News October 1999


Most of the links lead to the corresponding files at CERT or other organisations, so changes appear there immediately, in particular which patches should be installed or which configuration changes avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


System: Short description and further information:
Debian Linux Vulnerabilities in NIS, mirror, lpr, and amd: Debian1027, Debian1018, Debian1030, Debian1018a
Vulnerabilities found in SuSE Linux are present in Debian as well: through bugs in yp (NIS), users may gain more rights than the administrator intended. With mirror, files can be written into directories above the destination directory by using ".." in the path. lpr makes it possible to print files the user cannot even read, and amd opens a backdoor for users. Further information can be found in the advisories.
SuSE Linux Vulnerabilities in mirror, sccw, mutt, cdwtools, ypserv, and lprold: SUSE022, SUSE023, SUSE024, SUSE025, SUSE026, SUSE027
The mirror package is a tool to duplicate the contents of ftp servers. A vulnerability exists when an attacker can create a directory named like " .." on the ftp server being mirrored: files can then be created one level above the local target directory for the mirrored files.
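An added example, not code from the Debian or SuSE mirror packages: a Python check that a mirroring script can apply to every remote path before creating anything locally. It covers the case from both the Debian and the SuSE mirror entries above: a remote directory named " .." (or any other whitespace-padded spelling of "..") must never be mapped onto the local tree, and the resolved local path must stay under the mirror root. The function names, the error class and the sample listing are the example's own; the listing is constructed, not taken from a real server.

```python
import os


class UnsafeRemotePath(ValueError):
    """Raised when a remote path would escape the local mirror directory."""


def is_traversal_component(name):
    """True for '.' or '..' in any whitespace-padded spelling, e.g. ' ..' or '..\t'.

    Stripping first matters: a directory literally named ' ..' is exactly the
    case the mirror advisories describe, and a plain comparison with '..'
    misses it.
    """
    return name.strip() in (".", "..")


def suspicious_entries(names):
    """Return the entries of a remote directory listing that must not be mirrored."""
    return [n for n in names if is_traversal_component(n)]


def safe_local_path(base_dir, remote_path):
    """Map a '/'-separated remote path onto a local path below base_dir.

    Rejects absolute remote paths, any traversal component, and any result
    that does not normalise to a location inside base_dir. Symbolic links
    already present inside the local tree are a separate concern not handled here.
    """
    base = os.path.normpath(os.path.abspath(base_dir))
    if remote_path.startswith("/"):
        raise UnsafeRemotePath("absolute remote path: %r" % remote_path)
    parts = [c for c in remote_path.split("/") if c != ""]
    for comp in parts:
        if is_traversal_component(comp):
            raise UnsafeRemotePath("traversal component %r in %r" % (comp, remote_path))
    local = os.path.normpath(os.path.join(base, *parts))
    # Belt and braces: even after the component check, the result must lie under base.
    if local != base and not local.startswith(base + os.sep):
        raise UnsafeRemotePath("resolved outside mirror root: %r" % local)
    return local


def rejects(base_dir, remote_path):
    """Convenience predicate: True if safe_local_path refuses the remote path."""
    try:
        safe_local_path(base_dir, remote_path)
    except UnsafeRemotePath:
        return True
    return False


# Constructed sample listing, as a mirror might receive it from a remote ftp server.
CONSTRUCTED_LISTING = ["pub", "incoming", " ..", "..\t", "docs", "."]

if __name__ == "__main__":
    print("refused entries:", suspicious_entries(CONSTRUCTED_LISTING))
    print(safe_local_path("/srv/mirror", "pub/docs/README"))
    print("refused ' ../outside.txt':", rejects("/srv/mirror", " ../outside.txt"))
```

The component check is what fixes the advisory's case; the final prefix comparison is kept so that a future change to the component rules cannot silently reopen the hole.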
sccw does insufficient bounds checking, trusts its environment and calls insecure system functions. On a default installation sccw is setuid root. These bugs lead to a local root compromise.
A "bad guy" could run processes with the privileges of the user running mutt by sending a maliciously formatted e-mail. This security bug leads to local and remote non-root, and possibly root, compromise of the system.
The cdwtools package is a frontend for various programs used to create CDs. Several buffer overflows and /tmp vulnerabilities exist in the cdwtools package. Everyone who has the cdwtools package installed and SuSE configured for the "easy" security setting (which is the default) is vulnerable to a local root compromise.
The package ypserv is the former "yellow pages", now called the NIS information service, which is used e.g. for central network user account management. Several vulnerabilities exist: ypserv prior to 1.3.9 allows an administrator in the NIS domain to inject password tables, and rpc.yppasswdd prior to 1.3.9 allows users to change the GECOS and login shell values of other users. If administrator access to one server in the NIS domain is compromised, access to the whole domain can be achieved. It is theoretically possible to execute arbitrary code on these systems too. User information can be changed and restricted accounts opened.
The file access permissions aren't properly checked by the lpr and lpd programs. By exploiting this race condition a user could print files he has no permission to read.
It's strongly recommended to upgrade the system by installing the patches. They can be found at SuSE's Webpage for Patches.
Microsoft Windows NT 4.0 Vulnerability by TCP Initial Sequence Number Randomness: MS99-046, ERS-1999.162, K-006
The Initial Sequence Numbers (ISN) used in TCP/IP sessions should be as random as possible in order to prevent attacks such as IP address spoofing and session hijacking. Microsoft has improved the randomness of the Windows NT 4.0 TCP/IP ISN generation for all versions of NT, providing 15 bits of entropy.
It's recommended to install the (US-) patch for x86 or Alpha.
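An added example, not part of the advisory or of Microsoft's patch: a Python screening test a defender can run over a sequence of ISNs recorded from a host's SYN-ACK replies (for instance from a packet capture) to tell a fixed-step generator, whose next ISN is trivially predictable, from one that behaves randomly. The metric names, thresholds and the two sample sequences are the example's own; the samples are constructed, not captured from any system. The entropy estimate is capped by the sample size, so it screens for predictability rather than measuring the 15 bits named above.

```python
import math
import random
from collections import Counter

MOD = 1 << 32  # TCP ISNs are 32-bit values


def delta_entropy_bits(isns):
    """Shannon entropy (bits) of the distribution of consecutive ISN differences.

    0 means every new connection's ISN is a fixed step from the previous one.
    The value is capped at log2(len(isns) - 1), so it is a screening test,
    not a measurement of the generator's full entropy.
    """
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    n = len(deltas)
    counts = Counter(deltas)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def predictable_fraction(isns):
    """Fraction of ISNs an observer guesses exactly by assuming the previous
    delta repeats, which is the behaviour of a fixed-increment generator."""
    hits = trials = 0
    for i in range(2, len(isns)):
        guess = (isns[i - 1] + (isns[i - 1] - isns[i - 2])) % MOD
        trials += 1
        hits += guess == isns[i]
    return hits / trials if trials else 0.0


def fixed_increment_isns(n, start=0x12345678, step=64000):
    """Constructed sample: a generator that adds a constant per connection."""
    return [(start + i * step) % MOD for i in range(n)]


def random_isns(n, seed=1999):
    """Constructed sample: uniformly random 32-bit ISNs (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def assess(isns, min_bits=4.0, max_predictable=0.05):
    """Return (verdict, entropy_bits, predictable_fraction) for an ISN sequence.

    The thresholds are the example's own choices for a 256-sample screen.
    """
    bits = delta_entropy_bits(isns)
    pred = predictable_fraction(isns)
    verdict = "ok" if bits >= min_bits and pred <= max_predictable else "weak"
    return verdict, bits, pred


if __name__ == "__main__":
    for name, seq in (("fixed-increment", fixed_increment_isns(256)),
                      ("random", random_isns(256))):
        verdict, bits, pred = assess(seq)
        print("%-16s verdict=%-4s delta-entropy=%5.2f bits predictable=%.2f"
              % (name, verdict, bits, pred))
```

For a real host, replace the constructed sequences with ISNs read from the SYN-ACKs of repeated connections to the same port; a generator that passes this screen may still be weak in ways a larger sample or a time-correlation test would reveal.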
Microsoft VM, IE Vulnerability in Virtual Machine Verifier: MS99-045, ERS-1999.161, K-005
The Microsoft VM ships as part of several products; the primary ship vehicle is Internet Explorer. IE 4 ships with builds in the 2000 series, IE 5 with builds in the 3000 series. Both series have a vulnerability in the bytecode verifier that could allow a Java applet to operate outside the bounds set by the sandbox. If hosted on a web site, it could cause any action to be taken on the computer of a visiting user that the user himself could take, including, for example, creating, deleting or modifying files, sending data to or receiving data from a web site, or reformatting the hard drive.
It's recommended to install a patch for the 3000 series, a patch for the 2000 series will follow.
Red Hat Linux Vulnerabilities in Screen and wu-ftpd: RH1999-042, RH1999-043, ERS-1999.159, ERS-1999.160
The version of screen that shipped with Red Hat Linux 6.1 defaulted to not using Unix98 ptys. Since screen is not setuid root, this means that it leaves the ptys with insecure permissions. The updated packages restore the Unix98 pty support. As mentioned below, three vulnerabilities were found in wu-ftpd.  It's recommended to install the updates published by Red Hat:
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
Red Hat Linux 5.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.1/i386/screen-3.9.4-3.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/wu-ftpd-2.6.0-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.1/alpha/wu-ftpd-2.6.0-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/wu-ftpd-2.6.0-1.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/screen-3.9.4-3.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/wu-ftpd-2.6.0-1.src.rpm
all New ISS-Summary: ISS, ERS-1999.144
ISS reports 14 new vulnerabilities:
- http-teamtrack-file-read
- iams-passwords-plaintext
- iams-pop3-command-dos
- iams-smtp-vrfy-dos
- linux-cdda2cdr
- ie-download-behavior
- mediahouse-stats-adminpw-cleartext
- mediahouse-stats-login-bo
- ihtml-merchant-file-access
- yahoo-messenger-dos
- iis-ftp-no-access-files
- nt-ip-source-route
- nt-rasman-pathname
- http-cgi-wwwboard-default
Further information can be found at the server of ISS.
HP-UX Vulnerability in automountd: HP Security Bulletin #00104, ERS-1999.157, S-99-45
This problem was originally reported by CERT, regarding the vulnerability in automountd which allows an intruder to execute arbitrary commands with the privileges of the automountd process. Hewlett Packard has found out that HP-UX 10.X and 11.00 are vulnerable. No patch is available at this time.
As a workaround it's recommended to set AutoFS = 0 in the file /etc/rc.config.d/nfsconf.
Microsoft Excel 97 and 2000 Vulnerability caused by Excel SYLK: MS99-044, ERS-1999.156, K-004
Symbolic Link (SYLK) files can contain macros; if such a file were opened in Excel 97 or 2000, the macro would run without asking for the user's permission. These macros could take any action on the computer that the user could take.
It's recommended to install the patch for Excel 97 or Excel 2000.
many Unix Multiple Vulnerabilities in WU-FTPD: CA-99-13, ERS-1999.155, S-99-44
On systems running the WU-FTPD daemon or its derivatives three vulnerabilities were found:
- MAPPING_CHDIR Buffer Overflow: Because of improper bounds checking, it is possible for an intruder to overwrite static memory in certain configurations of the WU-FTPD daemon.
- Message File Buffer Overflow: Because of improper bounds checking during the expansion of macro variables in the message file, intruders may be able to overwrite the stack of the FTP daemon.
- SITE NEWER Consumes Memory: Remote and local intruders who can connect to the FTP server can cause the server to consume excessive amounts of memory, preventing normal system operation. If intruders can create files on the system, they may be able to exploit this vulnerability to execute arbitrary code as the user running the ftpd daemon, usually root.
It's recommended to install the relevant patches as described in the advisory.
Microsoft Internet Explorer 4.01 and 5 Vulnerability by JavaScript: MS99-043, ERS-1999.154
Client-local data displayed in the browser window can be made available to a server by using a redirect to a JavaScript applet running in the same window. This in effect bypasses cross-domain security and makes the data available to the applet, which could then send it to a hostile server, provided the attacker knows the name of the file and the folder in which it resides.
Until Microsoft has published a patch it's strongly recommended to disable Active Scripting, at least in the Internet Zone.
Red Hat Linux New Netscape and vulnerabilities in PAM and lpr/lpd: RH1999-039, RH1999-040, RH1999-041, ERS-1999.152, ERS-1999.153
New RPMs should be installed to get the latest Netscape. The PAM packages shipped with Red Hat Linux 6.1/Intel may allow access to locked NIS accounts on certain network configurations. There are potential problems with file access checking in the lpr and lpd programs, which could allow users to print files they do not have access to. It's recommended to install the updates published by Red Hat:
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
Source:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm
Red Hat Linux 5.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/netscape-common-4.7-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/netscape-communicator-4.7-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/netscape-navigator-4.7-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/netscape-common-4.51-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/netscape-common-4.7-0.src.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.1/i386/netscape-common-4.7-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/netscape-communicator-4.7-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/netscape-navigator-4.7-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/netscape-4.7-1.1.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm
Neutral:
rpm -Uvh ftp://updates.redhat.com/6.1/noarch/
Microsoft IE 5 Vulnerability by IFRAME ExecCommand: MS99-042, ERS-1999.151, ERS-1999.151a
Internet Explorer 5's security model normally restricts the Document.ExecCommand() method to prevent it from taking inappropriate action on a user's computer. However, at least one of these restrictions is not present if the method is invoked on an IFRAME. This could allow a malicious web site operator to read known files on visiting users' computers. The vulnerability would not allow the malicious user to list the contents of folders, create, modify or delete files, or usurp any administrative control over the machine. Internet Explorer 4.01 users should apply IE 4.01 Service Pack 2; users of IE 5 should install the patch for Intel or Alpha.
As an interim step customers may also add sites that they trust to the Trusted Zone, and disable Active Scripting in the Internet Zone.
Microsoft Office Patch available against Vulnerabilities in ODBC: MS99-030
Microsoft has published a patch against the vulnerabilities caused by ODBC. This problem was reported earlier.
Hybrid Network's Cable Modems Vulnerability caused by HSMP: KSRT-012
Hybrid Network's cable modems can be configured via a UDP-based protocol called HSMP. This protocol does not require any authentication to perform configuration requests. Since UDP is easily spoofed, configuration changes can be made anonymously. There are some known Denial-of-Service attacks. HSMP can also be used to configure the DNS servers used by cable modem users, allowing attackers to redirect cable modem subscribers to a trojan site. More complex and theoretical attacks could involve running actual code through the debugging interface, which might allow remote attackers to deploy ethernet sniffers on the cable modem.
The advisory notes links demonstrating the problem. It's recommended to block HSMP traffic (7777/udp) with a firewall.
Cactus Software Vulnerability caused by shell-lock: l0pht, ERS-1999.150
The program "shell-lock" is used to create ELF binaries from shell scripts. A trivial encoding mechanism is used for obfuscating the shell code in the "compiled" binary. Anyone with read permissions to the file in question can decode and retrieve the original shell code. Another vulnerability exists where the user can retrieve the un-encoded shell script without needing to actually decode the binary.
As written in the advisory: Do not take candy or accept car rides from strangers. If something seems too good to be true it probably is. It's recommended to write the necessary code in C or another language, but not in shell-scripts.
Debian Linux Vulnerability in amd: Debian0924
The version of amd that was distributed with Debian GNU/Linux 2.1 is vulnerable to a remote exploit. Passing a big directory name to amd's logging code would overflow a buffer which could be exploited. This has been fixed in version 23.0slink1. Further information can be found in the advisory.


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 1999-11-12, 20:54 +0100