ISS X-Force
The Most Wanted Alert List

Alert Summaries

ISS Security Alert Summary
May 15, 1999
Volume 3 Number 10

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

14 Reported Vulnerabilities
- oracle-unix-symlinks
- novell-tts-dos
- inn-innconf-env
- inn-pathrun
- sol-lpset
- cde-dtprintinfo
- iis-samples
- http-alibaba-dotdot
- netscape-dirsvc-password
- servu-command-bo
- oracle-oratclsh
- linux-coas
- ie-dhtml-control
- netbsd-svr4

Risk Factor Key

___

Date Reported: 1999-05-07
Vulnerability: oracle-unix-symlinks
Platforms Affected: Oracle 8
Risk Factor: High

Several vulnerabilities have been discovered in the Oracle8i and Oracle8 enterprise database system under Unix operating systems. These vulnerabilities could allow local attackers to exploit Oracle support programs to compromise the 'oracle' user account. With the privileges of the oracle user account, the attacker could take complete control of databases and the information contained therein.

Reference:
ISS Security Advisory: "Multiple File System Vulnerabilities in Oracle 8" at:
http://www.iss.net/xforce/alerts/advise26.html

___

Date Reported: 1999-05-12
Vulnerability: novell-tts-dos
Platforms Affected: Novell NetWare (4.11)
Risk Factor: Medium

The Transaction Tracking System (TTS) is used by Novell NetWare to help preserve the integrity of data during a system crash.
A flaw in how the server handles excessive concurrent requests could allow an attacker to crash multiple Novell servers within a short period of time.

Reference:
Nomad Mobile Research Centre Advisory: "Netware 4.x Transaction Tracking System" at:
http://www.nmrc.org/news/tts.txt

___

Date Reported: 1999-05-11
Vulnerability: inn-innconf-env
Platforms Affected: INN (2.x)
Risk Factor: High

The inndstart program under INN 2.0 and above accepts the INNCONF environment variable as the location for its configuration file. A local attacker can specify a trojaned configuration file in this variable and cause the inndstart program to execute arbitrary commands, possibly with root privileges.

Reference:
BUGTRAQ Mailing List: "INN 2.0 and higher. Root compromise potential" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9905b&L=bugtraq&F=&S=&P=2900

___

Date Reported: 1999-05-11
Vulnerability: inn-pathrun
Platforms Affected: INN (2.x)
Risk Factor: High

In INN 2.0 and above, the privileges under which inndstart runs are determined by a directory specified inside the inn.conf file as pathrun. It is therefore possible for the 'news' user to execute arbitrary commands as any other user on the system, including root. An attacker must first compromise the news account before being able to gain extra privileges.

Reference:
BUGTRAQ Mailing List: "INN 2.0 and higher. Root compromise potential" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9905b&L=bugtraq&F=&S=&P=2900

___

Date Reported: 1999-05-11
Vulnerability: sol-lpset-bo
Platforms Affected: Solaris (2.x)
Risk Factor: High

A vulnerability has been discovered in the Solaris 2.x (both x86 and Sparc) 'lpset' program. A buffer overflow within this utility could allow a local attacker to execute arbitrary code with root privileges.
Reference:
BUGTRAQ Mailing List: "Solaris2.6 and 2.7 lpset overflow" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R2017

___

Date Reported: 1999-05-10
Vulnerability: cde-dtprintinfo
Platforms Affected: Solaris (2.x)
Risk Factor: High

A buffer overflow has been discovered in the dtprintinfo application distributed with some systems. This vulnerability could allow a local attacker to execute arbitrary code with root privileges on the system.

Reference:
BUGTRAQ Mailing List: "Solaris2.6,2.7 dtprintinfo exploits" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9905B&L=bugtraq&P=R1173

___

Date Reported: 1999-05-07
Vulnerability: iis-samples
Platforms Affected: IIS (4.0)
Risk Factor: Medium

Several of the sample ASP applications distributed with Microsoft IIS 4.0 and SiteServer 3.x contain vulnerabilities. Flaws in showcode.asp, viewcode.asp, and codebrws.asp could allow a remote attacker to view any file on the server.

Reference:
L0pht Security Advisory: "Microsoft IIS 4.0 Web Server" at:
http://www.l0pht.com/advisories/showcode.txt

___

Date Reported: 1999-05-12
Vulnerability: http-alibaba-dotdot
Platforms Affected: Alibaba Web Server
Risk Factor: Medium

Alibaba is a commercial HTTP server for Windows 9x/NT manufactured by CSM. A vulnerability has been found which allows a remote user to traverse the server's filesystem outside the server's document root by issuing GETs with '..' in them. This could allow any file to be read remotely by an attacker; if directory browsing is enabled, the attacker doesn't have to have prior knowledge of file names to exploit this flaw.
Reference:
NTBUGTRAQ Mailing List: "hole in Alibaba 2.0" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=ntbugtraq&F=P&S=&P=3407

___

Date Reported: 1999-05-03
Vulnerability: netscape-dirsvc-password
Platforms Affected: Netscape Directory Server
Risk Factor: High

A problem has been discovered within the Netscape Directory Server install procedure (for at least the UNIX version) which could expose sensitive information to local users. The install leaves a server configuration file with a plaintext 'admin' password world-readable within the server's directory. Any local user can read this file and gain all the privileges associated with the admin account.

Reference:
Packet Storm Security Archive: "bug/Netscape-DirectoryServer4" at:
http://www.Genocide2600.com/~tattooman/exploits-May-99/netscape.directory.server.4.txt

___

Date Reported: 1999-05-03
Vulnerability: servu-command-bo
Platforms Affected: Serv-U FTP Server
Risk Factor: Medium

Serv-U is a commercial FTP server designed for Windows NT environments. A vulnerability exists in how the server handles commands issued to it with excessively long arguments, which could cause the server to crash. This bug does not relinquish any privileges to a remote attacker, but could allow them to deny service to legitimate users.

Reference:
NTBUGTRAQ Mailing List: "Buffer overflows in FTP Serv-U 2.5" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9905&L=ntbugtraq&F=P&S=&P=316

___

Date Reported: 1999-04-29
Vulnerability: oracle-oratclsh
Platforms Affected: Oracle (8.x)
Risk Factor: High

The Oracle 8.x Intelligent Agent for Unix installs a program called 'oratclsh' which is suid root. This program allows full access to the Tcl interpreter, and as such can be used by any local user to execute arbitrary commands with root privileges.
Reference:
BUGTRAQ Mailing List: "*Huge* security hole in Oracle 8.0.5 with Intellegent agent installed" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904E&L=bugtraq&P=R1249

___

Date Reported: 1999-04-27
Vulnerability: linux-coas
Platforms Affected: Linux: Caldera
Risk Factor: Medium

The Caldera Open Administration System (COAS) contains a vulnerability that could inadvertently make the '/etc/shadow' file world-readable. While this hole does not directly lead to any unauthorized access, it does negate the benefits of a shadowed passwd file scheme and allows attackers to crack passwords offline at their leisure.

Reference:
Caldera Systems, Inc. Security Advisory CSSA-1999:009.0: "COAS" at:
http://www.calderasystems.com/news/security/CSSA-1999:009.0.txt

___

Date Reported: 1999-04-21
Vulnerability: ie-dhtml-control
Platforms Affected: Internet Explorer
Risk Factor: Medium

The DHTML Edit Control is an ActiveX control that allows users to edit HTML and render it as it would be seen in a regular browser. This feature is installed by default with Internet Explorer 5 and can be downloaded separately for 4.0. A vulnerability has been discovered in this feature which could allow a malicious web site to manipulate the browser into reading arbitrary files from the system.

Reference:
NTBUGTRAQ Mailing List: "DHTML Edit control IE 5 vulnerabilities." at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=4732

___

Date Reported: 1999-04-20
Vulnerability: netbsd-svr4
Platforms Affected: NetBSD (1.3, 1.3.1, 1.3.2, 1.3.3)
Risk Factor: High

An error in the MAKEDEV script distributed with i386 versions of NetBSD creates the /dev/wabi device with incorrect device numbers. This could allow a local user to gain access to the first IDE disk on the system, which could possibly be leveraged to increase privileges.
Reference:
NetBSD Security Advisory 1999-009: "SVR4 compatibility device creation vulnerability" at:
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-009.txt.asc

___

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low
Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

ISS is the pioneer and leading provider of adaptive network security software delivering enterprise-wide information protection solutions. ISS' award-winning SAFEsuite family of products enables information risk management within intranet, extranet and electronic commerce environments. By combining proactive vulnerability detection with real-time intrusion detection and response, ISS' adaptive security approach creates a flexible cycle of continuous security improvement, including security policy implementation and enforcement. ISS SAFEsuite solutions strengthen the security of existing systems and have dramatically improved the security posture for organizations worldwide, making ISS a trusted security advisor for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.
___

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.