News September 1998


Most of the links lead to the corresponding files at CERT or other organisations, so any changes there, especially regarding which patches should be installed or which configuration changes avoid a vulnerability, are reflected immediately. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


Microsoft Windows NT Denial-of-Service by "Snork"-Attack: MS-98-014, ISS-09, ERS-111, J-001
As ISS reports, it is possible for a malicious attacker to send spoofed RPC datagrams to UDP destination port 135 so that it appears as if one RPC server sent bad data to another RPC server. This attack allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time.
The second server returns a REJECT packet and the first server (the spoofed server) replies with another REJECT packet creating a loop that is not broken until a packet is dropped, which could take a few minutes. If this spoofed UDP packet is sent to multiple computers, a loop could possibly be created, consuming processor resources and network bandwidth.
It's recommended to install the patches released by Microsoft:
Fix for Windows NT 4.0 x86, Windows NT 4.0 Alpha, Windows NT Server 4.0, Terminal Server Edition (available shortly)
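As an added example (not part of the original news item or the ISS advisory), the following Python script classifies firewall log records for the traffic patterns in the Snork description above: inbound UDP to port 135 from outside, packets arriving on the outside interface with an inside source address (spoofed), and UDP 135-to-135 exchanges between two hosts (the REJECT loop). The log format, the addresses and the internal network 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress

RPC_UDP_PORT = 135  # UDP endpoint mapper port named in the advisory

# Constructed sample log (not real traffic): iface proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
ext udp 203.0.113.7 135 192.168.1.10 135
ext udp 192.168.1.20 135 192.168.1.10 135
int udp 192.168.1.10 135 192.168.1.20 135
int udp 192.168.1.20 135 192.168.1.10 135
ext tcp 203.0.113.9 40000 192.168.1.10 80
int udp 192.168.1.10 53000 192.168.1.1 53
"""

def parse_line(line):
    """Split one whitespace-separated log record into a dict."""
    iface, proto, src_ip, src_port, dst_ip, dst_port = line.split()
    return {"iface": iface, "proto": proto, "src_ip": src_ip,
            "src_port": int(src_port), "dst_ip": dst_ip, "dst_port": int(dst_port)}

def classify(rec, internal_net):
    """Return the findings for one record (empty list when nothing is suspicious)."""
    net = ipaddress.ip_network(internal_net)
    src = ipaddress.ip_address(rec["src_ip"])
    findings = []
    if rec["proto"] != "udp":
        return findings  # the Snork loop is a UDP-only problem
    # Ingress filtering: a packet on the outside interface that claims an
    # inside source address is spoofed and should be dropped at the border.
    if rec["iface"] == "ext" and src in net:
        findings.append("spoofed-internal-source")
    # Inbound UDP to the RPC port from outside should be blocked at the perimeter.
    if rec["iface"] == "ext" and src not in net and rec["dst_port"] == RPC_UDP_PORT:
        findings.append("inbound-udp-135")
    # UDP 135 -> 135 between two hosts is the REJECT ping-pong the advisory describes.
    if rec["src_port"] == RPC_UDP_PORT and rec["dst_port"] == RPC_UDP_PORT:
        findings.append("rpc-135-to-135")
    return findings

def triage(log_text, internal_net="192.168.1.0/24"):
    """Map every flagged log line to its findings; clean lines are left out."""
    flagged = {}
    for line in log_text.splitlines():
        if line.strip():
            findings = classify(parse_line(line), internal_net)
            if findings:
                flagged[line] = findings
    return flagged
```

triage(SAMPLE_LOG) flags the first four records; the TCP and DNS lines come back clean.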
Microsoft Windows Accidental installation of Backdoors by Tools: ISS-08, ESB-98.146, ERS-109
Besides BoSniffer, which installs Back Orifice on Windows 95 and 98 systems, another tool is available in several versions: NetBus. It also allows remote control of the system, and it works under Windows NT as well. How to find out whether one of these programs is installed on a PC, and how to remove it, is described in the advisory.
Cisco Denial-of-Service: PIX and CBAC Fragmentation Attack: Cisco, ESB-98.145, ERS-110
Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS Firewall Feature Set, protects hosts against certain denial of service attacks involving fragmented IP packets. There is no possibility to gain direct access to these hosts, but a denial of service attack is possible.
The vulnerability is present in Cisco PIX firewall software up to and including version 4.2(1), and in CBAC versions of Cisco IOS software through 11.2P and 11.3T, and will be present in initial 12.0 revisions of CBAC software.
The advisory points out which patches and workarounds should be applied.
Solaris 2.3 - 2.3, SunOS 4.1.x Vulnerability by MIME-attachments: SUN Security Bulletin #00175, S-98-58, ERS-108, ESB-98.143
As reported earlier (CA-98.10), there is a vulnerability caused by a buffer overflow in MIME-aware mail and news clients. Sun Microsystems has released patches which should be installed as soon as possible.
Solaris 2.3 - 2.3, SunOS 4.1.x Vulnerability in ping: SUN Security Bulletin #00174, I-092, S-98-57, ERS-107, ESB-98.142
A buffer overflow has been discovered in the ping program which could be exploited by local users to gain root access. It's strongly recommended to install the patches listed in the advisory.
Cisco PIX Vulnerability in Cisco PIX Firewall Manager (PFM): Cisco, ERS-105, ESB-98.144
Cisco PIX Firewall is shipped with a management application known as PIX Firewall Manager. PFM is a WWW-based application, and includes a limited HTTP server. The PFM HTTP server runs on Windows NT computers. A vulnerability in the PFM HTTP server allows any attacker who can connect to the server to retrieve any file known in advance to exist on the Windows NT host. In almost all cases, this means that the host is vulnerable to attack by any user inside the firewall, but not by users outside the firewall.
Which versions are affected and which patches should be installed is pointed out in the advisory.
Microsoft Internet Explorer Cross Frame Navigate Vulnerability: MS98-013, ERS-106
The Cross Frame Navigate issue involves a vulnerability in Internet Explorer that could allow a malicious hacker to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious Web site operator to read the contents of files on your computer.
Affected versions are:
- Microsoft Internet Explorer 4.0, 4.01 and 4.01 SP1 on Windows NT 4.0, Windows 95
- Microsoft Windows 98, with integrated Internet Explorer (version 4.01 SP1)
- Microsoft Internet Explorer 4.0 and 4.01 for Windows 3.1 and Windows NT 3.51
- Microsoft Internet Explorer 4.0 and 4.01 for Macintosh
- Microsoft Internet Explorer 3.x
First, update to the latest version of IE. Then install the patch. Users of Windows 98 may also obtain the updated patch through Windows Update.
Further information about this vulnerability can be found in the advisory or here. A demo is also available.
HP-UX 10.x, 11.00 Vulnerability in dtmail and rpc.ttdbserverd: HP Security Bulletin #00084, I-090, ESB-140, ERS-100
Buffer overflow conditions were found in dtmail and rpc.ttdbserverd. These programs are supplied as part of the CDE; CDE does not need to be enabled for a system to be vulnerable. The following patches should be installed on HP9000 Series 7/800:
HP-UX release 10.10 PHSS_16150
HP-UX release 10.20 PHSS_16147
HP-UX release 10.24 PHSS_16197
HP-UX release 10.30 PHSS_16151
HP-UX release 11.00 PHSS_16148
many Unix Vulnerability in ToolTalk: NAI-29, CA-98.11, ESB-98.141, S-98-56, ERS-103, I-091
The ToolTalk service allows independently developed applications to communicate with each other by exchanging ToolTalk messages. The ToolTalk database server (rpc.ttdbserverd) is an ONC RPC service which manages objects needed for the operation of the ToolTalk service. It runs on many commercial Unix systems as root. ToolTalk communication is done by RPC calls. A maliciously formed RPC message directed to the server can cause a stack overflow, and thus an attacker may gain total control of the server process.
Until patches are available from the vendors, rpc.ttdbserverd should be removed and also taken out of any Unix startup scripts.
Windows 95 and 98 Back Orifice remover BoSniffer.zip is a Trojan Horse: NTshop
It's reported that a program, BoSniffer.zip, is able to search for existing installs of Back Orifice (BO) and can also block key points in the registry from BO. It has been found that this program is actually a BO server with the SpeakEasy plugin installed. BoSniffer.zip is being widely distributed as a "cure for Back Orifice infections". It is probably being distributed with other software packages and under other names too.
It's strongly recommended to remove BO manually. How to remove BO has been described by ISS.

Back to the News

© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: October 18, 1998, 20:23 +0200