ISS X-Force

ISS Security Alert Summary
June 1, 1999
Volume 4 Number 1

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

13 Reported Vulnerabilities

- nt-ras-pwcache
- cmail-command-bo
- cmail-fileread
- ftgate-fileread
- coldfusion-admin-dos
- coldfusion-encryption
- netscape-space-view
- netscape-title
- netbsd-arp
- nt-ras-bo
- irix-midikeys
- cde-dtlogin
- nt-helpfile-bo
- SubSeven aka BackDoor-G

Risk Factor Key

___

Date Reported: 1999-05-27
Vulnerability: nt-ras-pwcache
Platforms Affected: Windows NT (4.0)
Risk Factor: Medium
Attack Type: Host Based

A bug exists in the RAS and RRAS clients installed on Windows NT 4.0 SP5 and below that saves the user's password regardless of whether or not the "Save Password" option is disabled. The password is, however, stored in a registry key with strict permissions and the option of being strongly encrypted.
References:
Microsoft Security Bulletin (MS99-017): "Patch Available for 'RAS and RRAS Password' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-017.asp
Microsoft Knowledge Base Article ID: Q230681: "RAS Credentials Saved when 'Save Password' Option Unchecked" at:
http://support.microsoft.com/support/kb/articles/q230/6/81.asp
Microsoft Knowledge Base Article ID: Q233303: "RRAS Credentials Saved when 'Save Password' Option Unchecked" at:
http://support.microsoft.com/support/kb/articles/q233/3/03.asp

___

Date Reported: 1999-05-26
Vulnerability: cmail-command-bo
Platforms Affected: CMail Server
Risk Factor: High
Attack Type: Host/Network Based

Numerous buffer overflows have been discovered in the POP and SMTP commands implemented in the CMail server for Windows 9x and Windows NT. The overflows have been shown to be remotely exploitable, and could relinquish complete control of your mail server to an attacker.

Reference:
eEye Digital Security Team Alert AD05261999: "Multiple Web Interface Security Holes" at:
http://www.eeye.com/database/advisories/ad05261999/ad05261999.html

___

Date Reported: 1999-05-26
Vulnerability: cmail-fileread
Platforms Affected: CMail Server
Risk Factor: Medium
Attack Type: Host/Network Based

A vulnerability has been discovered in the Web administration interface for the CMail multi-protocol mail server for Windows. This hole could allow a remote attacker to read certain files from vulnerable hosts via the web interface.
Reference:
eEye Digital Security Team Alert AD05261999: "Multiple Web Interface Security Holes" at:
http://www.eeye.com/database/advisories/ad05261999/ad05261999.html

___

Date Reported: 1999-05-26
Vulnerability: ftgate-fileread
Platforms Affected: FTGate
Risk Factor: Medium
Attack Type: Host/Network Based

A vulnerability has been discovered in the web interface to the FTGate mail server for Windows. The server could allow a remote attacker to retrieve files from the system.

Reference:
eEye Digital Security Team Alert AD05261999: "Multiple Web Interface Security Holes" at:
http://www.eeye.com/database/advisories/ad05261999/ad05261999.html

___

Date Reported: 1999-05-24
Vulnerability: coldfusion-admin-dos
Platforms Affected: Cold Fusion
Risk Factor: Medium
Attack Type: Host/Network Based

The ColdFusion Administrator includes a utility for starting and stopping the ColdFusion service from a web browser. A problem exists in this feature when Advanced Security is enabled, which allows any remote user to stop the ColdFusion server.

Reference:
Allaire Security Bulletin (ASB99-07): "Solution Available for Denial-of-Service Attack Using CF Admin. Start/Stop Utility" at:
http://www2.allaire.com/handlers/index.cfm?ID=10968&Method=Full

___

Date Reported: 1999-05-24
Vulnerability: coldfusion-encryption
Platforms Affected: Cold Fusion
Risk Factor: Low
Attack Type: Host Based

The encryption system used in the ColdFusion CFCRYPT program has been shown to be weak and easily crackable. This weakness could expose source code that was distributed in encrypted form and was previously thought to be unviewable. Programs that perform this "decryption" are widely available.
Reference:
Allaire Security Bulletin (ASB99-08): "Pages Encrypted with CFCRYPT.EXE Can Be Illegally Decrypted" at:
http://www2.allaire.com/handlers/index.cfm?ID=10969&Method=Full

___

Date Reported: 1999-05-24
Vulnerability: netscape-space-view
Platforms Affected: Netscape FastTrack, Netscape Enterprise Server
Risk Factor: Medium
Attack Type: Host/Network Based

A vulnerability in Netscape Enterprise and FastTrack servers could allow a remote user to view the source of scripts that are not normally accessible. When a "%20" is appended to the end of a GET request, the server mistakenly returns the source code of the script instead of executing it. This could reveal sensitive information about the setup of the server or its backend.

Reference:
Allaire Security Bulletin (ASB99-06): "Netscape Servers for Win NT Exposure of Source Code with '%20'" at:
http://www2.allaire.com/handlers/index.cfm?ID=10967&Method=Full

___

Date Reported: 1999-05-24
Vulnerability: netscape-title
Platforms Affected: Netscape Directory Server
Risk Factor: High
Attack Type: Host Based

A vulnerability has been discovered in Netscape Communicator and Navigator that could allow scripts embedded in the TITLE tag to be executed when information about the page is requested. Because the page-information screen can be invoked automatically by a script, this vulnerability can be exploited remotely without any action by the user. The hole allows the script to run in the "about" protocol context, which has access to sensitive information such as the browser's cache, configuration, etc.
Reference:
BUGTRAQ Mailing List: "Netscape Communicator JavaScript in security vulnerability" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9905d&L=bugtraq&F=&S=&P=1276

___

Date Reported: 1999-05-21
Vulnerability: netbsd-arp
Platforms Affected: NetBSD (1.3)
Risk Factor: High
Attack Type: Host/Network Based

The Address Resolution Protocol (ARP) implementation in NetBSD 1.3.x contains two flaws that could allow remote attacks on vulnerable systems. The first flaw allows ARP packets arriving on one network to change the ARP table for another network connected to the same machine. The second allows ARP packets to overwrite "static" entries in the table.

Reference:
NetBSD Security Advisory 1999-010: "ARP table vulnerability" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-010.txt.asc

___

Date Reported: 1999-05-20
Vulnerability: nt-ras-bo
Platforms Affected: Windows NT (4.0)
Risk Factor: High
Attack Type: Host Based

The portion of the RAS (Remote Access Service) client for Windows NT 4.0 that processes phone book entries contains a buffer overflow condition which could allow a local user to cause a denial of service or possibly execute arbitrary code with system privileges.
References:
BUGTRAQ Mailing List: "Buffer Overruns in RAS allows execution of arbitary code as system" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9905C&L=bugtraq&P=R2187
Microsoft Security Bulletin (MS99-016): "Patch Available for 'Malformed Phonebook Entry' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-016.asp
Microsoft Knowledge Base Article ID: Q230667: "Malformed Phonebook Entry Security Vulnerability in RAS Client" at:
http://support.microsoft.com/support/kb/articles/q230/6/67.asp

___

Date Reported: 1999-05-19
Vulnerability: irix-midikeys
Platforms Affected: IRIX (6.x)
Risk Factor: High
Attack Type: Host Based

A vulnerability has been discovered in the IRIX 'midikeys' program that could allow local attackers to read and write files with root privileges. This can in turn be leveraged to gain root privileges on the victim machine.

Reference:
SGI Security Advisory 19990501-01-A: "IRIX midikeys Vulnerability" at:
ftp://sgigate.sgi.com/security/19990501-01-A

___

Date Reported: 1999-05-18
Vulnerability: cde-dtlogin
Platforms Affected: Digital Unix
Risk Factor: High
Attack Type: Host Based

A vulnerability in the 'dtlogin' CDE application distributed with DIGITAL UNIX 4.0b-4.0f could allow a local user to gain unauthorized root privileges. It is currently unknown whether this affects the 'dtlogin' program distributed with other operating systems.

Reference:
Compaq/Digital Security Advisory: "SSRT0600U Tru64/DIGITAL UNIX (dtlogin) Security Advisory" at:
http://www.service.digital.com/security-updates/ssrt0600u.html

___

Date Reported: 1999-05-18
Vulnerability: nt-helpfile-bo
Platforms Affected: Windows NT (4.0)
Risk Factor: High
Attack Type: Host Based

The Windows NT 4.0 help file utility could allow a malformed help file to overflow buffers inside the program.
This hole could possibly be manipulated to execute arbitrary code on affected systems.

References:
Microsoft Knowledge Base Article ID: Q231605: "Malformed Help File Causes Help Utility to Stop Responding" at:
http://support.microsoft.com/support/kb/articles/q231/6/05.asp
Microsoft Security Bulletin (MS99-015): "Patch Available for 'Malformed Help File' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-015.asp

___

SubSeven aka BackDoor-G

SubSeven (also named BackDoor-G by Network Associates) is a trojan that was released by mobman in March of 1999. This tool can be used by malicious users to maintain access to Windows 95 and 98 machines and control them remotely over TCP.

___

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which could contain an account with a guessable password.

Low
Any vulnerability that provides information that could potentially lead to a compromise.
Example: A finger service that allows an intruder to find out who is online and which accounts might be targets for brute-force password cracking.

ISS is the pioneer and leading provider of adaptive network security software delivering enterprise-wide information protection solutions. ISS' award-winning SAFEsuite family of products enables information risk management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion detection and response, ISS' adaptive security approach creates a flexible cycle of continuous security improvement, including security policy implementation and enforcement. ISS SAFEsuite solutions strengthen the security of existing systems and have dramatically improved the security posture for organizations worldwide, making ISS a trusted security advisor for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

___

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.