tty. The current gpm-root program fails to correctly give up its group id 0 membership for user-defined menus. If you are running gpm-root on your system, you are at risk.
Under extremely heavy load, data corruption can occur if a page fault occurs during a task switch between kernel space and user space on x86 platforms. This problem affects very heavily loaded systems; lightly loaded servers are unlikely to be affected. The issue affects all x86-compatible systems.
It's recommended to install the corresponding patches. Kernel patches for the different systems are listed in the second advisory.
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/gpm-1.19.1-1.i386.rpm
Alpha: 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/gpm-1.19.1-1.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/gpm-1.19.1-1.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.1-1.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/gpm-1.19.1-0.5.2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/gpm-1.19.1-0.5.2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/gpm-1.19.1-0.5.2.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/gpm-1.19.1-0.5.2.src.rpm
Red Hat Linux 4.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/4.2/i386/gpm-1.19.1-0.4.2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/4.2/alpha/gpm-1.19.1-0.4.2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/4.2/sparc/gpm-1.19.1-0.4.2.sparc.rpm
Source: 
rpm -Fvh ftp://updates.redhat.com/4.2/SRPMS/gpm-1.19.1-0.4.2.src.rpm
Microsoft Windows NT 4.0 | Vulnerability caused by OffloadModExpo registry permissions | MS00-024, ERS-2000.062, NTShop
This vulnerability involves a registry key used by the CryptoAPI Base CSPs to specify the driver DLL for a hardware accelerator. By design, such a DLL would have access to users’ public and private keys. Although only administrators should have permission to add such a DLL, the permissions on the key actually would allow any user who could interactively log onto the machine to do so. By writing a bogus DLL and installing it, an attacker could compromise the keys of other users who subsequently used the machine. All versions of NT 4.0 are affected, but not Windows 2000. Microsoft has published a patch for X86 and Alpha.
Microsoft IIS 4.0 and 5.0 | Vulnerability by myriad escaped characters | MS00-023, NTShop, K-033, ERS-2000.061
An Internet Information Server reading a malformed URL will suffer a denial of service attack. Special characters can be embedded in URLs by use of so-called escaped character sequences. By providing a malformed URL with an extremely large number of escaped characters, an attacker could increase the work factor associated with parsing them, thereby consuming much or all of the CPU capacity of the server: a classical denial-of-service attack against the Internet Information Server. Microsoft has published patches for IIS 4.0 and IIS 5.0.
CRYPTOAdmin 4.1 server on any platform, CRYPTOCard PT-1 token 1.04 | PalmToken PIN extraction possible | l0pht
CRYPTOCard's CRYPTOAdmin software is a user authentication administration system that uses various hardware and software token devices for challenge/response. Using the user's PIN and the token, the correct response is calculated from the challenge issued by the CRYPTOAdmin server. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. The CRYPTOAdmin software creates a PalmOS .PDB file for each user, which is loaded onto the Palm device. The user name, serial number, key and PIN are all stored in this file in either encrypted or plaintext form. By gaining access to the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypt-and-compare operations. Having both the .PDB file and the PIN allows an attacker to clone the token on another Palm device and generate the proper responses to the challenges from the CRYPTOAdmin server. Using a demonstration tool, the PIN can be determined in under 5 minutes on a Pentium III 450MHz. It's strongly recommended to delete the .PDB file after it has been loaded onto the Palm and to change the PIN regularly.
FreeBSD | Vulnerabilities in ircII and healthd | ERS-2000.059, ERS-2000.060
IrcII is a popular text-mode IRC client. Version 4.4 contains a remotely exploitable buffer overflow in the /DCC CHAT command which allows remote users to execute arbitrary code as the client user. It's recommended to install a patch or to remove the program from the system.
Healthd is a small utility for monitoring the temperature, fan speed and voltage levels of certain motherboards. Healthd v0.3 installs a utility which is setuid root in order to monitor the system status. This utility contains a trivial buffer overflow which allows an unprivileged local user to obtain root privileges on the system. Here too, it's recommended to install a patch or to remove the program from the system.
Microsoft Windows 9x | New worm called 911 | IN-2000-03, K-031
A worm with variants known as "chode", "foreskin", "dickhair", "firkin" or "911" has recently received some attention. The "chode" worm affects Windows 98 systems with unprotected shares. The worm consists of several batch files and will delete all files on the C drive on the 19th day of the month. Further information can be found in the advisory.
Real Player | Denial of Service possible | NTShop
There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7. It appears to occur when more than 299 characters are entered as a 'location' to play. Real is working on a patch; until it's released, it's recommended to disable ActiveX in the browser.
SCO UnixWare 7.x | Vulnerabilities caused by telnet and ftp | SB-00.09, SB-00.10
In UnixWare 7.0.0 through UnixWare 7.1.1, a buffer overflow in the handling of environment data allows telnet to execute arbitrary commands with the privileges it is set to run with. A patch (letter) has been published.
The same problem was found for ftp, patches have been published for 7.0.0 (patch, letter) and 7.0.1-7.1.1 (patch, letter).
SuSE Linux | Vulnerabilities in gpm and kreatecd | SUSE-045, SUSE-046
Gpm is a cut-and-paste utility and mouse server for virtual consoles. The gpm-root command, which is part of the gpm package, allows local users to define menus and commands to be executed on mouse events. When a command is executed via gpm, the group id 0 privilege is not dropped correctly, so local users may gain root access to the system.
Kreatecd is a KDE tool used to burn CD-ROMs. An exploitable buffer overflow was found in this tool, so here too local users may gain root privileges.
It's recommended to install patches from SuSE's web page for patches.
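Both gpm-root entries above (Red Hat and SuSE) describe the same defect: a privileged helper that runs user-supplied commands while still holding group id 0. The following script is an added example and is not code from the original page, from gpm or from either distribution. It shows the complete drop a setuid/setgid helper should perform before executing anything on a user's behalf (supplementary groups, then all three gids, then all three uids, then a check that root cannot be regained) next to an incomplete drop of the kind the advisories describe. `IdentityModel` is a small constructed stand-in for the kernel's identity rules so both variants can be exercised without running as root; the `api` parameter defaults to the real `os` module for actual use.

```python
"""Correctly giving up group id 0 in a setuid/setgid helper.

Added example: not code from the original page, from gpm or from a
distribution. The gpm-root advisories above describe a helper that runs
user-defined commands without dropping its group id 0 membership. The
functions below show the full drop (supplementary groups, then gid, then
uid, then a verification that root cannot be regained) next to an
incomplete drop of the kind the advisories describe, and a small model of
the kernel's identity rules so both can be exercised without being root.
`IdentityModel` and the `api` parameter are assumptions for the demo; a
real program passes the `os` module itself (the default).
"""
import os


class PrivilegeError(RuntimeError):
    """Raised when a privilege drop fails or turns out to be incomplete."""


class IdentityModel:
    """Constructed stand-in for the os set*/get* identity calls.

    Rule of the model: only a process whose effective uid is 0 may change
    its identity freely; anyone else may only pick values it already holds."""

    def __init__(self):
        self.uids = (0, 0, 0)      # real, effective, saved
        self.gids = (0, 0, 0)
        self.groups = [0, 4]       # supplementary groups of the root helper

    def _privileged(self):
        return self.uids[1] == 0

    def setgroups(self, groups):
        if not self._privileged():
            raise PermissionError("setgroups")
        self.groups = list(groups)

    def setresgid(self, r, e, s):
        if not self._privileged() and not {r, e, s} <= set(self.gids):
            raise PermissionError("setresgid")
        self.gids = (r, e, s)

    def setresuid(self, r, e, s):
        if not self._privileged() and not {r, e, s} <= set(self.uids):
            raise PermissionError("setresuid")
        self.uids = (r, e, s)

    def getresuid(self):
        return self.uids

    def getresgid(self):
        return self.gids

    def getgroups(self):
        return list(self.groups)


def drop_privileges(uid, gid, api=os):
    """Permanently become uid/gid. Order matters: groups and gid can only be
    changed while still root, so they go before the uid."""
    if uid == 0 or gid == 0:
        raise PrivilegeError("refusing to drop to a root identity")
    api.setgroups([gid])          # 1. supplementary groups (what gpm-root kept)
    api.setresgid(gid, gid, gid)  # 2. real, effective and saved gid
    api.setresuid(uid, uid, uid)  # 3. real, effective and saved uid
    verify_dropped(uid, gid, api)


def incomplete_drop(uid, api=os):
    """The defect class from the advisories: only the uid is changed, so the
    process keeps gid 0 and its group 0 membership. Illustration only."""
    api.setresuid(uid, uid, uid)


def verify_dropped(uid, gid, api=os):
    """Check every identity the kernel tracks, then try to regain root."""
    if set(api.getresuid()) != {uid}:
        raise PrivilegeError(f"uid not fully dropped: {api.getresuid()}")
    if set(api.getresgid()) != {gid}:
        raise PrivilegeError(f"gid not fully dropped: {api.getresgid()}")
    if 0 in api.getgroups():
        raise PrivilegeError(f"still a member of group 0: {api.getgroups()}")
    try:
        api.setresuid(0, 0, 0)    # must fail; success means the drop was incomplete
    except PermissionError:
        return True
    raise PrivilegeError("root identity could be regained")


def demo(uid=1000, gid=1000):
    """Run both variants against fresh models (constructed uid/gid values)."""
    good = IdentityModel()
    drop_privileges(uid, gid, good)
    bad = IdentityModel()
    incomplete_drop(uid, bad)
    try:
        verify_dropped(uid, gid, bad)
        failure = None
    except PrivilegeError as exc:
        failure = str(exc)
    return verify_dropped(uid, gid, good), failure


if __name__ == "__main__":
    print(demo())
```

The verification step is the part most helpers omit: checking all three uids and gids and the supplementary group list, and confirming that `setresuid(0, 0, 0)` now fails, is what turns "we called setuid" into "we cannot get root back". A helper that checks only `getuid()` would have passed gpm-root.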
HP-UX | Vulnerability with VirtualVault and Aserver | HP Security Bulletin #00112, ERS-2000.058
On HP9000 Series 7/800 systems running HP-UX 11.04 (VVOS) only, there is a vulnerability in the network layer of the operating system that could allow data to be delivered via a network interface to unprivileged processes if multiple IP addresses are assigned to the interface. It's recommended to install the patch published by HP:
System | Patch-ID
HP-UX 11.04 (VVOS) | PHNE_21261

In addition, HP has published a further workaround for the previously reported problem in Aserver.

many | New ISS Summary | ISS, ERS-2000.056
Recently, 33 new vulnerabilities were found:
- windmail-pipe-command
- windmail-fileread
- simpleserver-exception-dos
- linux-domain-socket-dos
- linux-gpm-root
- outlook-manipulate-hidden-drives
- vqserver-dir-traverse
- vqserver-passwd-plaintext
- iis-chunked-encoding-dos
- nav-email-gateway-dos
- netscape-server-directory-indexing
- mercur-webview-get-dos
- officescan-admin-pw-plaintext
- officescan-admin-access (also here)
- linux-kreatecd-path
- win-dos-devicename-dos
- wmcdplay-bo
- nt-registry-permissions
- staroffice-scheduler-fileread
- staroffice-scheduler-bo
- iis-root-enum
- mssql-query-abuse
- clipart-cil-bo
- oracle-installer
- linux-rpm-query
- thebat-mua-attach
- irix-infosrch-fname
- linux-dosemu-config
- coldfusion-reveal-pathname
- netscape-enterprise-command-bo (also here)
- nmh-execute-code
- htdig-remote-read
- ie-html-shortcut
Further information can be found on the ISS server.
Microsoft Excel 97 and 2000 | Vulnerability by XLM text macro | MS00-022, ERS-2000.057, NTShop
When an Excel user starts a macro (.XLM) that resides outside of the current spreadsheet (for example, in another spreadsheet), Excel by design generates a warning dialogue. This dialogue is not generated if the macro consists of Excel 4.0 Macro Language (XLM) commands in an external text file. The vulnerability only affects whether a warning dialogue is displayed; it does not change any other aspect of the macro's operation. An attacker could nevertheless use this "feature" to run arbitrary commands in the context of the user, if the user calls such a macro.
Microsoft has published a patch for Excel 97 SP2 and Excel 2000 SP1.
Allaire Forums 2.x | Security hole in Forums | ASB00-06, NTShop
This hole allows users to view and post to secure discussion threads via unsecured conferences and/or via e-mail. The issue affects multiple templates in the Forums software. It's recommended to install a patch.
very many | Advisory about DDoS | K-032
CIAC has published an article about Distributed Denial of Service (DDoS) attacks. Many network administrators are concerned only with being the target of a DDoS attack. Although with the current TCP/IP implementation there is little that can be done to prevent your network from suffering the effects of a DDoS, the article points out steps that help reduce the chances that your network is used as a source of an attack against another network. Some countermeasures are pointed out in the advisory, and another paper published by CIAC gives further information about DDoS.


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-05-03, 20:15 +0100