News October 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


Netscape Communicator Problems with JavaScript
Another hole has been found in Communicator and Navigator using malicious JavaScript. Using specially crafted code, the cache (visited sites and form entries) and a local directory can be read remotely and, for example, sent by e-mail to another server. This vulnerability may also be exploited by sending mail to a user who uses an insecure mail client.
JavaScript should be disabled (even if that is not possible in every version); otherwise the cache or a local directory may be read (the links lead to demos on the Internet).
HP-UX Vulnerability with SharedX: HP Security Bulletin #00086, J-015, ERS-131, ESB-98.168
HP SharedX Receiver Service (recserv) provides a method for a receiver to allow the sharing of windows without explicitly performing any xhost commands. The Internet daemon, inetd, executes recserv when it receives a service request at the port listed in the services database. Certain messages to that port can cause recserv to enter a tight processing loop. For HP-UX revisions prior to 10.01, update to 10.X or 11.X and install the applicable patch.
HP-UX 10.01 HP9000 Series 7/800 PHSS_16646
HP-UX 10.10 HP9000 Series 7/800 PHSS_16647
HP-UX 10.20 HP9000 Series 7/800 PHSS_16648
HP-UX 11.00 HP9000 Series 7/800 PHSS_16649
AIX 4.3.x Vulnerability in automountd: ERS-004i, J-014, S-98-71, ESB-98.167
The automountd daemon processes requests from the local AutoFS filesystem kernel extension. It uses local files or name service maps to locate file systems to be mounted. Because the daemon does not verify that requests actually come from the kernel extension, local non-root users and remote users can request automountd services. As a result, local and remote users can cause arbitrary commands to run as root.
To determine whether the daemon is active on your system, run the following command:
# lssrc -s automountd
To disable the daemon until the fix can be applied, run as root:
# stopsrc -s automountd
IBM is working on fixes. Until then a temporary fix is available; how to install it is described in the advisory.
IRIX, Unicos: Silicon Graphics statement on the mountd problems mentioned in CA-98.12: SGI-19981006, ERS-130, ESB-98.166
Silicon Graphics Inc. has investigated the issue and finds that all versions of IRIX, Unicos and Unicos/mk are not vulnerable to this issue; no further action is required.
Windows NT 4.0 Microsoft Windows NT Service Pack 4 available (US-version):
Microsoft Windows NT Service Pack 4 collects the latest fixes for Windows NT Server 4.0 and Windows NT Workstation 4.0. In addition, Service Pack 4 includes the latest Year 2000 updates and support for the Euro currency. SP 4 also contains a number of new components, which add functionality to the Windows NT platform.
Before installing Service Pack 4 a backup should be made, because the installation may cause some problems (reported e.g. here).
Microsoft IE 4 "Dotless IP Address" Issue in Microsoft Internet Explorer: MS-98-016, ESB-98.165
The "Dotless IP Address" issue involves a vulnerability in Internet Explorer that could allow a malicious person to circumvent certain Internet Explorer security safeguards. This vulnerability makes it possible for a malicious web site operator to misrepresent the URL of an Internet web site and make it appear as if the machine is in the user's "Local Intranet Zone". Internet Explorer has the ability to set security settings differently between different zones. By exploiting this vulnerability, a malicious site could potentially perform actions that had been disabled in the Internet Zone or Restricted Sites Zone, but which are permitted in the local Intranet Zone.
The nature of this vulnerability lies in the way that Internet Explorer evaluates URLs. Internet Explorer interprets a 32-bit number in the host identifier portion of the URL (e.g. http://3247778079) as a valid host name, while the IP stack resolves this address to its equivalent dotted IP format (http://193.149.41.131 or http://www.leu.de in this example). Internet Explorer incorrectly considers this machine to be in the Local Intranet Zone rather than in the Internet Zone. It therefore applies the security settings for the Local Intranet Zone rather than those for the Internet Zone. Depending on the settings in the user's Local Intranet Zone, this could allow the web site to take actions that it ordinarily could not take.
It's recommended to install the patch issued by Microsoft.
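The zone mix-up above is a host-normalisation problem: the zone rule is applied to the raw host string, so a bare 32-bit number has no dot and looks "local". The following is an added example (not Microsoft's code) that converts between dotless and dotted form and applies a simple "no dot means intranet" rule once to the raw host and once to the canonical host; the decimal value is derived from the dotted address 193.149.41.131 quoted in the text, and the intranet prefixes are an assumption for the demo.

```python
import re
from urllib.parse import urlsplit

# Assumed local address ranges for this demo only.
INTRANET_PREFIXES = ("10.", "192.168.")


def dotless_to_dotted(host: str):
    """Dotted-quad form of a bare 32-bit decimal host, or None if not one."""
    if not re.fullmatch(r"\d{1,10}", host):
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_dotless(host: str) -> int:
    """Inverse conversion: dotted quad to the single 32-bit integer."""
    octets = [int(o) for o in host.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {host!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def canonical_host(url: str) -> str:
    """Host part of url with a dotless address rewritten to dotted form."""
    host = urlsplit(url).hostname or ""
    return dotless_to_dotted(host) or host


def _zone_rule(host: str) -> str:
    # The naive rule: a host without a dot is treated as local.
    if "." not in host or host.startswith(INTRANET_PREFIXES):
        return "Local Intranet Zone"
    return "Internet Zone"


def flawed_zone_for(url: str) -> str:
    """Applies the rule to the raw host: a dotless address passes as local."""
    return _zone_rule(urlsplit(url).hostname or "")


def zone_for(url: str) -> str:
    """Applies the same rule after normalisation: dotless hosts are Internet."""
    return _zone_rule(canonical_host(url))
```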
IRIX 6.2 - 6.5 Vulnerability in autofsd: RSI.0010, SGI-19981005, ERS-128, J-013, ESB-98.164
Autofs is an RPC server which answers file system mount and umount requests from the autofs file system. It uses local files or name service maps to locate file systems to be mounted.
Upon receiving a map argument from a client, the server checks whether the map is executable. If autofsd determines that the map has the executable flag set, the server appends the client's key to it and attempts to execute it.
By sending a map name that is executable on the server, and a key beginning with a semicolon or a newline followed by a command, unprivileged users can execute arbitrary commands as the superuser.
It's recommended to disable autofsd or to use automount until patches are available.
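The autofsd flaw above is an injection into a command built from the client's key. As an added illustration (constructed for this page, not IRIX autofsd source), the map lookup below does what the text describes, running an executable map with the key appended, but validates the key against a plain-token pattern first and passes it as a separate argv element rather than through a shell; the map file format and the safe-key pattern are assumptions.

```python
import os
import re
import subprocess

# Assumed: a map key is a plain mount-point name (letters, digits, '.', '_', '-').
SAFE_KEY = re.compile(r"[A-Za-z0-9._-]+")


def validate_key(key: str) -> bool:
    """True only for keys that cannot change the command that will be run."""
    return bool(SAFE_KEY.fullmatch(key))


def lookup_file_map(lines, key: str):
    """Non-executable map: 'key location' lines; return the location or None."""
    for line in lines:
        fields = line.split()
        if fields and fields[0] == key:
            return fields[-1]
    return None


def _is_executable(path: str) -> bool:
    return os.path.isfile(path) and os.access(path, os.X_OK)


def lookup_map(map_path: str, key: str, runner=subprocess.run,
               executable=_is_executable):
    """Resolve key in map_path.

    An executable map is run as argv [map_path, key]: no shell is involved,
    so a key containing ';' or a newline could not split the command even if
    it got past validation. A non-executable map is read as a text file.
    """
    if not validate_key(key):
        raise ValueError(f"rejected map key {key!r}")
    if executable(map_path):
        proc = runner([map_path, key], capture_output=True, text=True, check=False)
        return proc.stdout.strip() or None
    with open(map_path) as fh:
        return lookup_file_map(fh, key)
```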
Sun Internet Mail Server IMAP Security risk: SUN Security Bulletin #00177, ERS-127, ESB-98.163
Sun Internet Mail Server (SIMS) provides support for IMAP, POP and mailtool clients. The IMAP server shipped with certain versions of SIMS is vulnerable to the buffer overflows referenced in CERT Advisory CA-98.09. Affected versions of SIMS are 3.2, 3.2_x86, 3.1, 3.1_x86, 2.0 and 2.0_x86. It's recommended to install one of the following patches, available from Sun Microsystems' server:
SIMS 3.2 Patch-ID 105935-09
SIMS 3.2_x86 Patch-ID 105936-09
SIMS 2.0 Patch-ID 105346-07
SIMS 2.0_x86 Patch-ID 105347-07
Note: Sun recommends that sites using SIMS 3.1 or 3.1_x86 upgrade to 3.2 or 3.2_x86 and apply the corresponding patches referenced above.
IRIX 3.x - 6.4 Vulnerability in routed: SGI-19981004, ERS-126, J-012, ESB-98.162
The routed(1M) daemon is used to manage network routing tables and is installed by default on IRIX. A vulnerability has been discovered in routed(1M) which allows a malicious user to append debug and tracing information to arbitrary files on the system. There are no workarounds for this routed(1M) vulnerability. The routed(1M) daemon must be disabled or patches installed.
Microsoft IE 4.01 Untrusted Scripted Paste in Internet Explorer: MS-98-015, VB-98.12, ERS-125, J-011, ESB-98.161
A vulnerability was found in Internet Explorer that could allow a malicious person to circumvent certain Internet Explorer security safeguards. It makes it possible for a malicious Web site operator to read the contents of a file on the user's computer if the attacker knows the exact name and path of the targeted file. Because installations use default paths, it's often quite easy to guess the name and location of a file.
The nature of this problem is that a script is able to use the Document.ExecCommand function to paste a filename into the file upload intrinsic control, which should only be possible by explicit user action.
Cuartango has published further information about this hole; whether your IE is vulnerable can be tested here.
It's strongly recommended to install a patch of Internet Explorer 4.01 or at least to disable Active Scripting. How to do this is pointed out in the advisory.
IRIX 5.x - 6.5 Vulnerability in Xaw library: VB-98.04, SGI-19981003, J-010, ESB-98.160, S-98-70, ERS-124
As reported by the Open Group via CERT, an exploitable buffer overflow vulnerability in Xaw library can lead to a root compromise. A local user account on the vulnerable system is required in order to exploit this vulnerability. The Xaw Text widget must be used in a setuid root program in order to be vulnerable. It's recommended to remove the setuid permissions of the Xaw Text widget or to install a patch, released by Silicon Graphics.
IRIX 3.x - 6.5.1 Vulnerability in xterm: VB-98.04, SGI-19981002, J-010, ESB-98.159, S-98-69, ERS-123
As reported by the Open Group via CERT, an exploitable buffer overflow vulnerability can lead to a root compromise. A local user account on the vulnerable system is required in order to exploit the xterm(1) program. It's recommended to remove the setuid permissions of the xterm(1) program or to install a patch released by Silicon Graphics.
Cisco IOS Command History Release at Login Prompt: Cisco, VB-98.11, J-009, ERS-122, ESB-98.156, S-98-68
An error in Cisco IOS software makes it possible for untrusted, unauthenticated users who can gain access to the login prompt of a router or other Cisco IOS device, via any means, to obtain fragments of text entered by prior interactive users of the device. This text may contain sensitive information, possibly including passwords. This vulnerability exposes only text entered at prompts issued by the IOS device itself; the contents of data packets forwarded by IOS devices are not exposed, nor are data entered as part of outgoing interactive connections, such as TELNET connections, from the IOS device to other network nodes.
Which versions and devices are affected, as well as a workaround and patches, is described in the advisory.
FreeBSD 2.2.x Denial-of-Service by TCP RST packets: BSD-SA-98.07, J-008, ERS-121, ESB-98.158, S-98-67
TCP/IP connections are controlled through a series of packets that are received by the two computers involved in the connection. Old, stale connections or unexpected packets are reset with a packet having the RST flag set. RST packets carry a sequence number that must be valid according to certain rules in the standards. Using a flaw in the interpretation of sequence numbers in the RST packet, malicious users can terminate connections of other users at will. This attack has most often been reported as being used against people connected to IRC servers.
FreeBSD has published a patch (tcp_input.c); a workaround is not possible.
SCO UNIX Vulnerability in mscreen: SCO-98.05, VB-98.10, ERS-120, ESB-98.153, ESB-98.155, S-98-66
Security vulnerabilities have been discovered in the SCO "mscreen" serial multiscreens utility. One vulnerability could allow local users to gain root privileges.
The following systems are affected:
- SCO Open Desktop/Open Server 3.0 (all, also SCO UNIX 3.2v4)
- SCO OpenServer 5.0 (all, also SCO Internet FastStart)
- SCO CMW+ 3.0
For SCO OpenServer 5 and SCO Open Desktop/Open Server 3, SCO is providing information and an interim patch to address this issue in the form of a System Security Enhancement (SSE) package.
Further information can be found in the advisory.
Many Unix systems, mainly Linux: Vulnerability in NFS mountd (rpc.mountd): CA-98.12, J-006, ERS-119, ESB-98.154, S-98-65
NFS is a distributed file system in which clients make use of file systems provided by servers. When a client makes a request to use a file system and subsequently makes that file system available as a local resource, the client is said to "mount" the file system. The vulnerability lies in the software on the NFS server that handles requests to mount file systems.
Intruders are able to gain administrative access to the vulnerable NFS file server after causing a buffer overflow in mountd. This vulnerability can be exploited remotely and does not require an account on the target machine.
It's recommended to install a patch or, if the vendor has not published one yet, to apply the workaround described in the advisory.
HP-UX 9.x, 10.x, 11.00 and more Vulnerability with HP OpenView Omniback II: HP Security Bulletin #00085, J-007, ERS-118, ESB-98.157, S-98-64
The HP OpenView OmniBack II (OB) has defects that allow users to gain additional privileges. A user can increase privileges or gain invalid access to files on an HP OpenView OmniBack II client host. The OB program runs native on HP-UX yet also executes on other platforms as noted below.
OB provides Server support of HP9000 Series 700/800 with HP-UX and PC with Windows NT. OB provides client support of HP9000 Series 700/800 running HP-UX, SunSparc running Solaris, SunSparc running SunOS, RS/6000 running AIX, Novell, PCs running Windows 95, PCs running NT, SNI running Sinix, SGI IRIX (only EFS and XFS filesystems) and Digital Unix.
The following versions of OB are affected on all supported platforms: OB 2.10 / OB 2.30 / OB 2.55. OmniBack II 2.50 has been replaced by 2.55. The following patches should be installed on the system:
OBII 2.55 on HP-UX release 10.X with UNIX clients: PHSS_16473
OBII 2.55 on HP-UX release 11.X with UNIX clients: PHSS_16474
OBII 2.55 on HP-UX release 10.X with Windows clients: PHSS_16533
OBII 2.55 on HP-UX release 11.X with Windows clients: PHSS_16534
OBII 2.10 on HP-UX release 9.X: *PHSS_16477
OBII 2.10 on HP-UX release 10.X: *PHSS_16478
OBII 2.30 on Windows NT: OMNIBACK_00004
* Note patch dependencies PHSS_12864 and PSS_12865 for releases HP-UX 9.X and 10.X, respectively.
The patches contain all binaries for all client platforms.
One more vulnerability has been found: OmniBack allows execution of pre-/post-exec commands as root on any client system. A workaround is described in the advisory.

IRIX 6.2, 6.4, 6.5.x Vulnerability in at: SGI-19981001, J-005, S-98-63, ERS-117, ESB-98.151
The at(1) program is used to execute commands at a later time. A vulnerability has been discovered in the at(1) program that allows any file on the system to be read. A local account is required in order to exploit this vulnerability locally and remotely.
How to avoid this risk by patches or workarounds is described in the advisory.
Solaris 2.3 - 2.6, SunOS 4.1.x Vulnerability in ftp: SUN Security Bulletin #00176, ESB-98.150, ERS-116, S-98-62, J-004
The ftp command is the user interface to the Internet standard File Transfer Protocol (FTP). ftp transfers files to and from a remote network site. A vulnerability has been discovered in ftp client software whereby a malicious ftp server can trick the ftp client into executing arbitrary commands. The following patches should be installed:
SunOS 5.6 106522-01
SunOS 5.6_x86 106523-01
SunOS 5.5.1 103603-09
SunOS 5.5.1_x86 103604-09
SunOS 5.5 103577-09
SunOS 5.5_x86 103578-09
SunOS 5.4 101945-60 (available in 9 weeks)
SunOS 5.4_x86 101946-53 (available in 9 weeks)
SunOS 5.3 101653-02
SunOS 4.1.4 104477-04
SunOS 4.1.3_U1 104454-04
IRIX 3.x - 6.5.1m Vulnerabilities in Mail and mailx: SGI-19980605, ERS-114, ESB-98.149, S-98-61, J-002
Some problems with these programs were discussed in Usenet newsgroups and mailing lists. Both programs are installed by default on IRIX. With an account on the machine, local and remote users may gain mail group privileges using the exploit in mailx(1). The Mail(1) exploit can lead to a root compromise of the system.
Which patches and workarounds should be installed is pointed out in the advisory.
IRIX mail(1)/rmail(1M)/sendmail(1M) Security Vulnerabilities: SGI-19980604, ERS-113, ESB-98.148, S-98-60
To address the risks pointed out in CA-96.20, Silicon Graphics has replaced patches 2309 (IRIX 5.3), 2231 (IRIX 6.2) and 2310 (IRIX 6.3 & 6.4) with patches 3347 (IRIX 5.3), 3348 (IRIX 6.2), 3394 (IRIX 6.3 & 6.4) and 3393 (IRIX 6.5 with the IRIX 6.5.1 Maintenance Release).
These new patches close a new Mail(1) security issue and fix some bugs in sendmail 8.8.8 anti-spam configuration.
IRIX 6.2 - 6.5 On-Line Customer Registration Vulnerabilities: SGI-19980901, ERS-112, ESB-98.147, S-98-59, J-003
The IRIX On-Line Customer Registration software is used to establish an information link with Silicon Graphics and submit your End User Registration form electronically. Several vulnerabilities were discovered in the On-Line Customer Registration software subsystem which can lead to a root compromise on a local machine.
Which patches and workarounds should be installed is pointed out in the advisory.


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: November 16, 1998, 20:01 +0100