News July 1999

Most of the links lead to the corresponding files at CERT or other organisations. So changes take place immediately, especially which patches should be installed or which changes in the configuration should be made to avoid this vulnerability. Most of the files are transferred by ftp.
By the way: If we're not publishing well-known risks inheritant in any widely used platform or program that doesn't mean this particular platform or program is safe to use!

Cobalt Networks RaQ2 single rack unit Internet servers

Insecure Default Configuration on RaQ2 Servers: Cobalt Networks, CA-99-10, ERS-1999.104
A vulnerability has been discovered in the default configuration of Cobalt Networks RaQ2 servers that allows remote users to install arbitrary software packages to the system. RaQ2 servers are configured with an administrative webserver to process remote requests to manage the unit. Systems installed with the default configuration have insufficient access control mechanisms to prevent remote users from adding arbitrary software packages to the system using this webserver.
It's recommended to install one of the patches: RaQ2, RaQ2 - japanese version.

Windows NT

Vulnerability by Malformed Dialer Entry: MS99-026, ERS-1999.103
Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique. It's recommended to install the Hotfixes, published by Microsoft: Windows NT Workstation and Server, Windows NT Terminal Server Edition.

HP-UX

Security Vulnerability in Software Distributor (SD): HP Security Bulletin #00101, ERS-1999.102
HP9000 Series 700/800 running HP-UX 10.XX, and 11.00, plus SD OpenView/ITA on other specific vendor platforms are vulnerable against an attack where users can gain increased privileges. It's recommended to install the patchens listed in the advisory.

AIX 3.x, 4.2.x, 4.3.x

Vulnerability in ptrace: ERS-1999.002i
A denial of service vulnerability has been discovered in the ptrace system call allowing non-root users to crash the system. Users of AIX 3.x should make an update to version 4, official patches will be published soon. A temporarily patch is also available.

Red Hat Linux 6.0

Vulnerabilities in enlightenment and gnumeric:
New enlightenment package is available to correct problem which prevents Oracle8i installer (and possibly other Java applications) from running correctly on a Red Hat Linux 6.0 machine. A potential security problem has been fixed in the gnumeric spreadsheet package. It's recommended to install the updates:
i386:
rpm -Uvh ftp://updates.redhat.com/6.0/i386/enlightenment-0.15.5-36.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/gnumeric-0.27-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/enlightenment-0.15.5-36.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/gnumeric-0.27-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/enlightenment-0.15.5-36.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/gnumeric-0.27-1.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/enlightenment-0.15.5-36.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/gnumeric-0.27-1.src.rpm

Red Hat Linux

Unix

Vulnerability in tiger: ERS-1999.101
Tiger is a public domain package developed and maintained by Texas A&M University, used for checking security problems on a Unix system. Due to lack of checking, a local user can craft a command in such a way that he may have the command executed with the privileges of the process running Tiger (usually root).
It's recommended to install the concerning patches.

Microsoft IIS 3.0 and 4.0 using Data Access Components 1.5

Vulnerability by ODBC Data Access with RDS: MS99-025 (corr.), ERS-1999.099-1 and 2, S-99-21 and 21a, J-054
The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including:
- Allowing unauthorized users to execute shell commands on the IIS system as a privileged user.
- On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.
- Allowing unauthorized accessing to secured, non-published files on the IIS system.
It's recommended to install the latest version of MDAC (2.1 SP2), to delete the /msadc virtual directory or to apply correct registry settings.
If the RDS functionality is needed the Anoymous Access for the /msdac directory in the default Web should be disabled and a Custom Handler should control incoming requests. Further information about this can be found here.

IRIX

Vulnerability in arrayd: SGI19990701, CA-99-09, ERS-1999.100, S-99-20, J-052
A vulnerability has been discovered in the default configuration of the Array Services daemon, arrayd running under IRIX and UNICOS. Array Services are used to manage a cluster of systems. The default configuration file, arrayd.auth, disables authentication and does not provide adequate protection for systems connected to an untrusted network. So remote and local users can execute arbitrary commands as root. It's recommended to reconfigure arrayd to use "SIMPLE" authentication as described in the advisory.

many

Vulnerability in Calendar Manager Service: CA-99-08, J-051, ERS-1999.098, S-99-19, J-051
A buffer overflow vulnerability has been discovered in the Calendar Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently distributed with the Common Desktop Environment (CDE) and Open Windows. Which systems are affected and what to do against this risk is pointed out in the advisory.

Windows NT and 9x

Back Orifice 2000 released: ISS-031, Microsoft, ERS-1999.097
Back Orifice is a client/server application that can gather information, perform system commands, reconfigure machines, and redirect network traffic. By executing the Back Orifice server program on a machine, a user can connect remotely to that specific IP address and perform any of the above actions. Earlier versions of BO only worked on systems under Windows 9x - the latest version, published on July 10th, runs also under Windows NT.
Further description of the features are mentioned in the advisory. We recommend not to install any dubious software, because the risk of installing a Trojan Horse is immense.

HP-UX

CDE leaves Current Directory in root PATH: HP Security Bulletin #00100, ERS-1999.096, J-053
The PATH environemnt variable is constructed from several sources including dtsearchpath and scripts in /etc/dt/config/Xsession.d/ and /usr/dt/config/Xsession.d/. The resulting PATH contains the string "::" which will be interpreted as the current directory. The root user should not have the current directory in the PATH, the recommended solution is to clean up the root user's PATH after is has been created.

HP-UX

Vulnerability HP Visualize Conference: HP Security Bulletin #0099, ERS-1999.090, J-050
HP Visualize Conference is a T-120 conference solution for HP-UX Workstations. The HP Visualize Conference ftp capability allows a conference participant to push a file to all other participants. As a general comment not specifically related to this vulnerability, the user should establish some means of authenticating conference participants.
It's recommended to install the available patch:

HP-UX Series 700, release 10.20:

PHSS_17168

Windows NT and 9x

New list of Backdoors: ISS-030, ERS-1999.095
ISS has published updates on backdoors for Windows 95, 98, and NT. Because of the number of backdoors mentioned in the advisory, there is only a brief description of each backdoor's features and communications protocol.

Windows NT 4.0

Unprotected IOCTLs Vulnerability: MS99-024, ERS-1999.094
The IOCTLs that are used to obtain services from the keyboard and mouse drivers in Windows NT do not require that the calling program have administrative privileges. A user-level program could use legitimate calls to disable the mouse and keyboard, after which the machine would need to be rebooted to restore normal service. On a terminal server, such a program could disable the keyboard and mouse on the console.
It's recommended to install the hotfix for NT 4.0 Server and Workstation or Terminal Server Edition.

Windows NT 4.0, SP4

Vulnerability by Malformed Image Header: MS99-023, ERS-1999.091
If an executable file with a malformed image header is executed, it will cause a system failure. The affected machine will need to be rebooted in order to place it back in service. Any work that was in progress when the machine crashed could be lost.
If not using SP5 it's recommended to install the hotfix for NT 4.0 Server and Workstation or Terminal Server Edition.

Debian Linux

Vulnerability in mailman: Debian0623, python
The version mailman as supplied in Debian GNU/Linux 2.1 has a problem with verifying list administrators. The problem is that the cookie value generation used was predictable, so using forged authentication cookies it was possible to access the list administration webpages without knowing the proper password. This has been fixed in version 1.0rc2-5.

Windows NT

Vulnerability in WebTrends Software: ISS-029, ERS-1999.093
The vulnerability only applies to systems using the MAPI and NT service features in WebTrends Software on the Windows NT platform. It's recommended to download the latest versions of the programs or, at least, make following change in Windows NT: Remove the 'Everyone: Full Control' permission and add 'Administrators: Full Control', so only administrators have access to the file WebTrends.INI.
Further information about the vulnerable products can be found in the advisory.

all

New ISS Summary: ISS, ERS-1999.092
ISS reports 8 new vulnerabilities found within the two weeks:
- webtrends-bad-perms
- hp-visualize-conference-ftp
- accelx-bo
- linux-vmware-buffer-overflows
- iis-double-byte-code-page
- eastman-cleartext-passwords
- msrpc-lsa-lookupnames-dos
- nt-csrss-dos
Further information can be found at the site of ISS.

Red Hat Linux