From xforce@iss.net Mon Aug 16 20:13:43 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Cc: X-Force
Date: Mon, 16 Aug 1999 16:20:23 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary v4 n6

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
August 15, 1999
Volume 4 Number 6

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.
_____

Contents

8 Reported Vulnerabilities
- irdp-gateway-spoof
- http-iis-malformed-header
- netbsd-profil
- nt-terminal-dos
- frontpage-pws-dos
- sun-stdcm-convert
- exchange-relay
- gauntlet-dos

Risk Factor Key
_____

Date Reported: 1999-08-11
Vulnerability: irdp-gateway-spoof
Platforms Affected: Windows (95, 98)
                    Solaris
                    SunOS
Risk Factor: High
Attack Type: Network Based

Systems configured for DHCP obtain their default gateway information, along
with other configuration parameters, when they first contact the network's
DHCP server. When dynamically configured through DHCP, it has been shown to
be possible to remotely change the default gateway of certain systems,
including Sun Solaris and SunOS as well as Windows 9x, by manipulating the
systems with ICMP Router Advertisement messages. An attacker could therefore
cause a system to direct its network traffic through a system of their
choice, opening up man-in-the-middle, monitoring and denial of service
attacks.
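The IRDP entry above turns on ICMP Router Advertisement messages (ICMP type 9,
RFC 1256) being accepted from anyone on the segment. A network monitor can
flag them: on a segment where gateways are handed out by DHCP and IRDP is not
deliberately used, any Router Advertisement is suspect, and where it is used
the advertised router addresses should match a known list. The following
detector is an added example, not code from ISS or from the L0pht advisory.
It parses the RFC 1256 message layout, verifies the RFC 1071 checksum, and
compares the advertised routers and their preference values against an
allowlist; the sample message bytes and the 192.0.2.0/24 addresses are
constructed for the example.

```python
import struct
import ipaddress

ICMP_ROUTER_ADVERTISEMENT = 9  # RFC 1256 message type


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message.
    For a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_router_advertisement(data: bytes) -> dict:
    """Parse an ICMP Router Advertisement: 8-byte header followed by
    num_addrs entries of (router address, 32-bit signed preference)."""
    if len(data) < 8:
        raise ValueError("short ICMP message")
    icmp_type, code, _cksum, num_addrs, entry_size, lifetime = struct.unpack(
        "!BBHBBH", data[:8])
    if icmp_type != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if entry_size != 2:  # RFC 1256 fixes the entry size at two 32-bit words
        raise ValueError("unexpected address entry size %d" % entry_size)
    if icmp_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    routers = []
    offset = 8
    for _ in range(num_addrs):
        if offset + 8 > len(data):
            raise ValueError("truncated address list")
        addr, pref = struct.unpack("!4si", data[offset:offset + 8])
        routers.append((str(ipaddress.IPv4Address(addr)), pref))
        offset += 8
    return {"lifetime": lifetime, "routers": routers}


def check_advertisement(src_ip: str, data: bytes, allowed_routers=frozenset()) -> list:
    """Return a list of findings (empty means nothing suspicious).
    With an empty allowlist every advertisement is reported, which is the
    right default for a segment that is not supposed to run IRDP at all."""
    findings = []
    adv = parse_router_advertisement(data)
    if src_ip not in allowed_routers:
        findings.append("router advertisement from non-allowlisted host %s" % src_ip)
    for router, pref in adv["routers"]:
        if router not in allowed_routers:
            findings.append("advertised router %s (preference %d) not in allowlist"
                            % (router, pref))
    return findings


# Constructed sample: lifetime 1800s, two entries: 192.0.2.1 with preference 0
# and 192.0.2.254 with preference 1000.  Checksum 0x650d precomputed for these bytes.
SAMPLE_ADVERTISEMENT = (
    b"\x09\x00\x65\x0d\x02\x02\x07\x08"        # type 9, code 0, cksum, 2 addrs, size 2, lifetime
    b"\xc0\x00\x02\x01\x00\x00\x00\x00"        # 192.0.2.1, preference 0
    b"\xc0\x00\x02\xfe\x00\x00\x03\xe8"        # 192.0.2.254, preference 1000
)

if __name__ == "__main__":
    for line in check_advertisement("192.0.2.254", SAMPLE_ADVERTISEMENT, {"192.0.2.1"}):
        print("ALERT:", line)
```

A host that advertises itself with a high preference value is exactly the
case the L0pht advisory describes, so the preference is included in the
finding; the checksum check keeps the parser from raising on, or being fed,
junk that merely starts with a 9.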
Reference:
L0pht Security Advisory: "ICMP Router Discovery Protocol" at:
http://www.l0pht.com/advisories/rdp.txt
_____

Date Reported: 1999-08-11
Vulnerability: http-iis-malformed-header
Platforms Affected: IIS 4.0
Risk Factor: Medium
Attack Type: Host/Network Based

A vulnerability has been discovered in Microsoft Internet Information Server
4.0 (IIS) and other web servers that use IIS as their web engine. If a remote
attacker sends a flood of specifically malformed HTTP request headers, it
could cause IIS to consume all the memory on the server. The service would
have to be stopped and restarted in order to resume normal operation.

Reference:
Microsoft Security Bulletin (MS99-029): "Patch Available for 'Malformed HTTP
Request Header' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-029.asp
_____

Date Reported: 1999-08-09
Vulnerability: netbsd-profil
Platforms Affected: NetBSD
Risk Factor: High
Attack Type: Host Based

NetBSD supports the profil(2) system call, which arranges for the kernel to
sample the PC and increment an element of an array on every profile clock
tick. The profil(2) call fails to disable itself when a program calls
execve(2). Under certain circumstances a malicious local user could call a
privileged program through execve(2) and possibly modify its behavior during
execution and gain elevated privileges.

Reference:
NetBSD Security Advisory 1999-011: "profil(2) can modify setuid root
programs" at:
http://www.netbsd.org/Security/advisory.html
_____

Date Reported: 1999-08-09
Vulnerability: nt-terminal-dos
Platforms Affected: Windows NT Server (4.0 Terminal Server Edition)
Risk Factor: Medium
Attack Type: Network Based

The ISS X-Force has discovered a denial of service attack against Windows NT
Server 4.0, Terminal Server Edition.
This vulnerability allows a remote attacker to quickly consume all available
memory on a Windows NT Terminal Server, causing a significant disruption for
users currently logged into the terminal server, and preventing any new
terminal connections from being successfully completed.

References:
Microsoft Security Bulletin (MS99-028): "Patch Available for 'Terminal
Server Connection Request Flooding' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-028.asp
_____

Date Reported: 1999-08-08
Vulnerability: frontpage-pws-dos
Platforms Affected: Microsoft FrontPage Server Extensions PWS
Risk Factor: Medium
Attack Type: Host/Network Based

A bug in Microsoft FrontPage Server Extensions PWS for Windows exists in the
way it handles long URLs. If someone sends it a URL of 167 characters or
more, then the web server crashes.

Reference:
BUGTRAQ Mailing List: "Crash FrontPage Remotely..." at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908071207.FAA23507@mb3.mailbank.com
_____

Date Reported: 1999-08-08
Vulnerability: sun-stdcm-convert
Platforms Affected: Solaris (2.6)
Risk Factor: High
Attack Type: Host Based

A vulnerability exists in stdcm_convert, which is a program shipped with CDE
and packaged with Solaris 2.6. A local user could create a symbolic link of
the tmp file created by stdcm_convert and point it to any file on the
system. This would overwrite the file and make it writable by the user. This
could lead to a local root compromise.
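The stdcm_convert entry above is the classic predictable-temporary-file bug:
a privileged program opens a fixed name under /tmp with a truncating open, so
a symlink planted there beforehand redirects the write to whatever file the
link names. The example below is added here and is not code from ISS or from
the Bugtraq posting; it places the flawed pattern beside the hardened form
(O_CREAT|O_EXCL with O_NOFOLLOW, or mkstemp, both with mode 0600) and runs
both against a constructed scenario in a private directory so the difference
is observable. The file names "victim.conf" and "convert.tmp" are invented
for the demonstration.

```python
import os
import tempfile


def unsafe_tmp_write(tmp_dir: str, name: str, payload: bytes) -> str:
    """Flawed pattern: fixed, predictable filename and a plain truncating open.
    open(..., 'wb') is O_CREAT|O_TRUNC and follows symlinks, so a pre-planted
    link at this path causes the write to clobber the link's target."""
    path = os.path.join(tmp_dir, name)
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def exclusive_create(path: str) -> int:
    """Hardened open for a caller-chosen path: O_CREAT|O_EXCL fails with
    EEXIST if anything, including a symlink, already exists at the path;
    O_NOFOLLOW (where the platform has it) adds a second line of defence.
    Mode 0600 keeps other users from reading or replacing the contents."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def safe_tmp_write(tmp_dir: str, payload: bytes) -> str:
    """Preferred form: mkstemp picks an unpredictable name and itself uses
    O_CREAT|O_EXCL with mode 0600, so there is no name to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="convert-", dir=tmp_dir)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)
    return path


def demo() -> dict:
    """Constructed scenario: a 'victim' file, a symlink planted at the
    predictable temp name pointing at it, and the three strategies above
    tried in turn.  Everything happens inside a private temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        planted = os.path.join(d, "convert.tmp")
        os.symlink(victim, planted)  # what the local user from the advisory does

        # 1. The flawed pattern writes straight through the link.
        unsafe_tmp_write(d, "convert.tmp", b"garbage")
        with open(victim) as fh:
            victim_after_unsafe = fh.read()

        # 2. The exclusive open refuses the pre-existing link.
        try:
            fd = exclusive_create(planted)
            os.close(fd)
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True

        # 3. mkstemp never collides with a planted name and is mode 0600.
        safe_path = safe_tmp_write(d, b"payload")
        safe_mode = os.stat(safe_path).st_mode & 0o777

        return {
            "victim_after_unsafe": victim_after_unsafe,
            "exclusive_refused": exclusive_refused,
            "safe_mode": safe_mode,
            "safe_name_is_random": os.path.basename(safe_path) != "convert.tmp",
        }


if __name__ == "__main__":
    print(demo())
```

Note that O_EXCL alone already defeats the symlink, because the kernel
evaluates it on the link itself rather than on its target; the unpredictable
name from mkstemp matters when the attacker can race the program rather than
merely pre-plant a link.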
Reference:
BUGTRAQ Mailing List: "sdtcm_convert" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-08&msg=19990809010450.A3223@hades.chaoz.org
_____

Date Reported: 1999-08-06
Vulnerability: exchange-relay
Platforms Affected: Microsoft Exchange (5.5)
Risk Factor: Low
Attack Type: Network Based

A vulnerability exists in Microsoft Exchange 5.5 with at least one Internet
Mail Service configured, which would allow a remote user to relay mail off
of the server to other users by using encapsulated SMTP addresses. This
could allow a spammer to send e-mail from your site, but poses no real
security risk.

Reference:
Microsoft Security Bulletin (MS99-027): "Patch Available for 'Encapsulated
SMTP Address' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-027.asp
_____

Date Reported: 1999-07-30
Vulnerability: gauntlet-dos
Platforms Affected: Gauntlet Firewall (5.0)
Risk Factor: High
Attack Type: Network Based

Network Associates Gauntlet Firewall contains a vulnerability that would
allow a remote attacker to crash the firewall by sending a specifically
constructed ICMP packet through the machine to a known IP inside the
firewall.

Reference:
BUGTRAQ Mailing List: "Remotely Lock Up Gauntlet 5.0" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-07-29&msg=199907301603.LAA17178@expert.cc.purdue.edu
_____

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access
        into a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an intruder
        to execute commands on mail server.

Medium  Any vulnerability that provides information that has a high
        potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows an
        intruder to get the password file that could contain an account with
        a guessable password.
Low     Any vulnerability that provides information that potentially could
        lead to a compromise.
        Example: A finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords via brute force
        methods.

ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and
over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.
________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN7hyVDRfJiV99eG9AQHmTQP9G81xqXy+YxZwipgqLfutU/CdRZgGsWn4
9g+ddZMaFbgRrAya6Ny+FArYi5iqQDJWzDtw8xknk7t++nDOOnDph97lxgGusH3r
mLIHwLqWERVSDMGJ4CUtRs/MrKLJhRw0lMDQ6QKXPXmONiBSvSVslskgeV8LVlWM
R8lq/ubHPCE=
=noQT
-----END PGP SIGNATURE-----