ISS X-Force: The Most Wanted Alert List

Alert Summaries

ISS Security Alert Summary
March 11, 1998
Volume 2 Number 3

X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an e-mail to [11]majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

4 Reported Vulnerabilities
 - Sun-dtaction
 - Linux-quake2
 - BSD-mmap
 - BSD-sourceroute

2 Updates
 - Sun-vacation
 - SCO-land

2 Reported Incidents
 - Wide Spread Teardrop Attacks
 - Pentagon Hacked

Risk Factor Key

___

Date Reported: 3/4/98
Vulnerability: Sun-dtaction
Platforms Affected: Solaris (2.4, 2.5, 2.5.1, 2.6)
Risk Factor: High

The "dtaction" utility allows applications or shell scripts that are otherwise not connected to the CDE development environment to invoke action requests. "dtaction" contains a vulnerability that allows an attacker to overwrite stack space of dtaction and gain unauthorized root-level access.

References:
[24]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-164.txt
[25]http://www.ciac.org/ciac/bulletins/i-032.shtml

___

Date Reported: 2/25/98
Vulnerability: Linux-quake2
Platforms Affected: Linux (3.13 and below with Quake2 installed)
Risk Factor: Medium

Quake 2 is a game that is installed setuid root under Linux 3.13 and below. It contains vulnerabilities that allow users to read arbitrary files and gain root-level access. Systems with Quake 2 installed should remove the setuid bit from the Quake 2 binary.

References:
[28]http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=2157
[29]http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=1911

___

Date Reported: 2/20/98
Vulnerability: BSD-mmap
Platforms Affected: OpenBSD (2.2 and below), FreeBSD (2.2.5 and below), BSDI (3.0)
Risk Factor: High

The mmap() system call is used to map files into a memory address space. In some 4.4 BSD derived operating systems, such as FreeBSD, NetBSD, OpenBSD, and BSDI, a vulnerability exists within this system call that allows a user in a privileged group (kmem) to become root. This vulnerability also allows a root user to modify the securelevel of a system. This setting normally prevents everyone, even root users, from making some security-critical modifications to a normal system.

Reference:
[32]http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=3208

___

Date Reported: 2/15/98
Vulnerability: BSD-sourceroute
Platforms Affected: OpenBSD (2.2 and below), FreeBSD (2.2.5 and below), FreeBSD (2.2-current before 1998/02/16), FreeBSD-stable (before 1998/02/23)
Risk Factor: High

4.4 BSD derived operating systems allow kernel state variables to be changed via the "sysctl" command. "sysctl" is used to define whether a system accepts source routed packets, via the variable "net.inet.ip.dosourceroute". The variable is set to "0" by default, which means "do not perform IP source routing". Secure Networks Inc. has found that it is possible to send source routed packets to these systems even when the flag is set to "0".

Reference:
[35]http://www.openbsd.org/advisories/sourceroute

___

Date: 3/4/98 (SNI Vacation Advisory)
Update: Sun-vacation
Vendor: Sun Microsystems, Inc.
Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1, 2.6)

Sun has released patches for the vacation vulnerability reported in September, 1997. The vacation program is used to automatically reply to incoming e-mail, for example with "out of office" replies. The vacation program contains a vulnerability that allows remote users to obtain access to the account running vacation.

References:
[38]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-163.txt
[39]http://www.ciac.org/ciac/bulletins/i-032.shtml
[40]ftp://ftp.secnet.com/advisories/SNI-18.VACATION.advisory

___

Date: 2/24/98 (CERT Advisory CA-97.28)
Update: SCO-land
Vendor: SCO
Platforms: SCO Open Desktop/Open Server (Release 3.0), SCO CMW+ (3.0), SCO OpenServer (Release 5.0), SCO UnixWare (2.1)

SCO has released patches for the land attack. This attack can lock up or "freeze" many different operating systems as well as network hardware. In this attack, the attacker sends a SYN packet, the packet type normally used to open a connection, to the targeted host.

References:
[43]ftp://ftp.sco.com/SSE/sse010.ltr
[44]ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land

___

Date Reported: 3/3/98
Incident: Widespread Windows DOS Attacks

Attackers launched a widespread Teardrop/Bonk/Boink type of attack that crashed a large number of Windows 95 and Windows NT systems across the Internet. The attack uses a malformed UDP packet to 'blue screen' Windows NT and Windows 95 systems.

References:
[47]http://www.microsoft.com/security/netdos.htm
[48]http://cnn.com/TECH/computing/9803/04/internet.attack.ap/
[49]http://www.ciac.org/ciac/bulletins/i-031a.shtml

___

Date Reported: 2/25/98
Incident: Pentagon Hacked

Hackers penetrated unclassified computers at the Pentagon in what was said to be an organized and systematic attack. Two teenagers in California were raided and linked to the attacks. An Israeli hacker says that he is the ring leader of the group that hacked numerous Department of Defense computers.
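The BSD-sourceroute and SCO-land entries above both concern packets a host should refuse regardless of how its sysctl knobs are set: source-routed datagrams, and a SYN whose source address and port equal its destination address and port (the LAND condition). As an added illustration that is not part of this ISS summary and not ISS or vendor code, the Python below parses raw IPv4 packets, flags the RFC 791 loose/strict source route options (LSRR/SSRR) while tolerating truncated option fields, and flags the LAND condition; the sample packets and their RFC 5737 documentation addresses are constructed here for the example.

```python
import struct

IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89   # RFC 791 loose / strict source route option codes
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ipv4(pkt):
    """Split a raw IPv4 packet into (src, dst, proto, options, payload)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return src, dst, proto, pkt[20:ihl], pkt[ihl:total]

def source_route_options(options):
    """Walk the IP options field and return the codes of any LSRR/SSRR options present."""
    found, i = [], 0
    while i < len(options) and options[i] != 0:       # 0 = end of option list
        if options[i] == 1:                            # 1 = NOP, a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                      # truncated or bogus length: stop
        if options[i] in (IPOPT_LSRR, IPOPT_SSRR):
            found.append(options[i])
        i += options[i + 1]
    return found

def is_land_packet(parsed):
    """LAND: a TCP SYN (no ACK) whose source IP:port equals its destination IP:port."""
    src, dst, proto, _, payload = parsed
    if proto != 6 or len(payload) < 14:
        return False
    sport, dport = struct.unpack("!HH", payload[:4])
    flags = payload[13]
    return src == dst and sport == dport and bool(flags & TCP_SYN) and not flags & TCP_ACK

def build_ipv4(src, dst, proto, payload, options=b""):
    options += b"\x00" * (-len(options) % 4)          # constructed packet; options padded to 4 bytes
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + options + payload                     # header checksum left zero

# Constructed samples (RFC 5737 addresses): a LAND SYN to port 139, and a UDP datagram with an LSRR option.
HOST = bytes([192, 0, 2, 10])
SYN = struct.pack("!HHIIBBHHH", 139, 139, 0, 0, 0x50, TCP_SYN, 8192, 0, 0)
LAND_PKT = build_ipv4(HOST, HOST, 6, SYN)
LSRR_PKT = build_ipv4(bytes([198, 51, 100, 7]), HOST, 17, b"\x00" * 8,
                      options=bytes([IPOPT_LSRR, 7, 4, 203, 0, 113, 1]))
```

Run against captured traffic, a non-empty result from source_route_options() on a host whose net.inet.ip.dosourceroute is "0" is exactly the condition the SNI advisory describes, and is worth logging whether or not the kernel honours the route.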
References:
[52]http://cnn.com/TECH/computing/9802/25/pentagon.cyberattack/
[53]http://www.wired.com/news/news/technology/story/10730.html

___

Risk Factor Key:

High: Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium: Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which could contain an account with a guessable password.

Low: Any vulnerability that provides information that could potentially lead to a compromise. Example: A finger service that allows an intruder to find out who is online and which accounts exist, so that password cracking via brute-force methods can be attempted.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading supplier of network security assessment and intrusion detection tools, providing comprehensive software that enables organizations to proactively manage and minimize their network security risks. For more information, contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS Web site at [56]http://www.iss.net.

___

Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail [59]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: [60]http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.

Copyright ©1994-1998 Internet Security Systems, Inc. All Rights Reserved.
Sales Inquiries: [71]sales@iss.net
6600 Peachtree-Dunwoody Rd · Bldg 300 · Atlanta, GA 30328
Phone (678) 443-6000 · Fax (678) 443-6477

References

1. http://xforce.iss.net/news.php3
2. http://xforce.iss.net/seriousfun/
3. http://xforce.iss.net/maillists/
4. http://xforce.iss.net/library/
5. http://xforce.iss.net/protoworx/
6. http://xforce.iss.net/alerts/
7. http://xforce.iss.net/submission.php3
8. http://xforce.iss.net/feedback.php3
9. http://xforce.iss.net/search.php3
10. http://www.iss.net/xforce
11. mailto:majordomo@iss.net
12. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
13. http://xforce.iss.net/alerts/alerts.php3
14. http://xforce.iss.net/alerts/vol-2_num-3.php3#Sun-dtaction
15. http://xforce.iss.net/alerts/vol-2_num-3.php3#Linux-quake2
16. http://xforce.iss.net/alerts/vol-2_num-3.php3#BSD-mmap
17. http://xforce.iss.net/alerts/vol-2_num-3.php3#BSD-sourceroute
18. http://xforce.iss.net/alerts/vol-2_num-3.php3#Sun-vacation
19. http://xforce.iss.net/alerts/vol-2_num-3.php3#SCO-land
20. http://xforce.iss.net/alerts/vol-2_num-3.php3#Wide Spread Teardrop Attacks
21. http://xforce.iss.net/alerts/vol-2_num-3.php3#Pentagon Hacked
22. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
23. http://xforce.iss.net/alerts/alerts.php3
24. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-164.txt
25. http://www.ciac.org/ciac/bulletins/i-032.shtml
26. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
27. http://xforce.iss.net/alerts/alerts.php3
28. http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=2157
29. http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=1911
30. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
31. http://xforce.iss.net/alerts/alerts.php3
32. http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=3208
33. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
34. http://xforce.iss.net/alerts/alerts.php3
35. http://www.openbsd.org/advisories/sourceroute
36. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
37. http://xforce.iss.net/alerts/alerts.php3
38. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-163.txt
39. http://www.ciac.org/ciac/bulletins/i-032.shtml
40. ftp://ftp.secnet.com/advisories/SNI-18.VACATION.advisory
41. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
42. http://xforce.iss.net/alerts/alerts.php3
43. ftp://ftp.sco.com/SSE/sse010.ltr
44. ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
45. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
46. http://xforce.iss.net/alerts/alerts.php3
47. http://www.microsoft.com/security/netdos.htm
48. http://cnn.com/TECH/computing/9803/04/internet.attack.ap
49. http://www.ciac.org/ciac/bulletins/i-031a.shtml
50. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
51. http://xforce.iss.net/alerts/alerts.php3
52. http://cnn.com/TECH/computing/9802/25/pentagon.cyberattack
53. http://www.wired.com/news/news/technology/story/10730.html
54. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
55. http://xforce.iss.net/alerts/alerts.php3
56. http://www.iss.net/
57. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
58. http://xforce.iss.net/alerts/alerts.php3
59. mailto:xforce@iss.net
60. http://www.iss.net/xforce/sensitive.html
61. http://xforce.iss.net/news.php3
62. http://xforce.iss.net/seriousfun/
63. http://xforce.iss.net/maillists/
64. http://xforce.iss.net/library/
65. http://xforce.iss.net/protoworx/
66. http://xforce.iss.net/alerts/
67. http://xforce.iss.net/submission.php3
68. http://xforce.iss.net/feedback.php3
69. http://xforce.iss.net/search.php3
70. http://xforce.iss.net/about.php3
71. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
72. http://xforce.iss.net/privacy.php3