ISS Security Alert Summary
August 14, 1998
Volume 2 Number 9

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

5 Reported Vulnerabilities
 - BO-backdoor
 - Sun-libauth
 - OpenBSD-chpass
 - Notes-retrieve
 - Exchange-DoS

Risk Factor Key

___

Date Reported: 8/6/98
Vulnerability: BO-backdoor
Platforms Affected: Windows 95
Risk Level: High

A hacker group known as the Cult of the Dead Cow has released a Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed, this backdoor lets unauthorized users execute privileged operations on the affected machine. Back Orifice leaves evidence of its existence and can be detected and removed. The communications protocol and encryption used by this backdoor have been broken by ISS X-Force.

Reference:
ISS Security Alert Advisory: "Cult of the Dead Cow Back Orifice Backdoor" at http://www.iss.net/xforce/alerts/advise5.html

___

Date Reported: 8/4/98
Vulnerability: Sun-libauth
Platforms Affected: Solaris (2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6)
Risk Level: High

Two buffer overflows have been found in Sun Microsystems' libauth library that could allow a local user to overwrite the buffer and execute commands. Depending on the system's configuration, it could be possible for the attacker to gain root access.

Reference:
RSI Alert Advisory RSI.0007.05-26-98.SUN.LIBAUTH: "Sun Microsystem's library libauth" at http://www.repsec.com/advisory/0007.html

___

Date Reported: 8/3/98
Vulnerability: OpenBSD-chpass
Platforms Affected: OpenBSD (2.3 and below)
Risk Level: High

The chpass command lets unprivileged users edit database information associated with their account. A vulnerability in chpass could allow an attacker to change the account information associated with the root account and gain superuser access.

Reference:
Network Associates, Inc. Security Advisory #28: "Vulnerability in OpenBSD 2.3 chpass(1)" at http://www.nai.com

___

Date Reported: 7/31/98
Vulnerability: Notes-retrieve
Platforms Affected: Lotus Notes 4.6+
Risk Level: High

The L0pht has released an advisory concerning a vulnerability in the Lotus Notes 4.6 client. This vulnerability could allow a remote attacker to create files, overwrite files, and retrieve databases. Some Lotus Notes databases contain sensitive company information, and their disclosure would be a major security breach.

Reference:
L0pht Security Advisory: "Application: Notes 4.6+ Client: Users can overwrite/create system files" at http://www.l0pht.com/advisories/nny.txt

___

Date Reported: 7/24/98
Vulnerability: Exchange-DoS
Platforms Affected: Microsoft Exchange (5.0 to 5.5)
Risk Level: High

A vulnerability has been found that would allow an attacker to disrupt an organization by crashing Microsoft Exchange Server over the network. This attack will stop e-mail and other services that Exchange provides for the organization.

References:
ISS Security Alert Advisory: "Denial of Service attacks against Microsoft Exchange 5.0 to 5.5" at http://www.iss.net/xforce/alerts/advise4.html
CIAC Information Bulletin I-080: "Microsoft Exchange Denial of Service Attacks" at http://www.ciac.org/ciac/bulletins/i-080.shtml

___

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium  Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low     Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger service that allows an intruder to find out who is online and identify potential accounts against which to attempt brute-force password cracking.

Internet Security Systems, Inc. is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provides protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse and security policy violations. The Company has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, 9 of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

___

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.