From xforce@iss.net Fri Dec 17 16:22:30 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Wed, 15 Dec 1999 14:47:53 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary: v4 n10

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
December 15, 1999
Volume 4 Number 10

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

12 Reported Vulnerabilities
- nt-resource-enum-dos
- sol-snoop-bo
- ie-server-side-redirect
- ie-msradio-bo
- netscape-fasttrack-auth-bo
- qpopper-auth-bo
- solaris-dtmail-overflow
- solaris-dtmailpr-overflow
- unixware-su-username-bo
- unixware-xlock-username-bo
- linux-syslogd-dos
- sol-ttdbserverd-dos

Risk Factor Key

_____

Date Reported: 1999-12-09
Vulnerability: nt-resource-enum-dos
Platforms Affected: Windows NT 4.0
Risk Level: Medium
Attack Type: Network Based

Windows NT 4.0 (Workstation, Server, Enterprise, and Terminal Editions)
contains a vulnerability that could allow a remote attacker to make the
machine stop responding to service requests. A remote attacker sending a
malformed resource enumeration argument can cause the Windows NT Control
Manager to fail, causing services to stop responding to requests. The
system would then have to be restarted to resume normal operation.
Reference:
Microsoft Security Bulletin (MS99-055): "Patch Available for 'Malformed
Resource Enumeration Argument' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-055.asp

_____

Date Reported: 1999-12-09
Vulnerability: sol-snoop-bo
Platforms Affected: Solaris (2.x)
Risk Level: High
Attack Type: Network Based

The Solaris Snoop application contains a buffer overflow. The Solaris Snoop
application is a network sniffing tool that ships with all Solaris 2.x
operating systems. This buffer overflow allows a remote attacker to gain
privileged access to machines running the Solaris operating system while
using Snoop. This vulnerability also allows an attacker to bypass security
measures in place on Solaris based firewall machines. It is not recommended
to use a sniffing tool such as Snoop from a firewall to diagnose network
problems.

References:
ISS Security Advisory: "Buffer Overflow in Solaris Snoop" at:
http://xforce.iss.net/alerts/advise41.php3

Sun Microsystems, Inc. Security Bulletin: "snoop" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/190&type=0&nav=sec.sba

_____

Date Reported: 1999-12-08
Vulnerability: ie-server-side-redirect
Platforms Affected: Microsoft Internet Explorer (4.01, 5.0, 5.01)
Risk Level: High
Attack Type: Network Based

Microsoft Internet Explorer contains a vulnerability that could allow a
malicious web page operator to view files on the browser's machine. The web
page operator would need to already know the name of the file he wishes to
view, such as a normal startup file.

Reference:
Microsoft Security Bulletin (MS99-050): "Patch Available for 'Server-side
Page Reference Redirect' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-050.asp

_____

Date Reported: 1999-12-05
Vulnerability: ie-msradio-bo
Platforms Affected: Microsoft Internet Explorer (5.x)
Risk Level: High
Attack Type: Host Based

Internet Explorer 5.x contains a buffer overflow.
A user can call the local URL vnd.ms.radio:\\ for streaming audio and send
it 360 or more characters, causing it to crash. A user then could execute
arbitrary code on the machine.

Reference:
BUGTRAQ Mailing List: "new IE5 remote exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991206023202.84801.qmail@hotmail.com

_____

Date Reported: 1999-12-01
Vulnerability: netscape-fasttrack-auth-bo
Platforms Affected: Netscape Enterprise Server (3.5.1 - 3.6sp2)
                    Netscape Fast Track Server (3.01)
Risk Level: High
Attack Type: Network Based

Netscape Enterprise Server and Netscape FastTrack Server are widely used
Internet web servers. A buffer overflow is present in the HTTP Basic
Authentication portion of the server. When accessing a password protected
portion of the Administration or Web server, a username or password that is
longer than 508 characters will cause the server to crash with an access
violation error. An attacker could utilize the Base64 encoded Authorization
string to execute arbitrary code as SYSTEM on Windows NT, or as root on
Unix. Attackers can use these privileges to gain full access to the server.

Reference:
ISS Security Advisory: "Buffer Overflow in Netscape Enterprise and FastTrack
Authentication Procedure" at:
http://xforce.iss.net/alerts/advise39.php3

_____

Date Reported: 1999-11-29
Vulnerability: qpopper-auth-bo
Platforms Affected: qpop 3.2
Risk Level: High
Attack Type: Network Based

Qpopper server contains a buffer overflow. Qpopper is a server that supports
the POP3 protocol for downloading Internet e-mail from software clients on
Unix. An attacker could overflow the qpop3 server code and compromise the
system with root privileges.
Reference:
BUGTRAQ Mailing List: "serious Qpopper 3.0 vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.04.9911300056540.6421-300000@aviation.net

_____

Date Reported: 1999-11-29
Vulnerability: solaris-dtmail-overflow
Platforms Affected: Solaris 7x86
Risk Level: High
Attack Type: Host Based

The Solaris 7 dtmail program contains a buffer overflow. The dtmail program
is a mailer program. It has an exploitable command line buffer overflow in
the -f argument. It is unknown if sparc versions are exploitable, but an
exploit does exist for intel/x86 Solaris 7. It is verified by executing
dtmail -f with 2000 characters.

Reference:
BUGTRAQ Mailing List: "Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-29&msg=384249A4334.8C16SHADOWPENGUIN@fox.nightland.net

_____

Date Reported: 1999-11-29
Vulnerability: solaris-dtmailpr-overflow
Platforms Affected: Solaris 7x86
Risk Level: High
Attack Type: Host Based

The Solaris 7 dtmailpr program contains a buffer overflow. The dtmailpr
program is a mail message print filter. It has an exploitable command line
buffer overflow in the -f argument. It is unknown if Sparc versions are
exploitable, but an exploit does exist for intel/x86 Solaris 7. It is
verified by executing dtmail -f with 2000 characters.

Reference:
BUGTRAQ Mailing List: "Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-29&msg=384249A4334.8C16SHADOWPENGUIN@fox.nightland.net

_____

Date Reported: 1999-11-25
Vulnerability: unixware-su-username-bo
Platforms Affected: SCO's UnixWare 7
Risk Level: High
Attack Type: Host Based

SCO's UnixWare 7 contains a buffer overflow in the su command. If a local
user sends a long username to the su command, it is possible to crash su
and execute commands with root privileges.
Reference:
BUGTRAQ Mailing List: "[w00giving '99 #5 and w00news]: UnixWare 7's su" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.95.991126035202.24887A-100000@cannabis.dataforce.net

_____

Date Reported: 1999-11-25
Vulnerability: unixware-xlock-username-bo
Platforms Affected: SCO's UnixWare 7
Risk Level: High
Attack Type: Host Based

SCO's UnixWare 7 contains a buffer overflow in the xlock program that is
used to lock the X display. If a local user supplies a long username, xlock
will crash and allow the user to execute commands with root privileges.

Reference:
BUGTRAQ Mailing List: "[w00giving '99 #7]: UnixWare 7's xlock" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-22&msg=Pine.LNX.3.95.991126042944.31331D-100000@cannabis.dataforce.net

_____

Date Reported: 1999-11-19
Vulnerability: linux-syslogd-dos
Platforms Affected: Linux
Risk Level: High
Attack Type: Host Based

A denial of service attack exists against Linux operating systems and the
syslogd service. The service normally receives system log messages using
Unix domain stream sockets. If a local attacker opens many local syslog
connections, the service will crash, affecting many normal processes such
as sendmail and telnetd.

References:
Caldera Systems, Inc. Security Advisory CSSA-1999-035.0: "DoS with
sysklogd, glibc" at:
ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-035.0.txt

Red Hat, Inc. Security Advisory: "syslogd" at:
http://www.redhat.com/corp/support/errata/RHSA1999055-01.html

SuSE Security Announcement: "syslogd-1.3.33 (a1)" at:
http://www.suse.de/de/support/security/suse_security_announce_31.txt

_____

Date Reported: 1999-11-18
Vulnerability: sol-ttdbserverd-dos
Platforms Affected: Solaris (7, 7x86)
Risk Level: Medium
Attack Type: Network Based

A denial of service attack exists against the Solaris 7 rpc.ttdbserverd
service. A remote attacker could crash the ttdbserverd service by calling
function 15 using garbage characters.
Reference:
BugTraq Mailing List: "Re: rpc.ttdbserverd on solaris 7" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991119133030.Q14594@securityfocus.com

_____

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access
        into a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an
        intruder to execute commands on mail server.

Medium  Any vulnerability that provides information that has a high
        potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows
        an intruder to get the password file that could contain an account
        with a guessable password.

Low     Any vulnerability that provides information that potentially could
        lead to a compromise.
        Example: A finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords via brute
        force methods.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOFfrKzRfJiV99eG9AQFNMwQAnuRMwNrkmr6BopcDbHw5xuQmnhk4E1LY
CE+fQUzuL44ANBQAiURicZdiWTfGiDZSElZAcGnuIcQUg9CTYLUKWtlonqi3pmvM
vX7Jzx6e66zWwe87Wx4CN+lPwMHVS7DJ3Lb1BSkGdBHCFoyU4zfbRfnqRaK0+0u/
vSBvkom1uMM=
=tW+G
-----END PGP SIGNATURE-----