News March 2000
Last Update: 2000-04-12
Most of the links lead to the corresponding files at CERT or other organisations, so changes take effect immediately, especially regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by FTP.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!
| System | Short description and further information |
|---|---|
| many | Article about Mobile Malicious Code: K-031. CIAC has published an advisory about mobile malicious code, which is often attached to E-Mails. The most common of these viruses and worms use Microsoft Outlook, Outlook Express, or Exchange to spread. It's strongly recommended not to open E-Mail attachments that are not expected, especially if they are executable files. Further information is given in the advisory. |
| Microsoft Windows NT 4.0, 2000 | Vulnerability by Malformed TCP/IP Print Request: MS00-021, NTShop, ERS-2000.055. TCP/IP Printing Services is designed for environments that use LPD and LPR. A malformed print request to port 515/tcp could cause TCPSVC.EXE to crash, which would not only prevent the server from providing printing services but would also stop several other services (including DHCP). Affected services can be put back into service by restarting them. TCP/IP Printing Services is different from the native Windows NT 4.0 and Windows 2000 printing services. Microsoft has published patches for Windows 2000 (Professional, Server, and Advanced Server) and Windows NT 4.0 (Workstation, Server, and Server, Enterprise Edition) for Intel and Alpha. A patch for Windows NT 4.0 Server, Terminal Server Edition will be published soon. |
| Red Hat Linux | Vulnerability in IRCII: RHSA2000:008. A buffer overflow exists in ircii's dcc chat capability. An attacker could use this overflow to execute code as the user running ircii. It's recommended to install the fixed packages. Red Hat Linux 6.2: Intel: `rpm -Fvh ftp://updates.redhat.com/6.2/i386/ircii-4.4M-1.i386.rpm`; Sparc: `rpm -Fvh ftp://updates.redhat.com/6.2/sparc/ircii-4.4M-1.sparc.rpm`; Source: `rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/ircii-4.4M-1.src.rpm`. Red Hat Linux 5.2: Intel: `rpm -Fvh ftp://updates.redhat.com/5.2/i386/ircii-4.4M-0.5.2.i386.rpm`; Alpha: `rpm -Fvh ftp://updates.redhat.com/5.2/alpha/ircii-4.4M-0.5.2.alpha.rpm`; Sparc: `rpm -Fvh ftp://updates.redhat.com/5.2/sparc/ircii-4.4M-0.5.2.sparc.rpm`; Source: `rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/ircii-4.4M-0.5.2.src.rpm`. Red Hat Linux 4.2: Intel: `rpm -Fvh ftp://updates.redhat.com/4.2/i386/ircii-4.4M-0.4.2.i386.rpm`; Alpha: `rpm -Fvh ftp://updates.redhat.com/4.2/alpha/ircii-4.4M-0.4.2.alpha.rpm`; Sparc: `rpm -Fvh ftp://updates.redhat.com/4.2/sparc/ircii-4.4M-0.4.2.sparc.rpm`; Source: `rpm -Fvh ftp://updates.redhat.com/4.2/SRPMS/ircii-4.4M-0.4.2.src.rpm`. |
| SGI IRIX 5.3 and 6.2 | Vulnerability in the objectserver daemon: K-030. The objectserver(1M) daemon manages Cadmin objects like disks, tapes and user accounts. Cadmin(1M) applications like cpeople(1) use the objectserver to add, remove or modify user accounts. A vulnerability in the objectserver daemon has been discovered which can lead to unauthorized non-privileged user accounts being created. How to disable the objectserver daemon and which patches should be installed is described in the advisory. |
| Microsoft Internet Information Server | Vulnerability caused by Virtualized UNC Share: MS00-019, ERS-2000.054, NTShop. Microsoft has released a patch against a security vulnerability in IIS and other products based on it: Microsoft Internet Information Server 4.0 and 5.0; Microsoft Proxy Server 2.0; Microsoft Site Server and Site Server, Commerce Edition 3.0; Microsoft Commercial Internet System 2.0 and 2.5. Under certain conditions the web server can be made to send the source code of .ASP and other files to a visiting user. A patch is available for IIS 4.0 (Intel, Alpha) and IIS 5.0. Proxy Server, Site Server, Site Server Commerce Edition and Microsoft Commercial Internet System run atop IIS, so IIS has to be patched. |
| IBM AIX | Possible vulnerability in sendmail: sendmail, ESB-2000.045. The Sendmail Consortium points out a potentially dangerous side-effect of the AIX 4.X linker. Unlike most other linkers, the AIX linker uses the paths specified at compile time for the program's shared library search path at run time. Therefore, AIX compilations which use the -L flag with the AIX linker must take extra precautions to prevent security problems. Further information and a workaround can be found in the advisory. |
| Sun Solaris 7 | Vulnerability in BIND: Sun Security Bulletin #00194, ERS-2000.053. As reported before (CA-99-14), some vulnerabilities were found in BIND. This concerns only Solaris 7; other versions are not affected. Sun Microsystems has published a patch; it's strongly recommended to install it. |
| SuSE Linux | Vulnerabilities in IMAP and IRCII: SUSE-043, SUSE-044. A vulnerability in the IMAP server was found: it allows remote users to circumvent the IMAP authentication, so an attacker can obtain IMAP administrator privileges, which can be used e.g. to create or delete folders. The package ircii is an IRC client which is used to connect to IRC servers and chat with other users. A buffer overflow in the dcc chat feature of ircii < 4.4M was found which is exploitable by remote users: they may execute commands as the user running ircii. It's recommended to install patches from SuSE's Webpage for Patches. |
| TurboLinux | Vulnerabilities in mtr, man, htdig, MySQL, dump, and nmh: TLSA2000:03, TLSA2000:04, TLSA2000:05, TLSA2000:06, TLSA2000:07, TLSA2000:08. All problems concern TurboLinux version 6.0.2 and earlier, except the vulnerability in htdig (version 6.0 and earlier). mtr: Older versions of mtr do not properly drop root privileges, so an attacker may take control of mtr and then execute arbitrary code as root. man: The program 'man' is setgid man. It uses system() for most calls, so a local user may gain the same rights as man or root. htdig: A vulnerability in the htsearch script may allow remote users to read any file on the web server that is readable by the uid under which the server is running, including e.g. /etc/passwd. MySQL: The MySQL database server has a flawed password authentication mechanism. Anyone who can connect to the server can access databases without knowing an exact password. dump: The dump utility is setuid and setgid root. Some versions of dump do not correctly drop the effective gid settings. An attacker could use an overrun to execute code with the gid of root. nmh: A buffer overrun exists in nmh: due to improper MIME header parsing, an attacker could create a MIME message such that the mhshow utility may be used to execute shell code when the message is viewed. An attacker can use this to remotely execute code on the machine where nmh is being used to read mail. This could easily lead to a remote root compromise. Further information and links to patches can be found in the advisories. |
| Microsoft Internet Information Server 4.0 | Denial-of-Service caused by Chunked Encoding Post: MS00-018, ERS-2000.052, NTShop, ESB-2000.053. Microsoft IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow an attacker to request an extremely large buffer for a POST or PUT operation but never actually send data, thereby tying up memory on the server that had been allocated to the session, so the server may stop working normally. Microsoft has published a patch for Intel and Alpha. |
| Cisco Secure PIX Firewall | Vulnerabilities in FTP: Cisco, ERS-2000.050, ESB-2000.051. Cisco Secure PIX Firewalls with software versions up to and including 4.2(5), 4.4(4), and 5.0(3) that provide access to FTP services are at risk from two vulnerabilities; version 5.1(1) is affected by the second vulnerability only. The first vulnerability occurs when the firewall receives an error message from an internal FTP server containing an encapsulated command such that the firewall interprets it as a distinct command. This vulnerability can be exploited to open a separate connection through the firewall. The second vulnerability is exercised when a client inside the firewall browses to an external server and selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP connection as expected and at the same time unexpectedly executes another command opening a separate connection through the firewall. Some changes have been made to the "fixup protocol FTP" behavior of the PIX Firewall; further information can be found in the advisory. |
| Microsoft Windows Media Technologies 4.1 and 4.0 | Vulnerability caused by Malformed Media License Request: MS00-016, ERS-2000.051, NTShop, ESB-2000.052. Windows Media License Manager is part of Windows Media Rights Manager, a component of Windows Media Technologies that enables content providers to distribute copyrighted digital media in encrypted form. When Windows Media Player opens protected digital media, it contacts the provider's server, presents the user's license request information, and obtains a license that allows it to play the media. However, a specially malformed license request can cause License Manager to halt (Denial-of-Service). Microsoft has published a patch to solve this problem. |
| Microsoft Windows 9x | Vulnerability by DOS Device in Path Name: MS00-017, ERS-2000.049, ESB-2000.046. DOS device names are reserved words and cannot be used as folder or file names. When parsing a reference to a file or folder, Windows correctly checks for the case in which a single DOS device name is used in the path and treats it as invalid. However, it does not check for the case in which the path includes multiple DOS device names. When Windows attempts to interpret the device name as a file resource, it performs an illegal resource access that usually results in a crash. Microsoft has published patches for Windows 95 and Windows 98 (also SE). |
| Netscape Communicator 4.0 | Denial-of-Service by simple HTML: NTShop. Simple HTML code can cause Netscape Communicator 4 to crash. An example can be found in the advisory. Netscape is working on a patch. |
| FreeBSD | Vulnerabilities in mh, nmh, ja-mh, exmh, exmh2, ja-exmh2, lynx, mtr, and orville-write: ERS-2000.045, ERS-2000.046, ERS-2000.047, ERS-2000.048, K-028, ESB-2000.047, ESB-2000.048, ESB-2000.049, ESB-2000.050, ESB-2000.055. MH and NMH are popular Mail User Agents. EXMH and EXMH2 are TCL/TK-based front-ends to the MH system. The mhshow command used for viewing MIME attachments contains a buffer overflow which can be exploited by a specially crafted E-Mail attachment, allowing the execution of arbitrary code as the local user when the attachment is opened. Lynx is a popular text-mode WWW browser. The lynx software is written in an insecure style and contains numerous security vulnerabilities exploitable by a malicious server. Mtr ("Multi Traceroute") combines the functionality of the "traceroute" and "ping" programs into a single network diagnostic tool. The mtr program (versions 0.41 and below) fails to correctly drop setuid root privileges during operation, allowing a local root compromise. Orville-write is a replacement for the write(1) command, which provides improved control over message delivery and other features. One of its commands is incorrectly installed with setuid root permissions: the 'huh' command should not have any special privileges, since it is intended to be run by the local user to view his saved messages. It's recommended to install the updates given in the advisories. |
| Microsoft SQL Server 7.0 | Vulnerability in password encryption: ISS-045, NTShop, K-026. When a database administrator logs into a workstation with a roaming profile, the login ID and password are stored in a registry key. This information is stored in the file NTUSER.DAT (for Windows NT) or USER.DAT (for Windows 95 or Windows 98) when the user logs off. An attacker can open this file in a text editor to view the encrypted DBA login ID and password, and might reverse this encryption to gain access to the login ID and password. To use SQL Server securely, Microsoft recommends using Windows Integrated Security. In Windows Integrated Security mode passwords are never stored, as the Windows domain sign-on is used as the security identifier to the database server. If a SQL Server login ID is specified for logging into a server in the Enterprise Manager, Microsoft recommends using the option 'Always prompt for login name and password' to prevent passwords from being stored in the registry. |
| SCO UnixWare 7.1.x | Security hole in EELS: SB-00.08. In UnixWare 7.1.0 and 7.1.1 a possibility for a network-based denial of service attack against the EELS system has been found. It's recommended to install SSE064, which is available now (letter, binary). |
| Atrium Software | Denial-of-Service against Mercur Mail: NTShop. A possible DoS was found in MERCUR Mailserver 3.2, POP3-Server (v3.20.01) for Windows 98/NT, and IMAP4-Server (v3.20.01) for Windows 98/NT: several buffer overflow conditions were discovered within the Mercur mail software. According to the USSRLabs report, sending a command string of 3000 characters could result in a denial of service condition against such a server. Atrium Software is aware of this issue. |
| Microsoft Internet Explorer 5.0 | Denial-of-Service caused by HTML Code: NTShop. Certain HTML code can cause IE 5.0 under Windows NT to crash or consume all available CPU cycles until the offending process is terminated manually. In one instance, an E-Mail that contained this kind of code caused Eudora Pro to consume 100% CPU when the E-Mail was opened. Microsoft seems to be working on a patch. A demonstration is shown in the advisory. |
| IRIX | Vulnerability in fam service: NAI-016, ESB-2000.036. The fam daemon is an RPC server that tracks changes to the filesystem, installed by default on IRIX 5.X and 6.X. The vulnerability can be exploited remotely using RPC packets sent to the fam daemon; it leads to unauthorized access to the names of files and directories on the system. A workaround has been published in the advisory. |
| Microsoft Windows NT | Risk due to Registry Permissions: MS00-008, ESB-2000.044, NTShop, ERS-2000.044, K-029. Three sets of registry keys with overly permissive default permissions are the reason for this vulnerability. These permissions could allow an attacker who can interactively log onto a target machine to: cause code to run in a local system context; cause code to run the next time another user logs onto the same machine; disable the security protection for a previously reported vulnerability. These three key sets are not related to each other. A tool (Intel, Alpha) is available that will reset all of the affected keys to the correct default value. Windows 2000 is not affected by this vulnerability. |
| Debian Linux | Vulnerability in mtr: Debian0309. The version of mtr distributed in Debian GNU/Linux 2.1 (aka slink) doesn't drop root privileges correctly. While there are no known exploits, it is conceivable that a weakness in gtk or ncurses could be used to exploit this. This has been fixed in version 0.28-1, which can be found in the advisory. |
| Microsoft SQL Server 7.0 and MSDE 1.0 | Vulnerability caused by SQL Query Abuse: MS00-014, ESB-2000.041, NTShop, ERS-2000.043, K-027. Microsoft SQL Server 7.0 and the Microsoft Data Engine (MSDE) 1.0 perform incomplete argument validation on certain classes of remotely submitted SQL statements. So if a user can submit a specially formed Select statement to the database, or if the database is running under the Administrator account, commands are accepted by the operating system with these rights. To exploit this vulnerability, the user would have to have the right to submit queries to the SQL Server or MSDE via ODBC, OLE DB, or DB-Library and be logged on using SQL Server Security. The user would not require any special privileges beyond the right to submit SQL queries. Microsoft has published a patch, which should be installed as soon as possible. |
| Microsoft Windows | Vulnerability by Unprotected Windows Networking Shares: IN-2000-02. An advisory of the US-CERT: intruders are actively exploiting Windows networking shares that are made available for remote connections without requiring password authentication. This is not a new problem, but the potential impact on the overall security of the Internet is increasing. Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised system not only creates problems for the system's owner, but is also a threat to other sites on the Internet. The greater risk to the Internet community is the potentially large number of systems attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in IN-2000-01. Further information and countermeasures can be found in the advisory. |
| Microsoft Clip Art Gallery | Vulnerability by Clip Art Buffer Overrun: l0pht, MS00-015, NTShop, ERS-2000.042, ESB-2000.042. Users of the following programs should update their Clip Art Gallery: Microsoft Office 2000; Microsoft Works 2000; Microsoft PictureIt 2000; Microsoft HP 2000; Microsoft Publisher99; Microsoft PhotoDraw 2000 Version 1. The Microsoft Clip Art Gallery software allows users to retrieve and use clip art in their documents. One of the features of the Clip Art Gallery allows the user to download additional clips from the Microsoft Clip Gallery Live web site (and other sites) and then install that clip art on their computer. To do this, Clip Art Gallery and Clip Gallery Live use a file format called the CIL format to contain the newly downloaded clips. A very long field embedded in a clip art CIL file could cause a buffer overrun in the Clip Art Gallery software. The buffer overrun could cause the software to crash or cause the execution of arbitrary code on the computer where the Clip Art Gallery software was executing. Microsoft has published a patch to fix this problem. |
| Red Hat Linux | Vulnerability in nmh: RHSA2000:006, ESB-2000.043. By creating specially formed MIME headers, it is possible to have nmh's 'mhshow' utility execute arbitrary shell code. It's recommended to install the fixed packages. Red Hat Linux 6.1: Intel: `rpm -Fvh ftp://updates.redhat.com/6.1/i386/nmh-1.0.3-6x.i386.rpm`; Alpha: `rpm -Fvh ftp://updates.redhat.com/6.1/alpha/nmh-1.0.3-6x.alpha.rpm`; Sparc: `rpm -Fvh ftp://updates.redhat.com/6.1/sparc/nmh-1.0.3-6x.sparc.rpm`; Source: `rpm -Fvh ftp://updates.redhat.com/6.1/SRPMS/nmh-1.0.3-6x.src.rpm`. Red Hat Linux 6.0: Intel: `rpm -Fvh ftp://updates.redhat.com/6.0/i386/nmh-1.0.3-6x.i386.rpm`; Alpha: `rpm -Fvh ftp://updates.redhat.com/6.0/alpha/nmh-1.0.3-6x.alpha.rpm`; Sparc: `rpm -Fvh ftp://updates.redhat.com/6.0/sparc/nmh-1.0.3-6x.sparc.rpm`; Source: `rpm -Fvh ftp://updates.redhat.com/6.0/SRPMS/nmh-1.0.3-6x.src.rpm`. Red Hat Linux 5.2: Intel: `rpm -Fvh ftp://updates.redhat.com/5.2/i386/nmh-1.0.3-5x.i386.rpm`; Alpha: `rpm -Fvh ftp://updates.redhat.com/5.2/alpha/nmh-1.0.3-5x.alpha.rpm`; Sparc: `rpm -Fvh ftp://updates.redhat.com/5.2/sparc/nmh-1.0.3-5x.sparc.rpm`; Source: `rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/nmh-1.0.3-5x.src.rpm`. |
| Microsoft Windows 9x | Denial-of-Service using URLs: NTShop. Windows 95 and 98 can be made to crash using URLs that point to a device (such as CON, AUX, NUL, etc.) instead of actual Web pages. Initially it appears as though the Win95/98 desktop shell contains the actual problem, since various applications can be used to crash the operating system. For example, a malformed WarFTPd command that incorporates a device name can be used to cause an operating system crash. A demonstration of the problem is shown in the advisory. |
| Microsoft Internet Explorer 5.x and Outlook | Arbitrary code execution using .chm files: NTShop, update: NTShop. There is a vulnerability in IE 5.x for Win95 and WinNT that allows the execution of arbitrary programs using files with the .chm extension. Microsoft Networking must be installed for this exploit to work. The problem is the window.showHelp() method, which opens .chm files. IE disallows the opening of remote .chm files via the HTTP protocol; however, the files may still be opened if the .chm file resides on a network server or a local drive. G. Guninski has published a demonstration of this problem; Microsoft is working on a patch. |
| HP Omniback | New Denial-of-Service: NTShop. This problem concerns HP Omniback 2.55, 3.0, 3.10 under Microsoft Windows NT. When a number of connections are made on port 5555 of an Omniback-enabled system, the OmniInet process consumes memory until the system crashes. If the connections are closed, Omniback does not free up the memory. A demonstration can be found in the advisory. |
| many | New CERT-Summary: CS-2000-01, ESB-2000.035. Recently the US-CERT has observed significant activity concerning the following topics. Distributed Denial-of-Service Developments: CERT continues to receive reports of intruders compromising machines in order to install software used for launching packet flooding denial-of-service attacks. BIND Vulnerabilities: CERT still continues to receive reports of intruders compromising machines by exploiting vulnerabilities in BIND. Multiple Vulnerabilities in Vixie Cron: compromises involving the exploitation of several vulnerabilities in the Vixie Cron program have recently been reported to the CERT; these vulnerabilities allow local users to gain root access. Root Compromises: there are still many root compromises as a result of vulnerabilities in WU-FTPD, AMD, and various RPC-related services. Malicious HTML Tags Embedded in Client Web Requests: many web sites may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. |
| various Linux | Multiple Vulnerabilities in Vixie Cron: VN-2000-01. An increase in intruder activity associated with various vulnerabilities in certain implementations of the clock daemon cron (developed by Paul Vixie) has been observed. Multiple intruder tools exploiting previously discussed cron vulnerabilities have been found on compromised Linux systems. Which distributions are vulnerable and links to the patches can be found in the advisory. |
| Debian Linux | Vulnerability in nmh: Debian0229. The version of nmh distributed in Debian GNU/Linux 2.1 (aka slink) doesn't check incoming mail messages properly. This might be exploited by using carefully designed MIME headers to trick mhshow into executing arbitrary shell code. This has been fixed in version 0.27-0.28-pre8-4. It's recommended to upgrade the nmh package; a patch can be found in the advisory. |
| FreeBSD | Security holes in MySQL and htdig: ERS-2000.039, ERS-2000.040, K-025, ESB-2000.040, ESB-2000.039. The MySQL database server (versions prior to 3.22.32) has a flaw in the password authentication mechanism which allows anyone who can connect to the server to access databases without requiring a password, given a valid username on the database; in other words, the normal password authentication mechanism can be completely bypassed. There is a security hole in the htsearch cgi-bin program for versions of htdig prior to 3.1.5, which allows remote users to read any file on the local system that is accessible to the user ID running htsearch (usually the user ID running the web server process, user 'nobody' in the default installation of apache). Workarounds and links for patches are given in the advisories. |
| many | New ISS Summary: ISS, ERS-2000.041. Recently 12 new vulnerabilities were reported: trin00-dos (update), netgear-multiple-dos, sambar-batfiles, win-media-dos, win-active-setup, siteserver-sitebuilder, netbsd-ptrace, netbsd-procfs, ie-image-source-redirect, sco-openserver-arc-symlink, iis-frontpage-info, outlook-active-script-read. Further information can be found on the ISS server. |
| SuSE Linux | Security hole in htdig: SUSE-042. Htsearch is a CGI program which is part of htdig. This program performs insufficient bounds checking, so an attacker can view the contents of any file on the web server with the permissions of the httpd. It's recommended to install patches from SuSE's Webpage for Patches. |
© 2000 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 2000-04-12, 13:08 +0100