News May 2000
Last Update: 2000-06-04


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular regarding which patches should be installed or which configuration changes should be made to avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish well-known risks inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!



System: Short description and further information:
Microsoft Windows Media Encoder 4.x Vulnerability by malformed Windows Media Encoder request: MS00-038, ERS-2000.103
Windows Media Encoder is a component of the Windows Media Tools, which are part of the Windows Media Technologies. Windows Media Encoder is used to convert digital content into Windows Media Format for distribution by Windows Media Services in Windows NT and Windows 2000 Server. If a request with a particular malformation were sent to an affected encoder, it could cause it to fail, thereby denying formatted content to the Windows Media Server. This vulnerability would primarily affect streaming media providers that supply real-time broadcasts of streaming media. Microsoft has published a patch.
Microsoft SQL Server 7.0 SP 1 and 2 Vulnerability caused by SQL Server 7.0 Service Pack Password: MS00-035, ERS-2000.101
When SQL Server 7.0 Service Pack 1 or 2 is installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the file %TEMP%\sqlsp.log. The default permissions on the file allow any user who can log onto the server interactively to read it.
Microsoft has published a patch for SQL Server 7.0 Service Pack 2.
SuSE Linux Vulnerabilities in gdm and kmulti/kscd: SUSE-049, SUSE-050, ERS-2000.098
The GNOME package includes gdm, an xdm replacement, for handling graphical console and network logins. The gdm code may be tricked into writing data from the network right onto the stack. This condition exists while gdm is running with root privileges and before the user is authenticated, so an attacker could crash gdm or execute his own code, which leads to a root compromise of the system running gdm.
The KDE CD player kscd is setgid disk to be able to access the device file of the CDROM. To perform some actions kscd calls the Unix command shell specified in the environment variable SHELL with the privileges of group disk. An attacker could set SHELL to his own program to get local root access to the system by writing directly to the raw HDD device.
It's strongly recommended to install patches from SuSE's Webpage for Patches.
NetBSD Vulnerabilities in SysV semaphore, cpu-hog, ftpchroot, and Xlockmore: ERS-2000.096, ERS-2000.095, ERS-2000.097, ERS-2000.099
The first two vulnerabilities reported may lead to a Denial-of-Service: an undocumented system call permits any user process to lock up the entire semaphore subsystem, preventing processes using semaphores from locking or unlocking them, and preventing processes holding semaphores from exiting. Untrusted local processes can hog CPU and kernel memory by tricking the kernel into running exclusively on their behalf, denying other processes the CPU.
An earlier fix which attempted to make ftpd's parsing of /etc/ftpusers more robust is incorrect and breaks parsing of /etc/ftpchroot, allowing users listed in /etc/ftpchroot access to files outside their home directory. NAI has published an advisory concerning xlock. This program can be manipulated to print the shadow password information even though it drops root privileges before an overflow occurs.
Patches for fixing these problems are available. Further information can be found in the advisories.
many Unix Vulnerability in xlock: ERS-2000.100
An implementation vulnerability in xlock allows global variables in the initialized data section of memory to be overwritten. This creates the potential for local users to view the contents of xlock's memory, including the shadowed password file, after root privileges have been dropped. 
Information about affected systems and the availability of patches can be found in the advisory.
TurboLinux Vulnerability in gpm: TLSA2000011, ERS-2000.094
The gpm-root program, included in the gpm package, contains a security flaw concerning setgid, so local users may gain increased privileges on the machine. Patches are available; further information can be found in the advisory.
FreeBSD Vulnerabilities in ipcs and krb5 (Kerberos): SA-00:19, SA-00:20, ERS-2000.090, ERS-2000.091 
System V IPC is a set of interfaces for providing inter-process communication, in the form of shared memory segments, message queues and semaphores. These are managed in user-space by ipcs and related utilities. An undocumented system call is incorrectly exported from the kernel without access-control checks. An unprivileged local user can cause every process on the system to hang during exiting. No process on the system will be able to exit completely until another user issues the "unblock" call or the system is rebooted. A patch is available. 
As mentioned before, several security holes exist in Kerberos. Local or remote users can obtain root access on the system running krb5. It's recommended to upgrade the entire ports collection.
PGP 5.0 Security risk in key generation: CA-2000-09, ERS-2000.089, ERS-2000.102
Generating keys automatically for PGP 5.0 under Unix systems carries the risk that these keys can easily be compromised. Only systems using version 5.0 are affected.
Keys produced non-interactively with PGP v5.0 on a system with a /dev/random device may be predictable, especially those produced in an environment without a pre-existing randseed.bin file. Documents encrypted with a vulnerable key may be recoverable by an attacker. Additionally, an attacker may be able to forge a digital signature corresponding to a vulnerable key. Signatures produced using a vulnerable key, including signatures in certificates, may be untrustworthy. It's recommended to revoke those keys and to generate a new key pair interactively.
Microsoft Windows New Melissa Variant: ERS-2000.003i
W97M.Melissa.BG is a macro virus which has an unusual payload. When a user opens an infected document, the virus will attempt to e-mail a copy of this document to everyone in the user's address book, using Microsoft Outlook. The virus also drops two copies of itself, to C:\Data\Normal.dot and C:\WINDOWS\Start Menu\Programs\StartUp\Explorer.doc. After this, it will start to delete files on the hard disk. So the danger of attachments is shown again - be careful opening e-mail attachments...
Microsoft Windows NT 4.0 and 2000 Denial-of-Service caused by “ResetBrowser Frame” or “HostAnnouncement Flooding”: MS00-036, ERS-2000.092, NTShop, NTShop
The “ResetBrowser Frame” vulnerability affects both Windows NT 4.0 and Windows 2000. Like most implementations, the Windows implementation provides the ability for a Master Browser to shut down other browsers via the ResetBrowser frame. There is no capability to configure a browser to ignore ResetBrowser frames. This could allow an attacker to shut down browsers on his subnet as a denial of service attack against the browser service, or, in the worst case, to shut down all browsers and declare his machine the new Master Browser. 
The “HostAnnouncement Flooding” vulnerability doesn't affect Windows 2000. Because there is no means of limiting the size of the browse table in Windows NT 4.0, an attacker could send a huge number of bogus HostAnnouncement frames to a Master Browser. The resulting replication traffic could consume most or all of the network bandwidth and cause other problems in processing the table as well.  
It's recommended to block traffic to port 138/udp at the firewall. Microsoft has published patches for Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition and for Windows 2000.
Netscape Navigator incl. 4.73 Inconsistent Warning Messages: CA-2000-08, ERS-2000.093
A flaw exists in Netscape Navigator that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. If a user visits a web site in which the certificate name does not match the site name and proceeds with the connection despite the warning produced by Netscape, then subsequent connections to any sites that have the same certificate will not result in a warning message. It's strongly recommended to check certificates manually and to reject certificates that don't match the host name. 
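The flaw above amounts to a cache of accepted certificates that is keyed on the certificate alone. The following added example (not Netscape code; certificate bytes and host names are constructed) models that cache beside one keyed on certificate and host:

```python
"""Why a 'remember the accepted certificate' cache must be keyed by host.
Added illustration of the Netscape warning flaw described above, not
Netscape code; certificate bytes and host names are constructed."""
import hashlib
from typing import List, Set, Tuple


def fingerprint(cert_der: bytes) -> str:
    # Assumption: a certificate is identified by the SHA-1 of its DER encoding.
    return hashlib.sha1(cert_der).hexdigest()


def name_matches(cert_name: str, host: str) -> bool:
    """Exact match, or one leading wildcard label (*.example.test)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return cert_name == host


class Browser:
    """remember_host=False reproduces the flaw: once a mismatched certificate
    is accepted, every other host presenting it is trusted silently."""

    def __init__(self, remember_host: bool):
        self.remember_host = remember_host
        self.accepted: Set[Tuple[str, ...]] = set()

    def _key(self, fp: str, host: str) -> Tuple[str, ...]:
        return (fp, host.lower()) if self.remember_host else (fp,)

    def connect(self, host: str, cert_name: str, cert_der: bytes, user_accepts: bool) -> str:
        """Returns what the user sees: ok, silent, warned-accepted or warned-rejected."""
        if name_matches(cert_name, host):
            return "ok"
        key = self._key(fingerprint(cert_der), host)
        if key in self.accepted:
            return "silent"            # name mismatch, but no warning is shown
        if user_accepts:
            self.accepted.add(key)
            return "warned-accepted"
        return "warned-rejected"


def scenario(remember_host: bool) -> List[str]:
    """Constructed: a certificate issued for cdn.example.test is later presented
    by two unrelated hosts (as it would be after DNS tampering). The user
    accepts the first mismatch and would reject the second."""
    browser = Browser(remember_host)
    cert = b"constructed DER bytes of a certificate for cdn.example.test"
    return [
        browser.connect("cdn.example.test", "cdn.example.test", cert, user_accepts=False),
        browser.connect("bank.example.test", "cdn.example.test", cert, user_accepts=True),
        browser.connect("mail.example.test", "cdn.example.test", cert, user_accepts=False),
    ]
```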
SGI IRIX Vulnerability in infosrch.cgi: SGI20000501, K-045
The infosrch.cgi program is installed by default on IRIX. It's used to search and browse virtually all SGI on-line documentation. The infosrch.cgi is a program that allows access to infosearch through a default installed HTTP web server on port 80. A vulnerability has been discovered in infosrch.cgi which could allow any remote user to view files on the vulnerable system with privileges of the user "nobody". Patches are available as well as a temporary solution, further information can be found in the advisory.
NAI Gauntlet Firewall Security flaw caused by Cyber Patrol: SecFocus40, NAI
Running the Gauntlet Firewall under Unix combined with the Cyber Patrol server can cause serious security problems. That server contains a buffer overflow bug and, further, mistakenly accepts connections from the outside world. So a Denial-of-Service attack may be successful and, in addition, an attacker may gain root access to the firewall.
It's strongly recommended to turn off the Cyber Patrol Server and/or to install a patch. 
Red Hat Linux Vulnerabilities in Netscape and Kerberos: RHSA-2000-025, RHSA-2000-028
As published before, security vulnerabilities have been found in the Kerberos 5 implementation shipped with Red Hat Linux. Netscape 4.73 packages are available. These new packages fix bugs in SSL certificate validation; these bugs could allow encrypted SSL sessions to be compromised. It's recommended to install the patches:
Red Hat Linux 6.2:
Intel: 
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/krb5-configs-1.1.1-16.i386.rpm
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/krb5-devel-1.1.1-16.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/krb5-libs-1.1.1-16.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/krb5-server-1.1.1-16.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/krb5-workstation-1.1.1-16.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/netscape-common-4.73-1.i386.rpm
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/netscape-navigator-4.73-1.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/i386/netscape-communicator-4.73-1.i386.rpm 
Alpha: 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/krb5-configs-1.1.1-16.alpha.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/krb5-devel-1.1.1-16.alpha.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/krb5-libs-1.1.1-16.alpha.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/krb5-server-1.1.1-16.alpha.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/krb5-workstation-1.1.1-16.alpha.rpm
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/netscape-common-4.73-1.alpha.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/netscape-navigator-4.73-1.alpha.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/alpha/netscape-communicator-4.73-1.alpha.rpm 
Sparc: 
rpm -Fvh ftp://ftp.redhat.com/6.2/sparc/krb5-configs-1.1.1-16.sparc.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/sparc/krb5-devel-1.1.1-16.sparc.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/sparc/krb5-libs-1.1.1-16.sparc.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/sparc/krb5-server-1.1.1-16.sparc.rpm 
rpm -Fvh ftp://ftp.redhat.com/6.2/sparc/krb5-workstation-1.1.1-16.sparc.rpm
Red Hat Linux 5.2:
Intel: 
rpm -Fvh ftp://ftp.redhat.com/5.2/i386/netscape-common-4.73-0.5.2.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/5.2/i386/netscape-navigator-4.73-0.5.2.i386.rpm 
rpm -Fvh ftp://ftp.redhat.com/5.2/i386/netscape-communicator-4.73-0.5.2.i386.rpm 
Source:
rpm -Fvh ftp://ftp.redhat.com/5.2/SRPMS/netscape-4.73-0.5.2.src.rpm 
Meta Products Offline Explorer Risk by publishing files: NTShop
MetaProducts Offline Explorer 1.3.241 starts a service on port 800 that allows a Web user's cache to be viewed remotely. The service is vulnerable to directory traversal bugs, which allow remote users to connect to a system and view files outside of the cache directory using the long-known "GET ..\.." command sequences. A patch should be published soon.
Nite FTP Server Several risks for Denial-of-Service: NTShop
The Nite FTPd is written in Visual Basic and exhibits several denial of service conditions. Some examples: when the daemon is sent 40 or more "USER" commands, the system runs out of memory and crashes. When a password command (PASS) is not terminated and the service is continually sent characters, the system will allocate memory for those characters until it runs out of memory. Some other risks were found. The vendor is aware of the problem.
Lotus Domino Denial-of-Service using SMTP: NTShop
Lotus Domino Server 5.0.x has an unchecked buffer that could allow arbitrary code to run on the server. During an SMTP mail session, the command MAIL FROM is required from the client in order to tell the server who the mail is from. By appending four kilobytes of characters to the end of the email address in the MAIL FROM command, the server can be made to crash (me@<four-kilobytes-of-junk>). Lotus seems to be working on a patch.
Axent Technologies Denial-of-Service against NetProwler: NTShop
By sending two fragmented packets to a machine monitored by NetProwler 3.0, the service can be made to crash. The packets must be sent to a machine being monitored by NetProwler using a spoofed source address of the actual NetProwler monitoring system. A patch will be published soon.
IBM AIX Vulnerability in Filesystem: ERS-2000.087
On systems running under AIX 3.2.x, 4.1.x, 4.2.x, 4.3.x local users could gain write access to some files on local or remotely mounted AIX filesystems, even though the file permissions do not allow write access. Patches for all systems, except AIX 4.3.2, are available here
Cisco IOS Denial-of-Service by HTTP Server: Cisco, S-00-12
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and browsing to "http://<router-ip>/%%" is attempted. This defect can be exploited to produce a denial of service (DoS) attack. Patches are available now.
Sun Solaris 2.6 and 7 Buffer Overflow in lp/lpset/lpstat: AL-2000.04
There is a buffer overrun vulnerability in the lp/lpset/lpstat commands on affected Solaris systems which may be exploited by local users to gain root privileges. A "pre-patch" (not fully tested yet) has been published by Sun Microsystems. Administrators should install #T107115-04 on Solaris 7, #106235-05 on Solaris 2.6.
Cold Fusion Vulnerability found in ClusterCATS: ASB00-12
ClusterCATS may append stale query string arguments to a URL when performing an HTTP redirect. This may be a security problem if the stale information includes usernames and passwords. A patch is available.
SuSE Linux Vulnerability in Kernel: SUSE-048
The ipchains masquerading feature in the Linux kernel has a vulnerability in the UDP and FTP masquerading code which allows arbitrary backward connections to be opened. In addition, users can crash the machine.
It's strongly recommended to install patches from SuSE's Webpage for Patches.
TurboLinux Vulnerability in OpenLDAP: TLSA2000010
OpenLDAP follows symbolic links when creating files. The default location for these files is /usr/tmp, which is a symlink to /tmp, which in turn is a world-writable directory. So local users can destroy the contents of any file on any mounted filesystem. A patch has been published; links can be found in the advisory.
Microsoft Windows 9x, NT, and 2000 DoS during IP Fragment Reassembly: MS00-029, ERS-2000.088, NTShop
If a packet can't be transported as a whole over a network, routers fragment it and the fragments are transported to the destination, where they are reassembled into the original packet. Windows systems contain a flaw in the code that performs IP fragment reassembly. If a continuous stream of fragmented IP datagrams with a particular malformation were sent to an affected machine, it could be made to devote most or all of its CPU availability to processing them. This may lead to a total Denial-of-Service (DoS) of the machine.
Microsoft has published patches for Windows 95, Windows 98, Windows NT 4.0 Workstation, Server and Server, Enterprise Edition, Windows NT 4.0 Server, Terminal Server Edition, and Windows 2000 Professional, Server and Advanced Server.
Microsoft Internet Explorer 4.x and 5.x Three new vulnerabilities found: MS00-033, ERS-2000.086, NTShop, NTShop, NTShop, S-00-18, K-044
Three new vulnerabilities were found in Internet Explorer by Microsoft:
- The "Frame Domain Verification" vulnerability, which could allow a malicious web site operator to read, but not change or add, files on the computer of a visiting user.
- The "Unauthorized Cookie Access" vulnerability, which could allow a malicious web site operator to access "cookies" belonging to a visiting user.
- The "Malformed Component Attribute" vulnerability, which could allow a malicious web site operator to run code of his choice on the computer of a visiting user.
A patch has been published to fix these problems. The patch requires IE 4.01 Service Pack 2 or IE 5.01 to install.
Kerberos 4 and 5 Multiple Buffer Overflows found: CA-2000-06, K-043, S-00-13
The CERT Coordination Center has recently been notified of several buffer overflow vulnerabilities in the Kerberos authentication software. The most severe vulnerability allows remote intruders to gain root privileges on systems running services using Kerberos authentication. If vulnerable services are enabled on the Key Distribution Center (KDC) system, the entire Kerberos domain may be compromised. 
Further information can be found in the advisory.
SeattleLab Emurl Users Mailboxes exposed: NTShop
Emurl 2.0 allows Web-based access to user mailboxes via an encoded URL. Due to a flaw in the product design, a user who can properly encode a user account number can also access any mailbox on the system without the use of a password. Furthermore, if identical mailboxes exist on two or more systems, the same URL could be used to access the mailbox on all those systems. A demonstration can be found in the advisory. SeattleLab has published an updated version.
NTmail Vulnerability by Open Proxy: NTShop
NTmail version 5.x contains a Web configuration interface and can also serve as a proxy for Web access. By default, the Web service listens on port 8000 while the proxy service listens on port 8080. If NTMail is configured to turn off the proxy then the proxy will stop listening on port 8080; however, a user could point to the default Web port (8000) and gain open access to the Internet. NTMail does not prohibit use of the proxy on the Web-based configuration port. NTMailUSA is working on a patch.
AntiSniff version 1.01 and AntiSniff Researchers version 1.0 Vulnerability caused by buffer overflow: l0pht
AntiSniff is a program that was released by L0pht Heavy Industries in July of 1999. It attempts, through a number of tests, to determine if a machine on a local network segment is listening to traffic that is not directed to it (commonly referred to as sniffing). During one particular test there is a problem if a packet that does not adhere to DNS specifications is sent to the AntiSniff machine. This can result in a buffer overflow on the system running AntiSniff. If the packet is crafted appropriately this overflow scenario can be exploited to execute arbitrary code on the system.
Further information can be found in the advisory.
Matt Kruse Calendar Script Vulnerability using cgi's: SUID-011
This problem concerns Web servers running under Unix as well as NT. Both the calendar.pl and the calendar_admin.pl scripts fail to perform proper input validation, so remote users can execute arbitrary commands on the Web server with the privilege level of the httpd process. A demonstration is given in the advisory. It's recommended not to use these scripts and to be careful with cgi's.
Many parts of Microsoft Office 2000 Vulnerability in Office 2000 UA Control (ActiveX): l0pht, MS00-034, ERS-2000.084, K-042, NTShop, S-00-14, S-00-17, CA-2000-07
An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted. A malicious web site operator could use the control to carry out Office functions on the machine of a user who visited his site. The control ships only as part of Office 2000. It's recommended to install a fix Microsoft has published. A demonstration of the problem can be found here.

FileMaker Web Companion Security Hole by showing "Don't Show": K-038, S-00-16
On those platforms used to publish FileMaker 5 databases via the Web Companion, the field restriction "Don't show" may fail to prevent the exposure of the contents of data fields. So users may be able to gain unauthorized access to fields containing sensitive information. It's recommended to install an update.
Netscape Navigator Improper validation of SSL Sessions: Netscape, CA-2000-05, ERS-2000.085, S-00-11, K-040
It seems that all versions of the Netscape Navigator (including 4.72) are vulnerable in the validation of SSL Sessions. Netscape Navigator allows bypassing the warning about an invalid SSL certificate. SSL protection is used in most major Internet-based financial services (e-banking, e-commerce). The flaw found effectively disables one of the basic SSL functionalities: to assure users that they are really communicating with the intended web server - and not with a fake one. Using this flaw, the attacker can make users send secret information (like credit card data and passwords) to his web server rather than the real one - even if the communication is protected by the SSL protocol. Netscape has provided a Navigator Add-on called Personal Security Manager (PSM).
Microsoft IIS 4.0 and 5.0 Denial-of-Service by Malformed Extension Data in URL: MS00-030, ERS-2000.083, K-041, NTShop, S-00-15
In compliance with RFC 2396, the algorithm in Internet Information Server that processes URLs has flexibility built in to allow it to process any arbitrary sequence of file extensions or subresource identifiers (referred to in the RFC as path_segments). By providing a URL that contains specially malformed file extension information, an attacker could misuse this flexibility in order to arbitrarily increase the work factor associated with parsing the URL. This could consume much or all of the CPU availability on the server and prevent useful work from being done. Microsoft has published patches for IIS 4.0 and IIS 5.0.
Microsoft IIS 4.0 and 5.0 Vulnerabilities by HTR scripts: MS00-031, ISS-052, ERS-2000.081, ERS-2000.082, K-041, NTShop, S-00-15
In Microsoft IIS 4.0 and 5.0 two vulnerabilities were found in the ISAPI extension that provides web-based password administration via .HTR scripts. 
- The "Undelimited .HTR Request" vulnerability is a denial of service vulnerability. If an attacker provided a password change request that was missing an expected delimiter, the algorithm would conduct an unbounded search. This would prevent it from servicing additional .HTR requests, and could also slow the overall response of the server.
- The ".HTR File Fragment Reading" vulnerability could allow fragments of certain types of files to be read by providing a malformed request that would cause the .HTR processing to be applied to them. 
Microsoft has published patches for IIS 4.0 and IIS 5.0.

FreeBSD Vulnerabilities in golddig port, libmytinfo, and gnapster: ERS-2000.078, ERS-2000.079, ERS-2000.080
Golddig is an X11 game provided as part of the FreeBSD ports collection. The golddig port erroneously installs a level-creation utility setuid root, which allows users to overwrite the contents of arbitrary local files. Libmytinfo is part of ncurses, a text-mode display library. This is a security vulnerability for binaries which are linked against libmytinfo and which are setuid or setgid (i.e. run with elevated privileges). Gnapster is a client for the Napster file-sharing network. The gnapster port (version 1.3.8 and earlier) contains a vulnerability which allows remote gnapster users to view any file on the local system which is accessible to the user running gnapster. Patches are available and should be installed.
NetBSD Denial-of-Service caused by IP Options: NetBSD2000-002
Receiving IP packets with special sequences of malformed IP options may cause an unaligned access in kernel mode or data corruption, resulting in a kernel panic or other problems. Two problems are the cause: one is the result of an interaction between GCC and a code fragment which violates ANSI C, the other is the result of several incorrect range checks. Patches are available for NetBSD 1.4.1 and 1.4.2.
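A bounds-checked walk over the IPv4 options field, as an added example of the kind of range checks the advisory refers to (not NetBSD's kernel code; the option byte strings are constructed):

```python
"""Bounds-checked walk over the IPv4 options field. Added example, not the
NetBSD kernel code; the option byte strings used in the checks are constructed."""
from typing import List, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_TS, IPOPT_LSRR, IPOPT_SSRR = 7, 68, 131, 137


def parse_ip_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Return [(type, value)] for the options in `opts`, or raise ValueError.

    Every length and pointer is checked against the remaining bytes *before*
    it is used to index or advance, so a crafted option can neither run the
    cursor backwards, stall it, nor read past the end of the header."""
    out: List[Tuple[int, bytes]] = []
    i, n = 0, len(opts)
    while i < n:
        t = opts[i]
        if t == IPOPT_EOL:              # end of option list; the rest is padding
            break
        if t == IPOPT_NOP:              # single-byte option, no length field
            out.append((t, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError(f"option {t} at offset {i}: length byte missing")
        ln = opts[i + 1]
        if ln < 2:                      # 0 would stall the loop, 1 would re-read the length byte
            raise ValueError(f"option {t} at offset {i}: length {ln} < 2")
        if i + ln > n:
            raise ValueError(f"option {t} at offset {i}: length {ln} exceeds {n - i} remaining")
        value = opts[i + 2 : i + ln]
        if t in (IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR):
            # RFC 791: pointer is relative to the option start; the first address slot is 4
            if ln < 3 or value[0] < 4:
                raise ValueError(f"route option {t} at offset {i}: bad pointer")
        elif t == IPOPT_TS:
            # RFC 791: pointer is at least 5 and an overflow/flags byte follows it
            if ln < 4 or value[0] < 5:
                raise ValueError(f"timestamp option at offset {i}: bad pointer")
        out.append((t, value))
        i += ln
    return out


def is_well_formed(opts: bytes) -> bool:
    """True if the options field parses without tripping any range check."""
    try:
        parse_ip_options(opts)
        return True
    except ValueError:
        return False
```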
Netwin Vulnerabilities in DNewsWeb and DMailWeb: NTShop, NTShop
In Netwin DNewsWeb v5.3e1 a remotely exploitable buffer overrun was found. By using overly long URL parameters (group and utag) a buffer can be overflowed, which allows the execution of arbitrary code on the web server. In Netwin DMailWeb v2.5d a remotely exploitable buffer overrun has been found as well. By using an overly long URL parameter (utoken) a buffer can be overflowed, which allows the execution of arbitrary code on the web server. Patches are available now.
Quake3Arena Vulnerability in Auto-Download feature: ISS-050
Quake3Arena version 1.16 for Windows allows read or write access to files and allows code to be automatically downloaded to the user's system for the purpose of manipulating files. A vulnerability allows an attacker to have read or write access to a Quake3Arena user's filesystem when the user connects to a server run by the attacker. This could allow attackers to install Trojan horse programs, gather passwords, and read or write files.
It's recommended to install a patch; a link is given in the advisory.
many New ISS Summary: ISS
Recently 35 new vulnerabilities were found:
- eudora-warning-message
- icradius-username-bo
- postgresql-plaintext-passwords
- aix-frcactrl-file-modify
- cisco-ios-http-dos
- meetingmaker-weak-encryption
- pcanywhere-tcpsyn-dos
- piranha-passwd-execute
- piranha-default-password
- solaris-lp-bo
- solaris-xsun-bo
- solaris-lpset-bo
- zonealarm-portscan
- cvs-tempfile-dos
- imp-wordfile-dos
- imp-tmpfile-view
- suse-file-deletion
- qpopper-fgets-spoofing
- adtran-ping-dos
- emacs-local-eavesdrop
- emacs-tempfile-creation
- emacs-password-history
- irix-pmcd-mounts
- irix-pmcd-processes
- irix-pmcd-dos
- iis-myriad-escape-chars
- freebsd-healthd
- beos-syscall-dos
- linux-trustees-patch-dos
- pcanywhere-login-dos
- beos-networking-dos
- win2k-unattended-install
- mssql-agent-stored-pw
- webobjects-post-dos
- allaire-forums-allaccess
Further information can be found on the ISS server.
Microsoft Outlook New Virus/Worm: ILOVEYOU/Joke: CA-2000-04, ISS-049, ISS-051, K-039, S-00-10, AL-2000.05, S-00-13, ERS-i-2000.02
On May 4th a very large number of e-mails were sent with the subject ILOVEYOU and the text "kindly check the attached LOVELETTER coming from me". The attachment is a file called LOVE-LETTER-FOR-YOU.TXT.vbs. Some consequences are: sending mails (with itself attached) to the whole address book of the user, making some "optimizations" on the system by trying to download files from http://www.skyinet.net/..., sending information to the Internet using mIRC, adding registry keys and changing files (.vbs, .vbe, .js, .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, mp3, .mp2 and script.ini) on the hard disks. All these files then have the suffix .vbs and include a header:
rem barok -loveletter(vbe) <i hate go to school>
rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines
 
To remove the worm you may use the following steps:
- Delete the files $WIN\system32\MSKernel32.vbs, $WIN\system32\LOVE-LETTER-FOR-YOU.TXT.vbs, $WIN\system32\LOVE-LETTER-FOR-YOU.HTM and $WIN\Win32DLL.vbs.
- Delete the following Registry-Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
- Change the Registry-Key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
to its original value.
After rebooting the system the worm should be removed. A script for disinfection is also available. This worm needs the Windows Scripting Host to be enabled.
In addition, a modified version has been found in the wild: the subject is Joke and the attachment is called VeryFunny.vbs. It's the same source code, but tabs are changed to spaces, so not all AntiVirus tools will detect it.
A good collection of countermeasures (including links to updates of AV tools) can be found here.
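Added detection example for the worm header and its whitespace-only variant, plus the double-extension attachment name (not from the page or any AV vendor; the sample file contents are constructed from the two header lines quoted above):

```python
"""Detecting the LOVELETTER header regardless of tab/space layout, plus the
double-extension attachment name. Added example (not from the page or any
AV vendor); the sample files are constructed from the two 'rem' lines
quoted on the page and contain no other worm code."""
import re
from typing import List, Tuple

# The two header lines the worm prepends to the files it overwrites (quoted on the page).
PAGE_HEADER = (
    "rem barok -loveletter(vbe) <i hate go to school>",
    "rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines",
)

# Constructed: the original is assumed to separate tokens with tabs; the "Joke"
# variant is the same text with spaces, which is the substitution the page describes.
ORIGINAL_HEADER = "\n".join(line.replace(" ", "\t") for line in PAGE_HEADER)
EXACT_SIGNATURE = ORIGINAL_HEADER          # a byte-exact signature written against the original

# A script extension hidden behind another extension, e.g. LOVE-LETTER-FOR-YOU.TXT.vbs
DOUBLE_EXTENSION = re.compile(r"\.[a-z0-9]{2,4}\.(vbs|vbe|js|jse|wsh|sct|hta)$", re.I)


def normalize(text: str) -> str:
    """Collapse runs of tabs/spaces to one space, strip line ends, lower-case."""
    return "\n".join(re.sub(r"[ \t]+", " ", line).strip().lower() for line in text.splitlines())


NORMALIZED_SIGNATURE = normalize(EXACT_SIGNATURE)


def exact_match(text: str) -> bool:
    """Byte-exact signature: what a tool misses once tabs have become spaces."""
    return EXACT_SIGNATURE in text


def normalized_match(text: str) -> bool:
    """Whitespace-insensitive signature: catches the original and the Joke variant."""
    return NORMALIZED_SIGNATURE in normalize(text)


def scan(files: List[Tuple[str, str]]) -> List[str]:
    """Return the names of files flagged by content or by a double extension."""
    return [name for name, body in files
            if normalized_match(body) or DOUBLE_EXTENSION.search(name)]


# Constructed samples: original layout, the space-only variant, and a clean file.
ORIGINAL_SAMPLE = ORIGINAL_HEADER + "\nOn Error Resume Next\n"
VARIANT_SAMPLE = "\r\n".join(PAGE_HEADER) + "\r\nOn Error Resume Next\r\n"
SAMPLES = [
    ("LOVE-LETTER-FOR-YOU.TXT.vbs", ORIGINAL_SAMPLE),
    ("VeryFunny.vbs", VARIANT_SAMPLE),
    ("report.doc", "This is an ordinary document.\n"),
]
```

VeryFunny.vbs carries no double extension, so only the content check catches it; the attachment name check is what catches the first mail before the body is ever opened.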
LSoft Listserv Web Archives Buffer overflow found: NTShop
The Cerberus Security Team has found a remotely exploitable buffer overflow in LSoft's Listserv Web Archive component (wa.exe, version 1.8d and earlier). Both the Unix and the Windows version are affected. Listserv is a widely used software package for mailing lists. The Web Archive allows administration via a web interface.
LSoft is working on a patch. Detailed information about the hole that was found can be found here; the advisory includes a demonstration of the problem.
Aladdin eToken USB Key 3.3.3.x Possibility to avoid the use of PIN: l0pht, NTShop
Aladdin Knowledge Systems' eToken is a portable USB (Universal Serial Bus) authentication device providing complete access control for digital assets. eToken stores private keys, passwords or electronic certificates in a hardware token the size of a house key. The attack requires physical access to the device circuit board and will allow all private information to be read from the device without knowing the PIN of the legitimate user. By using any of a number of low-cost, industry-standard device programmers to modify the unprotected external memory, the User PIN can be changed back to a default PIN. Aladdin points out that version 3.3.3.x of their eToken is a demo and "proof-of-concept" product. Detailed information can be found in the advisory.
HP-UX Vulnerabilities in automountd and shutdown: HP Security Bulletin #00114 and #113, ERS-2000.076, ERS-2000.077 
There is a vulnerability in automountd (HP-9000 Series 700/800 HP-UX releases 10.20 and 11.00) which allows an intruder to execute arbitrary commands with the privileges of the automountd process. HP-9000 Series700/800 running HP-UX releases 11.x and 10.x show a vulnerability in shutdown, which does not handle its input correctly. Hewlett Packard has published new patches: 
System                               Patch
HP-UX 10.20                          PHNE_20628
HP-UX 11.00                          PHNE_20371
HP-UX 10.20, 10.10                   PHCO_21574
HP-UX 11.00                          PHCO_21534
HP-UX VirtualVault (VVOS) 10.24      PHCO_21566
HP-UX VirtualVault (VVOS) 11.04      PHCO_21567
OpenLinux Vulnerabilities in OpenLDAP and LISA: CSSA-2000-09, CSSA-2000-10
As Caldera Systems reports, OpenLinux 2.3 Desktop is shipped with a misconfigured OpenLDAP package. By default, the LDAP daemon slapd would create various files in /usr/tmp. While doing this, it does not properly check for symbolic links. Any local user can therefore trick slapd into overwriting arbitrary files on the system.
LISA is a non-graphical administration tool for users working at the console, or remotely through e.g. a telnet session. Versions of LISA prior to version 4.1 have several problems in the way they handle temporary files. These allow a local user to execute shell commands under the identity of the user running LISA, usually root. 
It's strongly recommended to install patches, which are available now.
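The slapd problem described here, and the same symlink-following file creation reported above for OpenLDAP on TurboLinux, in an added example that is not the OpenLDAP or LISA code; everything happens inside a private directory created by tempfile, standing in for /usr/tmp:

```python
"""Symlink-following temp file creation beside a safe variant. Added example,
not the OpenLDAP, LISA or SuSE code; everything happens inside a private
directory created by tempfile, which stands in for /usr/tmp."""
import os
import tempfile

# The flag is absent on some platforms; O_EXCL alone already refuses an existing symlink.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def vulnerable_write(path: str, data: bytes) -> None:
    """What slapd did: open(path, 'w') truncates whatever `path` points to,
    so a symlink planted at that name redirects the write elsewhere."""
    with open(path, "wb") as f:
        f.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Create the file atomically and refuse if *anything* is already at `path`.
    O_CREAT|O_EXCL fails with EEXIST on a pre-existing symlink, dangling or not."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Plant a symlink named like a daemon's temp file, then write through both
    variants. Returns what each did to the 'victim' file."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")   # stands in for a file the daemon must not touch
        link = os.path.join(tmp, "slapd.tmp")       # predictable temp file name (constructed)
        original = b"original contents\n"

        with open(victim, "wb") as f:
            f.write(original)
        os.symlink(victim, link)                    # the local user's trap in the temp directory

        vulnerable_write(link, b"clobbered\n")
        with open(victim, "rb") as f:
            after_vulnerable = f.read()

        with open(victim, "wb") as f:               # restore, then repeat with the safe variant
            f.write(original)
        try:
            safe_write(link, b"clobbered\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

    return {
        "vulnerable_overwrote_victim": after_vulnerable == b"clobbered\n",
        "safe_refused": safe_refused,
        "victim_intact_after_safe": after_safe == original,
    }
```

In real code tempfile.mkstemp applies the same O_CREAT|O_EXCL flags and also picks an unpredictable name, which removes the precondition the trap relies on.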
Cart32 Software Backdoor found: NTShop
Cerberus Security Team has discovered a backdoor in McMurtrey/Whitaker & Associates, Inc's Cart32 software, a Web-based shopping cart. Affected versions are Cart32 v2.6 and 3.0. This backdoor can be used to gain access to sensitive information such as passwords and credit card information. In addition, arbitrary commands may be run on a remote server, and the administrative password may be changed without knowledge of the current administrative password. A demonstration can be found in the advisory; a patch has been published.
many Using Nameservers for Denial-of-Service: IN-2000-04
The US-CERT is receiving an increasing number of reports of intruders using nameservers to execute packet flooding denial of service attacks. The most common method involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. The spoofed IP address represents the victim of the denial of service attack. Because nameserver responses can be significantly larger than DNS requests, there is potential for bandwidth amplification. Further information can be found in the advisory.
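Added example of the amplification signature described above, run over constructed flow records as seen at the nameserver (not from the CERT incident note; the thresholds are assumptions):

```python
"""Flagging clients of a nameserver that look like spoofed amplification
victims. Added example, not from the CERT incident note; the flow records
are constructed and the thresholds are assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A record is (kind, client_ip, udp_bytes): kind is "query" (arriving at the
# nameserver, source = client) or "response" (leaving, destination = client).
Record = Tuple[str, str, int]


def per_client_stats(records: Iterable[Record]) -> Dict[str, dict]:
    """Sum queries, query bytes and response bytes per client address."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for kind, client, size in records:
        s = stats[client]
        if kind == "query":
            s["queries"] += 1
            s["query_bytes"] += size
        elif kind == "response":
            s["response_bytes"] += size
    return dict(stats)


def suspected_victims(records: Iterable[Record], min_queries: int = 50,
                      min_ratio: float = 4.0) -> Dict[str, float]:
    """Clients whose query volume is high *and* who receive several times more
    response bytes than they sent: the bandwidth amplification described above.
    Because the source address is spoofed, the flagged address is the victim,
    not the attacker. Thresholds are assumptions to be tuned per server."""
    flagged: Dict[str, float] = {}
    for client, s in per_client_stats(records).items():
        if s["queries"] < min_queries or s["query_bytes"] == 0:
            continue
        ratio = s["response_bytes"] / s["query_bytes"]
        if ratio >= min_ratio:
            flagged[client] = round(ratio, 1)
    return flagged


def constructed_records() -> List[Record]:
    """Synthetic traffic: one spoofed victim address and two ordinary resolvers."""
    recs: List[Record] = []
    for _ in range(200):                       # flood: 60-byte queries, 480-byte answers
        recs.append(("query", "198.51.100.7", 60))
        recs.append(("response", "198.51.100.7", 480))
    for client in ("192.0.2.10", "192.0.2.11"):
        for _ in range(8):                     # normal lookups with modest answers
            recs.append(("query", client, 60))
            recs.append(("response", client, 120))
    return recs
```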
Atrium Cassandra NNTP Server Denial-of-service possible: NTShop
Cassandra NNTP Server Version v1.10 contains an unchecked buffer that could allow an attacker to crash the service on port 119. By sending a large buffer of approximately 10,000 characters in conjunction with the AUTHINFO command, the DoS attack is successful. Atrium Software International is working on a patch.
SuSE Linux Vulnerability caused by aaabase: SUSE-047
Aaa_base is the basic package which comes with any SuSE Linux installation. Two vulnerabilities were found:
1) The cron job /etc/cron.daily/aaa_base does a daily checking of files in /tmp and /var/tmp, where old files will be deleted if configured to do so. If the /tmp cleanup is activated (which is not done by default), any file or directory can be deleted by any local user.
2) Some system accounts have their home directories set to /tmp by default. These are the users games, firewall, wwwrun and nobody on a SuSE 6.4. If an attacker creates dot files in /tmp (e.g. bash profiles), these might be executed if someone uses e.g. "su - nobody" to switch to the nobody user. This can lead to a compromise of that userid. This vulnerability might be present in several other Unix systems as well.
It's strongly recommended to install patches from SuSE's Webpage for Patches.
many New DDoS Tool mstream: ISS-048, K-037, IN-2000-05
A new Distributed Denial of Service (DDoS) tool called mstream has been discovered and its source code has been published on mailing lists. The tool includes a "master controller" and a "zombie". The master controller is the portion of the tool that controls all of the zombie agents. An attacker connects to the master controller using telnet to control the zombies. The attack the zombie performs is a modification of the "stream.c" attack. Further information can be found in the advisory and at the site of packetstorm.


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-06-04, 14:42 +0100