From xforce@iss.net Wed Aug 2 20:15:50 2000 From: X-Force Resent-From: mea culpa To: alert@iss.net Resent-To: jericho@attrition.org Date: Wed, 2 Aug 2000 19:51:47 -0400 (EDT) Subject: ISSalert: Internet Security Systems Security Alert Summary v5 n7 [The following text is in the "X-UNKNOWN" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Alert Summary August 1, 2000 Volume 5 Number 7 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php _____ Contents 37 Reported Vulnerabilities - analogx-proxy-ftp-crash - analogx-proxy-pop3-crash - analogx-proxy-socks4-crash - roxen-null-char-url - wftpd-stat-info - bair-security-removal - roxen-admin-pw-readable - wftpd-stat-dos - wftpd-rest-dos - wftpd-mlst-dos - outlook-express-mail-browser-link - winamp-playlist-parser-bo - outlook-date-overflow - tomcat-error-path-reveal - tomcat-snoop-info - website-webfind-bo - alibaba-cgi-script-directory-listing - alibaba-get-dos - website-httpd32-bo - alibaba-script-file-overwrite - zeroport-weak-encryption - linux-usermode-dos - blackboard-courseinfo-dbase-modification - lsoft-listserv-querystring-bo - linux-nfsutils-remote-root - iis-absent-directory-dos - blackboard-courseinfo-plaintext - cvsweb-shell-access - webactive-long-get-dos - worldclient-dir-traverse - http-cgi-bigbrother-bbhostsvc - apache-source-asp-file-write - netware-port40193-dos - netscape-admin-server-password-disclosure - cisco-pix-firewall-tcp - mssql-manager-password - minivend-viewpage-sample Risk Factor Key _____ Date Reported: 7/25/00 Vulnerability: analogx-proxy-ftp-crash Platforms Affected: AnalogX Proxy Risk Factor: Low Attack Type: Network Based AnalogX Proxy is a proxy server that has the ability to proxy requests for many different services. AnalogX Proxy is vulnerable to a denial of service attack caused by a buffer overflow in the USER command. By sending an FTP USER command containing 370 characters or more to TCP port 21, a remote attacker can overflow the buffer and crash the service. Reference: Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at: http://www.foundstone.com/FS-072500-7-ANA.txt _____ Date Reported: 7/25/00 Vulnerability: analogx-proxy-pop3-crash Platforms Affected: AnalogX Proxy Risk Factor: Low Attack Type: Network Based AnalogX Proxy is a proxy server that has the ability to proxy requests for many different services. AnalogX Proxy is vulnerable to a denial of service attack caused by a buffer overflow in the USER command. By sending a POP3 USER command containing 370 characters or more to TCP port 110, a remote attacker can overflow the buffer and crash the service. Reference: Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at: http://www.foundstone.com/FS-072500-7-ANA.txt _____ Date Reported: 7/25/00 Vulnerability: analogx-proxy-socks4-crash Platforms Affected: AnalogX Proxy Risk Factor: Low Attack Type: Network Based AnalogX Proxy is a proxy server that has the ability to proxy requests for many different services. AnalogX Proxy is vulnerable to a denial of service attack caused by a buffer overflow in the CONNECT request. By sending a SOCKS4 CONNECT request with a user ID field of 1800 characters or more to TCP port 1080, a remote attacker can overflow the buffer and crash the service. Reference: Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at: http://www.foundstone.com/FS-072500-7-ANA.txt _____ Date Reported: 7/22/00 Vulnerability: roxen-null-char-url Platforms Affected: Roxen 2.0 Risk Factor: Medium Attack Type: Network Based Roxen is a platform that is used to develop and manage dynamic web sites. Roxen 2.0 could allow an attacker to view directory listings. By submitting a specially-crafted URL containing null characters, a remote attacker can obtain a directory listing the directories having index files. It may also be possible for a remote attacker to read the source code of CGI files or obtain other sensitive data. Reference: BugTraq Mailing List, Fri Jul 21 2000 21:53:34: "Roxen security alert: Problems with URLs containing null characters." at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D76r98nc4m9.fsf@rimmer.idonex.se _____ Date Reported: 7/21/00 Vulnerability: wftpd-stat-info Platforms Affected: WFTPD 2.4.1 Risk Factor: Low Attack Type: Network Based WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker can issue a STAT request while a file transfer is in progress to display the path and file name on the server. The server must be restarted to regain functionality before it can respond to any additional FTP requests. Reference: BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au _____ Date Reported: 7/21/00 Vulnerability: bair-security-removal Platforms Affected: BAIR Risk Factor: Medium Attack Type: Host Based BAIR web filtering software includes a setting to block access to the Internet Explorer options menu. However, a local attacker can modify the system registry to access this options menu. An attacker can delete the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BAIR Secure to gain full access to the Internet Explorer options menu. An attacker could use this to bypass security and reconfigure Internet Explorer. Reference: BugTraq Mailing List, Fri Jul 21 2000 07:26:40: "More bad censorware" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D4.3.2.7.2.20000721222424.00b5b330@gatekeeper.cloudview.com _____ Date Reported: 7/21/00 Vulnerability: roxen-admin-pw-readable Platforms Affected: Roxen 2.0 Risk Factor: Medium Attack Type: Network Based Roxen 2.0 is a platform that is used to develop and manage dynamic web sites. Roxen 2.0 stores the encrypted administrator password in a file that is readable by any user. A remote attacker can access the /usr/local/roxen/configurations/_configinterface/settings/administrator_uid file to obtain the encrypted web admin password. A remote attacker can retrieve the encrypted password, and then decrypt it, to gain full access to the web server. Reference: BugTraq Mailing List, Thu Jul 20 2000 23:48:18: "Roxen Web Server Vulnerability" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D20000721074818.A10870@sdf.freeshell.org _____ Date Reported: 7/21/00 Vulnerability: wftpd-stat-dos Platforms Affected: WFTPD 2.4.1 Risk Factor: Medium Attack Type: Network Based WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker can issue a STAT command at the same time that a LIST is in progress to crash the FTP server. The server must be restarted to regain funtionality before it can respond to any additional FTP requests. Reference: BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au _____ Date Reported: 7/21/00 Vulnerability: wftpd-rest-dos Platforms Affected: WFTPD 2.4.1 Risk Factor: Medium Attack Type: Network Based WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker can issue a REST command to write past a file that does not exist, or past the end of an existing file, to crash the FTP server. The server must be restarted to regain functionality before it can respond to any additional FTP requests. Reference: BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au _____ Date Reported: 7/21/00 Vulnerability: wftpd-mlst-dos Platforms Affected: WFTPD 2.4.1 Risk Factor: Medium Attack Type: Network Based WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker can issue a MLST command before logging in and issuing a password (with the USER and PASS commands) to crash the server. The server must be restarted to regain functionality before it can respond to any additional FTP requests. Reference: BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11 vulnerabilities" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au _____ Date Reported: 7/20/00 Vulnerability: outlook-express-mail-browser-link Platforms Affected: Microsoft Outlook Express (4.0 - 5.1) Risk Factor: Low Attack Type: Network Based Microsoft Outlook Express versions 4.0 through 5.1 could allow a remote attacker to view a user's email messages. In Outlook Express, an email message can contain a link to open a separate browser window that refers back to (or "reads") the open email message. A vulnerability in Outlook Express could allow an attacker to make this browser window permanently refer back to the open email message, until the user closes the browser window or exits Outlook Express. Attackers could use this to send a message that would allow them to view the recipient's subsequent email messages displayed in the preview pane." Reference: Microsoft Security Bulletin MS00-045: "Patch Available for 'Persistent Mail-Browser Link' Vulnerability" at: http://www.microsoft.com/technet/security/bulletin/MS00-045.asp _____ Date Reported: 7/20/00 Vulnerability: winamp-playlist-parser-bo Platforms Affected: Winamp 2.10 Risk Factor: Medium Attack Type: Network Based Winamp is a high-fidelity music player for Windows 95/98/NT. By loading a specially crafted M3U file with a #EXTINF: variable of 280 characters or more on a user's computer, a remote attacker can overflow the buffer and execute arbitrary code on the system. References: BugTraq Mailing List, Fri Jul 21 2000 02:23:53: "Re: Winamp M3U playlist parser buffer overflow security vulnerability" at: http://securityfocus.com/templates/archive.pike?list=1&msg=OFC40D0B40.4D3E7C9E-ONC1256923.0022766E@mn.man.de BugTraq Mailing List, Thu Jul 20 2000 11:52:56: "Winamp M3U playlist parser buffer overflow security vulnerability" at: http://securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3DLAW-F83FV4TJvGa1hXE000013d0@hotmail.com _____ Date Reported: 7/19/00 Vulnerability: outlook-date-overflow Platforms Affected: Outlook Express (4.0, 5.0) Microsoft Outlook (97, 98, 2000) Risk Factor: High Attack Type: Network Based Microsoft Outlook and Outlook Express are vulnerable to a buffer overflow in the the inetcomm.dll component shared by the programs, which could allow a remote attacker to execute arbitrary code on your system. By sending an email message using either the POP3 or IMAP4 protocols with a date header value of excessive length, a remote attacker can overflow a buffer and execute arbitrary code on your system. The malicious email can begin executing code when it is retrieved by the server, before the user previews or opens the message. Users that only retrieve mail using MAPI (Microsoft Messaging API), including Microsoft Exchange users, are not affected by this vulnerability. References: Microsoft Security Bulletin MS00-043: "Patch Available for 'Malformed E-mail Header' Vulnerability" at: http://www.microsoft.com/technet/security/bulletin/MS00-043.asp Internet Security Systems Security Alert #57: "Buffer Overflow in Microsoft Outlook and Outlook Express Mail Clients" at: http://xforce.iss.net/alerts/advise57.php _____ Date Reported: 7/19/00 Vulnerability: tomcat-error-path-reveal Platforms Affected: Jakarta Tomcat Risk Factor: Low Attack Type: Network/Host Based Jakarta Tomcat reveals sensitive path information. Jakarta Tomcat is a Java application server used with Apache web servers to support Java Servlet Pages (JSP) and Java servlets. When a user requests the URL of a filename that is not found, the program returns an error message that provides the physical path to the web directory that was contained in the request. An attacker could use this to gain information about the file structure of the web server that would be helpful in an attack. Reference: BugTraq Mailing List, Wed, 19 Jul 2000 06:45:13: "[LoWNOISE] Tomcat 3.1 Path Revealing Problem." at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org _____ Date Reported: 7/19/00 Vulnerability: tomcat-snoop-info Platforms Affected: Jakarta Tomcat Risk Factor: Low Attack Type: Netowrk/Host Based Jakarta Tomcat snoop servlet reveals sensitive information about the web server. Jakarta Tomcat is a Java application server used with Apache web servers to support Java Servlet Pages (JSP) and Java servlets. When a user requests the snoop servlet, the program returns detailed information about the web server, including the physical path to the web directory and the web server operating system and software version. An attacker could use this to gain information about the web server that would be helpful in an attack. Reference: BugTraq Mailing List, Wed Jul 19 2000 11:56:21: "[LoWNOISE] Snoop Servlet (Tomcat 3.1 and 3.0)" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org _____ Date Reported: 7/19/00 Vulnerability: website-webfind-bo Platforms Affected: WebSite Professional (2.3.18, 2.4, 2.4.9) Risk Factor: High Attack Type: Network Based O'Reilly WebSite Professional 2.3.18, 2.4, and 2.4.9 is vulnerable to a buffer overflow in the webfind.exe search utility. By entering a long request to the keywords string, a remote attacker can overflow the buffer and execute arbitrary code on the system. Reference: O'Reilly Software: "WebSite Professional 2.x Updates" at: http://website.oreilly.com/support/software/wsp2x_updates.cfm _____ Date Reported: 7/18/00 Vulnerability: alibaba-cgi-script-directory-listing Platforms Affected: Alibaba 2.0 Risk Factor: Low Attack Type: Network Based The Alibaba web server could allow a remote attacker to view directory listings. Many of the .exe scripts in the cgi-bin directory allow a user to send a specially-crafted URL to the server and obtain a directory listing of any directory on the server. Reference: BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org _____ Date Reported: 7/18/00 Vulnerability: alibaba-get-dos Platforms Affected: Alibaba 2.0 Risk Factor: Medium Attack Type: Network Based The Alibaba web server is vulnerable to a denial of service, caused by a buffer overflow. A remote attacker can send an abnormally long GET request to the server to overflow a buffer and shut down the server. The web server must be restarted to regain functionality. Reference: BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org _____ Date Reported: 7/18/00 Vulnerability: website-httpd32-bo Platforms Affected: WebSite Professional 2.4 Risk Factor: Medium Attack Type: Network Based O^ÒReilly WebSite Professional 2.4 is vulnerable to a buffer overflow in the httpd32.exe program. By submitting a long GET request or long ^ÓReferer^Ô client header, a remote attacker can overflow a buffer and execute arbitrary code on the system. References: Cerberus Information Security Advisory CISADV000717: "Website Pro GET buffer overflow" at: http://www.cerberus-infosec.co.uk/advisories.html O'Reilly Software: "WebSite Professional 2.x Updates" at: http://website.oreilly.com/support/software/wsp2x_updates.cfm _____ Date Reported: 7/18/00 Vulnerability: alibaba-script-file-overwrite Platforms Affected: Alibaba 2.0 Risk Factor: High Attack Type: Network Based The Alibaba web server could allow a remote attacker to overwrite files. Many of the .exe scripts in the cgi-bin directory allow a user to send a specially-crafted URL to the server and overwrite any file on the system. Reference: BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org _____ Date Reported: 7/18/00 Vulnerability: zeroport-weak-encryption Platforms Affected: NetZero ZeroPort 3.0 Risk Factor: High Attack Type: Host Based NetZero, a free Internet service provider, uses a program called ZeroPort to establish a connection and authenticate the user. NetZero ZeroPort 3.0 and earlier uses weak encryption to store the user's password in the id.dat text file. An attacker with access to this file can decrypt the username and password using a substitution cipher. L0pht released the encryption algorithm used by ZeroPort, making it available to the public. Reference: L0pht Research Labs Security Advisory 07.18.2000: "NetZero Password Encryption Algorithm" at: http://www.l0pht.com/advisories/netzero.txt _____ Date Reported: 7/17/00 Vulnerability: linux-usermode-dos Platforms Affected: Linux-Mandrake 7.1 Risk Factor: Low Attack Type: Host Based The usermode package in Linux-Mandrake 7.1 could allow a local user without root access to reboot the machine or crash the server. The files that give users access to reboot, shutdown, halt, and poweroff the system all are affected. Reference: BugTraq Mailing List, Mon Jul 17 2000 23:09:37: "MDKSA-2000:020 usermode update" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D20000718130936.S29595@mandrakesoft.com _____ Date Reported: 7/17/00 Vulnerability: blackboard-courseinfo-dbase-modification Platforms Affected: Blackboard CourseInfo 4.0 Risk Factor: Medium Attack Type: Network/Host Based Blackboard CourseInfo 4.0 course management software could allow any user who has a valid account to make modifications to the database. An attacker can enter custom form values through any perl script located in /bin and its subdirectories to change other user's passwords or assign elevated security privileges. Reference: BugTraq Mailing List, Tue Jul 18 2000 06:59:57: "Blackboard Courseinfo v4.0 User Authentication" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3DNDBBJCMNOLEKOCMECKFHCEPMCGAA.amini@eecs.tulane.edu BugTraq Mailing List, Wed Jul 19 2000 00:19:04: "Security Fix for Blackboard CourseInfo 4.0" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com _____ Date Reported: 7/17/00 Vulnerability: lsoft-listserv-querystring-bo Platforms Affected: Listserv Risk Factor: High Attack Type: Network Based L-Soft LISTSERV is a system that creates, manages, and controls electronic mailing lists^Òon a corporate network. L-Soft LISTSERV is vulnerable to a buffer overflow in the web archive component. By sending a long query string to wa or wa.exe, a remote attacker can overflow the buffer and execute arbitrary code on the system with privileges of the LISTSERV daemon. References: Network Associates, Inc. Security Advisory #43: "LISTSERV Web Archive Remote Overflow" at: http://www.nai.com/nai_labs/asp_set/advisory/43_Advisory.asp L-Soft Security Advisory #1 17 July 2000: "THE 2000b LEVEL SET" at: http://www.lsoft.com/news/default.asp?item=Advisory1 _____ Date Reported: 7/15/00 Vulnerability: linux-nfsutils-remote-root Platforms Affected: Red Hat Linux (6.0, 6.1, 6.2) Debian Linux (2.2, 2.3) Mandrake Linux (7.0, 7.1) Risk Factor: High Attack Type: Network Based The nfs-utils package in many Linux distributions could allow a remote attacker to gain root acess. The rpc.statd program included with nfs-utils is vulnerable to root compromise. References: Red Hat, Inc. Security Advisory RHSA-2000:043-03: "Updated package for nfs-utils available" at: http://www.redhat.com/support/errata/RHSA-2000-043-03.html Caldera Systems, Inc. Security Advisory CSSA-2000-025.0: "rpc.statd is not a problem on OpenLinux" at: http://www.calderasystems.com/support/security/advisories/CSSA-2000-025.0.txt Debian Security Advisory: "nfs-common (from nfs-utils)" at: http://www.debian.org/security/2000/20000719a _____ Date Reported: 7/14/00 Vulnerability: iis-absent-directory-dos Platforms Affected: IIS 3.0 Risk Factor: Low Attack Type: Network/Host Based Microsoft Internet Information Server (IIS) is vulnerable to a denial of service attack. An administrative script installed with IIS 3.0 enters an infinite loop if an expected argument is missing. An attacker can use this to consume all CPU resources on the server. IIS 4.0 and 5.0 are only vulnerable if version 3.0 was previously installed on the system. Reference: Microsoft Security Bulletin MS00-044: ""Patch Available for ""Absent Directory Browser Argument"" Vulnerability"" at: http://www.microsoft.com/TechNet/security/bulletin/MS00-044.asp ISBASE Security Advisory (SA2000-02): "IIS ISM.DLL truncation exposes file content" at: http://securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2412 _____ Date Reported: 7/14/00 Vulnerability: blackboard-courseinfo-plaintext Platforms Affected: Blackboard CourseInfo 4.0 Risk Factor: High Attack Type: Network/Host Based Blackboard CourseInfo 4.0 course management software stores the local administrator username and password in plaintext in the registry. An attacker can use this username and password to connect to the server and access critical system information. Reference: NTBugtraq Mailing List, Mon, 10 Jul 2000 08:43:21 -0500: "Blackboard CourseInfo 4.0 stores admin password in clear text" at: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647 _____ Date Reported: 7/14/00 Vulnerability: cvsweb-shell-access Platforms Affected: CVSWeb 1.85 Risk Factor: High Attack Type: Network/Host Based The CVSWeb package version 1.85 and earlier could allow a remote user with commit access to a CVS repository to cause the CGI program to execute arbitrary commands. The Perl code in the cvsweb.cgi program invokes an open() call insecurely. An attacker can create a file name containing shell metacharacters to execute the shell code on the system. A user with commit access, but who does not have shell access to the CVS repository, can use this vulnerability to gain shell access. References: Linux-Mandrake Security Update Advisory MDKSA-2000:019: "SECURITY UPDATE: cvsweb" at: http://www.linux-mandrake.com/en/fupdates.php3#7.1 Debian Security Advisory 20000719b: "cvsweb: unauthorized remote code execution" at: http://www.debian.org/security/2000/20000719b BugTraq Mailing List, Tue Jul 11 2000 23:34:27: "cvsweb: remote shell for cvs committers" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000712143427.H15253@kitenet.net _____ Date Reported: 7/13/00 Vulnerability: gatekeeper-long-string-bo Platforms Affected: Proxy-Pro GateKeeper 3.6 Risk Factor: Medium Attack Type: Network Based Proxy-Pro GateKeeper proxy server 3.6 and earlier is vulnerable to a buffer overflow. By sending a long string containing over 4096 characters to port 2000 on the server, a remote attacker can overflow a buffer and execute arbitrary code or crash the server. The server must be restarted to regain functionality. Reference: BugTraq Mailing List, Thu Jul 13 2000 11:48:01: "The MDMA Crew's GateKeeper Exploit" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D00af01bfece2%24a52cbd80%24367e1ec4@kungphusion _____ Date Reported: 7/12/00 Vulnerability: webactive-long-get-dos Platforms Affected: ITAfrica WEBactive 1.0 Risk Factor: Low Attack Type: Network Based ITAfrica WEBactive 1.0 HTTP Server is vulnerable to a denial of service, caused by a buffer overflow. By requesting a URL containing more than 280 characters, a remote attacker can overflow a buffer and crash the server. Reference: BugTraq Mailing List, Wed Jul 12 2000 09:27:38: "Lame DoS in WEBactive win65/NT server" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26thread%3D200007130827.BAA32671@Rage.Resentment.org _____ Date Reported: 7/12/00 Vulnerability: worldclient-dir-traverse Platforms Affected: Deerfield WorldClient 2.1 Risk Factor: High Attack Type: Network Based Deerfield WorldClient 2.1 could allow a remote user to traverse directories on the server. WorldClient a server for providing web-based access to email accounts. A remote attacker can traverse directories on the server by requesting a specially-crated URL containing "dot dot" (/../) sequences. An attacker can use this to download any file on the system if the attacker knows or could guess the name of the file. Reference: BugTraq Mailing List, Wed Jul 12 2000 04:16:57: "Infosec.20000712.worldclient.2.1" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D4125691A.00387C3A.00@guardianit.se _____ Date Reported: 7/11/00 Vulnerability: http-cgi-bigbrother-bbhostsvc Platforms Affected: Big Brother Risk Factor: Medium Attack Type: Network Based Big Brother is a Unix-based distributed network monitoring package that allows network administrators to view the status of networks and machines from a web browser. Due to a vulnerability in the host services ("bb-hostsvc.sh") CGI program, a remote attacker could view directory and file contents on a Big Brother server. Reference: BugTraq Mailing List, Mon Jul 10 2000 19:10:28: "REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER" at: http://www.securityfocus.com/templates/archive.pike?list=1&msg=00071110152805.00679@sj-soc-wks1.priv.nuasis.com _____ Date Reported: 7/11/00 Vulnerability: apache-source-asp-file-write Platforms Affected: Apache Risk Factor: Medium Attack Type: Network/Host Based Apache web server could allow remote attackers to write to files on the web server. Due to a vulnerability in the source.asp file, an attacker can write to files that are in the same directory as the source.asp sample file. Reference: BugTraq Mailing List, Mon Jul 10 2000 19:38:56: "ANNOUNCE Apache::ASP v1.95 - Security Hole Fixed" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000711033856.17708.qmail@securityfocus.com _____ Date Reported: 7/11/00 Vulnerability: netware-port40193-dos Platforms Affected: Novell NetWare 5.0 Risk Factor: Medium Attack Type: Network Based Novell NetWare 5.0 is vulnerable to a denial of service attack. A remote attacker can send packets of random data to port 40193 of the NetWare server to crash the server. The server must be restarted to resume normal operation. Reference: BugTraq Mailing List, Tue Jul 11 2000 09:26:56: "Remote Denial Of Service -- NetWare 5.0 with SP 5" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D000501bfeab5%249330c3d0%24d801a8c0@dimuthu.baysidegrp.com.au _____ Date Reported: 7/11/00 Vulnerability: netscape-admin-server-password-disclosure Platforms Affected: Netscape SuiteSpot Risk Factor: Medium Attack Type: Network/Host Based Netscape SuiteSpot web server suite default installation includes the Netscape Administration Server, which contains the Java and JavaScript forms used to configure the SuiteSpot servers. The encrypted administrative password is stored in the admpw file, in a readable local directory on the the SuiteSpot server. An attacker could retrieve this file, and then decrypt the password to gain full access to the administration server console. Reference: BugTraq Mailing List, Tue Jul 11 2000 10:46:22: "Security Advisory ( netscape.ad.00-07 ) : Netscape Administration Server Password Disclosure" at: http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-8%26msg%3D00071122473300.00796@ninja _____ Date Reported: 7/11/00 Vulnerability: cisco-pix-firewall-tcp Platforms Affected: Cisco Secure PIX Firewall 5.1(1) Risk Factor: High Attack Type: Network Based Cisco Secure PIX Firewall version 5.1(1) and earlier could allow a remote attacker to terminate an established TCP/IP connection. The Secure PIX Firewall cannot distinguish between a forged TCP Reset packet and a genuine TCP Reset packet, if the source IP address, source port, destination IP address, and destination port are correct. Reference: Cisco Systems Field Notice, July 11, 2000: "Cisco Secure PIX Firewall TCP Reset Vulnerability" at: http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml _____ Date Reported: 7/11/00 Vulnerability: mssql-manager-password Platforms Affected: Microsoft SQL Server 7.0 Risk Factor: High Attack Type: Host Based Microsoft SQL Server 7.0 Enterprise Manager could allow a local user to a username and password for the server. If a SQL Server is registered under Enterprise Manager with a username and password instead of with Windows Authentication, the password is stored in the Registered Server Properties dialog box, hidden with asterisks. However, an attacker could use an available utility to reveal the actual password. Reference: Microsoft Security Bulletin MS00-041: ""Patch Available for ""DTS Password"" Vulnerability"" at: http://www.microsoft.com/technet/security/bulletin/ms00-041.asp _____ Date Reported: 7/10/00 Vulnerability: minivend-viewpage-sample Platforms Affected: MiniVend Risk Factor: High Attack Type: Network Based MiniVend is a free, Perl-based web shopping cart system for Unix systems. An insecure open() call in the MiniVend UTIL.PM module could allow remote attackers to execute arbitrary commands, if they have access to the VIEW_PAGE.HTML sample file. This vulnerability affects users who have installed the "simple" catalog that ships with MiniVend as a sample. Reference: ZDNet News: "How a cracker defeated 'Hackopen'" at: http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html _____ Risk Factor Key: High Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server. Medium Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password. Low Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods. _____ Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc. About Internet Security Systems Internet Security Systems (ISS) is the leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite* security software, ePatrol* remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers and partners, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477. Copyright (c) 2000 by Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOYizcDRfJiV99eG9AQFAowP9ENtJEYB5dLHco2/Yq6Z9NNDnbSJLjGbh cDRpnzZZGq451wYxXXYcldVptJ0SSJp5rkT1+VOHT4gHasHfIDtEC9Y6ROcyjltg TA67ej/KCXaVfqsptyg9JMl1DPMalP9qZbSaLn+YsWPXYjDbKfZvDV/1eJ80i3ou EesO57LGbuk= =tGKp -----END PGP SIGNATURE-----