SecurityFocus Newsletter #178
From: John Boletta <jboletta(at)securityfocus.com>
Date: Mon Jan 06 2003 - 13:48:44 EST

This Issue is Sponsored by GuardedNet - Transforming Security Data into Knowledge

neuSECURE - a Threat Management Solution Your CFO Will Appreciate

neuSECURE is a centralized monitoring system that correlates and analyzes event data from firewalls, IDS, hosts and routers for real-time attack detection and response. It's proven to reduce the time you spend investigating attacks and improves the value of your security infrastructure. Sign up to receive a paper entitled "Calculating the ROI of a neuSECURE implementation" at <http://www.guarded.net/secondary/calculating_roi.html>

I. FRONT AND CENTER
In this two-part article we will discuss an alternate configuration in which we will utilize Microsoft's Internet Security and Acceleration (ISA) Server, a third party SMTP Gateway (Trend Micro's Internet Messaging Security Suite) and Exchange 2000. This sort of configuration is flexible enough to be used in smaller installations that do not use a DMZ, or as part of the DMZ configuration itself.
http://online.securityfocus.com/infocus/1654

2. Windows Forensics: A Case Study, Part One
by Stephen Barish
It's a security person's worst nightmare. You've just inherited a large, diverse enterprise with relatively few security controls when something happens. We all try to detect malicious activity at the perimeter of the network by monitoring our intrusion detection systems and watching attackers bang futilely on our firewall. Even those attackers tricky enough to slip through the firewall bounce harmlessly off our highly secured servers, and set off alarms throughout the network as they attempt to compromise it. Reality is usually somewhat different: most of us simply don't have the tools, or at least we don't have expensive, dedicated tools. But we do have ways to stop the pain.
http://online.securityfocus.com/infocus/1653
3. The Briscoe Syndrome
Fear of terrorism and a desire to cooperate with law enforcement have led many corporate insiders to pony up sensitive information on their customers to anyone with a badge... with no court order required.
http://online.securityfocus.com/columnists/132

4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only global early-warning system for cyber attacks - SecurityFocus DeepSight Threat Management System.
Click here for more information:

5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster vendor expo; the CISO Executive Summit; invaluable networking opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
Microsoft Windows ships with a component called 'Windows File Protection' (WFP) that verifies the digital signatures applied to system files and third-party code. A vulnerability in Windows File Protection has been reported that may result in the re-introduction of vulnerable files after fixes/patches have replaced them. According to the report, Security Catalogs containing the hashes of old files are kept in %WinDir%\System32\CatRoot after the patches/fixes that replace those files have been deployed. If the patched files are somehow overwritten with the old, vulnerable versions, Windows File Protection will not detect the old files as invalid, because the catalog containing their hashes still exists. This may allow attackers to re-introduce vulnerable executables/files onto a system and then exploit them.
2. Sun Solaris RPC AUTH_DES Privilege Escalation Vulnerability
BugTraq ID: 6484
Sun has reported a privilege escalation vulnerability for some versions of Solaris. The vulnerability occurs when certain RPC requests are made. Specifically, the vulnerability exists for some RPC requests that involve AUTH_DES authentication. This vulnerability can be exploited by local or remote attackers to obtain access to systems with elevated privileges. In some cases it is possible for attackers to obtain root privileges. This vulnerability has been reported to affect Sun Solaris 2.5.1 to 7.
3. Typespeed Local Buffer Overflow Vulnerability
BugTraq ID: 6485
Typespeed is a game designed to test typing skills. It is available for the Linux operating system. Typespeed is installed setgid 'games' by default on the Debian Linux distribution. A vulnerability has been discovered in Typespeed. It is possible to trigger a buffer overflow in Typespeed by passing excessive data as a user-supplied parameter. By exploiting this issue to overwrite sensitive locations in memory it may be possible for a local attacker to execute commands with elevated privileges. The precise technical details regarding this vulnerability are not yet known. This BID will be updated as further information becomes available.
4. SkyStream Edge Media Router-5000 Local Buffer Overflow Vulnerability
BugTraq ID: 6486
SkyStream Edge Media Router-5000 (EMR5000) is a satellite network connection router. It provides remote administration capabilities through telnet or optionally a web interface. The EMR5000 is prone to a buffer overflow. This vulnerability may be exploited from the client shell (accessible via telnet) by an authenticated user.
It is possible to trigger this condition by supplying an overly long string to the command line, which will cause sensitive regions of memory
5. monopd Remote Buffer Overflow Vulnerability
BugTraq ID: 6487
monopd is a game server for Monopoly-like board games. It is designed for use with Linux variant operating systems. A buffer overflow vulnerability has been reported for monopd. The vulnerability occurs due to improper use of the vsprintf() function. An attacker can exploit this vulnerability by supplying an overly long command to the monopd server. This will trigger the buffer overflow condition and result in the process corrupting memory with attacker-supplied values. This vulnerability was reported for monopd 0.6.1 and earlier.
6. PHP wordwrap() Heap Corruption Vulnerability
BugTraq ID: 6488
PHP is a freely available, open source web scripting language package. It is available for Microsoft Windows, Linux, and Unix operating systems. A vulnerability has been discovered in the wordwrap() function, which is a built-in PHP function. Under some circumstances it may be possible to trigger a heap corruption bug when supplying input to a script which uses the vulnerable wordwrap() function. This issue exists due to insufficient allocation of memory used to store wrapped text. Memory corrupted through the wordwrap() function may later be referenced by the web server calling the vulnerable script. An attacker may be able to exploit this issue to overwrite a malloc header stored in the heap. This may cause an arbitrary word in memory to be overwritten when the corrupted chunk is released with the free() function. By replacing a Global Offset Table entry with an address pointing to attacker-supplied data, it may be possible for the attacker to execute malicious instructions. Any code executed will be run with the privileges of the web server that ran the vulnerable script.
7. Gallery Remote Code Execution Vulnerability
BugTraq ID: 6489
Gallery is an open source web based photo album. It is written in PHP and is available for Linux and Unix variants as well as Microsoft Windows operating systems. A new feature supporting the Windows XP publishing subsystem in Gallery 1.3.2 has introduced a security vulnerability nearly identical to that described in BID 5375. The PHP script 'publish_xp_docs.php' attempts to include a file, 'init.php', from a path constructed using an uninitialized PHP variable. Malicious remote clients may pass a value for that variable, specifying a remote server as the location of the include file. By doing so, attackers may force a remote server to execute arbitrary PHP code with the privileges of the webserver.
8. Leafnode Resource Exhaustion Denial Of Service Vulnerability
BugTraq ID: 6490
Leafnode is a USENET proxy server intended for sites with a small number of readers. A denial of service vulnerability has been reported for Leafnode. The vulnerability occurs when Leafnode tries to retrieve certain news postings. Specifically, Leafnode will consume all available CPU resources when it tries to retrieve messages that have been cross-posted to several groups. An attacker can exploit this vulnerability by cross-posting to several newsgroups where some group names are prefixes of others. When Leafnode attempts to retrieve these news articles by message-id, the Leafnode nntpd server will go into an infinite loop and consume all CPU resources, thereby leading to a denial of service condition. This vulnerability affects Leafnode 1.9.20 to 1.9.29. The default installation of Leafnode is not affected by this vulnerability.
9. Web-cyradm Remote Denial of Service Vulnerability
BugTraq ID: 6491
Web-cyradm is a management tool written in PHP. It is used with a mail system built on Cyrus IMAP and Postfix. It is available for the Unix and Linux operating systems. A vulnerability has been discovered in Web-cyradm. A denial of service may be triggered when attempting to administer a domain while the necessary IMAP daemon is not running. If this situation occurs the Web-cyradm process will enter an infinite loop, generating errors. This issue occurs due to invalid checks for a running IMAP daemon by the browseaccounts.php, deleteaccount.php, and newaccount.php PHP scripts. By exploiting this vulnerability it may be possible to consume network resources, causing legitimate requests to be denied. Under some circumstances it may also cause the system to crash due to excessive CPU utilization.
PlatinumFTPserver is an FTP server available for Microsoft Windows operating systems. It has been reported that PlatinumFTPserver fails to properly sanitize some FTP commands. An attacker is able to traverse outside of the established FTP root by using dot-dot-slash (../) directory traversal sequences in conjunction with some FTP commands. Specifically, the attacker can use the DIR FTP command to obtain information about potentially sensitive files located on a vulnerable system outside of the FTP root directory. Disclosure of sensitive system information may aid the attacker in launching further attacks against the target system. This vulnerability was reported for PlatinumFTPserver 1.0.6. It is not known whether other versions are affected.

PlatinumFTPserver is an FTP server available for Microsoft Windows operating systems. It has been reported that PlatinumFTPserver fails to properly sanitize some FTP commands. An attacker is able to traverse outside of the established FTP root by using dot-dot-slash (../) directory traversal sequences in conjunction with some FTP commands. Specifically, the attacker can use the DELETE FTP command to delete arbitrary files outside of the FTP root directory. This may be exploited by the attacker to render a system completely unusable. This vulnerability was reported for PlatinumFTPserver 1.0.6. It is not known whether other versions are affected.

PlatinumFTPserver is an FTP server available for Microsoft Windows operating systems. It has been reported that PlatinumFTPserver fails to properly sanitize FTP commands. By sending a malicious request to the vulnerable server, using directory traversal sequences, it is possible for a remote attacker to cause a denial of service condition. An attacker can exploit this vulnerability by using specially crafted dot-dot-slash (../) directory traversal sequences in conjunction with the CD FTP command to cause a denial of service. Restarting the vulnerable service will be necessary to restore functionality. This vulnerability was reported for PlatinumFTPserver 1.0.6. It is not known whether other versions are affected.
Microsoft Visual SourceSafe is software to manage development projects in any programming language. Microsoft Visual SourceSafe performs validation of permissions for access control for projects on the client side, instead of on the server side. This poses a security threat because a malicious client user may potentially circumvent these security measures to gain unauthorized access to protected files within a project. The only way to restrict access on the server side is to set NTFS permissions, but these permissions must reportedly be applied to an entire project and not individual project files or folders. If an attacker can exploit this weakness, it will be possible to gain unauthorized access to restricted files within projects that the attacker has access to. As a consequence, it may be possible for a malicious user to view or modify sensitive data in project files. This has the potential to violate security policy for development projects.
PEEL is a catalog management system implemented in PHP. PEEL is prone to an issue which may allow remote attackers to include arbitrary files located on remote servers. This issue is present in the 'modeles/haut.php' script included with PEEL. An attacker may exploit this by supplying a path to a maliciously created file, located on an attacker-controlled host as a value for the '$dirroot' or '$SESSION' parameters. If the remote file is a PHP script, this may allow for execution of attacker-supplied PHP code with the privileges of the webserver. Successful exploitation may provide local access to the attacker. This vulnerability was reported for PEEL 1.0b. It is not known whether earlier versions are affected.
Perl-HTTPd is a web server implemented in Perl. It has been reported that Perl-HTTPd fails to properly sanitize some web requests. By exploiting this issue, an attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any web server readable files from outside of the web root directory. Disclosure of sensitive system files may aid the attacker in launching further attacks against the target system. This vulnerability was reported for Perl-HTTPd 1.0 and 1.0.1.
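The containment check that the PlatinumFTPserver and Perl-HTTPd items above describe as missing, as an added Python example (not code from either project): it resolves a client-supplied path against a virtual root and refuses any request that would climb above it. The command names and sample requests are constructed for illustration.

```python
"""Path containment for a virtual root (an FTP root or a web root).

Added example, not code from PlatinumFTPserver or Perl-HTTPd: the check the
advisories above say those servers lack, so '../' (or '..\\' on Windows)
in a DIR, DELETE, CD or GET argument cannot reach outside the root.
"""
import os
from typing import Optional, Tuple

def resolve_virtual(cwd: str, requested: str) -> Optional[str]:
    """Resolve `requested` against the client's virtual working directory.

    Returns an absolute *virtual* path ('/' is the FTP or web root), or None
    if any '..' would climb above that root. Normalisation is done by hand:
    os.path.normpath silently clamps '/../x' to '/x', which would hide the
    attempt instead of rejecting it.
    """
    path = requested.replace("\\", "/")              # Windows separators too
    parts = [] if path.startswith("/") else [s for s in cwd.split("/") if s]
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                                 # '//' and '/./' are no-ops
        if seg == "..":
            if not parts:
                return None                          # would escape the root
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def to_disk_path(root: str, virtual: str) -> str:
    """Map a vetted virtual path onto the real filesystem under `root`.

    The commonpath test is an independent second guard: even if a caller
    passes an unvetted string, nothing outside `root` is ever returned.
    """
    root = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root, virtual.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{virtual!r} resolves outside {root!r}")
    return target

# Client-side names used in the advisories (DIR, DELETE, CD) plus the protocol
# verbs they map to; every verb that takes a path goes through the check.
PATH_COMMANDS = {"CWD", "CD", "LIST", "DIR", "RETR", "GET", "DELE", "DELETE"}

def vet_command(cwd: str, line: str) -> Tuple[str, Optional[str]]:
    """Return (VERB, virtual_path) for one command line; virtual_path is None
    when the request must be refused. Verbs without a path pass through."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in PATH_COMMANDS:
        return verb, cwd
    return verb, resolve_virtual(cwd, arg or ".")

if __name__ == "__main__":
    # Constructed requests from a client whose virtual cwd is /pub.
    for line in ("DIR ../../outside", "CD ..\\..\\..", "DELETE ../pub/old.txt",
                 "GET docs/../readme.txt", "CD /pub/../../x"):
        verb, result = vet_command("/pub", line)
        print(f"{line:26} -> {'REFUSED' if result is None else result}")
```

Note that `../pub/old.txt` from `/pub` is accepted: the check rejects escapes from the root, not every use of `..`, so legitimate relative paths keep working.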
ShadowJAAS is authentication software that allows users to authenticate to Java applications using a local Linux user account with a shadowed password. ShadowJAAS is prone to a design error that may cause user credentials to be disclosed to other local users. Vulnerable versions of ShadowJAAS require that username and password credentials are passed via the command line instead of through standard input when a user authenticates. As a result, this information may be accessible to other local users through various means (such as the 'ps' utility).

III. SECURITYFOCUS NEWS AND COMMENTARY
The end of standard mass mailing worms is nigh - maybe as soon as before the end of 2003. But their replacements - Trojans and Spyware - are much, much worse.
http://online.securityfocus.com/news/1962

2. US military medical records stolen in burglary
By John Leyden, The Register
The medical and social security records of more than 500,000 retired and serving US military personnel were stolen in a break-in last month. Sensitive information, including names, addresses, social security numbers, and some claims information with diagnoses of US servicemen, was obtained when thieves stole computers from the corporate offices of TriWest Healthcare Alliance in Phoenix, Arizona on December 14.
http://online.securityfocus.com/news/1963
3. FBI Arrests Russian Student Accused of Stealing Secret DirecTV Documents
The FBI arrested a Russian college student Thursday who was accused of stealing and distributing hundreds of secret documents about new anti-piracy technology from DirecTV Inc., the nation's leading satellite television company. http://online.securityfocus.com/news/1960
4. Unhappy new Yaha
A new version of the Yaha mass mailing email worm has been released, ready to trip up the unwary on their return to work next week.
http://online.securityfocus.com/news/1946

IV. SECURITYFOCUS TOP 6 TOOLS
Dumpwin is a Windows data gathering tool, which includes the functionality of the tool DumpACL. In addition, DumpWin also gathers information about the system, users, groups, drives, shares, running processes, installed software, installed hardware, services, open ports, etc. It also dumps the ACLs of user-specified files/folders and registry keys. It is useful for auditors to dump all relevant data from a Windows system.
2. pfstats v0.1
pfstats is a simple external script to MRTG, which generates statistics taken from the pfctl(8) logfile. The statistics represent the number of blocked incoming connections.
3. Nate Kohari's regular expression pipe v1.32
by Nate Kohari
RE is a simple utility designed to aid in the management of files. Given a directory name, a regular expression, and a regular shell command, it will parse the filenames in the specified directory, matching them against the regular expression, and then execute the command once for each matched file using the filename as a parameter. It was originally designed to mass-rename MP3 files based on part of the original filenames.
4. HotSaNIC v0.5.0-pre3
HotSaNIC is a Web-based information center for Unix-based systems. It gives you a graphical overview of certain network and system statistics. HotSaNIC is programmed (mainly in Perl 5) in a modular way to give you great flexibility in which items you use, and it can be extended with further modules written by yourself or others.
5. AlarmMon v0.35
AlarmMon is an alarm monitoring system for TCP/IP networks. It consists of an "alarm" client, an "alarmsvr" server, and several agents that work with a central registration database. It can track the status of various services, including BIND, Sendmail, and modems, and send notifications by email, SMS, or pager.
6. Jay's Iptables Firewall v0.8.1.1 (dev)
by Jerome Nokin
Jay's Iptables Firewall is a script with support for multiple
V. SECURITY JOBS SUMMARY
http://online.securityfocus.com/archive/77/305052

2. ISS Certified Expert. Contract role in Middle East. January start. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/305013
3. Dror shalev (Thread)
http://online.securityfocus.com/archive/77/305011

4. Malcode Analyst -- Sydney, Australia (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/304794
5. Resume Submit - relocation (Thread)
http://online.securityfocus.com/archive/77/304741

6. ArcSight in Sunnyvale, California - Open jobs (Thread)
Relevant URL:
http://online.securityfocus.com/archive/77/304728

VI. INCIDENTS LIST SUMMARY
http://online.securityfocus.com/archive/75/305038

2. RPAT - Realtime Proxy Abuse Triangulation (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/305031

3. Mysterious "Support" account created on Win2k server (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/305016
4. PDL anti-spam blacklist (Thread)
http://online.securityfocus.com/archive/75/305005

5. Abnormally high Sub-Seven attack rate increase (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/304997

6. What constitutes authorized server access? - was Re: RPAT - Realtime Proxy Abuse Triangulation (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/304999

7. MS IIS 5 server is hacked leaving undeletable folders and files (Thread)
Relevant URL:
http://online.securityfocus.com/archive/75/304998
8. NC_S_ISLCK? (Thread)
http://online.securityfocus.com/archive/75/304958
9. Virus? Trojan? (Thread)
http://online.securityfocus.com/archive/75/304966
http://online.securityfocus.com/archive/75/304682
http://online.securityfocus.com/archive/75/304576

VII. VULN-DEV RESEARCH LIST SUMMARY
http://online.securityfocus.com/archive/82/304604

2. Query: BID 6273: PortailPhp SQL Injection Vulnerability. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/82/304583

VIII. MICROSOFT FOCUS LIST SUMMARY
http://online.securityfocus.com/archive/88/305008

2. SecurityFocus Microsoft Newsletter #119 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/304736

3. MDAC 2.7 SP1 now available as a standalone install (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/304675

IX. SUN FOCUS LIST SUMMARY
http://online.securityfocus.com/archive/91/304877

2. RE : quotas on Redhat 7.3 problem (Thread)
Relevant URL:
http://online.securityfocus.com/archive/91/304596

XI. SPONSOR INFORMATION

This Issue is Sponsored by GuardedNet - Transforming Security Data into Knowledge

Received on Mon Jan 6 14:15:37 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:34 EDT