SecurityFocus Microsoft Newsletter #113

From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Nov 18 2002 - 12:14:52 EST

SecurityFocus Microsoft Newsletter #113

---

This Issue is Sponsored by: SpiDynamics

ALERT! -Cross-Site Scripting Holes in Web Applications! Cross-site scripting vulnerabilities in web applications allow hackers to collect confidential user information, manipulate or steal cookies, and create requests that can be mistaken for those of a valid user!! All undetectable by IDS!

Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! http://www.spidynamics.com/mktg/xss20

---

I. FRONT AND CENTER

1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
2. .NET/MSIL malicious code and AV/heuristic Engines
3. Locking Down the Pop-up Perps
4. Maintaining Credible IIS Log Files
5. Back to the Insecure Future
6. SecurityFocus DPP Program
7. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando, FL) II. MICROSOFT VULNERABILITY SUMMARY
8. Pine From: Field Heap Corruption Vulnerability
9. Macromedia JRun IIS ISAPI Filter GET Request Buffer Overrun...
10. Macromedia J Run Log File/JRun.INI File Disclosure...
11. Macromedia JRun Web Server Unicode Source Disclosure Vulnerability
12. CuteCast User Credential Disclosure Vulnerability
13. Perception LiteServe DNS Wildcard Cross Site Scripting...
14. Microsoft JVM Unauthorized Clipboard Access Vulnerability
15. Microsoft JVM Package Access Restriction Bypassing Vulnerability
16. Microsoft JVM Passed HTML Object Reference Denial Of Service...
17. Microsoft JVM HTML Applet Tag Class Restriction Bypass...
18. Microsoft JVM CAB File Loading Vulnerability
19. Microsoft JVM Codebase Information Disclosure Vulnerability
20. Microsoft JVM Information Disclosure Vulnerability
21. Microsoft JVM INativeServices Unauthorized Memory Access...
22. Perception LiteServe Directory Query String Cross Site...
23. Lotus Domino Non-existent NSF Database Banner Information...
24. Microsoft JVM Class Loader Buffer Overrun Vulnerability
25. Microsoft JVM URI Parsing Vulnerability
26. EZ Systems HTTPBench Information Disclosure Vulnerability
27. Light HTTPD GET Request Buffer Overflow Vulnerability III. MICROSOFT FOCUS LIST SUMMARY
28. Unknown workgroup in Microsoft Windows Network (Thread)
29. Local security settings in W2k adv server causes problems (Thread)
30. Active Directory network security (Thread)
31. Tools (Thread)
32. RES: Tools (Thread)
33. SecurityFocus Microsoft Newsletter #112 (Thread)
34. Win 2000 password Complexity Requirements (Thread)
35. Win 2000 passsword Complexity Requirements (Thread)
36. IIS 5 and client certificates (Thread) IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
37. SentriNET
38. Secure-IT
39. Big Crocodile
40. NEW TOOLS FOR MICROSOFT PLATFORMS
41. MAIL PASSWORD RECOVERY v1.0.0.0
42. KingPing v1.0
43. lcrzoex v4.16.0 VI. SPONSOR INFORMATION
44. FRONT AND CENTER

    ---

45. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux By Joe Stewart

In a previous SecurityFocus article, the author described the tools and processes involved in basic reverse engineering of a simple trojan. This article will offer a more detailed examination of the reversing process, using a trojan found in the wild, and focusing on techniques for reversing Windows-native code entirely under Linux.

http://online.securityfocus.com/infocus/1641

2. .NET/MSIL malicious code and AV/heuristic Engines By Markus Schmall

While the Windows .NET strategy incorporates numerous aspects, this article will focus on what aspects to cover in developing an AV/heuristic engine for this new platform. Specifically, it will address the additions introduced by .NET technologies to standard Windows PE (portable executable) file format and how that will affect the development of an effective heuristic engine. It will also briefly discuss the existing malicious codes for the .NET environment.

http://online.securityfocus.com/infocus/1642

3. Locking Down the Pop-up Perps
By Mark Rasch

Pop-up ads have already inspired civil lawsuits. Here's how federal computer crime law and the USA-PATRIOT Act could put obnoxious advertisers in the pokey ...

http://online.securityfocus.com/columnists/124

4. Maintaining Credible IIS Log Files
by Mark Burnett

Many network administrators by now have encountered serious Web server intrusions that have resulted in legal action. Often IIS logs are the primary evidence used to track down Web intruders. But what would happen if the credibility of your IIS logs was challenged in court? What if the defense claimed the logs were not reliable enough to be admissible as evidence?

http://online.securityfocus.com/infocus/1639

5. Back to the Insecure Future
By Richard Forno

Web services, such as Microsoft's .NET platform, represent a return to centralized computing. They also pose some serious security issues.

http://online.securityfocus.com/columnists/123

6. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today&#x2019;s security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY

---

1. Pine From: Field Heap Corruption Vulnerability BugTraq ID: 6120 Remote: Yes Date Published: Nov 07 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6120 Summary:

Pine is an open source mail user agent distributed by the University of Washington. It is freely available for Unix, Linux, and Microsoft operating systems.

It is possible to cause a denial of service in Pine by sending an email message with a specially crafted "From:" address. According to the report, the crash can be reproduced by setting the "From:" address to a value such as:

"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld

When the condition is triggered, heap memory may be corrupted. It is possible to exploit this memory corruption to cause execution of arbitrary code.

Note that the user does not have to view the message in order for the denial of service to take place; the message simply has to be present in the user's Inbox. While a message with this address is present in the Pine Inbox, it is not possible to start Pine again. The message containing this address must be manually removed from the spool or by using another MUA.

It is important to note that this specially crafted "From:" address is RFC legal.

This issue will reportedly be fixed in Pine 4.50.

2. Macromedia JRun IIS ISAPI Filter GET Request Buffer Overrun Vulnerability BugTraq ID: 6122
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6122
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems. Versions are also available for Unix and Linux variants.

The Macromedia JRun IIS ISAPI handler is prone to a remotely exploitable buffer overrun condition. The issue is due to a lack of bounds checking on requested filenames. It is possible to trigger the overrun by requesting a filename (with extension ".jsp") of length 4096 characters or greater.

For example:

GET /[buffer].jsp HTTP/1.0

The overrun reportedly occurs in stack memory and may be trivially exploited to execute instructions on the target host. The instructions will run with the privileges of IIS.

3. Macromedia JRun Log File/JRun.INI File Disclosure Vulnerability BugTraq ID: 6125
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6125
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems. Versions are also available for Unix and Linux variants.

Macromedia JRun is prone to a file disclosure vulnerability.

It has been reported that this issue may be exploited by remote attackers to retrieve sensitive resources such as JRun log files or the 'jrun.ini' configuration file. This issue is likely due to insufficient input validation of incoming HTTP requests, causing the vulnerable software to serve sensitive content.

Disclosure of this type of sensitive information may lead to further attacks against the vulnerable host.

This issue is specific to JRun running on Microsoft Windows platforms.

4. Macromedia JRun Web Server Unicode Source Disclosure Vulnerability BugTraq ID: 6126
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6126
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems. Versions are also available for Unix and Linux variants.

Macromedia JRun ships with a non-production web server, which is intended to be used on internal networks.

The Macromedia JRun Web Server component is prone to a source code disclosure issue. The cause of this issue is reportedly insufficient validation of unicode characters in HTTP requests. A remote attacker may submit a malicious request containing unicode characters and cause the source code of the requested script resource to be displayed instead of interpreted.

Information gathered from a successful attack may aid in further attacks.

This issue is specific to Macromedia JRun running on Unix and Linux platforms.

5. CuteCast User Credential Disclosure Vulnerability BugTraq ID: 6127
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6127
Summary:

CuteCast is web forum software. It is implemented in Perl and is available for Unix and Linux variants as well as Microsoft Windows operating systems.

CuteCast is prone to an issue which may cause user credentials to be disclosed to remote attackers. CuteCast stores user information in a publicly accessible directory. User information is also stored in plaintext.

Remote attackers may request any individual user files and gain access to user credentials. The attacker may use these credentials to gain unauthorized access to user accounts.

6. Perception LiteServe DNS Wildcard Cross Site Scripting Vulnerability BugTraq ID: 6131
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6131
Summary:

Perception LiteServe is a commercial e-mail, web, and FTP server for Microsoft Windows operating systems.

A cross site scripting vulnerability has been discovered LiteServe.

It should be noted that this vulnerability is limited to server configurations with Wildcard DNS enabled.

It has been reported that LiteServe fails to sanitize requests containing encoded HTML and script code as the hostname when Wildcard DNS is used. Requests of this nature will be rejected by the server, effectively returning the request to the sender, without sanitizing the contents of the request.

This issue may allow an attacker to create a malicious link containing encoded HTML and script code in the requested hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

This issue was reported in LiteServe v2.01. It is not yet known whether earlier versions are affected by this issue.

7. Microsoft JVM Unauthorized Clipboard Access Vulnerability BugTraq ID: 6132
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6132
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered Microsoft's implementation of the Java Virtual Machine (JVM).

By implementing the 'INativeServices' class, ClipBoardGetText() and ClipBoardSetText() methods into a malicious Java applet, it is possible for a remote attacker to access and modify the contents of a target users clipboard. The methods must be called indirectly through the java.lang.reflect.* package.

Exploiting this vulnerability may allow a remote attacker to read and potentially corrupt sensitive information stored in a users clipboard, which could be used to launch further attacks against target systems.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

8. Microsoft JVM Package Access Restriction Bypassing Vulnerability BugTraq ID: 6133
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6133
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

The JVM includes a class named com.ms.security.StandardSecurityManager which can be extended by any applet. This class contains two protected static fields named deniedDefinitionPackages and deniedAccessPackages. These fields contain package access restrictions.

The package access restrictions set in these two fields can be altered or emptied, allowing any applet to bypass the set restrictions.

These restrictions originate from the registry and are not implemented by default.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

9. Microsoft JVM Passed HTML Object Reference Denial Of Service Vulnerability BugTraq ID: 6135
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6135
Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

A vulnerability has been reported in Microsoft JVM that may lead to a denial of service in Microsoft Internet Explorer.

This problem occurs when references of HTML objects are passed to Java applets via JavaScript. Applets may potentially invoke methods of proprietary Microsoft interfaces. In some cases, when a HTML object is passed to a Java applet which invokes a method of one of these proprietary interfaces, illegal memory access will occur. This will cause the web browser to crash.

It is theoretically possible that this problem may be an exploitable memory corruption vulnerability which may allow arbitrary code execution. This possibility has not been confirmed.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Microsoft JVM HTML Applet Tag Class Restriction Bypass Vulnerability BugTraq ID: 6136 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6136 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

A vulnerability has been reported in Microsoft JVM that may lead to a denial of service in Microsoft Internet Explorer.

It is possible to abuse the HTML <applet> tag to bypass Java class restrictions. Class objects may be instantiated using the HTML <applet> tag, and since this is not expected by the browser when some native methods are used, this may crash the browser.

It is theoretically possible that this problem may be an exploitable memory corruption vulnerability which may allow arbitrary code execution. This possibility has not been confirmed.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Microsoft JVM CAB File Loading Vulnerability BugTraq ID: 6137 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6137 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

The JVM contains a class named com.ms.vm.loader.CabCracker. This class contains a load() method that can be used to load CAB archives from the local drive. This method performs security checks and queries the user for permission to access the CAB file from the hard drive. The method then calls load0() to load the archive from disk.

The load0() method is declared public, which allows any applet to call the method directly, bypassing the security checks performed by the load() method.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Microsoft JVM Codebase Information Disclosure Vulnerability BugTraq ID: 6138 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6138 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer. A vulnerability has been discovered in the Microsoft Java Virtual Machine.

By including a codebase of 'file://%00' in the applet tag of a malicious Java applet, it is possible to gain local read access to all local files on a target system. If the applet is loaded from a publicly readable network share, it is possible to list directory contents on a target system.

By gaining local read access to a target system, it may be possible for a remote attacker to disclose sensitive information, including cookie-based credentials and passwords. Information gathered through this technique, may be used by an attacker to launch further attacks against a target system.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Microsoft JVM Information Disclosure Vulnerability BugTraq ID: 6139 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6139 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

Due to insufficient access validation, the JVM may allow applets to retrieve sensitive information.

By calling new File(".").getAbsolutePath(), the applet may retrieve the path to the current Internet Explorer directory. On multiuser operating systems such as Windows NT/2000/XP, this path may also include the current username.

This information could be used by an attacker to mount further attacks against the system.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Microsoft JVM INativeServices Unauthorized Memory Access Vulnerability BugTraq ID: 6140 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6140 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

INativeServices methods accept memory addresses as parameters. Due to insufficient checking of these values, it may be possible to pass invalid memory addresses and cause a denial of service.

Additionally, the pGetFontEnumeratedFamily() methods may also be invoked to read memory via INativeServices methods. This may lead to disclosure of various types of sensitive information such as websites visited, cookies, and filesystem information such as the location of the cache directory.

Exploitation of this vulnerability may facilitate other attacks, potentially leading to further information disclosure or execution of malicious code.

It is possible for a Java applet to access INativeServices methods directly via other methods such as SystemX.getNativeServices(). Indirectly, the INativeServices methods may be accessed through the the java.lang.reflect.* methods.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Perception LiteServe Directory Query String Cross Site Scripting Vulnerability BugTraq ID: 6143 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6143 Summary:

Perception LiteServe is a commercial e-mail, web, and FTP server for Microsoft Windows operating systems.

A cross site scripting vulnerability has been discovered LiteServe.

It has been reported that LiteServe fails to sanitize query strings from indexed folders. By constructing a malicious link containing encoded HTML and script code in the 'dir' variable, it is possible to execute the script code within the context of a victims web browser.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

1. Lotus Domino Non-existent NSF Database Banner Information Disclosure Vulnerability BugTraq ID: 6128 Remote: Yes Date Published: Nov 07 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6128 Summary:

Lotus Domino Server is an application framework for web based collaborative software. It runs on multiple platforms including Microsoft Windows and Unix.

Lotus Domino reportedly discloses sensitive banner information when a non-existent NSF database is requested. A remote attacker may exploit this by making a HTTP request for such a database. Disclosure of this information may allow a remote attacker to discover information about the layout of the filesystem.

This type of sensitive information may aid in further attacks against the system hosting the vulnerable software.

This issue is present on Lotus Domino Server with the 'DominoNoBanner' set to a value of '1'.

This vulnerability is similar to the issue described by Bugtraq ID 4049.

1. Microsoft JVM Class Loader Buffer Overrun Vulnerability BugTraq ID: 6134 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6134 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

Details of a vulnerability in Microsoft JVM have been published. According to the report, a buffer overrun condition is present in the class loader. It may be triggered by attempting to load a class with a name of excessive length. At the very least, attackers may crash victim browsers when the condition occurs.

This vulnerability may be exploited by malicious webmasters who construct a Java applet designed to do so. It is not confirmed whether this may be exploited to execute attacker-supplied instructions or not. It should be assumed that this is possible.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. Microsoft JVM URI Parsing Vulnerability BugTraq ID: 6142 Remote: Yes Date Published: Nov 08 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6142 Summary:

The Microsoft JVM implements the Java runtime environment for Microsoft Internet Explorer.

Details of a vulnerability in the Microsoft JVM have been published. The vulnerability is in the parsing of the location URI string and may result in an applet being retrieved from an attacker-specified location rather than that of the document it is embedded in. This may result in a malicious applet having access to the DOM of the target location. The applet may retrieve cookie values or manipulate web content.

According to the report, the Microsoft JVM can be fooled into believing that the HTTP username component of a HTTP URI is the domain. This allegedly occurs when a colon character is present in the URI that would normally, when it is in the correct location in the URI string, indicate the listening port of the server. If the attacker constructs a HTTP URI with a HTTP username component containing a location and the port, the Microsoft engine will use that value incorrectly as the document location. Such a URI may look like:

http://www.attackersite.tld:80@www.realsite.tld
       ^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^

  HTTP Auth Username/Password Actual domain

In this example, if the document served by the server 'www.realsite.tld' has an embedded applet the Java engine will retrieve it from
'www.attackersite.tld'. The consequences of this are significant. An
attacker may place a rogue applet on a server under their control ('www.attackersite.tld') with the same class name. When invoked, this applet will have access to the DOM of the document from
'www.realsite.tld'. The applet may then retrieve cookie values or
otherwise access/manipulate the contents of the document.

This vulnerability was originally reported in BID 5670. As technical details have emerged, a database record with a unique BID for this issue has been created.

1. EZ Systems HTTPBench Information Disclosure Vulnerability BugTraq ID: 6153 Remote: Yes Date Published: Nov 11 2002 12:00AM Relevant URL: http://www.securityfocus.com/bid/6153 Summary:

eZ Systems httpbench is a benchmarking utility implemented in PHP. It is available for Unix and Linux variant as well as Microsoft Windows operating environments.

An information disclosure vulnerability has been reported for httpbench. Reportedly, httpbench may disclose the contents of web server readable files to remote attackers.

This vulnerability can be exploited by a remote attacker to obtain potentially sensitive information on a vulnerable system. Information obtained in this manner may be used to launch further, destructive attacks against a vulnerable system.

This vulnerability was reported for httpbench 1.1. It is not known whether other versions are affected.

20. Light HTTPD GET Request Buffer Overflow Vulnerability BugTraq ID: 6162
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6162
Summary:

Light httpd is a small HTTP server, derived from ghttpd. It is available for a large variety of platforms, including Linux, BSD, Solaris, and Microsoft Windows operating systems.

A vulnerability has been discovered in Light httpd, when processing GET requests. Passing an excessively long GET request to a vulnerable server, containing roughly 1024 or more bytes of data, will trigger a buffer overflow. This will typically result in sensitive memory being overwritten with attacker-supplied values.

Exploitation of this issue will result in the execution of arbitrary commands with the privileges of the target web server. As Light httpd drops privileges, commands will be executed with the privileges of the
'nobody' user.

III. MICROSOFT FOCUS LIST SUMMARY

---

1. Unknown workgroup in Microsoft Windows Network (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/299922

2. Local security settings in W2k adv server causes problems (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/299879

3. Active Directory network security (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/299795

4. Tools (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299692

5. RES: Tools (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299613

6. SecurityFocus Microsoft Newsletter #112 (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/299440

7. Win 2000 password Complexity Requirements (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/299434

8. Win 2000 passsword Complexity Requirements (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/298907

9. IIS 5 and client certificates (Thread) Relevant URL:

http://online.securityfocus.com/archive/88/298899

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS

---

1. SentriNET by ISL Platforms: BeOS, BSDI, Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP http://www.informer.co.uk/sols/sols_sentrinet_main.htm Summary:

SentriNET provides biometric authentication and verification techniques to secure network access by replacing the logon password with fingerprint authentication.

2. Secure-IT
by ISL
Platforms: Windows 2000, Windows NT
http://www.informer.co.uk/sols/sols_secureit_main.htm Summary:

Secure-IT provides the corporate business a means to effectively control and monitor all forms of remote access into the corporate network. The product supports the &#x2018;best of breed ' authentication technologies ranging from simple PIN controlled hardware tokens to sophisticated smart card and biometrics

3. Big Crocodile
by Sow
Platforms: Windows 2000, Windows 95/98, Windows NT http://www.sowsoft.com/bigcroc.htm
Summary:

Big Crocodile is a powerful, secure password manager. Storage of all your passwords, logins and hyperlinks in a securely encrypted file. Big Crocodile can automatically insert the passwords into the windows that require them. Password generator with advanced functions, multi file interface, special password folders, backup, export and other features. This program is very easy to use. The program uses powerful commercial encryption algorithm.

V. NEW TOOLS FOR MICROSOFT PLATFORMS

---

1. MAIL PASSWORD RECOVERY v1.0.0.0 by Aleksandar Boros Relevant URL: http://members.ams.chello.nl/a.boros/mpr/ Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP Summary:

Mail Password Recovery allows you to recover your email password for any POP3 account, as long as it is stored in an email program on your computer. You just need to temporarily change the settings in your email program , so that it connects to Mail Password Recovery instead, and your password will be revealed. Mail Password Recovery works by emulating a local POP server, your email program hands over the password when it connects, and Mail Password Recovery will show it to you. Only works with email accounts/passwords that have the login information stored in your email program (Outlook Express, Eudora, The Bat! etc.) Program can only recover the passwords that are stored on your computer

Program does NOT recover passwords from web based email accounts such as Hotmail, Yahoo, MSN, AOL etc.

2. KingPing v1.0
by Vladimir Kraljevic
Relevant URL:
http://www.k-qube.com/index.html
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP Summary:

KingPing is the network administration tool for professionals, it enables you to utilize ICMP (Internet Control Message Protocol) and troubleshoot most network problems regardless of the size of the network you are administering. So far, it is the only ICMP echo program which allows you to specify more than just ICMP parameters.

3. lcrzoex v4.16.0
by Laurent Constantin
Relevant URL:
http://www.laurentconstantin.com/en/lcrzoex/ Platforms: FreeBSD, Linux, OpenBSD, Solaris, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

Lcrzoex is a toolbox for network administrators and network hackers. Lcrzoex contains over 300 functionnalities using network library lcrzo. Each one can be compiled alone and modified to match your needs.

Lcrzoex can be used in the following contexts :

- discover the Ethernet address of a computer (number 2, 3, 134, etc.)
- sniff your LAN to detect what's going on (number 7, 8, 9, etc.)
- check the checksums created by a network program which isn't working

(number 16, 17, 18, etc.)
- intercept a session and replay it as many times you want to strictly test your application (number 10, 11, 12, 22, etc.) - verify if a router is well configured even if the needed computers are down (number 48, ..., 53, etc.)

- check if your router/firewall/computer blocks
- IP protocols (number 29, ..., 34, etc.)
- IP options (number 29, ..., 34, 73, ..., 79, etc.), source routing

(number 45, 56, 59, 62, etc.)

- IP fragments (number 44, 55, 58, 61, 72, etc.)
- TCP options (number 48, ..., 53, etc.)
- ICMP types (number 65, ..., 70, etc.)
- ARP poisoning (number 80, 81, 82, 83, etc.)
- create a tcp/udp client with a special local port (number 85, 89, 86,

93, 97, etc.)
- convert between numbers (number 139, ..., 148, etc.) - etc.

VI. SPONSOR INFORMATION

---

This Issue is Sponsored by: SpiDynamics

ALERT! -Cross-Site Scripting Holes in Web Applications! Cross-site scripting vulnerabilities in web applications allow hackers to collect confidential user information, manipulate or steal cookies, and create requests that can be mistaken for those of a valid user!! All undetectable by IDS!

Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! http://www.spidynamics.com/mktg/xss20

---

Received on Mon Nov 18 20:31:37 2002