News October 2000
Last Update: 2000-11-02


Further links lead to the organization that reported the problem, so you can also read the original advisory and stay informed about further actions to take and patches to install.
By the way: if we're not publishing well-known risks inherent in any widely used platform or program, that doesn't mean this particular platform or program is safe to use!


Starting November 1st, this site will be closed and automatically redirected to http://www.aerasec.com/security/index_e.html! AERAsec Network Services and Security GmbH i.G.

System: Short description and further information:
Microsoft IIS with Index Server Vulnerability caused by .HTW-Files: WinITSec
Georgi Guninski has discovered a security issue that he believes is present in Internet Information Server 5.0. By using specially crafted URLs, a malicious attacker could retrieve specific content; one such scenario could lead to cookie stealing. The user sends a URL to an Internet Information Server with the Microsoft Index Server installed; this URL contains JavaScript which is executed on the server. Microsoft is working on a patch.
Microsoft Windows NT and 2000 Buffer Overflow in Network Monitor: ISS-067
A vulnerability caused by a remotely exploitable buffer overflow condition in one of Network Monitor's protocol parsers has been found. This may allow a remote attacker to gain privileged access and execute arbitrary code on any machine running Network Monitor that displays  captured data. 
OpenLinux Vulnerability in ypbind: CSSA-2000-039
There are several security problems in ypbind, the daemon used by NIS clients for binding to their NIS server(s). First, there is a potential buffer overflow; it is not clear whether it is possible to exploit it at all. Second, there is a denial of service attack against ypbind that can make it run out of file descriptors. A patch is available now.
IBM AIX 3.2.x - 4.3.x Vulnerability in locale: L-014
AIX allows a user-specified locale file to be used for displaying messages. Due to a format string vulnerability in locale, local users may gain root access to the system. IBM is working on a patch; a temporary fix is available.
Red Hat Linux Vulnerabilities in cyrus-sasl and Secure Web Server: ERS-2000.269, ERS-2000.270
An error has been found in the authorization checks of the cyrus-sasl version shipped with Red Hat Linux 7. Due to this bug, users who are successfully authenticated could be allowed access to resources even if the system had been configured to deny these users access. Security bugs in versions of Apache prior to 1.3.14 also affect Secure Web Server. It's recommended to install the patches published by Red Hat:
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/secureweb/3.2/i386/secureweb-3.2.2-4.i386.rpm.rhmask
rpm -Fvh ftp://updates.redhat.com/secureweb/3.2/i386/secureweb-devel-3.2.2-4.i386.rpm
rpm -Fvh ftp://updates.redhat.com/secureweb/3.2/i386/secureweb-manual-3.2.2-4.i386.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/secureweb/3.2/SRPMS/secureweb-3.2.2-4.nosrc.rpm
Red Hat Linux 7.0:
Intel:
rpm -Fvh ftp://updates.redhat.com/7.0/i386/cyrus-sasl-1.5.24-11.i386.rpm
rpm -Fvh ftp://updates.redhat.com/secureweb/3.2/SRPMS/secureweb-3.2.2-4.nosrc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/cyrus-sasl-1.5.24-11.src.rpm
NetBSD Vulnerabilities in NIS, cfengine, Global-3.55, and passwd/libutil: NetBSD, ERS-2000.265, ERS-2000.266, ERS-2000.267, ERS-2000.268
NIS client nodes may be vulnerable to a remote buffer overflow attack. The cfd daemon in GNU CFEngine contains several format string vulnerabilities in syslog() calls. When using the CGI interface of the Global v3.55 package, it's possible to execute arbitrary commands. The pw_error() function of the system libutil library, used by several programs including the setuid passwd program, is vulnerable to a format string attack. Patches are available now and should be installed as soon as possible.
Cisco IOS Denial-of-Service caused by HTTP service: Cisco, ERS-2000.263, L-012, S-00-47
For IOS 12.0 to 12.1 with HTTP Service enabled another possibility for a DoS has been found. When a URI containing "?/" is presented to the HTTP service on the router and a valid enable password is supplied, the router enters an infinite loop. A watchdog timer expires two minutes later and forces the router to crash and reload. The router continues to be vulnerable to this defect as long as it is running an affected IOS software release and the enable password is known - this means known, guessed or not set by the administrator. An update is available.
Microsoft Win32 operating environment and IE Security risk in Virtual Machine: MS-081, ERS-2000.264
The Microsoft VM is a virtual machine for the Win32 operating environment. It runs atop Microsoft Windows 95, 98, Me, Windows NT 4.0, and Windows 2000, and also ships as part of Microsoft Internet Explorer.
The version of the Microsoft VM that ships with Microsoft Internet Explorer 4.x and Internet Explorer 5.x contains a security vulnerability that could allow a Java applet to operate outside the bounds set by the sandbox. An attacker could write a Java applet that could read arbitrary files from the computer of a person who visited his site or read web content from inside an intranet if the malicious site is visited by a computer from within that intranet. 
Microsoft has published a patch for the VM of the 3000-series included in Internet Explorer 5.x. A patch for the 2000-series (included in Internet Explorer 4.x) will be published soon. Microsoft recommends an update to IE 5.x. 
Linux Mandrake Vulnerabilities in ypbind, ypserv, and gnupg: MDKSA-2000:064, MDKSA-2000:063
A format string parsing bug exists in ypbind 3.3 when it is run in debug mode; under certain circumstances it leaks file descriptors, which can lead to a DoS. In addition, ypbind may suffer from buffer overflows. A problem exists in all versions of GnuPG prior to and including 1.0.3: it may report files which have been signed with multiple keys (one or more of which may be incorrect) to be valid even if one of the signatures is in fact invalid. Updates are available now.
Many Vulnerability in Oracle listener program: ISS-066
The Oracle listener program, releases 7.3.4, 8.0.6, and 8.1.6 on all platforms, accepts remote commands from remote listener controllers. This is protected by a password, but the default Oracle installation does not set a password for the listener program. If a password has not been set, the Oracle listener program can be configured to append log information to a file. Due to a problem with the SET TRC_FILE and SET LOG_FILE commands, these values can be changed to any file name, which allows an attacker to create a new file or corrupt an existing file. The patch that fixes this bug (ID 1361722) should be installed as soon as possible.
HP-UX Vulnerability in df and bdf: HP Security Bulletin #00127, ERS-2000.262, L-011, S-00-46
On HP9000 servers running HP-UX releases 10.XX and 11.XX, bdf(1m) and df(1m) can be misused so that users gain unauthorized privileges. It's recommended to install the patches provided by Hewlett Packard; further information can be found in the advisory.
Sun Microsystems Problems with Browser Certificates: Sun Security Bulletin #00198, CA-2000-19, L-013, S-00-48
Web browsers accept security certificates from trusted sources. A specific certificate from Sun may have received outside exposure. Affected are the serial numbers:
3181 B12D C422 5DAC A340 CF86 2710 ABE6 (Internet Explorer)
17:05:FB:13:A2:2F:9A:F3:C1:30:F5:62:6E:12:50:4C (Netscape) 
Sun Microsystems recommends to follow these guidelines.
Element InstantShop Vulnerability by Price Modification: WinITSec
Element InstantShop is vulnerable to price modification. A malicious user could modify the pricing information before submitting the order form. A demonstration is shown in the advisory.
Microsoft IIS 4.0 and 5.0 Vulnerability by Session ID Cookie Marking: MS-080, WinITSec, ERS-2000.261, L-010
The Internet Information Server supports the use of a Session ID cookie to track the current session identifier for a web session. ASP in IIS does not support the creation of secure Session ID cookies as defined in RFC 2109. As a result, secure and non-secure pages on the same web site use the same Session ID. If a user initiated a session with a secure web page, a Session ID cookie would be generated and sent to the user, protected by SSL. But if the user subsequently visited a non-secure page on the same site, the same Session ID cookie would be exchanged, this time in plaintext. It's recommended to install the patches for IIS 4.0 and 5.0.
Allaire Vulnerabilities in JRun: ASB00-27, ASB00-28, ASB00-29
The JRun HTTP Server 3.0 and 2.3.3 may improperly handle leading path-specifying characters and a deliberately malformed URI will allow browser access to otherwise-forbidden JRun resources. In addition to that, using JRun 2.3.3 it's possible to insert executable code in the form of JSP tags and cause the code to be compiled and executed using JRun's handlers. Patches are available and pointed out in the advisory.
Microsoft IE 5.5, Outlook Express and Outlook Vulnerability by Remote File Reading: WinITSec
As Georgi Guninski reports, a vulnerability could allow an attacker to read local files, arbitrary URLs, and the local directory structure. A demonstration is available at http://www.guninski.com/javacodebase1.html, but not yet a patch.
Microsoft Windows 98 (incl. SE), Me, and 2000 Security hole by HyperTerminal Buffer Overflow: MS-079, L-008, WinITSec, ERS-2000.257
Hilgraeve HyperTerminal is shipped with Microsoft Windows 2000, Windows ME, Windows 98SE, and Windows 98. A buffer overrun has been discovered in the HyperTerminal Telnet module that can allow a malicious user to launch arbitrary commands. This exploit, in theory, could be launched remotely by way of an E-Mail containing the buffer overrun. A demonstration is available as well as patches by Microsoft for Windows 98, Me, and 2000.
OpenLinux Vulnerability in gnupg: CSSA-2000-038
As Caldera reports, there is a bug in the signature verification of GNUpg, the GNU replacement for PGP. Normally, signature verification with gnupg works as expected; gnupg properly detects when digitally signed data has been tampered with. Affected is OpenLinux eDesktop 2.4 only, a patch is available.
Linux Mandrake Vulnerability in Apache: MDKSA-2000:060-1, MDKSA-2000:060-2
The Apache web server comes with a module called mod_rewrite which is used to rewrite URLs presented by the client prior to further processing. There is a flaw in the mod_rewrite logic that allows an attacker to view arbitrary files on the server system if they contain regular expression references. Patches are available now.
Red Hat Linux Vulnerabilities in ping, ypbind, and gnupg: RHSA-2000:087, ERS-2000.255, RHSA-2000:086, L-009, RHSA-2000:089, ERS-2000.256
Several problems in ping were found and fixed: root privileges are now dropped after acquiring a raw socket, an 8 byte overflow of the static buffer "outpack" and an overflow of the static buffer "buf" are prevented, and a non-exploitable root-only segfault is fixed as well. The logging code in ypbind is vulnerable to a printf format string attack that may lead to local root access; if ypbind is not needed, it's recommended to remove it. A problem has been found in GnuPG versions up to and including 1.0.3: due to this problem, GnuPG may report files which have been signed with multiple keys (one or more of which may be incorrect) to be valid even if one of the signatures is invalid. It's recommended to install the patches published by Red Hat:
Red Hat Linux 5.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/ypbind-3.3-10.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/ypbind-3.3-10.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/ypbind-3.3-10.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/ypbind-3.3-10.src.rpm
Red Hat Linux 6.x:
Intel: 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/iputils-20001010-1.6x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/ypbind-1.7-0.6.x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/gnupg-1.0.4-4.6.x.i386.rpm
Alpha: 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/iputils-20001010-1.6x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/ypbind-1.7-0.6.x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/gnupg-1.0.4-4.6.x.alpha.rpm
Sparc: 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/iputils-20001010-1.6x.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/ypbind-1.7-0.6.x.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/gnupg-1.0.4-4.6.x.sparc.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/iputils-20001010-1.6x.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/ypbind-1.7-0.6.x.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/gnupg-1.0.4-4.6.x.src.rpm
Red Hat Linux 7.0:
Intel:
rpm -Fvh ftp://updates.redhat.com/7.0/i386/iputils-20001010-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/i386/gnupg-1.0.4-5.i386.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/iputils-20001010-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/gnupg-1.0.4-5.src.rpm
Turbo Linux Vulnerability in traceroute: TLSA2000023
There is a bug in the traceroute command that can possibly be used by local users to obtain superuser privileges. A patch is available now.
TransSoft DoS in TransSoft Broker FTP Server: WinITSec
TransSoft's Broker FTP Server 3.x and 4.x is vulnerable to a buffer overflow that can allow an attacker to consume all available memory and computing resources. A demonstration is shown in the advisory and TransSoft has published a patch.
Microsoft IIS 4.0 and 5.0 Vulnerability by Web Server Folder Traversal: MS-078, ERS-2000.251, WinITSec, L-007, ASB00-26
Due to a canonicalization error in the Internet Information Server 4.0 and 5.0, a particular type of malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders. This would potentially enable an attacker to gain additional privileges on the machine. Further information can be found in the advisories. Microsoft has published a patch for IIS 4.0 and 5.0.
Wingate Vulnerability by Exposed File-System: WinITSec
The Wingate log file server (version 2.1, 3.0, 4.01, 4.1beta) allows logs to be viewed remotely via HTTP. A vulnerability found in the process can allow an attacker to retrieve files other than the log files. A demonstration is shown in the advisory, a patch is not available yet.
WinU Backdoor Passwords found: WinITSec
Backdoor passwords have been found in all versions of WinU. At the moment there is no workaround or patch available. A demonstration is shown in the advisory.
HP-UX Vulnerabilities in VVOS NSAPI, lpspooler, ftpd, and Praesidium Web Proxy 1.0: HP Security Bulletin #00124, HP Security Bulletin #00125, HP Security Bulletin #00117/3, HP Security Bulletin #00126, ERS-2000.249, ERS-2000.252, ERS-2000.253, ERS-2000.254, L-006
HP9000 Series 7/800 systems running HP-UX 10.24 and 11.04 (VVOS) with VirtualVault are vulnerable to a DoS attack: the NSAPI plugin versions of the TGA and the Java Servlet proxy show high CPU utilization under certain conditions. The lpspool subsystem of HP9000 systems running HP-UX 10.XX and 11.XX has a security hole which allows users to increase their privileges. As reported before, ftpd has a security hole that can be exploited by users to gain root access; HP has published new patches. Apache 1.3.12, included in the HP Praesidium Web Proxy, contains a vulnerability: users can gain unauthorized file access if the proxy is used to serve static web pages that exist on the VirtualVault. How to increase security is described in the advisory. For the other problems, it's recommended to install the patches published by Hewlett Packard:
System       Patch-IDs
HP-UX 10.01  PHCO_22365, PHNE_22058
HP-UX 10.10  PHCO_22411, PHNE_22058
HP-UX 10.20  PHCO_22364, PHNE_22057
HP-UX 10.24  PHSS_22187, PHNE_22059
HP-UX 11.00  PHCO_22365, PHNE_21936
HP-UX 11.04  PHNE_22060
many Linux Vulnerability in tmpwatch: L005
The tmpwatch utility is used in Red Hat and other Linux distributions to remove temporary files. This utility has an option to call the "fuser" program, which verifies whether a file is currently opened by a process. The fuser program is invoked within tmpwatch by calling the system() library subroutine. Insecure handling of the arguments to this subroutine could potentially allow an attacker to execute arbitrary commands as root. Patches are available now (for Red Hat: see RHSA-2000:080).
FreeBSD Vulnerability in LPRng: L004
A vulnerability exists in the syslog(3) calls of LPRng, versions prior to 3.6.24. By exploiting this vulnerability it's possible to gain root access to the system, both locally and remotely. It's recommended to uninstall the software or to install a patch.
Linux Mandrake Vulnerabilities in cfengine and mod_php3: MDKSA-2000:061, MDKSA-2000:062
The GNU cfengine is an abstract programming language for system administrators of large heterogeneous networks, used for maintenance and administration. There are a number of format string vulnerabilities in syslog() calls that can be abused either to make the cfengine program segfault and die or to execute arbitrary commands as the user the cfengine program runs as (usually root). PHP version 3, which ships with Linux-Mandrake, is vulnerable to format string attacks due to logging functions that make improper use of the syslog() and vsnprintf() functions. This renders PHP3-enabled servers vulnerable to compromise by remote attackers. Patches are available now.
Microsoft Windows 2000 and Windows NT 4.0 Vulnerability in NetMeeting: MS-077
A remote Denial-of-Service vulnerability has been discovered in a component of NetMeeting. The DoS can occur when an attacker sends a particular malformed string to a port on which the NetMeeting service is listening while Remote Desktop Sharing is enabled. It's recommended to install the patch provided by Microsoft.
Debian Linux Vulnerabilities in traceroute, curl and curl-ssl, nis, php3, and php4: Debian201013, Debian201013a, Debian201014, Debian201014a, Debian201014b
Traceroute packages before 1.4a5-3 give local users a chance to gain root access by exploiting an argument parsing error. The version of curl distributed with Debian GNU/Linux 2.2 has a bug in the error logging code: when it creates an error message, it fails to check the size of the buffer allocated for storing the message. A remote machine could exploit this by returning an invalid response to a request from curl, overflowing the error buffer and tricking curl into executing arbitrary code. The version of nis distributed in Debian GNU/Linux 2.1 and 2.2 contains a ypbind package with a security problem. In versions of the PHP 3 packages before 3.0.17 and PHP 4 before 4.0.3, several format string bugs could allow properly crafted requests to execute code as the user running PHP scripts on the web server, particularly if error logging was enabled. Patches are available now.
OpenLinux Vulnerability in PHP: CSSA-2000-037
As Caldera reports, there is a format string bug in the logging code of the mod_php3 module. It uses Apache's aplog_error function, passing user-specified input as the format string. This can be exploited by a remote attacker to execute arbitrary shell commands under the HTTP server account (user httpd). A patch is available now.
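The Caldera item above, like the cfengine, LPRng, ypbind, AIX locale and usermode items on this page, describes one defect: untrusted text handed to syslog() or another printf-style function as the format argument. The following C code is an added example, not code from Caldera, Apache or PHP; the sample request strings in it are constructed. It shows the hardened logging call (constant format, data passed as an argument) next to a small detector for printf directives in data that ought to be plain text, which is useful when reviewing request logs or environment values such as LANG. The vulnerable call itself appears only in a comment so the file compiles cleanly.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (comment only):
 *
 *     syslog(LOG_ERR, untrusted);     // the request text *is* the format
 *
 * Every '%' directive in the request is then interpreted by the printf
 * engine: "%x" reads words off the stack, "%n" writes to memory.
 *
 * Hardened pattern: constant format, untrusted text as an argument, so a
 * '%' in the data is copied verbatim.  Same shape as syslog(LOG_ERR, "%s", s).
 */

/* Hardened logging into a buffer.  Returns the length actually stored. */
size_t log_untrusted(char *out, size_t outlen, const char *untrusted)
{
    int r = snprintf(out, outlen, "request: %s", untrusted);
    if (r < 0)
        return 0;
    return (size_t)r < outlen ? (size_t)r : outlen - 1;
}

/* 1 if the logged line ends with the untrusted text unchanged, i.e. no
 * directive inside it was interpreted. */
int percent_preserved(const char *untrusted)
{
    char line[256];
    size_t len = log_untrusted(line, sizeof line, untrusted);
    size_t ulen = strlen(untrusted);
    return len >= ulen && strcmp(line + len - ulen, untrusted) == 0;
}

/* Number of printf conversion directives in s, ignoring the literal "%%".
 * A nonzero count in a user name, request URI or LANG value is a useful
 * detection signal for format string probing. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Number of "%n" directives in s.  Flags, width, precision, a POSIX "m$"
 * argument index or a length modifier may sit between '%' and 'n'.  "%n"
 * is the only conversion that writes to memory, so it is the one to alarm on. */
int count_write_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.$", *q))   /* flags, width, $ */
            q++;
        while (*q && strchr("hlLqjzt", *q))            /* length modifiers */
            q++;
        if (*q == 'n')
            n++;
    }
    return n;
}

int main(void)
{
    const char *probe = "%x%x%x%n";          /* constructed sample request */
    char line[256];
    log_untrusted(line, sizeof line, probe);
    printf("logged: %s\n", line);
    printf("directives=%d writes=%d\n",
           count_format_directives(probe), count_write_directives(probe));
    return 0;
}
```

The detector is deliberately conservative: a single stray "%" in a legitimate value is only a hint, whereas any "%n" in a request or environment string has no honest use and deserves an alert.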
Microsoft Internet Explorer 4.x, 5.x Vulnerability by Cached Web Credentials: MS-076, WinITSec
When a user authenticates to a secured web page via Basic Authentication, IE caches the userid and password that were used, in order to minimize the number of times the user must authenticate to the same site. By design, IE should only send the cached credentials to secured pages on the site. However, it will actually send them to non-secure pages on the site as well. This can be used for exploiting the user's account. A patch has been published by Microsoft. It requires IE 5.01 SP1. IE 5.5 is not affected by this problem.
Microsoft Win32 operating environment and IE Vulnerability in Virtual Machine: MS-075, WinITSec
The Microsoft Virtual Machine (VM) is used in Windows 95, 98, Windows Me, Windows NT 4.0, and Windows 2000. It's part of the Microsoft Internet Explorer.
This VM contains functionality that allows ActiveX controls to be created and manipulated by Java applications or applets. A security hole allows ActiveX controls to be created and used from a web page, or from within an HTML-based E-Mail message, without requiring a signed applet. If a user visited a web site that exploited this vulnerability, a Java applet on one of the web pages could run any desired ActiveX control, even ones that are marked as unsafe for scripting. This would enable a web site operator to take any desired action on the user's machine.
Patches depend on the VM version: for the 2000-series a patch will be published soon; users of the other series should upgrade to build 3318 or later.
SuSE Linux Vulnerability in esound: SUSE111000
SuSE Linux 6.3 and higher are also affected by a race condition in esound, the sound player for the Gnome Desktop. Patches have now been published; they are pointed out in the advisory.
many Linux Data Overflow in Xlockmore: L-001
An implementation flaw in xlock allows global variables in the initialized data section of memory to be overwritten. This opens a security hole where local users can view the contents of xlock's memory, including the shadowed password file, after root privileges have been dropped. Which Linux distributions are affected is pointed out in the advisory. An official xlockmore patch has been released.
Microsoft Windows 98, Me DoS in WebTV for Windows: MS-074, WinITSec
There is a Denial-of-Service vulnerability in WebTV for Windows that may allow an attacker to remotely crash either the WebTV for Windows application and/or the computer system running WebTV for Windows. Microsoft has published patches for Windows 98 and 98SE as well as for Windows Me.
Microsoft Windows 9x, Me DoS caused by Malformed IPX NMPI Packets: MS-073, ERS-2000.244
The Microsoft IPX/SPX protocol implementation (NWLink) includes an NMPI (Name Management Protocol on IPX) listener that will reply to any requesting network address, even to a network broadcast address. Such a reply would in turn cause other IPX NMPI listener programs to also reply. This sequence of broadcast replies could generate a large amount of unnecessary network traffic - which means a Denial-of-Service. Microsoft has published patches for Microsoft Windows 95, Microsoft Windows 98 and 98 Second Edition, and Microsoft Windows Me.
Linux Mandrake Vulnerabilities in modutils, openssh, logrotate/sysklogd, and apache: MDKA-2000:010, MDKSA-2000:057, MDKA-2000:009, MDKSA-2000:060
There was a problem with modutils crashing constantly when used in higher Linux-Mandrake security levels due to a problem with the libsafe library which is used in those higher security levels. A problem exists with openssh's scp program. If a user uses scp to move files from a server that has been compromised, the operation can be used to replace arbitrary files on the user's system. The problem is made more serious by setuid versions of ssh which allow overwriting any file on the local user's system. There is a problem with logrotate because the archives are never removed and can cause the device to fill up. The Apache web server comes with a module called mod_rewrite which is used to rewrite URLs presented by the client prior to further processing. There is a flaw in the mod_rewrite logic that allows an attacker to view arbitrary files on the server system if they contain regular expression references. Patches are available now.
Microsoft Windows 9x, Me Vulnerability caused by Share Level Password: MS-072, ERS-2000.243, WinITSec
Microsoft Windows 9x/Me provides a password protection feature referred to as "share level access" for the File and Print Sharing service. Due to the way the password feature is implemented, a file share could be compromised by an attacker who uses a special client utility, without knowing the entire password required to access that share. Patches are available for Microsoft Windows 98 and 98 Second Edition and Microsoft Windows Me. A patch for Windows 95 will follow.
OpenLinux Vulnerabilities in mod_rewrite and ncurses: CSSA-2000-035, CSSA-2000-036
Caldera reports about a hole in the Apache HTTP server which comes with a module named mod_rewrite. This can be used to rewrite URLs presented by the client before further processing. The processing logic in mod_rewrite contains a flaw that allows attackers to view arbitrary files on the server system. A patch is available now.
Another security hole has been found in ncurses. Due to a buffer overflow, local users may gain more privileges than intended. A patch has been published for this problem as well.
Debian Linux Vulnerability in boa - and NO vulnerability in esound: Debian201008, Debian201009
Debian points out that the vulnerability in esound, which was found in many Linux distributions, does not affect Debian Linux. However, a vulnerability was found in boa: in versions before 0.94.8.3, it is possible to access files outside of the server's document root by the use of properly constructed URL requests. Patches are available now.
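The boa item above and the IIS folder traversal, JRun and Wingate items earlier on this page are all canonicalization failures: the server decides whether a request path is allowed before it has fully decoded and normalized it. The following C code is an added example, not taken from boa, IIS, JRun or Wingate; the encoded request paths in it are constructed for illustration and the 1024-byte limits are assumptions. It contrasts a naive check for a literal ".." in the raw URL with a routine that percent-decodes first, then resolves "." and ".." segment by segment and refuses any path that would climb above the document root.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst.  Fails on a malformed escape, on an encoded
 * NUL (which would silently truncate a C string) and on overflow. */
static int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i]; i++) {
        int ch = src[i];
        if (ch == '%') {
            int hi = hexval(src[i + 1]);
            int lo = hi < 0 ? -1 : hexval(src[i + 2]);
            if (lo < 0 || (hi * 16 + lo) == 0)
                return -1;
            ch = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= dstlen)
            return -1;
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    return 0;
}

/* The bug class: testing the raw request for ".." before decoding it.
 * Returns 1 if the raw path "looks safe". */
int naive_is_safe(const char *raw_path)
{
    return strstr(raw_path, "..") == NULL;
}

/* Hardened: decode, then normalize.  Both '/' and '\\' count as separators,
 * since Windows servers accept either.  Writes the canonical path ("/a/b")
 * to out and returns 0, or returns -1 on traversal, bad escape or overflow. */
int canonicalize_request_path(const char *raw_path, char *out, size_t outlen)
{
    char decoded[1024];
    size_t seg_start[256];          /* offset in out where each segment begins */
    size_t depth = 0, o = 0;

    if (percent_decode(raw_path, decoded, sizeof decoded) != 0)
        return -1;

    for (char *p = decoded; *p; ) {
        while (*p == '/' || *p == '\\') p++;
        if (!*p) break;
        char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.')
            continue;                                   /* "." : no-op */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return -1;                  /* would leave the root */
            o = seg_start[--depth];                     /* pop one segment */
            continue;
        }
        if (depth >= 256 || o + 1 + len + 1 > outlen)
            return -1;
        seg_start[depth++] = o;
        out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    if (o == 0) {
        if (outlen < 2) return -1;
        out[o++] = '/';
    }
    out[o] = '\0';
    return 0;
}

/* Convenience checks: does raw_path canonicalize to expected / get refused? */
int canonical_equals(const char *raw_path, const char *expected)
{
    char out[1024];
    return canonicalize_request_path(raw_path, out, sizeof out) == 0
        && strcmp(out, expected) == 0;
}

int request_rejected(const char *raw_path)
{
    char out[1024];
    return canonicalize_request_path(raw_path, out, sizeof out) != 0;
}

int main(void)
{
    const char *req = "/%2e%2e/%2e%2e/secret.txt";     /* constructed request */
    char out[1024];
    printf("naive check passes: %d\n", naive_is_safe(req));
    printf("canonical check: %s\n",
           canonicalize_request_path(req, out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```

The order of operations is the whole point: the naive check accepts the encoded request because the raw bytes contain no literal "..", while the hardened routine sees the decoded ".." segments and refuses before any file system access happens.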
Many New ISS Summary: ISS
Within the last month, 91 (!) new vulnerabilities were found:
- apache-rewrite-view-files - win2k-simplified-chinese-ime - xinitrc-bypass-xauthority
- slashcode-default-admin-passwords - quotaadvisor-quota-bypass - hinet-ipphone-get-bo
- netscape-ie-password-dos - traceroute-heap-overflow - glibc-unset-symlink
- lpr-checkremote-format-string - netscape-messaging-list-dos - palm-weak-encryption
- mediaplayer-outlook-dos - unixware-scohelp-format - ie-getobject-expose-files
- webplus-example-script - lprng-format-string - openview-nmm-snmp-bo
- alabanza-unauthorized-access - pine-check-mail-bo - ciscosecure-tacacs-dos
- suse-installed-packages-exposed - ciscosecure-csadmin-bo - ciscosecure-ldap-bypass-authentication
- rbs-isp-directory-traversal - wincom-lpd-dos - webplus-reveal-path
- webplus-expose-internal-ip - webplus-reveal-source-code - du-kdebugd-write-access
- glint-symlink - mdaemon-url-dos - browsegate-http-dos
- klogd-format-string - office-dll-execution - cisco-pix-smtp-filtering
- horde-imp-sendmail-command - exchange-store-dos - doublevision-dvtermtype-bo
- sambar-search-view-folder - camshot-password-bo - websphere-header-dos
- win2k-telnet-ntlm-authentication - http-cgi-multihtml - hp-openview-nnm-scripts
- freebsd-eject-port - webtv-udp-dos - imp-attach-file
- fastream-ftp-dos - fur-get-dos - 602prolan-telnet-dos
- 602prolan-smtp-dos - as400-firewall-dos - eftp-bo
- eftp-newline-dos - sco-help-view-files - win2k-rpc-dos
- mailform-attach-file - linux-mod-perl - pam-authentication-bo
- siteminder-bypass-authentication - mailto-piped-address - winsmtp-helo-bo
- yabb-file-access - linux-tmpwatch-fork-dos - muh-log-dos
- documentdirect-username-bo - documentdirect-get-bo - documentdirect-user-agent-bo
- interbase-query-dos - suse-apache-cgi-source-code - phpphoto-dir-traverse
- apache-webdav-directory-listings - eudora-path-disclosure - phpphotoalbum-getalbum-directory-traversal
- lpplus-permissions-dos - lpplus-process-perms-dos - lpplus-dccscan-file-read
- xmail-long-apop-bo - xmail-long-user-bo - w2k-still-image-service
- irc-trinity - wftpd-long-string-dos - wftpd-path-disclosure
- iis-invald-url-dos - screen-format-string - ntmail-incomplete-http-requests
- wavelink-authentication - php-file-upload - unix-locale-format-string
- aix-clear-netstat
Many Widespread incidents of SubSeven DEFCON8 2.1 Backdoor: ISS-065
ISS has discovered over 800 computers infected with the SubSeven DEFCON8 2.1 backdoor. This backdoor is an updated version of SubSeven. It has been distributed on Usenet newsgroups with file names such as "SexxxyMovie.mpeg.exe". It seems that this tool is used to test new Distributed Denial-of-Service methods and strategies. Infected parties can identify this version of the SubSeven backdoor by verifying that TCP port 16959 is listening and that a connection to that port responds with "PWD". The SubSeven 2.1 client can be used to connect to the infected machine using the password "acidphreak". To remove the server, go to the Connection menu, select Server options, and click the Remove server button.
Further information can be found in the advisory.
FreeBSD Vulnerability caused by weak initial sequence numbers: HERT#03, FreeBSD, ERS-2000.238, L-003, S-00-45
TCP network connections use an initial sequence number as part of the connection handshaking. According to the TCP protocol, an acknowledgement packet from a remote host with the correct sequence number is trusted to come from the remote system with which an incoming connection is being established, and the connection is established. 
Systems derived from 4.4BSD-Lite2, including FreeBSD, include code which attempts to introduce an element of unpredictability into the initial sequence numbers to prevent sequence number guessing by a remote attacker. The pseudo-random number generator used is a simple linear congruential generator, and based on observations of a few initial sequence values from legitimate connections with a server, an attacker can guess with high probability the value which will be used for the next connection.
Workarounds and Patches are discussed in the advisory.
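The advisory's point is that a linear congruential generator is fully determined by its last output, so an ISN taken from one carries no entropy beyond the seed. The following C program is an added example, not FreeBSD code: LCG_A and LCG_C are assumed textbook constants standing in for whatever 4.4BSD-Lite2 used, the modulus is 2^32 through unsigned wraparound, and the seed is constructed. It shows that one observed ISN suffices to compute the next one exactly, and provides a small audit check that tells an LCG-produced ISN sequence apart from one that is not.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants, not the BSD values; the structure is what matters. */
#define LCG_A 1103515245u
#define LCG_C 12345u

/* One generator step: the next value is a fixed function of the previous one. */
static uint32_t lcg_next(uint32_t state)
{
    return LCG_A * state + LCG_C;           /* mod 2^32 by wraparound */
}

/* Server side: hand out an ISN; the last ISN is the whole state. */
uint32_t isn_generate(uint32_t *state)
{
    *state = lcg_next(*state);
    return *state;
}

/* Fill out[] with n consecutive ISNs, as n successive connections would see. */
void isn_fill(uint32_t seed, uint32_t *out, size_t n)
{
    uint32_t state = seed;
    for (size_t i = 0; i < n; i++)
        out[i] = isn_generate(&state);
}

/* Observer side: knowing the algorithm and one legitimately observed ISN is
 * enough to compute the ISN the server will use for the next connection. */
uint32_t isn_predict_from(uint32_t observed_isn)
{
    return lcg_next(observed_isn);
}

/* Audit helper: count consecutive pairs with isns[i+1] == lcg_next(isns[i]).
 * n-1 hits means the sampled sequence comes from this LCG; a properly seeded
 * random source yields (almost certainly) 0. */
size_t isn_lcg_matches(const uint32_t *isns, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (isns[i + 1] == lcg_next(isns[i]))
            hits++;
    return hits;
}

/* 1 if, for a run of n ISNs from seed, the prediction made from the (n-1)th
 * equals the nth and every step matches the LCG pattern. */
int isn_prediction_holds(uint32_t seed, size_t n)
{
    uint32_t seq[16];
    if (n < 2 || n > 16)
        return 0;
    isn_fill(seed, seq, n);
    return isn_predict_from(seq[n - 2]) == seq[n - 1]
        && isn_lcg_matches(seq, n) == n - 1;
}

/* Constructed non-LCG sample for contrast. */
static const uint32_t NON_LCG_SAMPLE[4] = { 1u, 2u, 3u, 4u };

int main(void)
{
    uint32_t seq[5];
    isn_fill(0x2a2a2a2au, seq, 5);          /* constructed seed */
    for (size_t i = 0; i < 5; i++)
        printf("connection %zu: ISN %08x\n", i, seq[i]);
    printf("predicted ISN for connection 5: %08x\n", isn_predict_from(seq[4]));
    printf("LCG matches: %zu of 4 (random sample: %zu of 3)\n",
           isn_lcg_matches(seq, 5), isn_lcg_matches(NON_LCG_SAMPLE, 4));
    return 0;
}
```

The audit helper only works against a generator whose constants you know, which is exactly the attacker's position here: the algorithm ships in the source, so secrecy of the seed is all that remains, and the seed leaks with the first observed connection.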
Microsoft IE 5.5 and Outlook Express Security Problems with ActiveX: WinITSec
As Georgi Guninski reports, a problem with the com.ms.activeX.ActiveXComponent Java object can cause Internet Explorer 5.5 and Outlook Express to execute arbitrary programs. It's important to understand that Outlook Express with the "security update" can also be exploited, although with more difficulty. A demonstration of the problem is available (1, 2). Microsoft seems to be working on a patch.
Red Hat Linux Vulnerabilities in esound, traceroute, tmpwatch, usermode, and gnorpm: RHSA-2000:077, RHSA-2000:078, RHSA-2000:080, ERS-2000.239, ERS-2000.240, ERS-2000.241, RHSA-2000:075, ERS-2000.242, RHSA-2000:072, ERS-2000.245
Esound, the Gnome sound server, contains a race condition that an attacker may exploit to change the permissions of any file owned by the esound user. A root exploit and several additional bugs in traceroute have been corrected. Tmpwatch as shipped in Red Hat Linux uses fork() to recursively process subdirectories, enabling a local user to perform a Denial-of-Service attack; it also contains an option that opens a local root exploit. If usermode supports internationalized text messages, an attacker can use the LANG or LC_ALL environment variables to create a format string exploit in these programs. While fixing other problems with the gnorpm package, a locally exploitable security hole was found where a normal user could trick root running GnoRPM into writing to arbitrary files, due to a bug in gnorpm's tmp file handling. It's recommended to install the patches:
Red Hat Linux 5.x:
Intel: 
rpm -Fvh ftp://updates.redhat.com/5.2/i386/traceroute-1.4a5-24.5x.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/traceroute-1.4a5-24.5x.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/traceroute-1.4a5-24.5x.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/traceroute-1.4a5-24.5x.src.rpm
Red Hat Linux 6.x: 
Intel: 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/esound-0.2.20-0.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/esound-devel-0.2.20-0.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/traceroute-1.4a5-24.6x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/usermode-1.36-2.6.x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/SysVinit-2.78-5.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/gnorpm-0.95.1-2.62.i386.rpm
Alpha: 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/esound-0.2.20-0.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/esound-devel-0.2.20-0.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/traceroute-1.4a5-24.6x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/usermode-1.36-2.6.x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/SysVinit-2.78-5.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/gnorpm-0.95.1-2.62.alpha.rpm
Sparc: 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/esound-0.2.20-0.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/esound-devel-0.2.20-0.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/traceroute-1.4a5-24.6x.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/usermode-1.36-2.6.x.sparc.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/SysVinit-2.78-5.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/gnorpm-0.95.1-2.62.sparc.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/esound-0.2.20-0.src.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/traceroute-1.4a5-24.6x.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/usermode-1.36-2.6.x.src.rpm 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/SysVinit-2.78-5.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/gnorpm-0.95.1-2.62.src.rpm
Red Hat Linux 7.0:
Intel:
rpm -Fvh ftp://updates.redhat.com/7.0/i386/esound-0.2.20-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/i386/esound-devel-0.2.20-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/i386/usermode-1.36-3.i386.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/i386/gnorpm-0.95.1-3.i386.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/esound-0.2.20-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/usermode-1.36-3.src.rpm
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/gnorpm-0.95.1-3.src.rpm
Linux Mandrake Vulnerability in tmpwatch: MDKSA-2000:056
Some versions of tmpwatch contain local Denial-of-Service and root exploits. This is due to the use of the fork() call to recursively process subdirectories, which allows a local user to perform a Denial-of-Service attack. Updated packages are available now.
Microsoft IIS 5.0 with Index Server exposes File System: WinITSec
Microsoft Internet Information Server 5.0 with Microsoft Index Server installed has been found to be vulnerable to an exploit that leaks unauthorized directory listings. A demonstration can be found in the advisory; Microsoft has released a knowledge base article about it.
SmartWin Multiple vulnerabilities in CyberOffice Shopping Cart: WinITSec
Some vulnerabilities were found in CyberOffice v2 running on Windows NT Server. The first vulnerability makes it possible for an attacker to modify the hidden unit price field in the HTML source and then submit the form. A second vulnerability exposes sensitive customer information, including credit card data. In its default configuration, customer order information, including credit card information, is left unprotected and unencrypted. The information is stored in a Microsoft Access database located in an unprotected directory, /_private/.
SmartWin has made some recommendations on fixing these problems.
Microsoft Word 97 and 2000 Vulnerability by Word Mail Merge: MS-071, ERS-2000.237
If an Access database is specified as a data source via DDE in a Word mail merge document, macro code can run without the user's approval when the user opens that document. This may happen if a user opens a document "unknowingly", e.g. as an e-mail attachment or via a link on a web server. Microsoft has published patches for Microsoft Word 2000. A patch for Word 97 will be published soon.
HP UX Vulnerability in net.init: HP Security Bulletin #00123, ERS-2000.236
HP9000 Servers running HP-UX release 11.0X have the problem that /sbin/init.d/net.init uses files in /tmp, allowing local users to overwrite any file. It's recommended to install a patch:
HP-UX 11.00 PHNE_21767
HP-UX 11.04 PHNE_21155
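The esound, gnorpm and net.init entries above are all the same class of bug: a privileged program creates a work file under a predictable name in a directory other users can write to, and a local user who plants a symlink at that name first gets the privileged write redirected to a file of their choosing. The following is an added example (not code from any of the affected packages or vendors) that puts the vulnerable open() call beside the hardened one and reproduces the effect inside a private scratch directory; the function names create_predictable, create_exclusive and run_symlink_demo, and the directory and file names, are all constructed for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE pattern: a fixed, predictable name in a shared directory is
 * created without O_EXCL.  If another local user has already planted a
 * symlink at that name, open() follows it and the data is written to
 * whatever file the link points at. */
int create_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* HARDENED: O_EXCL makes open() fail if anything already exists at that
 * name (a symlink counts, even a dangling one), O_NOFOLLOW refuses to
 * traverse a symlink, and mode 0600 keeps the file private.  mkstemp()
 * does the same with a random name and is the usual choice. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-contained reproduction in a private scratch directory.  Returns a
 * bitmask: bit 0 set if the predictable open wrote through the planted
 * link into the victim file, bit 1 set if the exclusive open refused.
 * The expected value on a working system is 3; -1 means setup failed. */
int run_symlink_demo(void)
{
    char dir[PATH_MAX] = "/tmp/tmprace.XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./tmprace.XXXXXX");      /* fall back to the cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char victim[PATH_MAX], link[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(link, sizeof link, "%s/work.tmp", dir);   /* the predictable name */

    /* a file the program was never meant to touch, with known content */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original\n", 9) != 9)
        return -1;
    close(fd);

    /* the pre-planted link (constructed here purely for the demonstration) */
    if (symlink(victim, link) != 0)
        return -1;

    int result = 0;

    fd = create_predictable(link);
    if (fd >= 0) {
        if (write(fd, "clobbered\n", 10) != 10) { close(fd); return -1; }
        close(fd);
    }
    char buf[32] = {0};
    fd = open(victim, O_RDONLY);
    if (fd >= 0) {
        ssize_t got = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (got > 0 && strcmp(buf, "clobbered\n") == 0)
            result |= 1;               /* the write went through the link */
    }

    fd = create_exclusive(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;                   /* hardened open refused the link */
    else if (fd >= 0)
        close(fd);

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_demo();
    printf("predictable open clobbered victim: %s\n", (r & 1) ? "yes" : "no");
    printf("exclusive open refused the link:   %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The demonstration creates its scratch directory with mkdtemp() (mode 0700), so it does not depend on /tmp being sticky and is not affected by the kernel's protected-symlinks setting; in a real world-writable /tmp the same create_predictable() call is exactly the behaviour the advisories describe. Note that O_EXCL only helps on the create; programs that later reopen the file by name must keep using the descriptor instead.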
OpenBSD Vulnerability in libutil pw_error: OpenBSD, ERS-2000.233
A format string vulnerability present in the pw_error() function of OpenBSD 2.7's libutil library can give local users root access through the setuid /usr/bin/chpass utility. This vulnerability only affects OpenBSD users with a system dated before July 1st. Patches are available now.
Many Unix Vulnerability in GNU Groff: ISS-063
Troff is a document processor that ships with most Unix systems. Among other functions, it formats system manual pages into human-readable form. The GNU Groff package includes "troff", the main processing program, and "groff", a front-end for troff. Troff supports a set of potentially dangerous macros. Its configuration is read from a "troffrc" initialization file in the current working directory, so unsuspecting users (including root) could be tricked into running arbitrary commands on the system. It's recommended not to run "groff", "troff", or even the "man" command from untrusted directories.
Red Hat Linux Vulnerabilities in lpr and LPRng: RHSA-2000:065, RHSA-2000:066, ERS-2000.234, ERS-2000.235
Lpr has a format string security bug. It also mishandles any extension to the lpd communication protocol and assumes that the instructions contained in the extension are a file it should try to print. It also has a race condition in the handling of queue interactions. In Red Hat Linux 7.0, LPRng is affected. It's recommended to install the corresponding patches:
Red Hat Linux 5.2: 
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.5.x.i386.rpm
Alpha: 
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.5.x.alpha.rpm 
Sparc: 
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.5.x.sparc.rpm 
Sources: 
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.50-7.5.x.src.rpm 
Red Hat Linux 6.x: 
Intel: 
rpm -Fvh ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.6.x.i386.rpm 
Alpha: 
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.6.x.alpha.rpm 
Sparc: 
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.6.x.sparc.rpm
Sources: 
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/lpr-0.50-7.6.x.src.rpm
Red Hat Linux 7.0:
Intel:
rpm -Fvh ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/7.0/SRPMS/LPRng-3.6.24-2.src.rpm
Microsoft Windows NT 4.0 and 2000 Multiple vulnerabilities in LPC and LPC Ports found: MS-070, ERS-2000.232, WinITSec
Several vulnerabilities have been identified in the Windows NT 4.0 and Windows 2000 implementations of LPC (Local Procedure Calls) and LPC ports, their communication channels.
By sending an invalid LPC request, it's possible to make an affected NT 4.0 system fail. By sending many LPC requests, it could be possible to increase the number of queued LPC messages to the point where kernel memory would be depleted. Any process that knows the identifier of an LPC message can access it, and the identifiers can be predicted. In the simplest case, an attacker could access other processes' LPC ports and feed them random data as a denial-of-service attack. In the worst case, it could be possible to send bogus requests to a privileged process in order to gain additional local privileges. A new variant of the previously reported "Spoofed LPC Port Request" vulnerability has also been found. Because LPC can only be used on the local machine, Microsoft states that none of these vulnerabilities could be exploited remotely, only by a user logged in interactively.
Microsoft has published patches for Microsoft Windows NT 4.0 Workstation, Server, and Server, Enterprise Edition, and for Microsoft Windows 2000 Professional, Server, Advanced Server, and Datacenter Server. A patch for NT 4.0 Terminal Server will be published soon.
Linux Mandrake Vulnerabilities in xinitrc, traceroute and lpr: MDKSA-2000:052, MDKSA-2000:053, MDKSA-2000:054
A problem was found in the /etc/X11/Xsession file, which disables the Xauthority mechanism on the local host, so anyone logged into the local host can connect to any X server running on it. This is only a problem on systems that allow remote logins. There is a bug in the traceroute program which causes segmentation faults and could be exploited to gain root privileges because the traceroute command is suid root. A format string bug was found in lpr's calls to the syslog facility. Patches are available now.
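The usermode (LANG/LC_ALL), OpenBSD pw_error(), Red Hat lpr and Mandrake lpr/syslog entries above are all format string bugs of the same shape: text that came from the network or the environment ends up as the format argument of a printf-family or syslog call. The following is an added example (not code from any of those packages) showing the vulnerable call beside the fixed one, plus a small audit helper that counts the '%' directives in untrusted text. The wrapper log_fmt, the renderers render_unsafe and render_safe, count_format_directives and the sample input are all constructed for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A small logging wrapper of the kind many daemons put in front of
 * syslog()/vsyslog().  Because it carries no __attribute__((format)),
 * the compiler cannot warn when a caller hands it a non-literal format,
 * which is how this class of bug survives review. */
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

static char line[128];   /* shared output buffer for the two renderers */

/* VULNERABLE: the untrusted text itself becomes the format string, so
 * every '%' directive in it is interpreted by vsnprintf(). */
const char *render_unsafe(const char *untrusted)
{
    log_fmt(line, sizeof line, untrusted);
    return line;
}

/* FIXED: the format is a constant and the untrusted text is only ever
 * the argument of "%s", so its '%' characters are copied literally. */
const char *render_safe(const char *untrusted)
{
    log_fmt(line, sizeof line, "%s", untrusted);
    return line;
}

/* Audit helper: count conversion directives ('%' not escaped as "%%").
 * A non-zero count in a string that is about to become a format argument
 * is exactly the condition a code reviewer or input filter should flag. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed sample: a job name containing an escaped percent sign;
     * the unsafe path silently rewrites it, the safe path keeps it intact */
    const char *job = "print job for 100%% of queue";
    printf("unsafe: %s\n", render_unsafe(job));
    printf("safe:   %s\n", render_safe(job));
    const char *hostile = "user %s at %x";
    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    return 0;
}
```

The sample input deliberately contains only "%%", which is the one directive whose effect is defined without matching arguments; anything else in render_unsafe() is undefined behaviour, which is the whole problem. The defensive rule the fixed version follows is simple to audit with the helper above: every printf-family, syslog() or err()/warn() call should have a string literal in the format position, and wrapper functions should declare __attribute__((format(printf, ...))) so the compiler enforces it.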
OpenLinux Vulnerability caused by traceroute: CSSA-2000-034
As Caldera reports, a special feature of the traceroute command was found that local users may be able to abuse to obtain superuser privileges. Updated packages are available now.
Microsoft Windows 2000 Vulnerability in Simplified Chinese IME State Recognition: MS-069, ERS-2000.231
Input Method Editors (IMEs) enable character-based languages such as Chinese to be entered via a standard 101-key keyboard. When an IME is installed as part of the system setup, it is available by default as part of the logon screen. In such a case, the IME should recognize that it is running in the context of LocalSystem and not in the context of a user. The IME for Simplified Chinese does not correctly recognize the machine state and exposes inappropriate functions as part of the logon screen. As a result, an attacker may gain LocalSystem privilege even without logging onto the machine. Microsoft has published a patch for the Simplified Chinese version as well as for the English version.


© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-11-02, 09:00 +0100