News September 1999


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish well-known risks inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


System: Short description and further information:
Debian Linux Vulnerabilities in cron and INN: Debian0830, Debian0907
Cron sends mail as root without checking the parameters passed to sendmail on the command line. This can lead to a root compromise. A buffer overflow in the inews program as provided by the INN news server is reported. This program is used by local clients to inject news articles to the server. In order to be able to connect to the news server through a Unix domain socket it needs to run setgid "news". By exploiting this bug local users can gain "news" privileges. After that they are able to modify the configuration for the INN server as well as destroy News databases and files.
It's recommended to install patches as pointed out in the advisories.
Windows NT 4.0 Vulnerability in RASMAN Security Descriptor: MS99-041, ERS-1999.149
In all versions of NT 4.0 (TS included) the security descriptor that secures the Remote Access Connection Manager, RASMAN.EXE, contains an inappropriate ACE in its DACL and would allow an unprivileged user to levy requests on it via the Service Control Manager. Among the actions that could be requested is to change the location and name of the executable code for the service. By doing so, a malicious user with a valid user-ID and password could substitute arbitrary code for the legitimate service, which then would run in a System Context.
It's recommended to install a hotfix published by Microsoft.
IBM AIX 4.3.x Remote buffer overflow in ftpd daemon: ERS-1999.004i, J-072, S-99-41
A buffer overflow vulnerability has been found in the AIX 4.3.x ftpd daemon that allows remote attackers to gain root access. Example exploit code has been publicly released. It's recommended to install a temporary fix as soon as possible.
Microsoft IE 5 Vulnerability caused by Active Scripting: MS99-040, ERS-1999.148
The Internet Explorer 5 includes a feature called "download behavior" that allows web page authors to download files for use in client-side script. By design, a web site should only be able to download files that reside in its domain. A server-side redirect can be used to bypass this restriction, thereby enabling a malicious web site operator to read files on the user's machine or the user's local intranet.
As an immediate measure, customers can prevent the download behavior function from operating by disabling Active Scripting, or they can install a patch published by Microsoft (US version).
SuSE Linux Vulnerabilities in mars_nwe, sccw, and pbpg: SUSE019, SUSE020, SUSE021
The mars_nwe tools are vulnerable to several buffer overflows so an attacker might get root access to the system. Patches are available for Intel-SuSE 5.3, 6.1, and 6.2. SuSE 6.1 on Alpha is also supported.
The /usr/bin/sccw tool can be used to read any file on the system, so an attacker can read e.g. the /etc/shadow file or private e-mail. It's recommended to update Intel-SuSE 6.2.
The /usr/bin/pg and /usr/bin/pb tools can be used to read any file on the system, so an attacker can read e.g. the /etc/shadow file or private e-mail. It's recommended to update Intel-SuSE 6.2.
All New ISS-Summary: ISS, ERS-1999.144
ISS reports 22 new vulnerabilities:
- http-powerdynamo-dotdotslash
- inn-inews-bo (RedHat, SUSE, Caldera)
- amd-bo (RedHat, Caldera)
- wu-ftpd-dir-name
- nt-sequence-prediction-sp4
- ibm-gina-group-add
- linux-pt-chown
- oracle-dbsnmp
- oracle-dbsnmp-trace
- jet-text-isam
- jet-vba-shell
- lotus-ldap-bo
- smtp-refuser-tmp
- ciscosecure-read-write
- linux-telnetd-term (RedHat, Caldera)
- qms-2060-no-root-password
- trn-symlinks (Debian, SUSE)
- aix-pdnsd-bo
- bsdi-smp-dos
- linux-termcap-tgetent
- suse-identd-dos
- win-ie5-telnet-heap-overflow
Further information can be found at the server of ISS.
HP-UX Vulnerability in ttsession: HP Security Bulletin #00103, ERS-1999.139, S-99-36
Ttsession uses a weak RPC authentication mechanism, so local and remote users may execute arbitrary programs with the privileges ttsession is running with. It's recommended to install the applicable patch:
HP-9000 Series 700/800, HP-UX 10.10 not available yet
HP-9000 Series 700/800, HP-UX 10.20 PHSS_19747
HP-9000 Series 700/800, HP-UX 10.24 not available yet
HP-9000 Series 700/800, HP-UX 11.00 PHSS_19748
Microsoft IIS 4.0 Vulnerabilities in Domain Resolution and FTP Download: MS99-039, ERS-1999.147, S-99-39, K-002
IIS 4.0 provides the ability to restrict access to a web site based on the user's domain. However, if IIS cannot resolve a user's IP address to a domain, it will grant the user's first request for a session. It will correctly deny them thereafter.
A user who accesses an FTP site via a browser will be able to download files even if they are marked No Access. This vulnerability was introduced in hotfixes released after Windows NT 4.0 Service Pack 5; it does not exist in SP5 or in previous versions.
It's recommended to install the (US) patch published by Microsoft.
Windows 9x and NT Vulnerability by Source-Routing: MS99-038, ERS-1999.145, ERS-1999.146
Windows NT 4.0 Service Pack 5 introduced the ability to disable source routing on a multi-homed Windows NT machine that acts as a router. However, even if source routing is disabled, the restriction can be bypassed by including a specific type of incorrect information in the route pointer of the data packet. Windows 95 and 98 also provide this capability and are affected by the same vulnerability. Patches for Windows 9x and NT 4.0 TSE will be published soon. A hotfix for the US version of NT Workstation and Server is available.
Many Unix Buffer Overflow in amd: CA-99-12, ERS-1999.143, IN-99-05, J-071, S-99-38
Systems running amd, the Berkeley Automounter Daemon, are at risk: remote intruders can execute arbitrary code as the user running the amd daemon (usually root). Further information about affected systems and the availability of patches is given in the advisory.
FreeBSD Vulnerabilities in ftpd, kernel, and fts: FreeBSD03, FreeBSD04, FreeBSD05, ERS-1999.140, ERS-1999.141, ERS-1999.142, J-067, J-068, S-99-37
Wuftpd, beroftpd and proftpd are all optional portions of the system designed to replace the stock ftpd on a FreeBSD system. There are different security problems which can lead to remote root access in these ports or packages. The standard ftp daemon which ships with FreeBSD is not impacted by either of these problems.
As a diagnostic aid to help programmers find bugs in their programs, the system creates core files when an illegal instruction or other fatal error happens. A flaw in the kernel allowed it to follow symbolic links when creating core files. A workaround is described in the corresponding advisory; a patch is available.
In the fts library functions three problems were found, giving an attacker possibilities to create or overwrite arbitrary files on the system and to get administrative rights on this machine. A patch has been published.
SuSE Linux Vulnerabilities in pine, proftpd, and lynx: SUSE0909, SUSE017, SUSE018
The pine-package published in June had a malfunction in IMAP. Now patches are available for Intel-SuSE 5.3, 6.1, and 6.2. Further patches are available here.
A vulnerability was found in proftpd: remote users can get root access to the machine. SuSE is working on a patch. Until then, it's strongly recommended to uninstall proftpd or to use the anon-ftpd from Bernstein (read only).
In lynx-2.8.2 it was found that remote users can modify files and execute arbitrary commands on the local machine, so it's strongly recommended to install the patches for Intel-SuSE 5.3, 6.1, and 6.2.
Red Hat Linux Buffer overflow in mars_nwe: RH1999-037, ERS-1999.138
Buffer overflows are present in the mars_nwe package. Since the code that contains these overflows is run as root, a local root compromise is possible if users create carefully designed directories and/or bindery objects. It's recommended to install a patch:
Red Hat Linux 4.2:
Intel:
ftp://updates.redhat.com/4.2/i386/mars-nwe-0.99pl17-0.4.2.i386.rpm
Source:
ftp://updates.redhat.com/4.2/SRPMS/mars-nwe-0.99pl17-0.4.2.src.rpm
Red Hat Linux 5.2:
Intel:
ftp://updates.redhat.com/5.2/i386/mars-nwe-0.99pl17-0.5.2.i386.rpm
Source:
ftp://updates.redhat.com/5.2/SRPMS/mars-nwe-0.99pl17-0.5.2.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://updates.redhat.com/6.0/i386/mars-nwe-0.99pl17-4.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/alpha/mars-nwe-0.99pl17-4.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.0/sparc/mars-nwe-0.99pl17-4.sparc.rpm
Source:
ftp://updates.redhat.com/6.0/SRPMS/mars-nwe-0.99pl17-4.src.rpm
Many Unix Vulnerabilities in the Common Desktop Environment (CDE): CA-99-11, ERS-1999.137, S-99-34, K-001
Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE). These are
- ToolTalk ttsession uses weak RPC authentication mechanism
- CDE dtspcd relies on file-system based authentication
- CDE dtaction buffer overflow
- CDE ToolTalk shared library buffer overflow in TT_SESSION
How to avoid the mentioned security problems and which systems/vendors are affected is pointed out in the advisory.
Microsoft IE 5 Vulnerability by ImportExportFavorites: MS99.037, ERS-1999.136
The Microsoft Internet Explorer 5 includes a feature that allows users to export a list of their favorite web sites to a file, or to import a file containing a list of favorite sites. The method that is used to perform this function, ImportExportFavorites(), should only allow particular types of files to be written, and only to specific locations on the drive. However, it is possible for a web site to invoke this method, bypass this restriction and write files that could be used to execute system commands. The net result is that a malicious web site operator potentially could take any action on the computer that the user would be capable of taking. The vulnerability can be prevented by disabling Active Scripting. How to do this is described here.
Windows NT 4.0 Installation parameters left: MS99.036, ERS-1999.135, K-003
When an unattended installation of Windows NT 4.0 completes, a copy of the file Unattend.txt that contains the installation parameters remains on the hard drive in system32. Depending on the method that was used to perform the installation and the specific installation parameters that were selected, the file could contain sensitive information, potentially including the local Administrator password. In any case this file should be deleted after completing the installation.
Microsoft Site Server and MCIS Vulnerability caused by Set Cookie Header Caching: MS99.035, ERS-1999.134
When certain versions of Site Server or Microsoft Commercial Internet System (MCIS) send a web page that contains a Set-Cookie header, they do not flag the page with an expiration header. As a result, such pages may be cached by a web proxy. Multiple users accessing the same site via a web proxy might be served the same page, containing the same Set-Cookie header. If the cookie information includes a GUID that is used as an index for the server's database, one user's personal data might be viewable by the others. Browser users who do not need cookies should turn them off. For server administrators it's recommended to install the hotfix published by Microsoft.
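The defect above is a server-side response that carries a Set-Cookie header without any header telling a shared cache not to store it. The following audit script is an added example, not part of this news page and not code from Microsoft or the advisory: it parses raw HTTP response headers and reports responses where a cookie could be handed to the next user behind the same proxy. The three sample responses are constructed; the cookie name and GUID value are invented placeholders, not values from any real Site Server installation.

```python
import email.utils
from datetime import datetime, timezone

# Constructed sample responses (placeholders, not captured from a real server).
SAMPLE_RESPONSES = {
    "unsafe": (
        "HTTP/1.0 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: SITESERVER=ID=0123456789abcdef0123456789abcdef; path=/\r\n"
        "\r\n"
    ),
    "safe": (
        "HTTP/1.0 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: SITESERVER=ID=0123456789abcdef0123456789abcdef; path=/\r\n"
        "Cache-Control: private, no-cache\r\n"
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
        "\r\n"
    ),
    "no_cookie": (
        "HTTP/1.0 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def parse_headers(raw):
    """Return [(name_lower, value)] for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def expires_is_protective(value):
    """An Expires value counts as protective if it is 0/-1, unparsable (treated as
    already expired, per HTTP/1.1), or a date that is not in the future."""
    if value.strip() in ("0", "-1"):
        return True
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)


def proxy_may_cache_cookie(raw):
    """True if the response sets a cookie but carries nothing that stops a shared
    cache (proxy) from storing and replaying the page to other users."""
    headers = parse_headers(raw)
    if not any(name == "set-cookie" for name, _ in headers):
        return False
    for name, value in headers:
        if name == "cache-control":
            tokens = {t.strip().lower().split("=")[0] for t in value.split(",")}
            if tokens & {"private", "no-store", "no-cache"}:
                return False
        elif name == "expires" and expires_is_protective(value):
            return False
        elif name == "pragma" and "no-cache" in value.lower():
            return False
    return True


def audit(responses):
    """Return the sorted labels of responses that a proxy may cache with a cookie."""
    return sorted(label for label, raw in responses.items() if proxy_may_cache_cookie(raw))


if __name__ == "__main__":
    for label in audit(SAMPLE_RESPONSES):
        print("cookie-bearing page cacheable by a shared proxy:", label)
```

Running the block against the constructed samples flags only the "unsafe" response; the "safe" one carries both Cache-Control: private and a past Expires date, which is the kind of marking the advisory says the affected servers omit.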
Solaris 2.6 and 7 Vulnerability by LC_MESSAGES: Sun Security Bulletin #00189, ERS-1999.132, J-069, S-99-40
In libc, the LC_MESSAGES environment variable affects the behavior of messaging functions. A vulnerability exists where a buffer overflow could be exploited to gain root access. The patches listed in this bulletin address both libc and the ufsrestore and rcp binaries, which are statically linked against libc. It's recommended to install the corresponding patch:
System                                           Patch-ID
SunOS 5.7, 5.7 ufsrestore, 5.7 rcp               106541-07, 106793-03, 107972-01
SunOS 5.7_x86, 5.7_x86 ufsrestore, 5.7_x86 rcp   106542-07, 106794-03, 107973-01
SunOS 5.6, 5.6 ufsrestore, 5.6 rcp               105210-24, 105722-03, 107991-01
SunOS 5.6_x86, 5.6_x86 ufsrestore, 5.6_x86 rcp   105211-22, 105723-03, 107992-01
OpenBSD Vulnerability by various flags to files in the file system: OpenBSD, ERS-1999.131, J-066, S-99-35
BSD 4.4 added various flags to files in the file system. A user can set these flags and the mode on the device they logged into. Since a bug in login and other similar programs causes the normal chown to fail, this first user will own the terminal of any later login. Local users can execute a man-in-the-middle attack against any other user (including root) when the other user logs in.
It's recommended to modify the source-code as described in the advisory.
Debian Linux Vulnerabilities in rsync, termcap-compat, smtp-refuser, and tm: Debian0823, Debian0823a, Debian0823b, Debian0823c
Due to security problems in these programs/packages, an update should be installed, as pointed out in the advisories.
Windows 9x and NT (all versions) Vulnerability caused by Fragmented IGMP Packet: MS99.034, ERS-1999.129
By sending fragmented IGMP packets to a Windows 9x or Windows NT 4.0 machine, it is possible to disrupt the normal operation of the machine. This vulnerability primarily affects Windows 9x machines. Depending on a variety of factors, sending such packets to a Windows 9x machine may elicit behavior ranging from slow performance to crashing. Windows NT contains the same vulnerability, but other system mechanisms compensate and make it much more difficult to mount a successful attack.
It's recommended to install the corresponding patch for Windows 95, Windows 98, Windows NT (Workstation 4.0, Windows NT Server 4.0, Windows NT Server, Enterprise Edition), and Windows NT Server 4.0, Terminal Server Edition.
Windows 9x Vulnerability by Malformed Telnet Argument: MS99.033, ERS-1999.133, J-070
The Telnet client that ships as part of Windows 95 and 98 has an unchecked buffer. A specially malformed argument could be passed to the client via a web page in order to cause arbitrary code to execute on the computer via a classic buffer overrun technique. It's recommended to install the hotfix for Windows 95 and Windows 98 (also Second Edition).
All New CERT-Summary: CS-99-03, S-99-33
Since the last summary in May 1999 the following tendencies were observed:
1. Many RPC Vulnerabilities:
Such exploitations can lead to root compromise on systems that implement these RPC services. The vulnerable services are rpc.cmsd, statd, automountd, and ttdbserverd.
2. Virus and Trojan Horse Activity:
It is important to take great caution with any email or Usenet attachments that contain executable content.
3. Continued Widespread Scans
Red Hat Linux Buffer overrun in amd, proftpd, XFree86, and inn inews: RH1999-032, RH1999-033, RH1999-034, RH1999-035, ERS-1999.126, ERS-1999.127, ERS-1999.128
New packages for all Red Hat Linux platforms. They should be installed for security reasons. The latest version of XFree86 can be obtained here.
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/inn-2.2.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/inn-2.2.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/inn-2.2.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/inn-2.2.1-1.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/inn-2.2.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/inn-2.2.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/inn-2.2.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/inn-2.2.1-1.src.rpm
Red Hat Linux 6.0:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.0/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/i386/proftpd-1.2.0pre3-6.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/inn-2.2.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/alpha/proftpd-1.2.0pre3-6.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/inn-2.2.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/sparc/proftpd-1.2.0pre3-6.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/inn-2.2.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/SRPMS/proftpd-1.2.0pre3-6.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/inn-2.2.1-1.src.rpm
All Denial of Service attacks using the Domain Name System (DNS): AL-1999.004, J-063, ERS-1999.130, S-99-31
There is a new form of denial of service attack based on exploiting the difference in size between a Domain Name System (DNS) query and a DNS response and the willingness of DNS servers to answer queries from any source. Any platform connected to the Internet may be the target of the denial of service. Service is denied by occupying all link bandwidth with responses to bogus DNS queries and potential ICMP port unreachable responses to these bogus responses. The DNS server should be set up securely. How to do this is described in the advisory.
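From the resolver operator's side, the pattern described above shows up as one address receiving far more response bytes than it sent in query bytes, because the source address of the bogus queries is the victim's. The script below is an added example, not part of this news page or the advisory: it reads resolver log lines in a constructed five-column format (client, query name, query type, query bytes, response bytes) and reports addresses for which the server is acting as an amplifier, which is the signal that recursion should be restricted to authorised clients. The log lines and the addresses in them are constructed (documentation ranges), not real traffic.

```python
from collections import defaultdict

# Constructed sample resolver log (documentation addresses, not real traffic).
# Columns: client qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
192.0.2.10 example.org ANY 40 3100
192.0.2.10 example.org ANY 40 3100
192.0.2.10 example.org ANY 40 3100
192.0.2.10 example.org ANY 40 3100
198.51.100.7 www.example.com A 45 61
198.51.100.7 mail.example.com MX 48 120
203.0.113.5 example.org ANY 40 3100
"""


def parse_log(text):
    """Return [(client, qname, qtype, query_bytes, response_bytes)] from the constructed format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, qbytes, rbytes = line.split()
        records.append((client, qname, qtype, int(qbytes), int(rbytes)))
    return records


def amplification_report(records):
    """Per client address: number of queries, bytes in, bytes out, and the byte ratio."""
    totals = defaultdict(lambda: [0, 0, 0])  # [query_bytes, response_bytes, queries]
    for client, _, _, qbytes, rbytes in records:
        totals[client][0] += qbytes
        totals[client][1] += rbytes
        totals[client][2] += 1
    return {
        client: {
            "queries": n,
            "query_bytes": q,
            "response_bytes": r,
            "factor": r / q if q else float("inf"),
        }
        for client, (q, r, n) in totals.items()
    }


def suspicious_clients(records, min_factor=10.0, min_queries=3):
    """Addresses that received at least min_factor times the bytes they sent, over at
    least min_queries queries; a single large answer is not enough to be flagged."""
    report = amplification_report(records)
    return sorted(
        client
        for client, stats in report.items()
        if stats["factor"] >= min_factor and stats["queries"] >= min_queries
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, stats in sorted(amplification_report(recs).items()):
        print(f"{client:15} queries={stats['queries']} factor={stats['factor']:.1f}")
    print("likely reflection targets:", suspicious_clients(recs))
```

The thresholds are deliberate: the one-off ANY query from 203.0.113.5 has the same per-query ratio as the flagged address but is not repeated, so it is reported in the per-client table without being flagged, which keeps a single legitimate large answer from raising an alert.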
Microsoft IE 4.0, 5.0 ActiveX: Scriptlet.typlib/Eyedog Vulnerability: MS99-032, J-064, ERS-1999.124
This issue involves two ActiveX controls, Scriptlet.typlib and Eyedog. These controls are not in any way related to each other; their only relationship is that both are incorrectly marked as "safe for scripting" and can therefore be called from Internet Explorer.
- Scriptlet.typlib is a control used by developers to generate Type Libraries for Windows Script Components. It is marked as "safe for scripting", but should not be because it allows local files to be created or modified.
- Eyedog is a control used by diagnostic software in Windows. It is marked as "safe for scripting", but should not be because it allows registry information to be queried and machine characteristics to be gathered. In addition, one of the control's methods is vulnerable to a buffer overrun attack.
The patch sets the so-called "kill bit" on both controls, which prevents them from loading within IE. A patch for the US version is available.
HP-UX Security Vulnerability in rpc.cmsd: HP Security Bulletin #00102, ERS-1999.123
A buffer overflow vulnerability in the CDE Calendar Manager Service Daemon, rpc.cmsd, allows remote and local users to execute arbitrary code with root privileges. Patches are available from Hewlett Packard. Version 10.30 is vulnerable too, but a patch will not be published.
HP-9000 Series 700/800, HP-UX 10.20 PHSS_19482
HP-9000 Series 700/800, HP-UX 11.00 PHSS_19483


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 1999-10-19, 11:23 +0200