News June 2000
Last Update: 2000-07-07


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, especially regarding which patches should be installed or which configuration changes should be made to avoid a given vulnerability. Most of the files are transferred by FTP.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!



System: Short description and further information:
Microsoft Internet Explorer 4.x, 5.x Vulnerability because of Active Setup Download: MS00-42, ERS-2000.146, K-057
The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates. This control has two risks. First, it treats all Microsoft-signed .cab files as trusted, thereby allowing them to be installed without asking the user's approval. Second, it provides a method by which the caller can specify a download location on the user's hard drive. In combination, these two flaws would allow a malicious web site operator to download a Microsoft-signed .cab file as a means of overwriting a file on the user's machine. By overwriting system files, this could allow the malicious user to render the machine unusable. It's recommended to install the patch published by Microsoft.
Microsoft Windows 9x Vulnerability by ARP: NTShop
If a Windows 9x system receives an Address Resolution Protocol (ARP) packet designed to update a static entry in the system's ARP table, that system will update the table with the information provided in the ARP packet. A patch is not available yet.
Microsoft Windows 9x Vulnerability caused by iMesh: NTShop
iMesh is a service that enables people to locate and share files. iMesh 1.02, builds 116 and 177, is vulnerable to a buffer overflow. Upon connecting to a given server, iMesh listens on a variable TCP port. An attacker could connect to that arbitrary port and then trigger a buffer overrun to execute code on the remote machine. iMesh is aware of the issue and will provide a fix in the next release of their product.
Debian Linux Vulnerability in DHCP Client: Debian200628
The versions of the ISC DHCP client in Debian 2.1 (slink) and Debian 2.2 (potato) are vulnerable to a root exploit. It has been reported that the client inappropriately executes commands embedded in replies sent from a DHCP server. This means that a malicious DHCP server can execute commands on the client with root privileges. Patches should be installed. Further information can be found in the advisory.
SuSE Linux Vulnerability in wu-ftpd and kernel: SUSE053, SUSE054
The wu-ftpd FTP server does not do proper bounds checking while processing the SITE EXEC command. A remote attacker could execute arbitrary machine code as root on an FTP server using wu-ftpd. The implementation of the capability feature of kernel 2.2.x < 2.2.16 has a security flaw: a bug concerning setuid makes it possible for local users to raise their privileges. It's strongly recommended to install patches from SuSE's Webpage for Patches.
WinProxy Security risk by Buffer Overflow: NTShop
Multiple unchecked buffers exist in the POP3 and HTTP proxy components of SapporoWorks WinProxy 2.0.0 and 2.0.1, which could allow Denial-of-Service attacks or remote execution of arbitrary code. A demonstration written in C is available - but no patch.
Microsoft IE, Powerpoint, Access, and Excel Vulnerability caused by Active Scripting and ActiveX: NTShop
As Georgi Guninski reports, Internet Explorer 5.01, Excel 2000 and PowerPoint under Windows 98, and perhaps other versions, allow the execution of programs when a user views a web page or HTML E-Mail message. The problem may allow an intruder to gain full control over the user's computer. The reason for this problem is a functionality in IE that allows obtaining dangerous ActiveX objects with the help of the <OBJECT> tag and the associated Office 2000 applications. A demonstration, but not a patch, is available. It's recommended to deactivate Active Scripting and to disable "Run ActiveX Controls".
Fortech Proxy+ allows administrative access: NTShop
Proxy+ 2.40 configures its remote administration interface to accept connections only from "localhost". The administrative interface does not allow connections which come through the server's HTTP proxy; however, it does allow connections that come through the server's Telnet proxy. A patch is not available yet.
Fortech LeafChat IRC Client vulnerable to DoS: NTShop
If an invalid response is sent to LeafChat IRC Client 1.7, the client will stop responding. A demonstration of the problem is pointed out in the advisory; a patch is not available yet.
BlackICE Systems No real help against Back Orifice: NTShop
BlackICE Defender 2.1 and BlackICE Agent 2.0.23 configured at security level NERVOUS or lower are vulnerable to Back Orifice 1.2 since UDP ports above 1021 are not blocked by the BlackICE software. Information about fixes and workarounds can be found in the advisory.
NetBSD Vulnerability in libdes: NetBSD, ERS-2000.141
A new version of "libdes" was imported into NetBSD-current, US domestic. This version was derived from version 4 of Eric Young's libdes, and replaced the previous version. Certain functions required for compatibility with the DES library included with MIT's Kerberos v4 distribution were not included in the new version of Eric Young's libdes. The replacement versions have a serious bug. If /dev/urandom is not present and functioning correctly, des_init_random_number_generator seeds the random number generator with constant data, causing the generation of keys which are easy to determine. Hints for a workaround are pointed out in the advisory.
OpenLinux Vulnerability in wu-ftpd: CSSA-2000-20, ERS-2000.143
There is a problem in wu-ftpd's handling of the SITE EXEC command that allows remote attackers to gain root access. This attack is possible in the default configuration of wu-ftpd. Caldera has published patches and hints for a workaround; they are pointed out in the advisory.
Allaire Security risk in JRun 2.3.x: Allaire, NTShop
JRun 2.3.x ships with several servlet examples, which are located in the JRUN_HOME/servlets directory. The directory is used by JRun to load and execute servlets. The .java and .class files in this directory can potentially expose sensitive information from a Web site. Until the maintenance release is available, Allaire customers should protect themselves by removing the problematic files from their servers.
Microsoft Windows NT 4.0, Windows 2000 Denial-of-Service in Web JetAdmin 6.0: HP Security Bulletin #00116, ERS-2000.140, K-055, ERS-2000.144, S-00-24
HP Web JetAdmin provides the ability to install, configure, manage, and troubleshoot TCP/IP and IPX connected devices on an intranet. It contains support for all HP JetDirect-connected printers and plotters. This product allows users to manage HP JetDirect-connected printers using just a browser.
A potential denial of service (DoS) against networked peripherals on Microsoft Windows NT 4.0 and Windows 2000 was found. It's recommended to install the latest version of Web JetAdmin 6.0, which is version 6.0.1233.
Many Information about Chat Clients and Network Security: IN-2000-08
The US-CERT has published information about security issues inherent in the use of chat clients. These facts may be quite important for security policies and daily security operations.
BEA WebLogic Server and Express Any file exposed: NTShop
Due to an improperly exposed directory, WebLogic allows the contents of any file within the Web root directory to be shown in clear text. A demonstration can be found in the advisory; further information has been published by Foundstone.
SGI IRIX Vulnerability in WorkShop cvconnect: SGI20000601, K-056, ERS-2000.145, S-00-23
WorkShop is a suite of software tools to aid in debugging programs. The cvconnect program is invoked by WorkShop and is not normally run directly by users. A vulnerability has been discovered in WorkShop (versions 2.6.* and below) cvconnect which will allow users to overwrite any file on the system. A workaround and a patch are available. Further information can be found in the advisory.
Cisco IOS Denial-of-Service by Telnet Options: Cisco, ERS-2000.139, S-00-25
A defect in multiple Cisco IOS software versions will cause a Cisco router to reload unexpectedly when the router is tested for security vulnerabilities by security scanning software programs. The defect can be exploited repeatedly to produce a consistent denial of service (DoS) attack. A patch is available, further information can be found in the advisory.
Red Hat Linux Vulnerabilities in Kernel and Zope: RHSA-2000:037, K-053, ERS-2000.138, ERS-2000.142, S-00-26
This new kernel release fixes a security hole that could affect any setuid program on the system. A vulnerability also exists in all Zope-2.0 releases, which can be fixed with patches. It's recommended to install these patches published by Red Hat:
Red Hat Linux 6.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-headers-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-source-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-doc-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-utils-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-smp-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-BOOT-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-pcmcia-cs-2.2.16-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/kernel-ibcs-2.2.16-3.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-2.2.16-3.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-headers-2.2.16-3.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-source-2.2.16-3.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-doc-2.2.16-3.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-utils-2.2.16-3.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-smp-2.2.16-3.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/kernel-BOOT-2.2.16-3.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-2.2.16-3.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-headers-2.2.16-3.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-source-2.2.16-3.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-doc-2.2.16-3.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-utils-2.2.16-3.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-smp-2.2.16-3.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/kernel-BOOT-2.2.16-3.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/kernel-2.2.16-3.src.rpm
Red Hat Powertools 6.2:
noarch:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-06_16_2000-1.noarch.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-Hotfix-06_16_2000-1.src.rpm
IBM AIX Vulnerability in cdmount: ISS-055, ERS-2000.137
AIX systems with the LPP UMS.objects 2.3.0.0 and below installed show this vulnerability. The AIX cdmount program allows regular users to mount CD-ROM filesystems. This program is basically a SUID to root wrapper of the mount command. Insecure handling of the arguments to cdmount may allow a local regular user to execute commands as root. Local users may gain root privileges. ISS recommends removing the SUID bit from cdmount. A patch will be published soon.
WebBBS Risk by Buffer Overflow: NTShop
An unchecked buffer condition exists in WebBBS v1.15, where parameter strings with a length of 549 characters sent with GET commands can allow arbitrary code to execute on the system. It's recommended to upgrade to v1.17 as soon as possible.
TIS Net Tools PKI Server Vulnerabilities causing Unauthorized Access and Denial-of-Service: NTShop, NTShop
A vulnerability exists in an OEM version of software incorporated into the Net Tools PKI Server 1.0. An intruder may gain unauthorized access to the system hosting the Enrollment and/or Administrative Web servers of the Net Tools PKI package. The vulnerability involves the XUDA template files, which are included with the package. The templates do not reference absolute pathnames when referring to other files. A patch has been published.
A buffer overflow condition exists in the same server. This could lead to a denial of service attack against the system. URLs with abnormally long parameters may cause the service to stop responding. A patch has been published to fix this problem also.
Microsoft platforms for E-Mail New Script Worm VBS.Stages.A: ERS2000-04i
SHS types of files are executable and can contain a wide variety of objects. The SHS extension doesn't appear in Windows Explorer even if all file extensions are displayed. Upon executing this worm, the system is modified in many different ways shown in the advisory. It's recommended to update the patterns of the anti-virus software.
Dragon Server Vulnerability causes Denial-of-Service: NTShop
The Dragon Server v1.0 and 2.0 consists of services which include Telnet and FTP. By sending the Telnet or FTP service 16500 characters as the user name during a login process, the service will crash. A patch is not available yet.
Small HTTP Server Vulnerability causes Denial-of-Service: NTShop
By sending an extremely large URL of 65000 characters in association with a GET command, Small HTTP Server ver. 1.212 can be made to crash. It's recommended at least to install version 2.001, even though it is not certain that this version is free of the same effect.
AnalogX SimpleServer Vulnerability causes Denial-of-Service: NTShop
A denial of service condition exists in AnalogX SimpleServer:WWW v1.05: by sending a malformed URL with xxx characters the service can be made to crash. It's recommended to install the new version 1.06.
Mindstorm SmartFTP FTP Server Exposes File System: NTShop
When a user logs into the server, SmartFTP-D v0.2 checks for a special user file and, if it exists, configuration information (such as the user's password, rights, etc.) will be read from the file. During the login process the service doesn't check for illegal characters, and therefore by using "..\" characters an intruder can switch to other directories, so an attacker may gain full access to the server if he has write access to files on the server. This will be fixed in the next build.
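The SmartFTP entry above describes the classic shape of a path traversal: a login name is pasted into a file path, and ".." components walk the lookup out of the intended directory. The following added example (written for this page; not code from SmartFTP or its vendor, and using a constructed temporary directory layout) shows the flawed lookup beside a hardened one that applies an allow-list to the name and a containment check on the resolved path. The function and file names are assumptions made for the demonstration.

```python
import os
import re
import tempfile

def make_layout():
    """Constructed test layout: a per-user config directory plus a file
    one level above it that a per-user lookup must never reach."""
    root = tempfile.mkdtemp()
    users_dir = os.path.join(root, "users")
    os.makedirs(users_dir)
    with open(os.path.join(users_dir, "alice.cfg"), "w") as f:
        f.write("password=hunter2\nrights=rw\n")          # constructed sample
    with open(os.path.join(root, "server.cfg"), "w") as f:
        f.write("admin_password=topsecret\n")             # constructed sample
    return root, users_dir

def user_file_unsafe(users_dir, username):
    """The flaw described in the advisory: the login name goes straight into
    the path, so a name containing '../' (or '..\\' on Windows) resolves to
    a file outside users_dir."""
    return os.path.join(users_dir, username + ".cfg")

# Allow-list for login names: no separators, no leading dot, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")

def user_file_safe(users_dir, username):
    """Hardened lookup with two independent checks: the name must match the
    allow-list, and the resolved path must stay inside users_dir (this
    second check also catches symlinks and platform-specific separators)."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid user name")
    base = os.path.realpath(users_dir)
    candidate = os.path.realpath(os.path.join(base, username + ".cfg"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes user directory")
    return candidate

def demonstrate():
    """Run both lookups against the constructed layout; returns a dict of
    boolean findings rather than printing, so the result can be asserted on."""
    root, users_dir = make_layout()
    results = {}
    # Unsafe lookup with a traversal name lands on the server-level file.
    escaped = user_file_unsafe(users_dir, "../server")
    with open(escaped) as f:
        results["unsafe_reads_outside"] = "admin_password" in f.read()
    # Safe lookup still works for a legitimate user...
    results["safe_ok"] = os.path.isfile(user_file_safe(users_dir, "alice"))
    # ...and rejects both separator styles before any file is touched.
    for key, name in (("safe_rejects_traversal", "../server"),
                      ("safe_rejects_backslash", "..\\server")):
        try:
            user_file_safe(users_dir, name)
            results[key] = False
        except ValueError:
            results[key] = True
    return results

if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

The allow-list alone would already stop the names the advisory mentions; the realpath containment check is kept as a second layer because it also holds when the name is later used with a different separator, a symlinked directory, or an encoding the regex did not anticipate.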
NAI PGP Certificate Server Vulnerability causes Denial-of-Service: NTShop
PGP Certificate Server uses port 4000 for server management. If a user connects to that port from an IP address that has an unresolvable host pointer address the service may crash. Network Associates has published a patch which is available for registered customers.
NAI McAfee VirusScan Risk of Spoofing VirusScan Alerts: NTShop
By default, McAfee VirusScan 4.03 uses a shared network directory for storing inbound alerts. The directory allows all VirusScan users to read, write and delete files in the shared directory. Because of the loose directory permissions and alert files that are formatted in plain text, valid virus alerts could be deleted and bogus alerts could be spoofed. A patch will be published soon.
Microsoft Windows 2000 Vulnerability in Desktop Separation: MS00-20, ERS-2000.135, NTShop
In the Windows 2000 security model, a hierarchy of container objects is used to separate processes. Every session contains one or more window stations; every window station contains one or more desktops. By design, processes are constrained to run within a window station, and the threads in the process run in one or more desktops. A process in one window station should not be able to access desktops belonging to another window station. Because of an implementation error, exactly this could happen. This could allow a process belonging to a low-privilege user to view input or output that belongs to another desktop within the same session, and potentially obtain information such as passwords. Microsoft has published a patch.
Check Point FireWall-1 IP-Fragments lead to Denial-of-Service: CheckPoint, NTShop, ERS-2000.133
Lance Spitzner has found a vulnerability in FireWall-1 V. 4.0 and 4.1. It has been determined that a stream of large IP fragments can cause the FireWall-1 code that logs the fragmentation event to consume most available CPU cycles of the host system where the firewall itself is running - not the Management Module. Check Point notes that no unauthorized access, information leakage, or fragment passing occurs.
As an interim workaround, console logging should be disabled by running the following command on the FireWall-1 module(s): $FWDIR/bin/fw ctl debug -buf
New binaries will be released shortly in Service Pack 2 of FireWall-1 version 4.1, for 4.1 users, and as a Service Pack 6 Hot Fix for FireWall-1 version 4.0 users.
Unity eWave ServletExec Source Code exposed: NTShop
The ServletExec 3.0 software exposes the source code of its files if ".JSP" is appended to the end of a generated URL. The vendor has not published a patch so far.
Microsoft SQL Server 7.0 Security risk by DTS Password: MS00-41, ERS-2000.131
Data Transformation Service (DTS) packages in SQL Server 7.0 allow database administrators to create a package that will perform a particular database action at regular intervals. As part of the creation of a DTS package, the administrator provides the account name and password under which the action should be taken. The password can be retrieved by programmatically interrogating the package's Properties dialogue. Microsoft states that this vulnerability occurs only if the SQL Server is not set up correctly. Microsoft has published a fix for Intel and Alpha.
Etype Eserv Vulnerability caused by Buffer Overflow: NTShop
The Etype Eserv 2.9.2 service can be made to crash by sending it long queries. Because of an unchecked buffer condition, arbitrary code could be made to run on the server. A demonstration can be found in the advisory; a patch is not available yet.
Many Vulnerability in BIND: K-050, ERS-2000.130
There are security issues with older releases of BIND, and it should be upgraded to the latest release - 8.2.2-P5. If it is not possible to upgrade from version 4.x, for whatever reason, it is recommended that 4.9.7 be used. Scanning activity has increased on port 53 (named service). The scans are looking for systems running BIND version 8.2, 8.2.1 or 8.2.2 which are affected by the NXT buffer overflow.
Many Denial-of-Service against MIT Kerberos system: MIT, CA-2000-11, ERS-2000.128, K-051, S-00-20, ERS-2000.134
Systems with MIT-derived implementations of the Kerberos 4 KDC, and systems with MIT-derived implementations of the Kerberos 5 KDC enabled to handle krb4 ticket requests, are vulnerable to several new Denial-of-Service attacks. Some buffer overflows can be exploited, causing the KDC to issue invalid tickets for all principals, to generate a "principal unknown" error, or to crash the KDC process. These attacks are new and are not covered by the vulnerabilities pointed out in CA-2000-06. Further information can be found in the advisory.
Microsoft Windows NT 4.0 Vulnerability by Remote Registry Access Authentication: MS00-40, NTShop, ERS-2000.127
Before a request to access the registry from a remote machine can be processed it must first be authenticated by the Remote Registry server, which is contained within the winlogon.exe process. If the request is malformed in a specific fashion it could be misinterpreted by the remote registry server which may cause the entire system to crash.
Microsoft has published a patch for Windows NT 4.0 Workstation, Server, and Server Enterprise Edition. A fix for Microsoft Windows NT 4.0 Server, Terminal Server Edition will be published soon.
OpenLinux Vulnerabilities found in setuid, Netscape, and BRU: CSSA-2000-14, CSSA-2000-17, CSSA-2000-18, CSSA-2000-19, ERS-2000.126, ERS-2000.129, ERS-2000.132
As Caldera Systems reports, two security risks were found in setuid(). The Linux kernel allows local users to obtain root privilege by exploiting certain setuid root applications. As reported before, there are some flaws in the SSL transaction handling of Netscape Version 4.72 which could compromise encrypted SSL sessions. An update upgrades Netscape to version 4.73, which also fixes some annoying crashes during common usage. A serious vulnerability was found in the commandline option and logfile handling of the BRU Backup Utility which can be exploited by a local attacker to gain root access to the machine. Patches are available and should be installed as soon as possible.
Microsoft Windows NT 4.0 Security risk by User Session Key Reuse: NTShop
When an administrator uses USRMGR.EXE or SRVMGR.EXE to remotely add users or workstations to a domain, or to change a user's password, the tool sends an encrypted 516-byte password block over the network. The data block can be intercepted and systematically taken apart to reveal a User Session Key, which can then be used to decrypt further communication intercepted between the administrator and the domain controllers. Microsoft will publish a patch soon.
Microsoft Windows NT, Windows 2000 Denial-of-Service using SMB: NTShop, NTShop
Sending SMB requests to an NT or Windows 2000 system without acknowledging those requests will cause denial of service conditions against the system. If the unacknowledged packets are sent to an NT 4.0 system, that system will stop responding to all TCP/IP traffic until the system is rebooted. If the unacknowledged packets are sent to a Windows 2000 system, that system will not respond to SMB traffic while the faulty session sending the unacknowledged packets persists. Normal system operation resumes 20 seconds after the offending session terminates.
In addition, if a DCE/RPC request is encapsulated inside an SMB request along with an invalid data length field, the system will crash and a reboot is necessary to restore functionality.
Microsoft will publish patches soon.
HP - Windows NT Denial-of-Service by using OmniBack NT Clients: HP Security Bulletin #00115, ERS-2000.125
The OmniBack inet daemon running on an HP OpenView OmniBack II NT client does not release all used memory resources after it has closed a remote connection. If such a client system is contacted repeatedly and very often through the OmniBack port number, it can run out of system resources and crash. It's recommended to install the concerning patches, published by Hewlett Packard.
SuSE Linux Security hole found in qpop: SUSE-051
qpop 2.53 does not check the mail header for invalid input. So an attacker could send a mail with a special mail header to a person that receives their mail via qpop 2.53. Then it's possible to execute code with the privileges of user 'mail' on the qpop server. It's strongly recommended to install patches from SuSE's Webpage for Patches.
Imate WebMail Denial-of-Service possible: NTShop
The SMTP mail service of Imate WebMail 2.5 can be made to crash by sending a string of 1119 characters as a parameter to the HELO command. Concatus is aware of the problem and has released a patch.
ITHouse Mail Server Security risk by Buffer Overflow: NTShop
The SMTP mail service of ITHouse Mail Server v1.04 can be made to crash by sending a string of 2270 characters as a parameter to the RCPT TO command. During the crash, characters beyond 2270 overwrite the EIP register, making it possible to run arbitrary code on the remote system. ITHouse has published a patch.
Sambar Server Security risk by Buffer Overrun: NTShop
In Sambar Server 4.3 it's possible to crash the Sambar server by using the default finger and whois scripts provided with the Sambar server software. By sending a long string of 32290 characters to either of the scripts, an unchecked buffer in the sambar.dll file can be overflowed, allowing arbitrary code to run on the machine.
A patch will not be published, but the problem will be solved with version 4.4 which will be published in June.
HP Openview Network Node Manager v6.1 Vulnerability by Buffer Overflow: DST2K0012, ERS-2000.124
By using the Alarm service, which is shipped and installed by default with HP OpenView Network Node Manager under NT, it is possible to cause a buffer overrun in OVALARMSRV, overwriting the EIP and allowing the execution of arbitrary code. This is done by connecting to port 2345, on which the service resides by default, and sending a large string. No patch is available, but it's recommended to drop port 2345 at the firewall.
CMail v2.4.7 WebMail Vulnerability by Buffer Overflow: DST2K0011, ERS-2000.123
The web interface of CMail, which resides on port 8002 by default, can be used to consume 95% of CPU time in two places. Although the new-user creation option is disabled by default, it is possible to enter a long username of 196k, which will cause the CMail process to sit at 91 - 95% CPU time. This is only temporary, as the process seems to release the CPU after an as yet undetermined amount of time. In the web server which drives the web interface of CMail it is possible to cause a buffer overrun in NTDLL.DLL, overwriting the EIP and allowing the execution of arbitrary code. This is done by connecting to port 8002, on which the service resides by default, and sending a large GET string. It should be noted that this NTDLL is authored by ComputaLynx and not Microsoft. Patches are not yet available.
Lolikoi Software Vulnerabilities in Ceilidh 2.6.0 found: DST2K0010, ERS-2000.122, NTShop
Ceilidh is a threaded bulletin board with file attachments and E-Mail, running under several systems. At least the version for Microsoft Windows NT has some vulnerabilities. The HTML code which is generated by ceilidh.exe contains a hidden form field by the name of "translated_path". This path is the REAL location of the Ceilidh files. By using a specially crafted POST statement it is possible to spawn multiple copies of ceilidh.exe, each taking 1% of CPU and 700k of memory. This can be sent multiple times to cause a Denial-of-Service condition. Patches are not yet available.
Conectiva Linux Buffer Overflow in gdm: ERS-2000.121
The gdm program is one of the graphical login choices available for Conectiva Linux users. A vulnerability has been found in versions 4.1, 4.2 and 5.0 of Conectiva Linux during the XDMCP protocol processing. It could lead to remote root compromise. It's recommended to install the patches mentioned in the advisory.
Many Linux New problems with sendmail: sendmail, ERS-2000.120
There is a bug in the Linux kernel capability model for versions through 2.2.15 that allows local users to get root. Sendmail is one of the programs that can be attacked this way. The correct fix is to update your Linux kernel to version 2.2.16. This is the only way to ensure that other programs running on Linux cannot be attacked by this bug. Sendmail 8.10.2 has added a check to see if the kernel has this bug, and if so will refuse to run.
FreeBSD Vulnerabilities in sshd and apsfilter: ERS-2000.117, ERS-2000.118
A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly configured the SSH daemon to listen on an additional network port, 722, in addition to the usual port 22. This change was made as part of a patch to allow the SSH server to listen on multiple ports, but the option was incorrectly enabled by default. This may cause a violation of security policy if the additional port is not subjected to the same access controls (e.g. firewalling) as the standard SSH port.
The apsfilter port, versions 5.4.1 and below, contains a vulnerability which allows local users to execute arbitrary commands as the user running lpd, user root in a default FreeBSD installation. Patches are available now.
i-drive Filo Software Risk caused by Buffer-Overflow: ISS-054
i-drive.com provides web storage services. The browser-based tool, Filo, allows users to clip and save any web page to their i-drive account. Filo is designed for saving important pages found on the web such as investment research, travel confirmations, and e-commerce receipts. In version 1.0.0.1 for Windows NT a security hole was found. When the Filo software is installed, the setup program also installs an HTTP proxy server. An attacker can send the proxy server an overly long HTTP GET request, overflowing a heap buffer in the Filo server software. This vulnerability allows an attacker to remotely execute arbitrary code. It's recommended to upgrade to version 1.5.3.
Microsoft Internet Explorer Exploitation of "Scriptlet.Typelib" ActiveX Control by viruses: IN-2000-06
As reported in MS00-32, the Microsoft ActiveX control Scriptlet.Typelib allows local files to be created or modified, so it is unsafe to allow untrusted programs to access this control. The control is incorrectly marked "safe for scripting" as shipped with Internet Explorer versions 4 and 5. Two E-Mail-borne viruses were found which are designed to exploit this vulnerability. Malicious VBScript programs known as Bubbleboy and kak are designed to infect systems by altering the Windows registry and propagating themselves through E-Mail. In both cases, a malicious VBScript is delivered in the form of an HTML-format E-Mail message with characteristics that might entice a user to view the message. If the HTML in the E-Mail message is rendered by Internet Explorer, the VBScript may be executed. In vulnerable configurations, the Scriptlet.Typelib ActiveX control can be called by the malicious program to create and modify local files. A patch is available and the links are shown in Microsoft's Advisory MS00-32.
Microsoft Internet Explorer 4.x, 5.x Security risk by improper SSL Certificate Validation: CA-2000-10, MS00-39, ERS-2000.112, S-00-19, ERS-2000.113, K-049, NTShop
Several flaws exist in Microsoft Internet Explorer that could allow an attacker to masquerade as a legitimate web site if the attacker can compromise the validity of certain DNS information. IE fails to validate certificates in images or frames, and does not revalidate certificates within the same session. Microsoft has published a patch that requires IE 5.01 to install. A version that supports IE 4.01 Service Pack 2 will be released shortly.
BSD based Unix DoS using IPCS: K-046, ERS-2000.115
Using a System V Unix like FreeBSD, NetBSD or OpenBSD on x86 carries a security risk. Using an undocumented system call, local users can prevent a system process from exiting. The result is a Denial-of-Service against the system - no process can run until the "unblock" call is issued to the system, or the system is rebooted. Patches and workarounds are shown in the advisory.
OpenLinux Vulnerabilities in kdelibs and INN: CSSA-2000-015, CSSA-2000-016, ERS-2000.114, ERS-2000.119, ERS-2000.119-2
News from Caldera: a serious vulnerability was found in the way KDE starts applications that allows local users to take over any file in the system by exploiting a setuid root KDE application. KISDN is the only vulnerable application shipped with OpenLinux. There is a buffer overflow in the handling of control articles in some configurations of the InterNet News package (INN). This lets attackers tailor control messages that might give them access to the local 'news' account.
Workarounds and patches are pointed out in the advisories.
Debian Linux Vulnerabilities in mailx, splitvt, and majordomo: Debian0605, Debian0605a, ERS-2000.110
The version of mailx distributed in Debian GNU/Linux 2.1 (a.k.a. slink), as well as in the frozen (potato) and unstable (woody) distributions is vulnerable to a local buffer overflow while sending messages. This could be exploited to give a shell running with group "mail". The version of splitvt distributed in Debian GNU/Linux 2.1 (a.k.a. slink), as well as in the frozen (potato) and unstable (woody) distributions, is vulnerable to a local buffer overflow. This could be exploited to give a shell running as root.  The majordomo package as shipped in the non-free section accompanying Debian GNU/Linux 2.1/slink allows any local user to trick majordomo into executing arbitrary code or to create or write files as the majordomo user anywhere on the filesystem. Patches to fix these problems are available now.
Linux Mandrake Vulnerabilities in kdesud, cdrecord, bind, and xlockmore: Mandrake, ERS-2000.109, ERS-2000.111
A buffer overflow in kdesud allows any local user to gain root group access on the machine. The Linux cdrecord binary is vulnerable to a locally exploitable buffer overflow attack with similar consequences. By default bind is launched as user and group root; this setting makes any vulnerability in bind easy to exploit with full privileges. Xlock is an X11 utility used to lock X-Window displays until the password of the user running X is entered correctly; here too a possible buffer overflow has been found. It's strongly recommended to install the corresponding patches.
Microsoft Internet Explorer 4.x, 5.x Vulnerability by HTML Help File Code Execution caused by HHCtrl ActiveX Control: MS00-37, ERS-2000.108, NTShop, CA-2000-12, S-00-22, ERS-2000.136
The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site.
Microsoft has published patches for Internet Explorer 4.0, 4.01, 5.0, or 5.01 running on Windows 95, Windows 98, Windows 98 Second Edition, or Windows NT 4.0 - and Internet Explorer 5.01 on Windows 2000.
Microsoft Windows 2000 Vulnerability in Protected Store Key Length: MS00-32, ERS-2000.107, NTShop
A Protected Store is provided as part of CryptoAPI (Windows 2000 Professional, Server and Advanced Server) in order to provide secure storage for sensitive information such as private keys and certificates. By design, the Protected Store should always encrypt the information using the strongest cryptography available on the machine. However, the Windows 2000 implementation uses a 40-bit key to encrypt the Protected Store, even if stronger cryptography is installed on the machine. This vulnerability weakens the protection of the Protected Store.
To increase the security, Microsoft has published a patch and a tool, which should be installed under Windows 2000.
Many Web Servers (Unix and NT) Permissions Problems with FrontPage Extensions: K-048, ERS-2000.106
Over the last few weeks many defacements of web pages were seen. A remote user may deface web pages of any given site when the permissions are not set properly. Especially for IIS under NT, where these extensions are installed by default, administrators should take care with the permissions of files and directories. But web servers under Unix (e.g. Apache 1.1.3, Netscape Commerce Server 1.12, Netscape Communications Server 1.12, Netscape Enterprise 2.0 and 3.0, Netscape FastTrack 2.0...) may be vulnerable as well.
Further information about this problem and how to solve it is described in the advisory.
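The permission mistake behind these defacements is content that the web server account, or any local account, is allowed to write. As an added example (not code from the advisory or from any of the products named), the following C program walks a web content root and reports every file or directory whose mode has the other-write bit set; the sample tree it builds under /tmp is constructed for the demonstration, and the directory names are assumptions.

```c
/* Added example, not part of the advisory: audit a web content root for
 * world-writable files and directories, the permission mistake that lets a
 * remote user deface pages through misconfigured FrontPage extensions.
 * The directory layout below is constructed for the demo; the mode bits
 * are the point. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int findings;   /* world-writable entries seen in the current walk */
static int verbose;    /* print each finding when non-zero */

/* nftw callback.  An entry whose mode has the other-write bit set can be
 * modified by every local account, including the one the web server runs as. */
static int check_entry(const char *path, const struct stat *sb,
                       int typeflag, struct FTW *ftwbuf)
{
    (void)ftwbuf;
    if (typeflag == FTW_NS)        /* stat() failed, nothing to judge */
        return 0;
    if (typeflag == FTW_SL)        /* a symlink's own mode bits are meaningless */
        return 0;
    if (sb->st_mode & S_IWOTH) {
        findings++;
        if (verbose)
            printf("world-writable: %s (mode %04o)\n", path,
                   (unsigned)(sb->st_mode & 07777));
    }
    return 0;                      /* keep walking */
}

/* Walk docroot without following symlinks; return the number of
 * world-writable entries, or -1 if the tree cannot be read. */
int audit_world_writable(const char *docroot, int report)
{
    findings = 0;
    verbose = report;
    if (nftw(docroot, check_entry, 16, FTW_PHYS) != 0)
        return -1;
    return findings;
}

/* Create a constructed sample docroot under /tmp: two correctly protected
 * files plus one directory and one file opened up to mode 0777/0666.
 * Returns the path (caller frees it) or NULL on failure. */
char *make_sample_docroot(void)
{
    char tmpl[] = "/tmp/docroot-XXXXXX";
    char path[128];
    const char *root = mkdtemp(tmpl);
    if (root == NULL)
        return NULL;

    snprintf(path, sizeof path, "%s/index.html", root);
    close(open(path, O_CREAT | O_WRONLY, 0644));
    snprintf(path, sizeof path, "%s/uploads", root);
    if (mkdir(path, 0777) == 0)
        chmod(path, 0777);         /* undo whatever the umask removed */
    snprintf(path, sizeof path, "%s/uploads/guestbook.html", root);
    close(open(path, O_CREAT | O_WRONLY, 0666));
    chmod(path, 0666);
    snprintf(path, sizeof path, "%s/logo.gif", root);
    close(open(path, O_CREAT | O_WRONLY, 0644));
    return strdup(root);
}

int main(void)
{
    char *root = make_sample_docroot();
    if (root == NULL)
        return 1;
    int n = audit_world_writable(root, 1);
    printf("%d world-writable entries under %s\n", n, root);
    free(root);
    return n == 2 ? 0 : 1;
}
```

Run against a real document root, the same walk should report nothing: content that must be updated through the extensions belongs to the owner or group used for authoring, never to "other".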
NAI Web Shield Buffer Overflow in Management Agent: NTShop
By telnetting to a machine that runs the NAI Management Agent for WebShield SMTP, an attacker may obtain the current server configuration: the information is displayed in response to a GET_CONFIG command. In addition, an unchecked buffer exists that could allow code to be passed to the service for execution. If 208 bytes or more are sent in conjunction with one of the configuration parameters, the stack is overwritten and the service crashes. A demonstration is shown in the advisory; a patch will be published soon.
PDGSoft Vulnerability in Shopping Cart: NTShop
PDGSoft's shopping cart comes with the executables redirect.exe and changepw.exe. Both are accessible via WWW and contain a buffer overflow - so any code may be executed on the server. It's recommended to install a patch.
Rockliffe Mailsite Security Risk by Buffer Overflow: NTShop
Mailsite allows remote users to access POP3 accounts to read mail via the Web. The service, which listens on port 90, contains a buffer overrun condition that can allow an attacker to execute arbitrary code on the server. It's recommended to install a patch.
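The WebShield, PDGSoft and Mailsite advisories above all describe the same defect: network input copied into a fixed-size buffer without checking that it fits. As an added example (not code from any of those products), the following C parser reads "NAME=VALUE" command lines of the kind a management service takes off a socket and refuses anything that would not fit; the line format, the buffer sizes and the sample lines are assumptions made for the demonstration.

```c
/* Added example, not code from any of the products named above: a
 * length-checked parser for "NAME=VALUE" command lines of the kind a
 * management service reads from a socket.  The line format and the buffer
 * sizes are assumptions; the lesson is that every copy into a fixed-size
 * buffer is preceded by an explicit check of the length being copied. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN  31    /* assumed limits, excluding the terminating NUL */
#define VALUE_MAX_LEN 63

struct param {
    char name[NAME_MAX_LEN + 1];
    char value[VALUE_MAX_LEN + 1];
};

enum parse_result {
    PARSE_OK,
    PARSE_NO_EQUALS,        /* line carries no '=' separator */
    PARSE_EMPTY_NAME,
    PARSE_NAME_TOO_LONG,
    PARSE_VALUE_TOO_LONG    /* the case an unchecked copy would overflow on */
};

/* The pattern the advisories describe and that this parser avoids:
 *     sscanf(line, "%[^=]=%s", p->name, p->value);
 * with no field widths, so a long value runs past the end of p->value. */

/* Parse exactly len bytes of line (no NUL needed) into out, refusing
 * anything that does not fit.  On failure out is left untouched. */
enum parse_result parse_param(const char *line, size_t len, struct param *out)
{
    const char *eq = memchr(line, '=', len);
    if (eq == NULL)
        return PARSE_NO_EQUALS;

    size_t nlen = (size_t)(eq - line);
    size_t vlen = len - nlen - 1;           /* bytes after the '=' */
    if (nlen == 0)
        return PARSE_EMPTY_NAME;
    if (nlen > NAME_MAX_LEN)
        return PARSE_NAME_TOO_LONG;
    if (vlen > VALUE_MAX_LEN)
        return PARSE_VALUE_TOO_LONG;

    memcpy(out->name, line, nlen);          /* both copies are now known to fit */
    out->name[nlen] = '\0';
    memcpy(out->value, eq + 1, vlen);
    out->value[vlen] = '\0';
    return PARSE_OK;
}

/* Convenience wrapper for a NUL-terminated line with optional CR/LF. */
enum parse_result parse_line(const char *line, struct param *out)
{
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;
    return parse_param(line, len, out);
}

/* Feed the parser a value of exactly n bytes and report the result; used to
 * show the boundary between accepted and rejected input. */
enum parse_result result_for_value_length(size_t n)
{
    char buf[1024];
    struct param p;
    if (n > sizeof buf - 8)                 /* cannot even build the probe */
        return PARSE_VALUE_TOO_LONG;
    memcpy(buf, "KEY=", 4);
    memset(buf + 4, 'A', n);
    return parse_param(buf, 4 + n, &p);
}

int main(void)
{
    struct param p;
    const char *sample = "RELAY_HOST=mail.example.test\r\n";   /* constructed */
    if (parse_line(sample, &p) == PARSE_OK)
        printf("name=%s value=%s\n", p.name, p.value);
    printf("value of %d bytes: %s\n", VALUE_MAX_LEN + 1,
           result_for_value_length(VALUE_MAX_LEN + 1) == PARSE_VALUE_TOO_LONG
               ? "rejected" : "accepted");
    return 0;
}
```

The design choice worth noting is that the parser works on an explicit byte count rather than trusting a terminator, and that the rejection happens before any byte reaches the destination buffers; a service built this way returns an error to the oversized request instead of crashing.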
All New CERT Summary: CS-2000-02, ERS-2000.105
Since the last summary in February 2000, US-CERT has received many calls. The main topics were:
1. Multiple Vulnerabilities in BIND
2. Multiple Buffer Overflows in Kerberos Authenticated Services
3. Netscape Navigator Improperly Validates SSL Sessions
4. Love Letter Worm
5. Denial-of-Service Attacks Using Nameservers
6. Exploitation of Unprotected Windows Shares
Further information will follow.
Many New ISS Summary: ISS
In the last month 78 (!) new vulnerabilities were found:
- linux-cdrecord-execute - xlock-bo-read-passwd - bsd-syscall-cpu-dos
- win-browser-hostannouncement - nai-webshield-config-mod - nai-webshield-bo
- mdbms-bo - mailsite-get-overflow - hp-jetadmin-malformed-url-dos
- hp-jetadmin-directory-traversal - deerfield-mdaemon-dos - cayman-dsl-dos
- carello-file-duplication - netscape-ssl-certificate - cobalt-cgiwrap-bypass
- gnome-gdm-bo - linux-fdmount-bo - qualcomm-qpopper-euidl
- cart32-price-change - gauntlet-cyberdaemon-bo - ip-fragment-reassembly-dos
- domino-doc-modify - domino-web-apps-access - axent-netprowler-ipfrag-dos
- lotus-domino-esmtp-bo - linux-masquerading-dos - netice-icecap-alert-execute
- netice-icecap-default - beos-tcp-frag-dos - ie-frame-domain-verification
- ie-malformed-component-attribute - kerberos-krb-rd-req-bo - kerberos-krb425-conv-principal-bo
- kerberos-ksu-bo - kscd-shell-env-variable - cproxy-http-dos
- emurl-account-access - eudora-long-attachment-filename - ie-active-movie-control
- antisniff-dns-overflow - delphi-ics-dot-attack - netscape-invalid-ssl-sessions
- sol-netpr-bo - ie-cookie-disclosure - iis-malformed-information-extension
- iis-url-extension-data-dos - netscape-import-certificate-symlink - ssh-zedz-consultants
- coldfusion-cfcache-dos - http-cgi-formmail-environment - libmytinfo-bo
- netopia-snmp-comm-strings - gnapster-view-files - netstructure-root-compromise
- netstructure-wizard-mode - allaire-clustercats-url-redirect - aolim-file-path
- iis-shtml-reveal-path - http-cgi-dbman-db - http-cgi-dnews-bo
- ultraboard-cgi-dos - aladdin-etoken-pin-reset - http-cgi-dmailweb-bo
- interscan-viruswall-bo - quake3-auto-download - ultraboard-printabletopic-fileread
- cart32-expdate - cisco-online-help - hp-shutdown-privileges
- http-cgi-listserv-wa-bo - aaabase-execute-dot-files - aaabase-file-deletion
- macos-appleshare-invalid-range - win-netbios-source-null - linux-knfsd-dos
- macos-filemaker-anonymous-email - macos-filemaker-email - macos-filemaker-xml
Red Hat Linux Vulnerabilities in majordomo: ERS-2000.104
A vulnerability in /usr/lib/majordomo/resend and /usr/lib/majordomo/wrapper allows execution of arbitrary commands with elevated privileges. It's recommended to install the corresponding patches:
Red Hat Powertools 6.1:
Intel:
rpm -Fvh ftp://ftp.redhat.com/redhat/updates/powertools/6.1/i386/majordomo-1.94.5-2.i386.rpm
Alpha:
rpm -Fvh ftp://ftp.redhat.com/redhat/updates/powertools/6.1/alpha/majordomo-1.94.5-2.alpha.rpm
Sparc:
rpm -Fvh ftp://ftp.redhat.com/redhat/updates/powertools/6.1/sparc/majordomo-1.94.5-2.sparc.rpm
Sources:
rpm -Fvh ftp://ftp.redhat.com/redhat/updates/powertools/6.1/SRPMS/majordomo-1.94.5-2.src.rpm


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-07-07, 12:05 +0100