News August 2000
Last Update: 2000-09-19


Further links lead to the organization which reported the problem, so you can also read the original advisory and are informed about further actions to be taken and patches to install.
By the way: if we are not publishing a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!

- The archive of Network-Security -

This site will be closed within the next weeks - we will inform you in time.
Please visit us at http://www.aerasec.com/security/index_e.html!
AERAsec Network Services and Security GmbH i.G.

System: Short description and further information:
August 2000
Linux Mandrake Vulnerabilities in dhcp, glib, and xpdf: Mandrake
There was a problem with the post-installation script for the updated DHCP packages. A bug was discovered in glibc (ld.so) that could allow local users to obtain root privileges. There is a potential race condition when using tmpnam and fopen in xpdf versions prior to 0.91. Further information and links to patches can be found in the advisory.
Debian Linux Vulnerabilities in ntop and xchat: Debian200830, Debian200830a
The updated version of ntop (1.2a7-10) that was released on August 5 was found to still be insecure: it was still exploitable using buffer overflows. Using this technique it was possible to run arbitrary code as the user who ran ntop in web mode. The version of X-Chat that was distributed with Debian GNU/Linux 2.2 has a vulnerability in the URL handling code: when a user clicks on a URL, X-Chat will start netscape to view its target. The URL is not checked for shell metacharacters, and this could be used to trick xchat into executing arbitrary commands. Patches are available now.
OpenLinux Vulnerability in faxrunq: CSSA-2000-029
The mgetty package contains a number of tools for sending and receiving facsimiles. One of the tools, faxrunq, uses a marker file in a world-writable directory in an insecure fashion. This bug allows malicious users to clobber files on the system owned by the user invoking faxrunq. A patch published by Caldera is available now.
FreeBSD Vulnerabilities in dhclient, proftpd, ntop, cvsweb, zope, ELF images, binary compatibility mode, brouted, netscape, mopd, and xlockmore: FreeBSD, ESB-2000.216, ESB-2000.217, ESB-2000.218, ESB-2000.219, ESB-2000.220, S-00-38, S-00-39, S-00-40, S-00-41, ERS-2000.196, ERS-2000.197, ERS-2000.198, ERS-2000.199, ERS-2000.200, ERS-2000.201, ESB-2000.233, ESB-2000.234, ESB-2000.235, ESB-2000.236, ESB-2000.237, ESB-2000.238
In the programs mentioned above security holes were found. Possible consequences are Denial-of-Service, compromise of the whole system or the disclosure of the password file. It is strongly recommended to install the patches published by FreeBSD.
many New CERT Summary: CS-2000-03, ESB-2000.229
CERT has published a survey of the most common attacks within the last three months:
1. Input Validation Vulnerability in rpc.statd
2. Multiple Vulnerabilities in FTP daemons
3. ActiveX Control Vulnerabilities
4. Exploitation of Hidden File extensions
5. Outlook and Outlook Express Cache Bypass Vulnerability
6. Chat Clients and Network Security
Further information is pointed out in the summary.
O'Reilly Website Pro Vulnerability in uploader.exe: WinITSec
By default Website Pro 2.3.7 creates several directories for use during the operation of the Web server, which have loose security permissions that allow any user to access them. One directory in particular (cgi-win) contains a program (uploader.exe) that allows a user to upload files to the Web server. Because the directory and uploader.exe program have loose security permissions, an anonymous user can access the program via a URL to upload files to the Web server.
Microsoft Windows 2000 Vulnerability caused by Local Security Policy Corruption: MS-062, WinITSec, ERS-2000.195, S-00-42, ESB-2000.232
This vulnerability could allow an attacker to corrupt parts of a Windows 2000 system's local security policy, with the effect of disrupting domain membership and trust relationship information. If a workstation or member server were attacked via this vulnerability, it would effectively remove the machine from the domain; if a domain controller were attacked, it could no longer process domain logon requests. Recovering from such an attack would likely require that a known-working configuration be restored from backup. A patch is available now.
ISS Denial-of-Service in RealSecure: WinITSec
A DoS attack can be launched against RealSecure 3.2.1 (NT, Solaris) and 3.2.2 (Solaris) by sending a flood of SYN packets (about 50 packets/s) with specific flags set. Such an attack can successfully prevent RealSecure from protecting its defined networks. The NT version of RealSecure will repeatedly crash and restart itself, and CPU load can reach 100 percent utilization. ISS is working on a patch.
CGI Script Center Vulnerabilities in Account Manager and Subscribe Me: WinITSec, WinITSec
Administrative level access can be obtained by overwriting the existing administrator password by calling a specific URL and passing it the new password. Demonstrations of the problem are pointed out in the advisories.
Microsoft Money 2000 and 2001 Password not protected correctly: MS-061, WinITSec, ERS-2000.194, ESB-2000.231
Microsoft Money provides a password protection feature that prevents unauthorized access to the Money file. Due to the way the password is currently handled, the password may be written in plaintext under certain conditions. Only data stored on a local computer are affected. A patch is available for automatic download using the "Update Internet Information" feature in Money.
Microsoft IIS 4.0 and 5.0 Vulnerability caused by IIS Cross-Site Scripting: MS-060, ERS-2000.193, ESB-2000.230
A vulnerability, known as Cross-Site Scripting (CSS), results when web applications don't properly validate inputs before using them in dynamic web pages. If a malicious web site operator were able to lure a user to his site, and had identified a third-party web site that was vulnerable to CSS, he could potentially use the vulnerability to "inject" script into a web page created by the other web site, which would then be delivered to the user. The net effect would be to cause the malicious user's script to run on the user's machine using the trust afforded the other site.
Microsoft has published fixes for Internet Information Server 4.0 and 5.0.
NAI Pretty Good Privacy (5.5.x - 6.5.3) PGP May Encrypt Data With Unauthorized ADKs: NAI, CA-2000-18, K-070, ERS-2000.190, S-00-37, WinITSec, ESB-2000.227
Additional Decryption Keys (ADKs) is a feature of PGP (Pretty Good Privacy) that allows authorized extra decryption keys to be added to a user's public key certificate. However, an implementation flaw in PGP allows unsigned ADKs which have been maliciously added to a certificate to be used for encryption.
Solutions: PGP key servers are already updated to filter out keys with the bogus ADK packets. On the client side, a fixed non-commercial version 6.5.8 has already been released, for US and Canadian users only, at MIT. A patch is available for commercial and international versions. Also check whether you use ADKs on encryption, and when importing keys into the keyring look at whether a key certificate contains ADKs. NAI has also released some keyring repair utilities; see the advisory for more details.
NetWin Vulnerability in Netauth: WinITSec
Netauth does not guard against the use of relative pathnames. By using the dot-dot-slash (../) syntax, directories can be navigated to expose file content. NetWin has released a new version.
IPSwitch DoS-Vulnerability in IMail: WinITSec
Each time a connection is made to the Web Messaging interface (port 8181 by default) a new thread is spawned to handle that connection. The thread can be made to crash by sending a string of 500 or more characters in association with an HTTP 1.1 HEAD command, which overruns the receiving buffer. Repeating such action would exhaust all available system resources leading to a Denial-of-Service attack against IMail Server 6.0 through 6.04. IPSwitch has released a patch.
Computer Associate's eTrust Vulnerability against masquerading: WinITSec
ETrust Access Control 4.1, including SP1, is vulnerable to administrative masquerade attack, which allows an attacker to gain administrative access to the product, and thus a significant portion of the network protected. If the default encryption key is used during installation then the key can be replicated on another system in an effort to compromise security. CA has published a patch.
HP OpenView Risk caused by passwords: WinITSec
Hewlett-Packard (HP) reported a vulnerability in its Node Manager 6.1 where local Web user passwords are not adequately protected from attack. HP has provided a patch for the NT version.
Lyris List Manager Possible unauthorized access: WinITSec
After logging in to the Lyris List Manager 3.0 and 4.0 Web interface, a user is presented with a Web page that can be saved, modified in a particular manner, and then transmitted back to the server to gain administrative level access to the product. Lyris has published a patch.
Sun / Java Server Java Web Server administration module vulnerable: Sun Security Bulletin #00197, ERS-2000:191, ESB-2000.226
It is possible to use the administration module to invoke servlets on a Java Web Server. With carefully crafted JSP tags it is possible to execute arbitrary commands on the Web Server. It is recommended to install the corresponding patches: Version 1.1.3: Patch 3, Version 2.0: Patch 3
OpenLinux and others ld.so unsetenv problem could allow local users to obtain super user privilege: CSSA-2000-028, ERS-2000.192
The dynamic loader ld.so is responsible for making shared libraries available within a program at run-time. Normally, a user is allowed to load additional shared libraries when executing a program; they can be specified with environment variables like LD_PRELOAD. Since this is not acceptable for applications that run setuid root, ld.so normally removes these environment variables for them. The bug causes these environment variables not to be removed completely under some circumstances. While setuid programs themselves are not vulnerable, external programs they execute can be affected by this problem. So far, no exploit has been published. However, we nevertheless recommend updating glibc (which contains ld.so) because of the potential risks. Vulnerable systems are OpenLinux Desktop 2.3 with glibc prior to version glibc-2.1.1-2, OpenLinux eServer 2.3 and OpenLinux eBuilder with glibc prior to glibc-2.1.3-3S, and OpenLinux eDesktop 2.4 with glibc prior to glibc-2.1.2-4. Because there is no workaround, Caldera recommends upgrading glibc to the new packages, which can be found on the Caldera FTP server.
Because this bug is in the glibc which is commonly used by current Linux distributions, not only Caldera Linux will be affected. Updates for other distributions are probably already in progress.
Hint: Because many running daemons and applications on a Linux system need glibc at runtime it's recommended to run the update in single user mode (normally runlevel 1, see 'man init' for details).
many Unix Security Risk in rpc.statd: CA-2000-17, K-069, S-00-36, ERS-2000.189, ESB-2000.222 
The rpc.statd program passes user-supplied data to the syslog function as a format string. If there is no input validation of this string, an attacker can inject machine code to be executed with the privileges of the rpc.statd process, typically root. It's recommended to upgrade rpc.statd and to block unneeded ports by the firewall.
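The defect class behind the rpc.statd entry is easy to recognise once seen side by side with its fix, so the following is added here as an illustration. It is not code from rpc.statd or from the CERT advisory; the "statd" prefix, the buffer size and the sample input are constructed for the example. The vulnerable shape is shown only in a comment; the compiled functions are the hardened path plus a small check that can feed a detection rule.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not code from rpc.statd or the CERT advisory. Untrusted
 * text (here a client host name, a constructed sample) must never be used
 * *as* a printf-style format string; it may only be bound to a "%s" in a
 * fixed one.
 *
 * Vulnerable shape (deliberately not compiled here): the caller's data is
 * the format string, so "%x" or "%n" inside it drive the formatter.
 *
 *     syslog(LOG_ERR, client_text);
 */

/* Render "prefix: client_text" with a fixed format. Returns the length, or
 * -1 if the message would not fit; truncation is treated as an error so a
 * long input can never silently lose its tail. */
int format_client_message(char *out, size_t outsz, const char *prefix,
                          const char *client_text)
{
    int n = snprintf(out, outsz, "%s: %s", prefix, client_text);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Detection aid: a legitimate host name never contains '%'. Counting
 * directives in inbound fields gives a cheap alert signal for this bug class. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++)
        if (*s == '%')
            count++;
    return count;
}

/* Hardened logging path: the format string is a literal, the data binds to %s. */
void log_client_event(const char *client_text)
{
    char buf[256];
    if (count_format_directives(client_text) > 0)
        syslog(LOG_WARNING, "statd: format directives in client data: %s",
               client_text);
    if (format_client_message(buf, sizeof buf, "statd", client_text) < 0) {
        syslog(LOG_ERR, "statd: message from client too long");
        return;
    }
    syslog(LOG_ERR, "%s", buf);
}

int main(void)
{
    /* Constructed sample of hostile input; it is logged verbatim, not interpreted. */
    log_client_event("%x%x%x%n");
    return 0;
}
```

The same rule applies to every printf-family function (printf, sprintf, syslog, vfprintf): the first argument after the stream or buffer must be a string literal under the program's control.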
Netscape Communicator New version 4.75 available: Heise News
The security hole Java - Brown Orifice in releases prior to 4.75 is now fixed. Files are available at Netscape FTP server. In addition, for Red Hat Linux 6.0 to 6.2 platform specific packages are now available, see RHSA-2000:054 (ESB-2000.221) for details. Also Caldera Systems has released an update, see CSSA-2000-027 for more information. And also Linux-Mandrake, see Mandrake Updates for details. SuSE has released new packages for Linux 6.2 - 6.4, too. It is available now on the main SuSE FTP server. For Linux 6.0 and 6.1 there is currently no new version available because Netscape has still not published a binary linked against glibc2.0. Further mirrors of SuSE can be found here.
many Linux xclockmore possible shadow file compromise: Debian20000816
Debian announces in an advisory that the packages xlockmore and xlockmore-gl install xlock with setgid by default, which can be used to gain read access to the shadow file. New packages for Debian 2.1 (slink) and 2.2 (potato) are available now. Linux-Mandrake has also released updated packages; see Mandrake Updates for more information. SuSE has no update available until now, but on their systems xlock runs without any more privileges than the user, therefore only the user's own encrypted password can be compromised (E-Mail win-sec-ssc, 23.08.2000).
many Linux XChat can pass URLs from IRC to a shell: RHSA-2000:055-03, ESB-2000.228
Red Hat announces in an advisory that the application XChat can pass URLs from IRC to a shell. A malicious URL could execute arbitrary shell commands as the user running XChat. The new version bypasses the shell and executes the browser directly. New packages for Red Hat Linux 6.2 are available now. Linux-Mandrake has also released updated packages for version 7.1; see here for more details. SuSE has no update available until now (source: e-mail from win-sec-ssc at 230800) and recommends deinstalling XChat.
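The XChat entries above (Debian and Red Hat) and the ld.so entry further up share one remedy when a program has to start a helper: hand the helper its arguments directly, with no shell in between, and give it an environment you built yourself rather than the one you inherited. The following is an added example of that pattern and is not code from XChat, glibc or any of the advisories; the browser path and the allow-list of environment variable names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Added example, not code from XChat, glibc or the advisories above.
 * Two defensive steps: (1) the URL is one argv element passed to execve,
 * so no shell ever parses it; (2) the child gets a scrubbed environment
 * built from an allow-list, so loader variables such as LD_PRELOAD never
 * reach a helper started by a privileged program. */

/* Length of the NAME part of an "NAME=value" entry. */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* 1 if the entry is a dynamic-loader control variable (LD_PRELOAD, LD_LIBRARY_PATH, ...). */
int is_loader_var(const char *entry)
{
    return env_name_len(entry) >= 3 && strncmp(entry, "LD_", 3) == 0;
}

/* Copy into out[] only entries whose names appear in allow[] (NULL-terminated)
 * and that are not loader variables. Returns the count, or -1 if out[] is too small. */
int build_child_env(char *const *envp, const char *const *allow, char **out, size_t outsz)
{
    size_t n = 0;
    for (; *envp; envp++) {
        size_t len = env_name_len(*envp);
        if (is_loader_var(*envp))
            continue;
        for (const char *const *a = allow; *a; a++) {
            if (strlen(*a) == len && strncmp(*a, *envp, len) == 0) {
                if (n + 1 >= outsz)
                    return -1;
                out[n++] = *envp;
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Accept only http/https URLs made of characters a URL may contain; backticks,
 * quotes, spaces and control characters are refused outright. */
int is_plain_http_url(const char *url)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        "-._~:/?#[]@!$&()*+,;=%";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    return url[strspn(url, ok)] == '\0';
}

/* Start the browser directly: argv is {browser, url, NULL}, so the URL is one
 * opaque argument and nothing interprets $(...) or ';' inside it.
 * Returns the child's exit status, or -1 on failure or a rejected URL. */
int open_url_no_shell(const char *browser, const char *url, char *const *child_env)
{
    if (!is_plain_http_url(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execve(browser, argv, child_env);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    static const char *const allow[] = { "PATH", "HOME", "DISPLAY", NULL };
    char *child_env[16];
    if (build_child_env(environ, allow, child_env, 16) < 0)
        return 1;
    /* "/usr/bin/netscape" is an assumed browser path for the example. */
    return open_url_no_shell("/usr/bin/netscape",
                             "http://www.aerasec.com/security/index_e.html",
                             child_env) < 0;
}
```

Note that the URL filter is a second line of defence only: the property that makes the XChat fix work is the missing shell, which is why characters such as `$` and `;` may legitimately pass the filter and still do no harm.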
Microsoft Internet Explorer 4.x & 5.x Microsoft's Java VM Exposes User Credentials: WinITSec, MS00-059, ERS-2000.188, ESB-2000.224, ESB-2000.225
By design, the browser-based Java VM runs untrusted Java applets within a security sandbox that restricts the applet's access to the user's system. A flaw in the sandbox design could allow a Web site operator to use a visiting user's credentials to gain access to protected data. For the versions shipped with IE 4.x and 5.x Microsoft has published patches: Java VM 2000 and Java VM 3100. It is recommended to install the corresponding security patch as well.
Microsoft IIS 5.0 using FrontPage Server Extensions Vulnerable to Cross Site Scripting: WinITSec
IIS 5.0 and FrontPage Server Extensions are vulnerable to an issue that allows a script to be passed to the Web server for execution. The problem could allow data inside a protected network to be transmitted offsite. Microsoft has fixed the problem with FrontPage Server Extensions, users should load SR1.2. Please see CA-2000-02. In addition, be sure to review the Cross Site Scripting Overview from Microsoft.
Microsoft IIS New Automated Web Interface Scans IIS: K-068, ERS-2000.186, S-00-35
Several vulnerabilities may be exploited in Microsoft's Internet Information Server. A tool with an automated Web interface may now be used for scanning IIS for multiple vulnerabilities. It is recommended to install the patches published by Microsoft and to install SP1 for Windows 2000.
SGI IRIX Vulnerability in WorldView: SGI-20000803
Omron WorldView is an optional purchased product used by SGI customers that require foreign language support in IRIX. A vulnerability may lead to root access through a buffer overflow exploit. A workaround by changing ownership of the jserver to a non-privileged user is pointed out in the advisory.
WatchGuard Firebox II Vulnerability leads to Denial-of-Service: WinITSec
If a user sends a malformed URL to the firewall's authentication service, which runs on port 4100 of the appliance, then the firewall will shutdown thereby denying service to users. A reboot is required to reestablish proper functionality. WatchGuard has made a service pack available.
Linux Mandrake Vulnerability in zope and MandrakeUpdate: Mandrake
Zope has (as for other systems too) a vulnerability, which resides in the getRole method. Another problem was found in MandrakeUpdate: A possible race condition has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. Upgraded versions are available.
FreeBSD Vulnerability in dhclient: FreeBSD-SA-00:34, K-067, ERS-2000.185
As in other systems, FreeBSD is vulnerable to an attack from a DHCP server because the DHCP client does not correctly validate input from the server. Attackers may execute arbitrary commands as root on the client.
BEA Systems Vulnerability in WebLogic: BEA0814, WinITSec
An unchecked buffer exists within the WebLogic 5.x logic plug-in that can allow arbitrary code to execute on the server in the same security context that the WebLogic proxy server runs under. BEA Systems has released a patch.
MediaHouse Vulnerability in Statistics Server Live Stats: WinITSec
Due to an unchecked buffer within the code that processes Web-based GET commands, the buffer can be overflowed to cause the execution of arbitrary code on the server. By sending a string of approximately 2033 bytes in length the buffer will overflow. MediaHouse has released a 5.03 patch that corrects the Statistics Server (LiveStats) 5.02x memory overflow bug.
many Linux Vulnerability in kernel: Sendmail, SGI-20000802, S-00-33, K-064, S-00-33, ERS-2000.183
There is a bug in the Linux kernel capability model for versions from 2.XXX through 2.2.15 that allows local users to get root. Sendmail is one of the programs that can be attacked this way. Please note that this is not a Sendmail security issue, but rather a Linux issue. The correct fix is to update the Linux kernel to version 2.2.16. This is the only way to ensure that other programs running on Linux cannot be attacked.
SGI IRIX Vulnerability in telnetd: SGI-20000801, S-00-32, K-066, ERS-2000.184
In telnetd a vulnerability was found and widely discussed on the Internet. A buffer overflow exists in a logging function of telnetd, so remote attackers may execute arbitrary code on the system as root. At the moment SGI is investigating and recommends disabling telnetd.
Microsoft IIS 5.0 Vulnerability caused by Specialized Header: MS00-058, WinITSec, K-065, ERS-2000.182, ESB-2000.215
If an Internet Information Server running under Windows 2000 receives a file request that contains a specialized header as well as one of several particular characters at the end, the expected ISAPI extension processing may not occur. The result is that the source code of the file would be sent to the browser. Microsoft has published a fix and recommends to install Windows 2000 SP1.
NetBSD Vulnerability in Netscape: NetBSD2000-011, ESB-2000.211
The vulnerability in Netscape, mentioned for other systems too, is also present in NetBSD. Patches are available.
Debian Linux Vulnerabilities in mailx and zope: Debian200810, Debian200812
Mailx is widely used by other programs to send E-Mail. Mailx as distributed in Debian GNU/Linux 2.1 (slink) and Debian 2.2 (potato) has some features that made it possible to execute system commands if a user can trick a privileged program to send E-Mail using /usr/bin/mail. This has been fixed in version 8.1.1-10.1.1slink.2 (for Debian 2.1) and version 8.1.1-10.1.3 (for Debian 2.2). On versions of Zope prior to 2.2beta1 it's possible for users with the ability to edit DTML to gain unauthorized access to extra roles during a request. Debian 2.2 (potato) pre-release does include zope and is vulnerable to this issue. A fixed package is available.
TurboLinux Vulnerability in pam: TLSA2000009
A denial of service attack can be made against the PAM auth system. This was reported before, now an update of the advisory has been published.
Red Hat Linux Vulnerabilities in mopd, usermode, and Zope: RHSA-2000:050, RHSA-2000:053, RHSA-2000:052, ERS-2000.177, ESB-2000.208, ESB-2000.213, ESB-2000.214, ERS-2000.187, ESB-2000.223
New packages have been released, fixing a buffer overflow in mopd-linux and a vulnerability in usermode. The usermode package allows unprivileged users logged in at the system console to run the halt, poweroff, reboot, and shutdown commands without needing to know the superuser's password. A HotFix for zope corrects issues in the getRoles method of user objects contained in the default UserFolder implementation. Users with the ability to edit DTML could arrange to give themselves extra roles for the duration of a single request by mutating the roles list as a part of the request processing. It's recommended to install the patches.
Red Hat Linux and Powertools 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/i386/mopd-linux-2.5.3-15.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/usermode-1.28-2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/alpha/mopd-linux-2.5.3-15.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/usermode-1.28-2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/sparc/mopd-linux-2.5.3-15.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/usermode-1.28-2.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/mopd-linux-2.5.3-15.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/usermode-1.28-2.src.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/Zope-Hotfix-DTML-08_09_2000-1.src.rpm
NoArch:
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/noarch/Zope-Hotfix-DTML-08_09_2000-1.noarch.rpm
SCO OpenServer 5 Vulnerability in scohelp: SB-00.16
Local users running any graphical setuid program that invokes scohelp can read and write admin privileged files. SCO has published a fix (ltr) to solve this problem.
Linux Mandrake Vulnerability in perl: Mandrake
As reported for other systems too, a hole has been found in Perl when using setuidperl together with the mailx program. For Mandrake-Linux an upgrade is available.
Microsoft IIS 4.0 and 5.0 Vulnerability by File Permission Canonicalization: MS00-057, ERS-2000.180, WinITSec, ESB-2000.207
A canonicalization error can cause Internet Information Server 4.0 or 5.0 to apply incorrect permissions to certain types of files. If an affected file residing in a folder with restrictive permissions were requested via a "special" URL, the permissions actually used would be those of a folder in the file's parentage chain, but not those of the folder the file actually resides in. If the ancestor folder's permissions were more permissive than those of the correct folder, the attacker would gain additional privileges to the affected file. Microsoft has published a patch to fix this vulnerability in IIS 4.0 and IIS 5.0.
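Both the Netauth entry (dot-dot-slash traversal) and this IIS entry come down to the same design rule: decode and canonicalise a request path first, and make the permission decision on the canonical form, never on the raw request. The following is an added example of that rule; it is not code from Netauth, IIS or any advisory on this page, and the "/admin/" prefix and the sample requests are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from Netauth, IIS or the advisories on this page.
 * Pipeline: percent-decode -> canonicalise ("." , "..", "//") -> check the
 * canonical path against the protected prefix. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes. Returns the decoded length, or -1 on a malformed escape
 * or an embedded NUL (which would truncate the path later on). */
int percent_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            int h = hexval((unsigned char)in[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)in[2]);
            if (h < 0 || l < 0)
                return -1;
            c = h * 16 + l;
            in += 2;
        }
        if (c == '\0' || o + 1 >= outsz)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Collapse "." and "//", resolve "..", and refuse any request that would
 * climb above the root. Returns 0 on success, -1 if rejected. */
int canonicalize_request_path(const char *req, char *out, size_t outsz)
{
    const char *segs[64];
    size_t lens[64];
    int depth = 0;
    if (req[0] != '/')
        return -1;
    for (const char *p = req; *p; ) {
        while (*p == '/') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;               /* would escape the root */
            depth--;
            continue;
        }
        if (depth == 64)
            return -1;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }
    if (depth == 0) {
        if (outsz < 2) return -1;
        strcpy(out, "/");
        return 0;
    }
    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outsz)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

/* Decode, then canonicalise: the only form the permission check may see. */
int resolve_request(const char *raw, char *out, size_t outsz)
{
    char decoded[1024];
    if (percent_decode(raw, decoded, sizeof decoded) < 0)
        return -1;
    return canonicalize_request_path(decoded, out, outsz);
}

/* 1 if path lies under prefix (prefix ends with '/'); apply to the canonical path. */
int is_under_prefix(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}
```

The instructive case is a request such as `/admin/%2e./secret`: matched against the raw string it looks like it lives under `/admin/`, but after decoding and canonicalisation it resolves to `/secret`, so a check done on the raw form applies the wrong folder's permissions, which is exactly the failure the IIS entry describes.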
Microsoft Office 2000 Vulnerability caused by HTML Object Tag: MS00-056, WinITSec, ERS-2000.179, ESB-2000.205, ESB-2000.210
Microsoft Office 2000 applications are capable of reading HTML files saved as Office documents. A malformed data object tag embedded in one of these documents could cause the Office application to crash and allow arbitrary code to be executed. An attacker would need to entice a user into opening the malformed Office document - but this is mostly no problem, because "attractive" Mail attachments are "always interesting". Microsoft has published a patch for Microsoft Word 2000, Excel 2000, PowerPoint 2000. Office 2000 SR-1 is required before this patch can be applied.
Microsoft Internet Explorer 4.x and 5.x Vulnerabilities caused by Scriptlet Rendering and new variant of Frame Domain Verification: MS00-055, WinITSec, ERS-2000.178, ESB-2000.204
The ActiveX control that is used to invoke scriptlets is essentially a rendering engine for HTML. It will render any file type, rather than rendering HTML files only, and so the doors are wide open for malicious web site operators. The second vulnerability found is a variant of the Frame Domain Verification vulnerability (originally posted in MS00-033). This new variant involves an additional function with the same flaw. The effect of the vulnerability is enabling a web site operator to open two frames, one in his domain and another on the user's local file system. A patch to solve the two problems is available. It also solves the IE problems reported in MS00-49. They are also the topic of ESB-2000.203, ESB-2000.212, CA-2000-16 and S-00-34.
TurboLinux Vulnerability in perl: TLSA2000018
As for other Linux distributions, a vulnerability has been found in perl. The latest versions of perl as well as past shipping versions of perl in TurboLinux distributions are susceptible to this local root exploit. A patch is available now.
Red Hat Linux Vulnerabilities in umb-scheme, mailx, perl, and ntop: RHSA-2000:047, RHSA-2000:048, RHSA-2000:049, RHSA-2000:051, ERS-2000.173, ERS-2000.174, ERS-2000.175, ESB-2000.199, ESB-2000.200, ESB-2000.202
New umb-scheme packages are available for Red Hat Linux 6.2. They fix a problem with file permissions. Updated perl and mailx packages are also available which fix a potential root exploit made possible by incorrect assumptions made in suidperl. The version of ntop which was included in Red Hat Powertools 6.2 has a remote exploit in which arbitrary files can be read on the host machine. In addition to that, Red Hat has released a new version of rpm required to install Red Hat updates (!).
Red Hat Linux 5.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/mailx-8.1.1-16.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/perl-5.004m7-2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/mailx-8.1.1-16.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/perl-5.004m7-2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/mailx-8.1.1-16.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/perl-5.004m7-2.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/mailx-8.1.1-16.src.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/perl-5.004m7-2.src.rpm
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/umb-scheme-3.2-12.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/mailx-8.1.1-16.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/perl-5.00503-11.i386.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/i386/ntop-1.3.1-1.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/umb-scheme-3.2-12.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/mailx-8.1.1-16.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/perl-5.00503-11.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/umb-scheme-3.2-12.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/mailx-8.1.1-16.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/perl-5.00503-11.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/sparc/ntop-1.3.1-1.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/umb-scheme-3.2-12.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/mailx-8.1.1-16.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/perl-5.00503-11.src.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/ntop-1.3.1-1.src.rpm
OpenLinux Vulnerability in sperl: CSSA-2000-026
Sperl is a setuid copy of the perl interpreter that can be used to execute perl scripts with the privilege of the file's owner. In order to be able to do so, sperl must be setuid root. When sperl detects that an attacker is trying to spoof it, it sends a mail message to the super user account using /bin/mail. By exploiting a flaw in the way sperl interacts with /bin/mail, any local user is able to obtain root privilege on the local machine. Affected Caldera systems are OpenLinux eServer 2.3, OpenLinux eBuilder perl-5.005_03-6S, and OpenLinux eDesktop 2.4. New packages are available now.
Netscape New Security hole caused by Java - Brown Orifice: ISS-058, WinITSec, K-063, S-00-31, ERS-2000.176, CA-2000-15, ERS-2000.181, ESB-2000.197, ESB-2000.206
A new security flaw has been found in the Netscape Java distribution. This vulnerability allows a hostile web site to start a server process on the browser system. That server can access arbitrary files on the browser system and locally connected networks through "file:" URLs. All versions of Netscape Navigator and Netscape Communicator versions 4.74 and earlier are vulnerable when Java is enabled. Netscape 6P1 has expired, so it could not be tested. It is strongly recommended to turn off Java until this problem is fixed!
Sun Solaris Vulnerability in Answerbook2: Sun Security Bulletin #00196, ESB-2000.198
AnswerBook2 ships with an HTTP server (dwhttpd) that allows users to access Solaris documentation using a web browser. In versions before 1.4.2 a vulnerability exists that allows attackers to access the administration of AnswerBook2 as well as to run arbitrary commands on the remote host as the webserver user (daemon). It is recommended to install the appropriate patch:
Answerbook2 Version    Patch-ID
1.4.2                  110011-02
1.4.2_x86              110012-02
Microsoft Word, Microsoft Access 2000 Vulnerability caused by Visual Basic: WinITSec
As Georgi Guninski reports, Microsoft Word can accept an MS Access 2000 database as input for a mail merge operation. The database file could contain Visual Basic code that could be made to run when the database is opened by MS Word. Such code could perform actions on the system without the user's knowledge. Microsoft seems to be working on a patch.
FTP Serv-U Vulnerability causing Denial-of-Service: WinITSec
The Serv-U FTP 2.5e service can be made to generate stack faults by sending the service approximately 5000 null bytes. Such an attack could render the underlying operating system unstable, and it may eventually crash. A demonstration is pointed out in the advisory. It is recommended to install version 2.5f, published by Deerfield.
Check Point FireWall-1/VPN-1 New SP protects against 10 possible vulnerabilities: CP, ESB-2000.196
10 possible vulnerabilities were discussed widely. They can be avoided by installing the latest Service Packs: 4.1-SP2, 4.1/4.0Mix-SP2 Back Compatibility, 4.0-SP7, CP Appliance 4.0-SP5.
Lotus Notes Domino Problems found with passwords and IE: Lotus, K-062, AL-2000.10
At the DefCon 8 convention some vulnerabilities in Lotus Notes Domino Server and Client were demonstrated. They involve weak encryption on the http password, cached passwords, and a vulnerability to malicious code when Internet Explorer is used as the reader. The first two vulnerabilities require physical access to the machine being attacked while the last concerns problems generic to Internet Explorer. It's recommended to upgrade the encryption of the Notes http passwords, not to leave a system unattended while it is logged into Notes, and not to run applications that are unexpectedly attached to web pages or E-Mail documents.
Microsoft Windows 9x DoS by IPX Ping Packet: MS00-054, ERS-2000.172, WinITSec, VN-2000-03, ESB-2000.195
The Microsoft IPX/SPX protocol implementation (NWLink) supports the IPX Ping command via the diagnostic port 0x456. Because of a flaw in the implementation of the protocol in Windows 95, Windows 98 and Windows 98 Second Edition, NWLink in these systems will respond to an IPX ping packet even when the source network address has been purposely modified to a broadcast address. This would give an attacker the opportunity to launch an attack by broadcasting a single ping request: each affected machine that received the ping would respond to it, potentially resulting in a broadcast storm. This could result in a Denial-of-Service for the whole network. Microsoft has published a patch for Windows 95 and Windows 98.
Cisco 12xxx Gigabit Switch Router Risk of Access Control Bypass and DoS: Cisco, ERS-2000.171, ESB-2000.193
A defect in Cisco IOS running on all models of Gigabit Switch Routers configured with Gigabit Ethernet or Fast Ethernet cards may cause packets to be forwarded without correctly evaluating configured ACLs. In addition to circumventing the access control lists, it is possible to stop an interface from forwarding any packets, thus causing a denial of service. Cisco is offering free software upgrades to circumvent these problems.
NAI Net Tools Vulnerability in PKI Server 1.0 for NT: WinITSec
An unchecked buffer exists that could allow arbitrary code to operate under the security context of the SYSTEM account. In addition, the default installation could allow an intruder to download any file located on the system. It's recommended to install Hotfix 3, published by NAI.
many New ISS Summary: ISS
Within the last month, 38 new vulnerabilities were found:
- analogx-proxy-ftp-crash - analogx-proxy-pop3-crash - analogx-proxy-socks4-crash
- roxen-null-char-url - wftpd-stat-info - bair-security-removal
- roxen-admin-pw-readable - wftpd-stat-dos - wftpd-rest-dos
- wftpd-mlst-dos - outlook-express-mail-browser-link - winamp-playlist-parser-bo
- outlook-date-overflow - tomcat-error-path-reveal - tomcat-snoop-info
- website-webfind-bo - alibaba-cgi-script-directory-listing - alibaba-get-dos
- website-httpd32-bo - alibaba-script-file-overwrite - zeroport-weak-encryption
- linux-usermode-dos - blackboard-courseinfo-dbase-modification - lsoft-listserv-querystring-bo
- linux-nfsutils-remote-root - iis-absent-directory-dos - blackboard-courseinfo-plaintext
- cvsweb-shell-access - webactive-long-get-dos - worldclient-dir-traverse
- http-cgi-bigbrother-bbhostsvc - apache-source-asp-file-write - netware-port40193-dos
- netscape-admin-server-password-disclosure - cisco-pix-firewall-tcp - mssql-manager-password
- gatekeeper-long-string-bo - minivend-viewpage-sample
Sun Solaris 2.6 - 8 Vulnerabilities in libprint and netpr: Sun Security Bulletin #00195, ERS-2000.170, ESB-2000.192
The lpset utility sets printing configuration information in the system configuration databases. A buffer overflow has been discovered in libprint.so.2 which may be exploited by a local attacker through lpset to gain root access. A buffer overflow vulnerability was also discovered in /usr/lib/lp/bin/netpr which may be exploited by a local attacker to gain root access. Sun Microsystems has published patches; it's strongly recommended to install them:
System Patch-ID
SunOS 5.8 109320-01
SunOS 5.8_x86 109321-01 
SunOS 5.7 107115-05
SunOS 5.7_x86 107116-05
SunOS 5.6 106235-06
SunOS 5.6_x86 106236-06
Microsoft Windows 2000 Vulnerability caused by Service Control Manager Named Pipe Impersonation: MS00-053, WinITSec, ERS-2000.169, ESB-2000.191
The Service Control Manager (services.exe) is an administrative tool provided in Windows 2000 that allows system services (Server, Workstation, Alerter, ClipBook, etc.) to be created or modified. The SCM creates a named pipe for each service as it starts. Should a malicious program predict and create the named pipe for a specific service before the service starts, the program could impersonate the privileges of the service. This could allow the malicious program to run in the context of the given service, with either specific user or LocalSystem privileges. A patch is available now.
TurboLinux Vulnerabilities in kernel-2.2.15, wu-ftpd, dhcp, cvsweb and Netscape: TLSA2000013, TLSA2000014, TLSA2000015, TLSA2000016, TLSA2000017
Problems reported for other Unix systems were also found in TurboLinux. Current and previous versions of the DHCP client are vulnerable to malicious DHCP servers: the client can execute arbitrary commands given to it in responses from a DHCP server. Current and previous versions of cvsweb allow remote users to access/write files as the default web user via the cvsweb.cgi script. Patches are available and pointed out in the advisories.
Linux Mandrake Vulnerabilities in Netscape, kon2/fld, and pam: Mandrake
Previous versions of Netscape, from version 3.0 to 4.73 contain a serious overflow flaw due to improper input verification in Netscape's JPEG processing code. There is a vulnerable suid program called fld. This program accepts option input from a text file and it is possible to input arbitrary code into the stack, thus spawning a root shell. A problem with the pam_console was found. This module incorrectly identifies remote X logins for displays other than :0 (for example, :1, :2, etc.) as being local displays, thus giving control of the console to the remote user. Patches are available now and should be installed as soon as possible.
Bajie Web Server Vulnerability by File System Exposure: WinITSec
A Java servlet that ships with the Bajie Web server 0.03a can be made to reveal critical physical path information. A new version will be released, further information can be found here.
AnalogX Vulnerability in SimpleServer: WinITSec
SimpleServer 1.07 protects against directory traversal when attempted via the typical dot dot slash (../) syntax. If the ASCII characters for the dots are replaced with their hexadecimal equivalent (%2E) then directory traversal can succeed. A patch is not available yet.
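The SimpleServer flaw above is a check applied before percent-decoding. The following added example (not AnalogX's code; the document root /srv/www and the request paths are constructed for illustration) puts a naive pre-decoding check beside a hardened resolver that decodes first, normalizes, and then confirms the result still lies under the document root:

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root, constructed for this example.
DOCROOT = "/srv/www"


def naive_is_safe(url_path: str) -> bool:
    """Check modelled on the SimpleServer 1.07 behaviour described above:
    look for the literal "../" in the raw request path, before decoding.
    A path written as %2E%2E/ passes this check unchanged."""
    return "../" not in url_path


def percent_decode_fully(s: str, limit: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %2E and the double-encoded %252E both end up as a literal dot."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            return decoded
        s = decoded
    return s


def resolve_safely(url_path: str) -> Optional[str]:
    """Hardened version: decode first, then normalize the joined path and
    require the result to remain inside DOCROOT. Returns the filesystem
    path to serve, or None when the request must be rejected."""
    decoded = percent_decode_fully(url_path)
    if "\x00" in decoded:
        return None  # an embedded NUL would truncate the path in a C runtime
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None  # the normalized path escaped the document root
    return full


if __name__ == "__main__":
    for req in ("/docs/index.html", "/../../etc/passwd", "/%2E%2E/%2E%2E/etc/passwd"):
        print(f"{req!r}: naive={naive_is_safe(req)} hardened={resolve_safely(req)!r}")
```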
Red Hat Linux Vulnerability in Netscape: RHSA-2000:046, ESB-2000.190
As reported before, Netscape's processing of JPEG comments trusted the length parameter for comment fields. By manipulating this value, it would be possible to cause netscape to read in an excessive amount of data, overwriting memory. Specially designed data could allow a remote site to execute arbitrary code as the user of netscape. This vulnerability is fixed in Netscape 4.74. It's recommended to install the patches:
Red Hat Linux 5.2: 
Intel: 
rpm -Fvh ftp://updates.redhat.com/5.2/i386/netscape-common-4.74-0.5.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/netscape-communicator-4.74-0.5.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/5.2/i386/netscape-navigator-4.74-0.5.2.i386.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/netscape-4.74-0.5.2.src.rpm
Red Hat Linux 6.2: 
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/netscape-common-4.74-0.6.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/netscape-communicator-4.74-0.6.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/netscape-navigator-4.74-0.6.2.i386.rpm
Alpha: 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/netscape-common-4.74-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/netscape-communicator-4.74-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/netscape-navigator-4.74-1.alpha.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/netscape-alpha-4.74-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/netscape-4.74-0.6.2.src.rpm
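The Netscape JPEG flaw in the Mandrake and Red Hat items above comes from trusting the length field of a comment (COM) segment. The added example below (not Netscape's code; the sample JPEG bytes are constructed inline) shows a marker walker that checks every declared segment length against the bytes actually present, and a builder used to forge a length field for testing:

```python
import struct

# JPEG marker codes used below (the byte that follows 0xFF).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def parse_jpeg_comments(data: bytes) -> list:
    """Walk the marker segments before the scan data and return the payload
    of every COM segment. Each declared length is checked against the bytes
    actually present; a reader that trusts the field instead reads past the
    end of its buffer, which is the bug class described in the advisory."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, comments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (EOI, SOS):
            break  # end of image, or entropy-coded data begins
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError(f"segment length {length} below minimum at offset {pos}")
        payload_end = pos + 2 + length  # the length field counts itself
        if payload_end > len(data):
            raise ValueError(f"declared length {length} exceeds data at offset {pos}")
        if marker == COM:
            comments.append(data[pos + 4:payload_end])
        pos = payload_end
    return comments


def jpeg_is_well_formed(data: bytes) -> bool:
    """True when every segment length is consistent with the file size."""
    try:
        parse_jpeg_comments(data)
        return True
    except ValueError:
        return False


def build_jpeg_with_comment(comment: bytes, declared_length=None) -> bytes:
    """Constructed sample: SOI, one COM segment, EOI. declared_length lets a
    test forge a length field that does not match the comment's real size."""
    length = len(comment) + 2 if declared_length is None else declared_length
    return bytes([0xFF, SOI, 0xFF, COM]) + struct.pack(">H", length) + comment + bytes([0xFF, EOI])
```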
BEA Systems Vulnerability in WebLogic: WinITSec
WebLogic (WebLogic Enterprise 5.1.x, WebLogic Server Express 4.5.X and 5.1.x) can be caused to display source code by using specific syntax to invoke the SSIServlet or FileServlet applications, which ship as part of the platform. A demonstration of the problem is given in the advisory. BEA Systems released a patch for the problem, available by contacting their support.
Adobe Acrobat Vulnerability by Buffer Overflow: Adobe, WinITSec, ESB-2000.201
A buffer overrun will occur if excessive characters are stored within the Ordering or Registry data fields of a Portable Document File (PDF). The overrun allows arbitrary code to be executed on the desktop. Under Windows 9x, NT, and 2000 the following are affected: Acrobat Reader 3.0J, 4.0j, 4.05j, Acrobat 3.0J, 4.0j, 4.05j, Adobe Acrobat Business Tools, and Adobe Acrobat FillIn.


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-09-19, 13:21 +0200