ISS X-Force Alert Summaries

ISS Security Alert Summary
January 20, 1999
Volume 3 Number 4

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

17 Reported Vulnerabilities

- backweb-polite-agent-protocol
- http-cgic-library-bo
- hp-series5-crash
- http-request-method-garble
- acc-tigris-login
- datalynx-suguard-relative-paths
- novell-intranetware-dos
- sco-calserver-remote-bo
- ssh-privileged-port-forward
- oracle-tnslsnr-dos
- linux-random-read-dos
- bnc-proxy-bo
- http-cgi-nlog-metachars
- sims-slapd-logfiles
- backweb-cleartext-passwords
- http-frame-spoof
- linux-pam-passwd-tmprace

Risk Factor Key

___

Date Reported: 1999-01-18
Vulnerability: backweb-polite-agent-protocol
Platforms Affected: BackWeb Client with Polite Agent Protocol
Risk Level: High

The BackWeb Polite Agent protocol is a UDP-based protocol that BackWeb clients use to communicate with BackWeb servers. BackWeb's "anti-spoofing mechanism" for delivery of UDP data to the client and server is the exchange of a 32-bit integer, randomly generated by the client each time it requests data from the server. This integer is appended to each packet of a specific piece of BackWeb data (InfoPak). By examining these packets in transit, an attacker can learn the integer and send false data to a BackWeb client while posing as the real BackWeb server.
Reference:
ISS Security Advisory: "Vulnerability in the BackWeb Polite Agent Protocol"
http://www.iss.net/xforce/alerts/advise17.html

___

Date Reported: 1999-01-10
Vulnerability: http-cgic-library-bo
Platforms Affected: Common Gateway Interface (CGI)
Risk Level: High

CGIC is a library for the creation of CGI-based World Wide Web applications, written by Thomas Boutell. Versions up to and including 1.05 contain a buffer overflow which could allow an attacker to execute arbitrary code on the system. Whether the overflow is reachable depends on the program linked against the cgic library and the way it uses the vulnerable function.

References:
BUGTRAQ Mailing List: "cgic: an ANSI C library for CGI Programming"
http://geek-girl.com/bugtraq/1999_1/0147.html
Thomas Boutell: "cgic: an ANSI C library for CGI Programming"
http://www.boutell.com/cgic/

___

Date Reported: 1999-01-06
Vulnerability: hp-series5-crash
Platforms Affected: HP Printers
Risk Level: Medium

A vulnerability exists in the firmware code of Hewlett-Packard Series 5 printers that allows a malicious user to place the device into an unpredictable and unusable state. This bug is similar to the one that caused HP 5m printers to hang when multivariable SNMP queries were made on the interpreters table. It is believed this only affects printers whose firmware datecode is less than 19960829.

Reference:
BUGTRAQ Mailing List: "Another way to crash HP printers"
http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=10073

___

Date Reported: 1999-01-06
Vulnerability: http-request-method-garble
Platforms Affected: IIS (2.0, 3.0, 4.0), Apache
Risk Level: Low

The logging facilities in many web servers are insecure with respect to the way they create log files.
Because of the special characters allowed in REQUEST_METHODs when accessing dynamic resources such as CGI scripts, it is possible for a remote attacker to manipulate and garble the information written to log files.

Reference:
BUGTRAQ Mailing List: "HTTP REQUEST_METHOD flaw"
http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=8530

___

Date Reported: 1999-01-03
Vulnerability: acc-tigris-login
Platforms Affected: ACC Tigris (up to 10.5.8)
Risk Level: High

Tigris is a terminal server system manufactured and distributed by Advanced Computer Communications (ACC). A vulnerability exists in the login portion of the server which allows users to execute commands without being authenticated. Once a user has exploited this hole, they can run non-privileged commands from the server, which include dumping limited configuration information, accessing other machines, etc. This hole affects OS versions up to and including 10.5.8.

References:
BUGTRAQ Mailing List: "ACC's 'Tigris' Access Terminal server security vunerability.."
http://www.netspace.org/cgi-bin/wa?A2=ind9901a&L=bugtraq&F=&S=&P=2546
ACC Products Homepage: "Remote Access Concentrators Page"
http://www.acc.com/internet/products/remote_access_concentrat.html

___

Date Reported: 1999-01-03
Vulnerability: datalynx-suguard-relative-paths
Platforms Affected: suGuard
Risk Level: High

The DataLynx Inc. suGuard security package contains a vulnerability that allows users configured for suGuard to gain root privileges. The hole exists because suGuard relies on the PATH environment variable when searching for certain programs. An intruder who controls that environment may trick the server into executing a trojan horse program.

References:
L0pht Security Advisory: "suGuard rev 1.0 from DataLynx"
http://www.l0pht.com/advisories/suguard.txt
DataLynx, Inc.
Homepage: "suGUARD Access Security Software"
http://www.dlxguard.com/suguard.htm

___

Date Reported: 1998-12-30
Vulnerability: novell-intranetware-dos
Platforms Affected: IntranetWare Client (3.0.0.0)
Risk Level: Medium

The Novell IntranetWare 3.0.0.0 client installed on many Windows systems contains a flaw which allows it to be remotely crashed with a "half-open" TCP packet (often part of a SYN scan). After receiving the packet, the machine becomes unresponsive and subsequently loses all network connectivity. It is possible to recover from the attack, but a reboot is necessary to restore network connectivity.

Reference:
BUGTRAQ Mailing List: "SecureXpert Labs Advisory [SX-98.12.30-01]"
http://www.netspace.org/cgi-bin/wa?A2=ind9812e&L=bugtraq&F=&S=&P=2284

___

Date Reported: 1998-12-29
Vulnerability: sco-calserver-remote-bo
Platforms Affected: SCO OpenServer Enterprise System (5.0.4p)
Risk Level: High

A buffer overflow exists in the SCO OpenServer Enterprise calendar server program "calserver." This vulnerability could allow both local and remote attackers to gain root access on the victim server, resulting in a high probability of giving system access to an intruder. Fortunately, calserver does not run in network mode by default, so an administrator would have had to explicitly configure it to run in network mode for this vulnerability to be remotely exploitable.

Reference:
BUGTRAQ Mailing List: "Local/remote exploit for SCO UNIX"
http://www.netspace.org/cgi-bin/wa?A2=ind9812e&L=bugtraq&F=&S=&P=68

___

Date Reported: 1998-12-29
Vulnerability: ssh-privileged-port-forward
Platforms Affected: SSH (up to 2.0.11)
Risk Level: Medium

SSH up to and including version 2.0.11 contains a security bug which allows any eligible user to request remote forwarding from privileged ports without being root.
This vulnerability does not grant unauthorized access to an attacker and requires that the user have an existing account on the system.

Reference:
BUGTRAQ Mailing List: "ssh2 security problem (and patch)"
http://www.netspace.org/cgi-bin/wa?A2=ind9812e&L=bugtraq&F=&S=&P=416

___

Date Reported: 1998-12-28
Vulnerability: oracle-tnslsnr-dos
Platforms Affected: Oracle TNSLSNR
Risk Level: Medium

The TNSLSNR server included with the Oracle server package contains a denial of service vulnerability that allows attackers to cause the server to consume excessive amounts of CPU time. The attack results from the server not properly handling packets of a form it is not programmed to recognize.

Reference:
BUGTRAQ Mailing List: "Oracle8 TNSLSNR DoS"
http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=11696

___

Date Reported: 1998-12-27
Vulnerability: linux-random-read-dos
Platforms Affected: Linux
Risk Level: Medium

A flaw in the Linux implementation of the /dev/random driver could allow a user to overload the system, in some cases forcing a reboot. The flaw exists because the random driver does not check for pending signals while it is reading random data, which makes it impossible to kill a process reading a large quantity of random data.

Reference:
BUGTRAQ Mailing List: "[patch] fix for urandom read(2) not interruptible"
http://www.netspace.org/cgi-bin/wa?A2=ind9812e&L=bugtraq&F=&S=&P=672

___

Date Reported: 1998-12-26
Vulnerability: bnc-proxy-bo
Platforms Affected: BNC Proxy (2.2.4 and below)
Risk Level: High

The BNC IRC proxy server written by James Seter contains a buffer overflow which could allow remote attackers to execute arbitrary commands on the server with the privileges of the user owning the BNC process. This vulnerability exists in versions 2.2.4 and prior. Exploit information for this hole has been made widely available.
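The two buffer-overflow entries in this summary (http-cgic-library-bo above and bnc-proxy-bo here) describe the same defect class: a field whose length is chosen by the remote party is copied into a fixed-size buffer. The following is an added example, not code from cgic, BNC or the advisories, of the bounds check a defender would want in such a parser. FIELD_MAX, copy_field_bounded and query_get are hypothetical names, and the query string is constructed; the key choice is that oversized input is rejected rather than silently truncated, so a caller cannot mistake a cut-off value for a complete one.

```c
/* Added example: bounds-checked copy of an untrusted input field into a
 * fixed-size buffer. Names and the sample query string are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 64   /* hypothetical limit for one CGI field value */

/* Copy n bytes from src into dst (capacity dstsz), NUL-terminating the result.
 * Returns 0 on success, -1 if the value plus its NUL does not fit; on
 * failure dst is left empty so a partial value is never used by mistake. */
int copy_field_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {          /* destination size is the limit, not the input */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Find `name` in a query string such as "a=1&b=two" and copy its value into
 * out (capacity outsz). Returns 1 if found and copied, 0 if the name is
 * absent, -1 if the value is too long for out. No URL decoding is done here. */
int query_get(const char *qs, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = qs;

    while (p && *p) {
        const char *end = strchr(p, '&');              /* end of this pair */
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        /* plen > nlen guarantees p[nlen] lies inside this pair */
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            return copy_field_bounded(out, outsz, p + nlen + 1, vlen) == 0 ? 1 : -1;
        }
        p = end ? end + 1 : NULL;
    }
    if (outsz)
        out[0] = '\0';
    return 0;
}

int main(void)
{
    char buf[FIELD_MAX];
    const char *qs = "name=alice&mode=edit";   /* constructed input */
    int r = query_get(qs, "mode", buf, sizeof buf);
    printf("mode: r=%d value=\"%s\"\n", r, buf);
    return 0;
}
```

A caller that receives -1 should treat the request as malformed and stop, which is the behaviour the overflowing copies in both advisories lacked.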
References:
BUGTRAQ Mailing List: "bnc exploit"
http://www.geek-girl.com/bugtraq/1998_4/0745.html
Refract Media, Inc.: "the official BNC webpage"
http://bnc.refract.com/

___

Date Reported: 1998-12-26
Vulnerability: http-cgi-nlog-metachars
Platforms Affected: Common Gateway Interface (CGI)
Risk Level: High

Nlog is a package of scripts designed to correlate and analyze output from the nmap 2.0 port-scanning software. Versions up to 1.1 contain a security flaw in the way metacharacters are parsed, which could allow a remote attacker to execute arbitrary commands on the server with the privileges of the user running the httpd process, usually "nobody."

References:
BUGTRAQ Mailing List: "Nlog 1.1b released - security holes fixed"
http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=10302
HD Moore: "n-log home page"
http://owned.comotion.org/~spinux/index.html

___

Date Reported: 1998-12-25
Vulnerability: sims-slapd-logfiles
Platforms Affected: Sun Internet Mail Server (3.x), Sun LDAP Directory Services (1.x, 3.1)
Risk Level: High

SIMS (Sun Internet Mail Server) 3.x is packaged with SDS (Sun LDAP Server) 1.x and 3.1, which logs LDAP connections and actions. The log file created by the slapd daemon is world-readable (and writable), and contains the usernames and passwords of users connecting to IMAP to read their e-mail. This information is therefore available to anyone with a local account on the server system.

Reference:
BUGTRAQ Mailing List: "Vulnerability"
http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=9086

___

Date Reported: 1998-12-24
Vulnerability: backweb-cleartext-passwords
Platforms Affected: BackWeb Client
Risk Level: Medium

BackWeb is a software package designed to "push" software updates onto customers to eliminate the need to regularly upgrade systems.
BackWeb stores the information needed to connect to a proxy server in cleartext inside the system registry. This information includes usernames and passwords, which may allow an attacker who has gained access to your system to compromise access to your proxy server (and possibly other systems).

Reference:
NTBUGTRAQ Mailing List: "BackWeb - Password issue (used by NAI for Corporate customer notification)"
http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9812&L=ntbugtraq&F=P&S=&P=8019

___

Date Reported: 1998-12-23
Vulnerability: http-frame-spoof
Platforms Affected: Netscape Navigator; Internet Explorer (3.01, 3.02, 4.0, 4.01)
Risk Level: High

A vulnerability exists in many popular Web browsers, including Netscape Navigator and Internet Explorer, which allows a malicious web site to trick a user into entering possibly compromising information. The vulnerability allows an attacker to create a frame inside a browser window which looks like that of a legitimate site, which could fool an unwary user.

References:
Microsoft Knowledgebase Article ID Q167614: "Update Available For "Frame Spoof" Security Issue"
http://support.microsoft.com/support/kb/articles/q167/6/14.asp
Netscape Security Update: "The Frame-Spoofing Vulnerability"
http://home.netscape.com/products/security/resources/bugs/framespoofing.html

___

Date Reported: 1998-12-23
Vulnerability: linux-pam-passwd-tmprace
Platforms Affected: Linux
Risk Level: High

A vulnerability exists in the Pluggable Authentication Modules (PAM) for Linux which allows local users to gain root privileges. All versions of PAM up to and including pam-0.64-2 are considered vulnerable. The vulnerability exists in the pam_unix_passwd.so library's temporary file implementation and its honoring of the umask passed to it via the environment.
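The PAM entry above turns on a privileged program letting the caller's environment (the umask) decide the permissions of a temporary file it creates. The following is an added example, not code from Linux-PAM, of how a privileged process creates a private temporary file whose mode does not depend on the inherited umask: the umask is forced restrictive around the create, the file is created with O_EXCL semantics via mkstemp so a pre-placed file or symlink cannot be opened instead, and the mode is then set explicitly with fchmod on the open descriptor. The explicit fchmod matters because, per the mkstemp manual page, glibc versions 2.06 and earlier created the file with mode 0666 masked by the umask. The path template and function names are hypothetical.

```c
/* Added example: create a private temporary file regardless of the
 * umask inherited from the environment. Names and paths are hypothetical. */
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

/* Create a temporary file from `tmpl` (must end in XXXXXX; modified in place).
 * Returns an open descriptor on success, -1 on failure. The resulting file is
 * mode 0600 whatever umask the caller inherited. */
int open_private_tmpfile(char *tmpl)
{
    mode_t old = umask(077);          /* do not trust the inherited umask */
    int fd = mkstemp(tmpl);           /* O_CREAT|O_EXCL: refuses a pre-placed file or symlink */
    umask(old);                       /* restore the caller's umask */
    if (fd < 0)
        return -1;
    /* Set the mode on the open descriptor, not the path, so no second
     * lookup of the name can be raced; this also covers old libcs whose
     * mkstemp honoured the umask. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Permission bits (0777 mask) of an open descriptor, or -1 on error. */
int fd_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Demonstration: even with the most permissive umask (0000) in effect,
 * the file comes out 0600. Returns the observed mode bits, or -1. */
int demo_mode_under_permissive_umask(void)
{
    char path[] = "/tmp/pamdemo.XXXXXX";   /* hypothetical template */
    mode_t saved = umask(0);               /* simulate a hostile environment */
    int fd = open_private_tmpfile(path);
    umask(saved);
    if (fd < 0)
        return -1;
    int mode = fd_mode_bits(fd);
    close(fd);
    unlink(path);
    return mode;
}

int main(void)
{
    printf("mode under umask 0000: %04o\n", demo_mode_under_permissive_umask());
    return 0;
}
```

The same pattern applies to any setuid helper that writes scratch files: decide the permissions in code and verify them on the descriptor, never inherit them from the caller.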
Reference:
BUGTRAQ Mailing List: "Linux PAM (up to 0.64-2) local root compromise"
http://www.netspace.org/cgi-bin/wa?A2=ind9812d&L=bugtraq&F=&S=&P=4495

___

Risk Factor Key:

High: Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium: Any vulnerability that provides information that has a high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which could contain an account with a guessable password.

Low: Any vulnerability that provides information that potentially could lead to a compromise.
Example: A finger service that allows an intruder to find out who is online and which accounts exist, giving targets for brute-force password guessing.

___

Internet Security Systems, Inc. is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provides protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse and security policy violations. The Company has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, 9 of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

___

Copyright (c) 1998 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert Summary electronically.
It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any medium other than electronic, please email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.

Copyright ©1994-1998 Internet Security Systems, Inc. All Rights Reserved.
Sales Inquiries: sales@iss.net
6600 Peachtree-Dunwoody Rd, Bldg 300, Atlanta, GA 30328
Phone (678) 443-6000, Fax (678) 443-6477