From xforce@iss.net Sat Jul 8 16:54:04 2000 From: X-Force Resent-From: mea culpa To: alert@iss.net Resent-To: jericho@attrition.org Date: Fri, 7 Jul 2000 17:04:55 -0400 (EDT) Subject: ISSalert: Internet Security Systems Security Alert Summary v5 n6 TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Alert Summary July 1, 2000 Volume 5 Number 6 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php _____ Contents 77 Reported Vulnerabilities: - win2k-telnetserver-dos - win2k-cpu-overload-dos - fw1-resource-overload-dos - sybergen-routing-table-modify - ircd-dalnet-summon-bo - win-arp-spoofing - imesh-tcp-port-overflow - ie-active-setup-download - ftgate-invalid-user-requests - winproxy-get-dos - firstclass-large-bcc-dos - winproxy-command-bo - boa-webserver-file-access - ie-access-vba-code-execute - ie-powerpoint-activex-object-execute - fortech-proxy-telnet-gateway - xwin-clients-default-export - sawmill-file-access - sawmill-weak-encryption - netscape-virtual-directory-bo - netscape-enterprise-netware-bo - proxyplus-telnet-gateway - glftpd-privpath-directive - irc-leafchat-dos - openbsd-isc-dhcp-bo - debian-cups-malformed-ipp - jetadmin-network-dos - wuftp-format-string-stack-overwrite - jrun-read-sample-files - redhat-secure-locate-path - redhat-gkermit - weblogic-file-source-read - netscape-ftpserver-chroot - linux-kon-bo - dmailweb-long-username-dos - dmailweb-long-pophost-dos - aix-cdmount-insecure-call - irix-workshop-cvconnect-overwrite - blackice-security-level-nervous - linux-libice-dos - xdm-xdmcp-remote-bo - 
webbbs-get-request-overflow - nettools-pki-http-bo - nettools-pki-unauthenticated-access - panda-antivirus-remote-admin - dragon-telnet-dos - dragon-ftp-dos - small-http-get-overflow-dos - mdaemon-pass-dos - simpleserver-long-url-dos - win2k-desktop-separation - zope-dtml-remote-modify - pgp-cert-server-dos - antivirus-nav-fail-open - antivirus-nav-zip-bo - kerberos-gssftpd-dos - sol-ufsrestore-bo - tigris-radius-login-failure - webbanner-input-validation-exe - smartftp-directory-traversal - antisniff-arptest - weblogic-jsp-source-read - websphere-jsp-source-read - freebsd-alpha-weak-encryption - mailstudio-set-passwords - http-cgi-mailstudio-bo - mailstudio-view-files - kerberos-lastrealm-bo - kerberos-localrealm-bo - kerberos-emsg-bo - kerberos-authmsgkdcrequests - kerberos-free-memory - openssh-uselogin-remote-exec - mailstudio-cgi-input-vaildation - ceilidh-path-disclosure - ceilidh-post-dos - nt-admin-lockout _____ Date Reported: 6/30/00 Vulnerability: win2k-telnetserver-dos Platforms Affected: Windows 2000 Risk Factor: Medium Attack Type: Network/Host Based Microsoft Windows 2000 contains a telnet server for users to access the console remotely. If a a user sends a stream of binary zeros to the server will cause it to crash and restart. If this happens numerous times, the service stops restarting because of maximum failure. Reference: Bugtraq Mailing List: "SecureXpert Advisory [SX-20000620-1]" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161841.4619A-100000@fjord.fscinternet.com _____ Date Reported: 6/30/00 Vulnerability: win2k-cpu-overload-dos Platforms Affected: Windows 2000 Risk Factor: Medium Attack Type: Network/Host Based Microsoft Windows 2000 is vulnerable to a binary zero denial of service attack. If a user sends a stream of binary zeros to any of Windows 2000's ports, the CPU usage will rise to 100% and slow to a halt. 
Reference: Bugtraq Mailing List: "SecureXpert Advisory [SX-20000620-2]" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630161935.4619B-100000@fjord.fscinternet.com _____ Date Reported: 6/30/00 Vulnerability: fw1-resource-overload-dos Platforms Affected: Firewall 1 Risk Factor: Medium Attack Type: Network/Host Based Checkpoint Software's Firewall-1 versions 1.4.0 and 1.4.1 contain a resource overload denial of service. If a user sends a stream of binary zeros to the SMTP port (25) on the firewall, it causes the load to increase to 100% causing the system to slow to a halt. Reference: Bugtraq Mailing List: "SecureXpert Advisory [SX-20000620-3]" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000630162106.4619C-100000@fjord.fscinternet.com _____ Date Reported: 6/30/00 Vulnerability: sybergen-routing-table-modify Platforms Affected: Sybergen Secure Desktop 2.1 Risk Factor: High Attack Type: Network Based Sybergen Secure Desktop 2.1 is a personal firewall that protects a single computer from malicious attackers. A vulnerability exists in the program in that it does not properly protect the system from spoofed ICMP router advertisements. This would allow a remote attacker to modify the routing table, which would open up such vulnerabilties as disabling the firewall, tcp redirection, and man in the middle attacks. Reference: Bugtraq Mailing List: "Multiple vulnerabilities in Sybergen Secure Desktop" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=4125690E.00524395.00@guardianit.se _____ Date Reported: 6/29/00 Vulnerability: ircd-dalnet-summon-bo Platforms Affected: Dalnet ircd 4.6.5 Risk Factor: Medium Attack Type: Network Based Internet Relay Chat (IRC) is a popular program used for chatting with other users across ircd servers. The Dalnet ircd server is vulnerable to a buffer overflow in the SUMMON command. 
If a remote user overflows this command and supplies shellcode, it will be executed as the user running ircd. This is very difficult to exploit, and default versions of ircd do not have the SUMMON command enabled. Reference: Bugtraq Mailing List: "dalnet 4.6.5 remote vulnerability" at: http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-06-22&msg=Pine.LNX.3.95.1000628153342.12798A-100000@cannabis.dataforce.net _____ Date Reported: 6/29/00 Vulnerability: win-arp-spoofing Platforms Affected: Windows 95 Windows 98 Risk Factor: High Attack Type: Network Based Windows 95 and 98 is vulnerable to an ARP spoofing attack. If a user spoofs ARP packets to the system, it would allow them to overwrite the ARP table with static ips that would reroute traffic for specific hosts to other machines on the same subnet. Reference: Bugtraq Mailing List: "Buggy ARP handling in Windoze" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=395B7E64.9FB3D4DB@starzetz.de _____ Date Reported: 6/29/00 Vulnerability: imesh-tcp-port-overflow Platforms Affected: iMesh 1.02 Risk Factor: High Attack Type: Network/Host Based iMesh is a program that allows users to access and share information from one desktop to another, rather than over servers. If a user connects to the TCP port that iMesh is listening to, and creates an overflow that overwrites the EIP, it would allow them to execute arbitrary code on the vulnerable system. Reference: BluePanda Vulnerability Announcement: "iMesh 1.02 vulnerability" at: http://bluepanda.box.sk/files/imbof102.txt _____ 4839 Date Reported: 6/29/00 Vulnerability: ie-active-setup-download Platforms Affected: Microsoft Internet Explorer (4.0, 4.01, 5.0, 5.01) Risk Factor: High Attack Type: Network Based Microsoft Internet Explorer uses Active Setup Control which allows Microsoft signed .cab files to be installed without asking for the user's approval. 
A malicious web site operator could imbed tags into the web site that would install .cab files onto a visitor's machine, overwriting existing files, possibly making the machine unusable. Reference: Microsoft Security Bulletin (MS00-042): "Patch Available for 'Active Setup Download' Vulnerability" at: http://www.microsoft.com/technet/security/bulletin/ms00-042.asp _____ Date Reported: 6/28/00 Vulnerability: ftgate-invalid-user-requests Platforms Affected: FTGate Risk Factor: Low Attack Type: Network Based FTGate is a feature packed mail server that runs on Windows 95/98 or Windows NT/2000. FTGate's POP3 server responds to invalid USER requests with a -ERR code without disconnecting making it possible for an attacker to bruteforce usernames and passwords. Reference: BugTraq Mailing List, Mon Jun 26 2000 14:23:08: "Problems with FTGate" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006262019340.87758-100000@unix.za.net _____ Date Reported: 6/27/00 Vulnerability: winproxy-get-dos Platforms Affected: WinProxy Risk Factor: Medium Attack Type: Network/Host Based WinProxy is a windows based proxy program by Sapporo Works in Japan. If a user connects to the POP3 or HTTP port and issues a GET command followed by a forward slash, it causes the proxy to stop responding. Reference: Bugtraq Mailing List: "[SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp _____ Date Reported: 6/27/00 Vulnerability: firstclass-large-bcc-dos Platforms Affected: FirstClass Internet Services 5.770 Risk Factor: Medium Attack Type: Network/Host Based FirstClass Internet Services 5.770 is vulnerable to a denial of service attack. If a message is received that has a unusually large BCC header (such as many spam messages do), it causes the FCIS server processes to hang and have to be restarted. 
Reference: Bugtraq Mailing List: "DoS in FirstClass Internet Services 5.770" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-22&msg=4.3.2.7.2.20000627222545.00b06c80@mailbox80.utcc.utoronto.ca _____ Date Reported: 6/27/00 Vulnerability: winproxy-command-bo Platforms Affected: WinProxy Risk Factor: High Attack Type: Network/Host Based WinProxy is a windows based proxy program by Sapporo Works in Japan. If a user connects to the POP3 or HTTP port and any of the standard commands such as USER, PASS, LIST, RETR, DELE, followed by strings of 312 characters or more, the buffer overflows and the user can execute arbitrary code. Reference: Bugtraq Mailing List: "[SPSadvisory #37]WinProxy 2.0.0/2.0.1 DoS and Exploitable Buffer Overflow" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006271417.GFE84146.-BJXON@lac.co.jp _____ Date Reported: 6/27/00 Vulnerability: boa-webserver-file-access Platforms Affected: BOA Webserver Risk Factor: High Attack Type: Network Based BOA Webserver is a simple, basic command web server for Unix based machines. Because of the lack of URL parsing, a remote user can access any file on the machine by specificly formatting an URL such as '/../../../../etc/passwd'. Reference: Bugtraq Mailing List: "BOA Webserver local path problem" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-22&msg=Pine.LNX.4.21.0006271632590.30256-100000@binxdsign.com _____ Date Reported: 6/27/00 Vulnerability: ie-access-vba-code-execute Platforms Affected: Microsoft Internet Explorer 5.01 Microsoft Access 2000 Risk Factor: High Attack Type: Network Based Microsoft Internet Explorer and Microsoft Access 2000 contain a vulnerability that would allow a malicious web page to execute Visual Basic Applications (VBA) code. If a web page or email message uses IFRAME without acknowledging the user, .mdb files can be executed with VBA code embeded in them. 
Reference: Bugtraq Mailing List: "IE 5 and Access 2000 vulnerability - executing programs" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589359.762392DB@nat.bg _____ Date Reported: 6/27/00 Vulnerability: ie-powerpoint-activex-object-execute Platforms Affected: Microsoft Internet Explorer 5.01 Microsoft Powerpoint 2000 Risk Factor: High Attack Type: Network Based Microsoft Internet Explorer and Microsoft Powerpoint 2000 contain a bulnerability that would allow a malicious web page to execute applications on the affected system. Using IFRAME, ActiveX object tags can be executed which could save a file anywhere on the system without the user knowning. If the file is saved in the startup folder, it would be executed the next time a user restarts Windows. Reference: Bugtraq Mailing List: "IE 5 and Excel 2000, PowerPoint 2000 vulnerability - executing programs" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=39589349.ED9DBCAB@nat.bg _____ Date Reported: 6/26/00 Vulnerability: fortech-proxy-telnet-gateway Platforms Affected: Fortech Risk Factor: Low Attack Type: Network Based Proxy+ is an intergrated firewall proxy server and mail server. A vulnerability in the Proxy+ telnet proxy can allow an attacker to connect remotely to the system resources. Reference: BugTraq Mailing List, Mon Jun 26 2000 13:58:20: "Proxy+ Telnet Gateway Problems" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006261954210.87590-100000@unix.za.net _____ Date Reported: 6/26/00 Vulnerability: xwin-clients-default-export Platforms Affected: Exceed (6.0.1.0, 6.0.2, 6.1) Risk Factor: Low Attack Type: Network Based Many Xwindows clients for Windows based opearting systems export sessions to the world by default. If a remote user can access the session, it is possible for them to capture keystrokes, usernames, passwords, and other sensitive information. 
Reference: ducktank.net: "X Window Vulnerabilities making a strong comeback" at: http://www.ducktank.net/tips/X.html _____ Date Reported: 6/26/00 Vulnerability: sawmill-file-access Platforms Affected: Sawmill 5.0.21 Risk Factor: Medium Attack Type: Network/Host Based Flowerfire's Sawmill is a program for Unix, Windows based, or Macintosh operationg systems that logs site statistics. A user can send a malformed url to the program over the http server, and read the first line of any file on the system. Reference: Bugtraq Mailing List: "sawmill5.0.21 old path bug & weak hash algorithm" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006261615350.606-200000@localhost.localdomain _____ Date Reported: 6/26/00 Vulnerability: sawmill-weak-encryption Platforms Affected: Sawmill 5.0.21 Risk Factor: Medium Attack Type: Network/Host Based Flowerfire's Sawmill is a program for Unix, Windows based, or Macintosh operationg systems that logs site statistics. The password file 'SawmillPassword' uses a weak encryption algorithm and a program exists to decrypt this password, which would give the attacker access to Sawmill for viewing statistics or reconfiguring it. Reference: Bugtraq Mailing List: "sawmill5.0.21 old path bug & weak hash algorithm" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006261615350.606-200000@localhost.localdomain _____ Date Reported: 6/26/00 Vulnerability: netscape-virtual-directory-bo Platforms Affected: Netscape Enterprise Server for NetWare (4.1.1, 5.0) Risk Factor: High Attack Type: Network Based Netscape Enterprise Server for NetWare is vulnerable to a buffer overflow. By issuing a malformed URL, a remote attacker can overflow the buffer and execute arbitrary code on the system with the privileges of the web server. 
Reference: BugTraq Mailing List, Mon Jun 26 2000 06:02:15: "Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-01-8&msg=199801122320.PAA09984@passer.osg.gov.bc.ca _____ Date Reported: 6/26/00 Vulnerability: netscape-enterprise-netware-bo Platforms Affected: Netscape Enterprise Server NetWare (5.0, 5.1) Risk Factor: High Attack Type: Network/Host Based Netscape Enterprise Server for Netware 5.0 and 5.1 contains a buffer overflow. If a user requests a specifically malformed URL to the server, the services stop responding and the user can execute arbitrary code. Reference: Bugtraq Mailing List: "Netscape Enterprise Server for NetWare Virtual Directory Vulnerability" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=A5F256C2C72FD411BCD600508B65FE6A02B783@nm-exch-cph.internal.n-m.com _____ Date Reported: 6/26/00 Vulnerability: proxyplus-telnet-gateway Platforms Affected: Proxy+ 2.40 Risk Factor: High Attack Type: Network Based Fortech's Proxy+ is a service that provides solutions for accessing the internet from a local area network. Proxy+ restricts remote access via the http proxy, however it is possible to access the services over the telnet proxy. Reference: Bugtraq Mailing List: "Proxy+ Telnet Gateway Problems" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006261954210.87590-100000@unix.za.net _____ Date Reported: 6/26/00 Vulnerability: glftpd-privpath-directive Platforms Affected: GlFtpd Risk Factor: High Attack Type: Network/Host Based glftpd contains a vulnerability in its checking of access of the privpath directive. If the attacker knows the name of a directory, they can access the directory using the chdir command combined with the name completion function (such as only entering the first letter of the directory). Reference: Bugtraq Mailing List: "Glftpd privpath bugs... 
+fix" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10006261041360.31907-200000@twix.thrijswijk.nl _____ Date Reported: 6/25/00 Vulnerability: irc-leafchat-dos Platforms Affected: LeafChat 1.7 Risk Factor: Low Attack Type: Network Based The LeafChat IRC client is vulnerable to a denial of service attack by a remote user. When a LeafChat client receives invalid data from the server, a dialog box appears with an error message. A remote attacker can send invalid messages rapidly from the server to consume resources on the client's system and crash the LeafChat program. Reference: BugTraq Mailing List, Sun Jun 25 2000 15:00:06: "LeafChat Denial of Service" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.10.10006252056110.74551-100000@unix.za.net _____ Date Reported: 6/24/00 Vulnerability: openbsd-isc-dhcp-bo Platforms Affected: ISC DHCP Client (2.0, 3.0) Risk Factor: High Attack Type: Network Based The ISC Dynamic Host Configuration Protocol Distribution provides a free redistributable reference implementation of the DHCP protocol. An input validation flaw exists in DHCP which could allow an attacker to execute commands from remote an obtain root access. Reference: BugTraq Mailing List, Wed Jun 21 2000 06:54:08: "Possible root exploit in ISC DHCP client." at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl _____ Date Reported: 6/22/00 Vulnerability: debian-cups-malformed-ipp Platforms Affected: Linux Debian (2.2, 2.3) Risk Factor: Low Attack Type: Network/Host Based A denial of service attack exists in certain versions of CUPS(Common Unix Printing System) which could result in the disruption of printing services. 
Reference: BugTraq Mailing List, Tue Jun 20 2000 00:20:02: "CUPS DoS Bugs" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000620132002.B16494@server1 _____ Date Reported: 6/22/00 Vulnerability: jetadmin-network-dos Platforms Affected: JetAdmin 6.0 Risk Factor: Medium Attack Type: Network/Host Based Hewlett-Packard Web JetAdmin provides a management solution for TCP/IP and IPX connected peripheral devices. Web JetAmin is vulnerable to a denial of service attack. An attacker could send a malformed URL to crash the service and cause the networked devices to work improperly. Reference: Hewlett-Packard Security Bulletin HPSBUX0006-116: "Sec. Vulnerability in Web JetAdmin 6.0" at: http://us-support.external.hp.com/cki/bin/doc.pl/screen=ckiDisplayDocument?docId=200000050014347 _____ Date Reported: 6/22/00 Vulnerability: wuftp-format-string-stack-overwrite Platforms Affected: wu-ftpd 2.5 Risk Factor: High Attack Type: Network Based Washington University's ftp daemon for Unix based operating systems is a widely used ftp service. It contains a vulnerablity that would allow a remote user to execute arbitrary commands over an anonymous ftp session. If the user uses the SITE EXEC command, its possible to overwrite data such as the return address on the stack. A user can then execute code, as root, they have inserted into the string. This is not a standard buffer overflow but an "input validation" vulnerability. Reference: BugTraq Mailing List, Fri Jun 23 2000 01:18:22: "ftpd: the advisory version" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000623091822.3321.qmail@fiver.freemessage.com _____ Date Reported: 6/22/00 Vulnerability: jrun-read-sample-files Platforms Affected: Jrun Server Risk Factor: High Attack Type: Network Based Allaire Jrun is Java application server that supports Java Servlet APIs and Java Server Pages (JSP). Jrun 2.3.x includes sample files that could allow a remote user to view files on the web server. 
By requesting specially crafted URLs, a remote attacker could view online documentation or sample files, as well as view files on the web server and retrieve sensitive information. Reference: Allaire Security Bulletin ASB00-15: "Workaround available for vulnerabilities exposed by JRun 2.3.x code sample" at: http://www.allaire.com/handlers/index.cfm?ID=16290&Method=Full _____ Date Reported: 6/21/00 Vulnerability: redhat-secure-locate-path Platforms Affected: Linux RedHat 6.2 Risk Factor: Medium Attack Type: Host Based The slocate (Secure Locate) package in Red Hat Linux is used to maintain an index of the entire filesystem. The program performs insufficient input validation on the LOCATE_PATH environment variable. An unauthorized user could construct an invalid LOCATE_PATH variable and cause a possibly exploitable SEGV (segmentation fault) in Secure Locate. Reference: BugTraq Mailing List, Wed Jun 21 2000 06:54:08: "rh 6.2 - gid compromises, etc" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl _____ Date Reported: 6/21/00 Vulnerability: redhat-gkermit Platforms Affected: Linux RedHat 6.2 Risk Factor: Medium Attack Type: Host Based The gkermit binary in Red Hat Linux could allow a local attacker to access sensitive files. The gkermit binary is a Unix utility for transferring files using the Kermit protocol. A local attacker could use gkermit to gain read and write access to critical system files, including uucp password files, because the program is setgid uucp. 
Reference: BugTraq Mailing List, Wed Jun 21 2000 06:54:08: "rh 6.2 - gid compromises, etc" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl _____ Date Reported: 6/21/00 Vulnerability: weblogic-file-source-read Platforms Affected: WebLogic Express Risk Factor: Medium Attack Type: Network/Host Based BEA System's Weblogic web server is vulnerable to a source disclosure vulnerability. If a user makes an HTTP request and uses the "/file/" at the end of the URL, this causes the server to display the source of the requested java applet instead of running it. Reference: Foundstone, Inc.: "BEA's WebLogic" at: http://www.foundstone.com/FS-062100-4-BEA.txt _____ Date Reported: 6/21/00 Vulnerability: netscape-ftpserver-chroot Platforms Affected: Netscape Professional Services FTPServer 1.3.6 Risk Factor: High Attack Type: Network Based Netscape Professional Services FTP Server version 1.3.6 could allow a remote attacker to gain root privileges. The FTP server fails to enforce a restricted user environment (chroot) allowing an FTP user to download any file on the system. An attacker could download any file on the system (such as /etc/passwd) and gain root access. An attacker could also upload files with the privileges of the FTP daemon. Additionally, this FTP server supports LDAP users, and multiple LDAP accounts use the same physical UID. An attacker could access and overwrite files on other accounts, or retrieve LDAP user passwords. 
Reference: BugTraq Mailing List, Wed Jun 21 2000 08:13:33: "Netscape FTP Server - "Professional"" as hell :>"" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006211351280.23780-100000@nimue.tpi.pl _____ Date Reported: 6/21/00 Vulnerability: linux-kon-bo Platforms Affected: Linux RedHat (5.0, 5.1, 5.2, 6.1, 6.2) Linux Debian (2.1, 2.2, 2.3) Risk Factor: High Attack Type: Host Based The KON (Kanji on Console) package in Linux is used to display Kanji text. KON binaries "kon" and "fld" are vulnerable to buffer overflows in the stack that may allow an attacker to gain root access. Reference: BugTraq Mailing List, Mon Jun 19 2000 16:51:53: ""Problems with ""kon2"" package"" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192340340.19998-100000@ferret.lmh.ox.ac.uk _____ Date Reported: 6/20/00 Vulnerability: dmailweb-long-username-dos Platforms Affected: NetWin DMailWeb 2.6 NetWin CWMail 2.6 Risk Factor: Low Attack Type: Network Based NetWin DMailWeb 2.6 is vulnerable to a denial of service if a remote user sends a long username with 240 characters or more. Reference: BugTraq Mailing List, Tue Jun 20 2000 23:52:22: "NetWin dMailWeb Denial of Service" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca _____ Date Reported: 6/20/00 Vulnerability: dmailweb-long-pophost-dos Platforms Affected: NetWin DMailWeb 2.6 NetWin CWMail 2.6 Risk Factor: Low Attack Type: Network Based NetWin DMailWeb 2.6 is vulnerable to a denial of service if a remote user sends a long pophost with 512 characters or more. 
Reference: BugTraq Mailing List, Tue Jun 20 2000 23:52:22: "NetWin dMailWeb Denial of Service" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=4.1.20000621113334.00996820@qlink.queensu.ca _____ Date Reported: 6/20/00 Vulnerability: aix-cdmount-insecure-call Platforms Affected: AIX Risk Factor: High Attack Type: Network Based The AIX cdmount program is part of the AIX UltiMedia Services (UMS) package, designed to allow regular users to mount CD-ROM filesystems. Insecure handling of the arguments to cdmount may allow a local regular user to execute commands as root. The system()library subroutine is used to spawn a shell to execute the mount command with arguments provided by the user. By calling cdmount with arguments containing shell metacharacters, an attacker could execute arbitrary commands as root. AIX systems with the LPP UMS.objects 2.3.0.0 and below installed are affected. Reference: Internet Security Systems Security Advisory #55: "Insecure call of external program in AIX cdmount" at: http://xforce.iss.net/alerts/advise55.php _____ Date Reported: 6/20/00 Vulnerability: irix-workshop-cvconnect-overwrite Platforms Affected: IRIX Risk Factor: High Attack Type: Netowrk/Host Based WorkShop is a set of software tools used to debug programs. WorkShop could allow a remote attacker to overwrite any file on the system, due to a flaw in the included cvconnect(1M) binary. The cvconnect(1M) binary, which is setuid root, is invoked by WorkShop and is not intended to be run by users. An attacker with a local account on the system could use cvconnect(1M) to overwrite any file, and then gain root access on the system. Reference: Silicon Graphics Inc. 
Security Advisory: "IRIX WorkShop cvconnect(1M) Vulnerability" at: http://www.securityfocus.com/templates/advisory.html?id=2341 _____ Date Reported: 6/20/00 Vulnerability: blackice-security-level-nervous Platforms Affected: BlackICE Risk Factor: High Attack Type: Network Based BlackICE is an Intrustion Detection System (IDS) for personal or corporate use. The BlackICE application fails to block high UDP ports at the "NERVOUS" configuration level. A remote attacker could use various exploits (such as Back Orifice) that use high UDP ports to bypass BlackICE and compromise the system. Reference: BugTraq Mailing List, Tue Jun 20 2000 00:30:22: "BlackICE by Network ICE Corp vulnerability against Back Orifice 1.2" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=KIEPJBAEMHMFLDLNKBOBKEOKCAAA.juancho@networkice.com _____ Date Reported: 6/19/00 Vulnerability: linux-libice-dos Platforms Affected: Gnome 1.1 Risk Factor: Low Attack Type: Network Based The libICE package in many versions of Linux is vulnerable to a denial of service. LibICE is an X11 widowing system component. The libICE package is vulnerable to a denial of service attack. Due to improper handling of the SKIP_STRING macro, a remote attacker can cause a segfault by supplying a large skip value. In GNOME, a remote attacker can use the libICE vulnerability to crash another user's X session. Reference: BugTraq Mailing List, Mon Jun 19 2000 16:51:18: "XFree86: libICE DoS" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=P ine.LNX.4.21.0006192220220.9945-100000@ferret.lmh.ox.ac.uk _____ Date Reported: 6/19/00 Vulnerability: xdm-xdmcp-remote-bo Platforms Affected: XFree86 Risk Factor: Medium Attack Type: Network Based XDM and derivative packages (KDM and WDM) shipped with X Windows are vulnerable to a buffer overflow in the xdmcp.c error handling code. XDM is a X Windows display manager for Linux. 
The send_failed() method copies a host name into a buffer without verifying sufficient memory space. By sending over 256 characters, a remote attacker can overflow the buffer and gain access to the system. If XDM is run as root, the attacker could gain root privileges. It may be possible to cause a denial of service by crashing XDM. Reference: BugTraq Mailing List, Mon Jun 19 2000 16:51:43: "XFree86: xdm flaw; present in kdm" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0006192325410.19998-100000@ferret.lmh.ox.ac.uk _____ Date Reported: 6/19/00 Vulnerability: webbbs-get-request-overflow Platforms Affected: WebBBS 1.1.5 Risk Factor: High Attack Type: Network/Host Based WebBBS is a multi-function web server and web-based bulletin board developed by International TeleCommunications. WebBBS version 1.1.5 is vulnerable to a buffer overflow in the GET command. By sending a large GET request to the server on port 80, a remote attacker can overflow a buffer and execute arbirtary code on the system. Reference: Security Team Advisories DST2K0018: "Multiple BufferOverruns in WebBBS HTTP Server v1.15" at: http://www.delphisplc.com/thinking/whitepapers/security/DST2K0018.txt _____ Date Reported: 6/18/00 Vulnerability: nettools-pki-http-bo Platforms Affected: Net Tools PKI Server Risk Factor: Medium Attack Type: Network/Host Based Network Associates' Net Tools PKI Server contains a vulnerability when a user sends an unusually long URL to the HTTP server. This will cause the service to crash and have to be restarted. 
Reference: BugTraq Mailing List, Sun Jun 18 2000 17:19:59: "Net Tools PKI server exploits" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=B1F2937B437BD3119603000094A18677169B58@mailer.0.20.172.in-addr.arpa _____ Date Reported: 6/18/00 Vulnerability: nettools-pki-unauthenticated-access Platforms Affected: Net Tools PKI Server Risk Factor: High Attack Type: Network/Host Based Network Associates' Net Tools PKI Server uses Xcert Universal Database API (XUDA) templates. XUDA does not use absolute pathnames so a user can create a file and gain access to the system. Reference: BugTraq Mailing List, Sun Jun 18 2000 17:19:59: "Net Tools PKI server exploits" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=B1F2937B437BD3119603000094A18677169B58@mailer.0.20.172.in-addr.arpa _____ Date Reported: 6/17/00 Vulnerability: panda-antivirus-remote-admin Platforms Affected: Panda Antivirus 2.0 for NetWare Risk Factor: High Attack Type: Network Based Panda Antivirus is a multi-platform virus protection program. Panda Antivirus 2.0 for NetWare could allow an attacker to execute arbitrary NetWare commands on the administration server. An unauthenticated remote attacker can telnet to port 2001 and execute any NetWare command using the CMD command. Reference: BugTraq Mailing List, Sat Jun 17 2000 05:10:17: "Infosec.20000617.panda.a" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=41256901.003D5E29.00@mailgw.backupcentralen.se _____ Date Reported: 6/16/00 Vulnerability: dragon-telnet-dos Platforms Affected: Dragon Server (1.0, 2.0) Risk Factor: Medium Attack Type: Network/Host Based Dragon Server is vulnerable to a denial of service caused by a buffer overflow in the Telnet login function. Dragon Server is an FTP and Telnet server for Windows that is designed to look and function like a Unix program. 
By sending a string of 16,500 characters at the Telnet username login prompt, a remote attacker can cause the Telnet service (port 23) to crash and have to be restarted.

Reference:
Underground Security System Research Advisory USSR-2000046: "Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00 Vulnerability" at:
http://www.ussrback.com/labs46.html

_____

Date Reported: 6/16/00
Vulnerability: dragon-ftp-dos
Platforms Affected: Dragon Server (1.0, 2.0)
Risk Factor: Medium
Attack Type: Network/Host Based

Dragon Server is vulnerable to a denial of service caused by a buffer overflow in the FTP login function. Dragon Server is an FTP and Telnet server for Windows that is designed to look and function like a Unix program. By sending a string of 16,500 characters at the FTP username prompt (port 21), a remote attacker can cause the FTP service to crash and have to be restarted.

Reference:
Underground Security System Research Advisory USSR-2000046: "Multiples Remotes DoS Attacks in Dragon Server v1.00 and v2.00 Vulnerability" at:
http://www.ussrback.com/labs46.html

_____

Date Reported: 6/16/00
Vulnerability: small-http-get-overflow-dos
Platforms Affected: Small HTTP Server
Risk Factor: Medium
Attack Type: Network/Host Based

Small HTTP Server is a web server for Windows. The program is vulnerable to a denial of service attack caused by a buffer overflow in the GET command. By sending a GET request of 65,000 characters to the HTTP server service (port 80), an attacker can cause the server to crash and have to be restarted.

Reference:
Underground Security System Research USSR-2000047: "Remote DoS Attack in Small HTTP Server ver. 1.212 Vulnerability" at:
http://www.ussrback.com/labs47.html

_____

Date Reported: 6/16/00
Vulnerability: mdaemon-pass-dos
Platforms Affected: MDaemon
Risk Factor: Medium
Attack Type: Network/Host Based

Deerfield.com's MDaemon is an email server which supports SMTP, POP3, IMAP4, and many other applications.
If a local or remote user issues the PASS command, then the UIDL command, and quits immediately before receiving a UIDL response, the server crashes and has to be restarted.

Reference:
NTBugtraq Mailing List, Fri, 16 Jun 2000 22:08:44 +0200: "mdaemon 2.8.5.0 WinNT and Win9x remote DoSContent" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0006&L=ntbugtraq&F=&S=&P=7545

_____

Date Reported: 6/15/00
Vulnerability: simpleserver-long-url-dos
Platforms Affected: AnalogX SimpleServer WWW Version 1.05
Risk Factor: Medium
Attack Type: Network/Host Based

AnalogX SimpleServer:WWW is a standard web server for Windows. Version 1.05 is vulnerable to a denial of service attack caused by a buffer overflow in the GET command. By requesting a URL with a long string following the /cgi-bin/ directory, an attacker can crash the server, requiring it to be rebooted.

Reference:
Underground Security System Research USSR-2000045: "Remote DoS attack in AnalogX SimpleServer WWW Version 1.05 Vulnerability" at:
http://www.ussrback.com/labs45.html

_____

Date Reported: 6/15/00
Vulnerability: win2k-desktop-separation
Platforms Affected: Windows 2000
Risk Factor: Medium
Attack Type: Host Based

Microsoft Windows 2000 could allow an attacker to gain increased privileges on the local system. The Windows 2000 security architecture restricts processes through a system of sessions, "window stations", and "desktops". A local attacker could create a process that runs in a higher-privilege context ("desktop") than the local user. This would give the attacker access to certain input devices available to the higher-privilege desktop, for instance, allowing the user to monitor local logins to record usernames and passwords.
Reference:
Microsoft Security Bulletin MS00-020: "Patch Available for 'Desktop Separation' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-020.asp

_____

Date Reported: 6/15/00
Vulnerability: zope-dtml-remote-modify
Platforms Affected: Zope (2.1.7 and earlier)
Risk Factor: Medium
Attack Type: Network Based

The Z Object Publishing Environment (Zope) could allow a remote attacker to modify DTML documents. Zope versions 2.1.7 and earlier contain an insufficiently protected method in one of the base classes in the DocumentTemplate package. An attacker could change the contents of DTMLDocuments or DTMLMethods remotely or through DTML code, without being properly authorized to make such changes.

References:
Zope web site: "News Item: Zope security alert and hotfix product" at:
http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert
BugTraq Mailing List, Thu Jun 15 2000 13:44:52: "[Brian@digicool.com: [Zope] Zope security alert and 2.1.7 update [*important*]]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000615214452.C11871@schvin.net
BugTraq Mailing List, Thu Jun 15 2000 23:38:07: "Conectiva Linux Security Announcement - ZOPE" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000616103807.A3768@conectiva.com.br
Zope.org Home Page: "News Item: Zope security alert and hotfix product" at:
http://www.zope.org/Products/Zope/Hotfix_06_16_2000/security_alert

_____

Date Reported: 6/14/00
Vulnerability: pgp-cert-server-dos
Platforms Affected: Network Associates PGP Certificate Server
Risk Factor: Medium
Attack Type: Network/Host Based

Network Associates PGP Certificate Server is vulnerable to a denial of service attack. If a local or remote user attempts to access remote server management, and has an IP address that does not resolve to a hostname, the service crashes and has to be restarted.
Reference:
Underground Security System Research Advisory USSR-2000044: "Remote DoS attack in Networks Associates PGP Certificate Server Version 2.5 Vulnerability" at:
http://www.ussrback.com/labs44.html

_____

Date Reported: 6/14/00
Vulnerability: antivirus-nav-fail-open
Platforms Affected: Norton AntiVirus for Microsoft Exchange (2.0 and earlier)
Risk Factor: Medium
Attack Type: Network Based

Norton AntiVirus for Microsoft Exchange is an anti-virus program for detecting and removing viruses sent in email messages. Under certain circumstances, versions 2.0 and earlier may enter a "fail-open" state that leaves users completely unprotected from email viruses. When this failure occurs, the program logs (in Event Viewer) e-mail messages that contain viruses, but it fails to clean them from the recipients' mail boxes. The service must be restarted to restore proper functionality.

References:
BugTraq Mailing List, Wed Jun 14 2000 08:02:16: "Vulnerabilities in Norton Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3947F2D8.18900.89F003@localhost
BugTraq Mailing List, Tue Jun 20 2000 17:38:47: "FW: Vulnerabilities in Norton Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=OF16AB62DA.D26E5050-ON88256905.005570DD@symantec.com

_____

Date Reported: 6/14/00
Vulnerability: antivirus-nav-zip-bo
Platforms Affected: Norton AntiVirus for Microsoft Exchange (2.0 and earlier)
Risk Factor: Medium
Attack Type: Network Based

Norton AntiVirus for Microsoft Exchange is an anti-virus program for detecting and removing viruses sent in email messages. The component for unzipping files in versions 2.0 and earlier is vulnerable to a buffer overflow. By sending an email message containing a .ZIP file with a long file name, an attacker can overflow a buffer and disrupt service on the Norton AntiVirus server.
The attacker may be able to use this vulnerability to embed viruses in .ZIP files with long names, cause the server to enter an unrecoverable "fail-open" state, or possibly execute arbitrary code on the mail server.

References:
BugTraq Mailing List, Wed Jun 14 2000 08:02:16: "Vulnerabilities in Norton Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3947F2D8.18900.89F003@localhost
BugTraq Mailing List, Tue Jun 20 2000 17:38:47: "FW: Vulnerabilities in Norton Antivirus for Exchange" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=OF16AB62DA.D26E5050-ON88256905.005570DD@symantec.com

_____

Date Reported: 6/14/00
Vulnerability: kerberos-gssftpd-dos
Platforms Affected: MIT Kerberos 5-1.1.x
Risk Factor: Medium
Attack Type: Network/Host Based

MIT Kerberos 5-1.1.x is vulnerable to a denial of service attack. The gssftp daemon could allow a remote user to execute certain FTP commands without authorization and crash the system. An attacker with a local account may be able to use this vulnerability to gain root access.

Reference:
Kerberos Security Advisories: "Remote root vulnerability in GSSFTPD" at:
http://web.mit.edu/kerberos/www/advisories/ftp.txt

_____

Date Reported: 6/14/00
Vulnerability: sol-ufsrestore-bo
Platforms Affected: Solaris 8
Risk Factor: High
Attack Type: Host Based

The ufsrestore utility in Sun Solaris is used to restore files from backups created with the ufsdump command. The ufsrestore utility in Sun Solaris versions 8 and earlier is vulnerable to a buffer overflow. An attacker can overflow the buffer that holds the pathname/command for an interactive session to gain local root access on the system.
Reference:
BugTraq Mailing List, Wed Jun 14 2000 07:59:05: "Vulnerability in Solaris ufsrestore" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=20000614135905.A8522@itsx2.itsx.com

_____

Date Reported: 6/13/00
Vulnerability: tigris-radius-login-failure
Platforms Affected: Ericsson AXC Tigris MultiService Access Platform
Risk Factor: Medium
Attack Type: Network Based

Ericsson AXC Tigris MultiService Access Platform is a high-density router for voice and data networks. The Tigris operating system may fail to pass RADIUS accounting data under certain login conditions. When a remote user attempts to log in with invalid login credentials, the user's PPP software may prompt them to retry the login without establishing a new connection. A remote attacker can bypass RADIUS accounting by failing the initial login, and then successfully logging in when prompted to retry the login.

Reference:
BugTraq Mailing List, Tue Jun 13 2000 12:32:47: "ACC/Ericsson Tigris Accounting Failure" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=39458F3F.905001A3@pinnacle.net.au

_____

Date Reported: 6/13/00
Vulnerability: webbanner-input-validation-exe
Platforms Affected: WebBanner 4.0
Risk Factor: High
Attack Type: Network/Host Based

Extropia WebBanner version 4.0 is a Perl-based CGI program that randomly displays banner ads on web pages. The index.cgi script performs insufficient input validation on data passed to it. By sending a malformed request containing metacharacters to the script, an attacker can execute arbitrary commands on the server and gain access as the user running the service, typically webmaster.
Reference:
BugTraq Mailing List, Tue Jun 13 2000 02:55:53: "CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=ILENKALMCAFBLHBGEOFKGEJCCAAA.jwesterink@jwesterink.daxis.nl

_____

Date Reported: 6/13/00
Vulnerability: smartftp-directory-traversal
Platforms Affected: Mindstorm Networks SmartFTP Daemon
Risk Factor: High
Attack Type: Network Based

Mindstorm Networks SmartFTP Daemon could allow a user to create and specify a modified configuration file to gain privileges on the server. For each FTP account on the system, the account's user rights and password are stored in a configuration file (username.FTP_user). A remote attacker with write access could gain full access to the server by creating a modified configuration file with a new username. By using "dot dot" sequences in the username field at login, the attacker can traverse directories on the server to use the new configuration file.

Reference:
BugTraq Mailing List, Tue Jun 13 2000 12:01:38: "SmartFTP Daemon v0.2 Beta Build 9 - Remote Exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=15307.960912098@www16.gmx.net

_____

Date Reported: 6/12/00
Vulnerability: antisniff-arptest
Platforms Affected: L0pht's AntiSniff
Risk Factor: Medium
Attack Type: Network Based

The L0pht AntiSniff program performs an ARP test to scan a network for systems in promiscuous (sniffing) mode. The AntiSniff program developed by L0pht Heavy Industries determines if a device is listening to traffic on the local network. An attacker could use L0pht AntiSniff to gain information about a network that could be useful in an attack. AntiSniff can detect if an IDS (Intrusion Detection System) is being used on the network, prompting an attacker to use IDS evasion techniques.
An attacker could also use L0pht AntiSniff to locate compromised machines that have been placed in promiscuous (sniffing) mode and could be used by the attacker.

Reference:
L0pht Heavy Industries, Inc.: "AntiSniff" at:
http://www.l0pht.com/antisniff/

_____

Date Reported: 6/12/00
Vulnerability: weblogic-jsp-source-read
Platforms Affected: BEA WebLogic Server
Risk Factor: Medium
Attack Type: Network/Host Based

BEA WebLogic Server is vulnerable to source code disclosure of Java Server Pages (JSP files). By requesting a JSP file from the server with the file extension changed from lowercase .jsp to uppercase .JSP, an attacker can cause the web server to reveal the source code for the requested JSP file. Potentially proprietary web server files (such as Java Server Pages) may contain sensitive information (such as user IDs and passwords) embedded in the source code that should not be available to remote users.

Reference:
BugTraq Mailing List, Sun Jun 11 2000 13:22:38: "IBM WebSphere JSP showcode vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-8&msg=2153DBA073F0D311911100B0D01A826F05B770@mail.foundstone.com

_____

Date Reported: 6/12/00
Vulnerability: websphere-jsp-source-read
Platforms Affected: IBM Websphere
Risk Factor: Medium
Attack Type: Network/Host Based

The IBM Websphere web server is vulnerable to source code disclosure of Java Server Pages (JSP files). By requesting a JSP file from the server with the file extension changed from lowercase .jsp to uppercase .JSP, an attacker can cause the web server to reveal the source code for the requested JSP file. Potentially proprietary web server files (such as Java Server Pages) may contain sensitive information (such as user IDs and passwords) embedded in the source code that should not be available to remote users.
Reference:
BugTraq Mailing List, Sun Jun 11 2000 13:19:45: "BEA WebLogic JSP showcode vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-8&msg=2153DBA073F0D311911100B0D01A826F05B76E@mail.foundstone.com

_____

Date Reported: 6/12/00
Vulnerability: freebsd-alpha-weak-encryption
Platforms Affected: FreeBSD Alpha
Risk Factor: Medium
Attack Type: Host Based

The FreeBSD Alpha version does not contain the /dev/random or /dev/urandom pseudo-random number generators that are included in other versions of the FreeBSD kernel. Some applications, such as OpenSSL 0.9.4, do not properly check for a working /dev/random, resulting in weaker encryption.

References:
FreeBSD Security Advisory FreeBSD-SA-00:25: "FreeBSD/Alpha platform lacks kernel pseudo-random number generator, some applications fail to detect this" at:
http://www.securityfocus.com/templates/advisory.html?id=2323
NetBSD Security Advisory 2000-007: "bad key generation in libdes if no /dev/urandom" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-007.txt.asc

_____

Date Reported: 6/10/00
Vulnerability: mailstudio-set-passwords
Platforms Affected: MailStudio 2000
Risk Factor: Medium
Attack Type: Network Based

MailStudio 2000 is a web-based email server for remote users to view mail from any computer. MailStudio 2000 could allow a remote user to set the password for a system user if a password is not already set.

Reference:
BugTraq Mailing List, Sat Jun 10 2000 17:17:12: "Re: Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-15&msg=394223B8.A61C0517@relaygroup.com

_____

Date Reported: 6/9/00
Vulnerability: mailstudio-view-files
Platforms Affected: MailStudio 2000
Risk Factor: Low
Attack Type: Network Based

MailStudio 2000 is a web-based email server for remote users to view mail from any computer. MailStudio 2000 could allow a remote user to view files on the mail server.
A remote attacker with a local account can use "dot dot" (/../) sequences when calling a CGI application to traverse directories and view any file on the mail server, such as other users' email, password files, log files, or configuration files.

Reference:
BugTraq Mailing List, Fri Jun 09 2000 14:00:16: "Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006091800.UAA02755@MaNTRa.FuZZy.net

_____

Date Reported: 6/9/00
Vulnerability: kerberos-lastrealm-bo
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos is vulnerable to a buffer overflow in the lastrealm variable in the set_tgtkey() function that could lead to a denial of service. A remote attacker could overflow this buffer to cause the KDC to issue invalid tickets for all principals, generate a "principal unknown" error, or crash the KDC process. Both Kerberos 4 and Kerberos 5 KDC servers that can service version 4 ticket requests are vulnerable.

References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC" at:
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service Attacks" at:
http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: kerberos-emsg-bo
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos is vulnerable to a buffer overflow in the e_msg variable in the kerb_err_reply() function that could lead to a denial of service. A remote attacker could overflow this buffer to cause the KDC to issue invalid tickets for all principals, generate a "principal unknown" error, or crash the KDC process. Both Kerberos 4 and Kerberos 5 KDC servers that can service version 4 ticket requests are vulnerable.
References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC" at:
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service Attacks" at:
http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: kerberos-authmsgkdcrequests
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos 5-1.1.x is vulnerable to a denial of service attack when configured to service version 4 ticket requests. The code specific to AUTH_MSG_KDC_REQUESTs improperly checks for null-termination, which could lead to a double-free of memory and corruption of the malloc pool. This may result in the KDC process crashing.

References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC" at:
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service Attacks" at:
http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: kerberos-free-memory
Platforms Affected: MIT Kerberos
Risk Factor: Medium
Attack Type: Network Based

MIT Kerberos 5-1.1.x is vulnerable to a denial of service attack when configured to service version 4 ticket requests. A portion of the Kerberos 4 compatibility code could allow already-freed memory to be freed again. This causes a double-free of memory, which could corrupt the malloc pool and crash the KDC process.
References:
Kerberos Security Advisory: "MULTIPLE DENIAL OF SERVICE VULNERABILITIES IN KRB4 KDC" at:
http://web.mit.edu/kerberos/www/advisories/krb4kdc.txt
CERT Advisory CA-2000-11: "MIT Kerberos Vulnerable to Denial-of-Service Attacks" at:
http://www.cert.org/advisories/CA-2000-11.html

_____

Date Reported: 6/9/00
Vulnerability: openssh-uselogin-remote-exec
Platforms Affected: OpenSSH
Risk Factor: High
Attack Type: Network Based

OpenSSH could allow authenticated users to execute commands with elevated privileges if the UseLogin option is enabled. When UseLogin is enabled, the OpenSSH server uses the login(1) program to switch the uid to that of the user. However, when a remote user executes a command through ssh, the uid does not change to that of the user, and the command executes with the uid of sshd (usually root). Default installations of OpenSSH are not vulnerable, because UseLogin is disabled by default.

References:
BugTraq Mailing List, Fri Jun 09 2000 11:06:30: "OpenSSH's UseLogin option allows remote access with root privilege." at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-8&msg=20000609170629.A4933@folly.informatik.uni-erlangen.de
BugTraq Mailing List, Sat Jun 10 2000 03:11:56: "CONECTIVA LINUX SECURITY ANNOUNCEMENT - OPENSSH" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-06-08&msg=20000610141156.F3275@conectiva.com.br

_____

Date Reported: 6/9/00
Vulnerability: mailstudio-cgi-input-vaildation
Platforms Affected: MailStudio 2000
Risk Factor: High
Attack Type: Network Based

MailStudio 2000 is a web-based email server for remote users to view mail from any computer. MailStudio 2000 could allow a remote user to execute arbitrary commands on the mail server. Due to insufficient input validation in the userreg.cgi script, an unauthenticated remote attacker can execute arbitrary commands on the server by inserting "%0a" into the URL.
Reference:
BugTraq Mailing List, Fri Jun 09 2000 14:00:16: "Mailstudio2000 CGI Vulnerabilities [S0ftPj.4]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200006091800.UAA02755@MaNTRa.FuZZy.net

_____

Date Reported: 6/8/00
Vulnerability: ceilidh-path-disclosure
Platforms Affected: Ceilidh v2.60a
Risk Factor: Low
Attack Type: Network Based

Ceilidh v2.60a web bulletin board software could reveal the physical path of the Ceilidh files. The HTML code generated by ceilidh.exe contains a hidden form field named "translated_path" that provides the physical location of the program's files on the web server.

Reference:
Security Team Advisory DST2K0010: "DoS, Path Revealing & BufferOverrun Vulnerability in Ceilidh v2.60a" at:
http://www.delphisplc.com/thinking/whitepapers/security/DST2K0010.txt

_____

Date Reported: 6/8/00
Vulnerability: ceilidh-post-dos
Platforms Affected: Ceilidh v2.60a
Risk Factor: Low
Attack Type: Network Based

Ceilidh v2.60a web bulletin board software is vulnerable to a denial of service attack. A remote attacker can consume available resources on the web server using the POST statement. By repeatedly sending a specially-crafted POST statement, an attacker can spawn multiple copies of ceilidh.exe, with each copy consuming 1% of the CPU and 700 KB of memory.

Reference:
Security Team Advisory DST2K0010: "DoS, Path Revealing & BufferOverrun Vulnerability in Ceilidh v2.60a" at:
http://www.delphisplc.com/thinking/whitepapers/security/DST2K0010.txt

_____

Date Reported: 6/8/00
Vulnerability: nt-admin-lockout
Platforms Affected: Windows NT
Risk Factor: Low
Attack Type: Host Based

Normally, the Administrator account cannot be locked out if an attacker attempts to guess the password. However, a utility in the Windows NT Resource Kit called PASSPROP supports this option.
If the PASSPROP utility is installed, the Administrator account will be locked out if an attacker attempts a brute force or dictionary attack from another computer on the network. This utility does not block the administrator from logging on locally, even if the account has been locked out.

Reference:
Microsoft TechNet: "Securing Your Network" at:
http://www.microsoft.com/TechNet/winnt/Winntas/Tips/techrep/secnet.asp

_____

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low
Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite* security software, ePatrol* remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers and partners, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.