
                           I S S   X - F o r c e
                                      
                         The Most Wanted Alert List
                                      

ISS Security Alert Summary
February 18, 1998
Volume 2 Number 2


X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list
by sending an e-mail to [11]majordomo@iss.net and within the body of the
message type:  'subscribe alert'.



___

Index

7 Reported Vulnerabilities
 - [14]NT-logondos
 - [15]IBM-telnetdos
 - [16]IBM-symlink
 - [17]Sun-volrmmount
 - [18]NT-web8.3
 - [19]NT-portbind
 - [20]elm-filter

2 Updates
 - [21]L0pht-l0phtcrack
 - [22]HP-land

Risk Factor Key



___


Date Reported:          2/14/98
Vulnerability:          NT-logondos
Platforms Affected:     Windows NT
Risk Factor:            High

Windows NT servers (including those with Service Pack 3 and all hotfixes
applied) are vulnerable to a denial of service attack.  When a logon
request is initiated to access the SMB/CIFS service and the SMB
logon packet is incorrectly processed, memory corruption results in the NT
kernel.  When this happens, a blue screen error message appears and the
machine has to be rebooted.

Reference:
[25]ftp://ftp.secnet.com/pub/advisories/SNI-25.Windows.NT.DoS



___


Date Reported:          2/11/98
Vulnerability:          IBM-telnetdos
Platforms Affected:     AIX (4.1.x, 4.2.x, 4.3)
Risk Factor:            High

An AIX-specific denial of service exploit has been made publicly
available on the Bugtraq mailing list.  This exploit causes all tty
activity to hang on the system being attacked.  This allows remote users to
cause the machine to stop accepting new telnet sessions.

Reference:
[28]http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:003.1.txt



___


Date Reported:          2/11/98
Vulnerability:          IBM-symlink
Platforms Affected:     AIX (3.2.5, 4.1.x, 4.2.x, 4.3)
Risk Factor:            High

Several AIX programs will follow symbolic links that have the same name as
temporary files they create.  By creating a symbolic link with one of these
temporary file names that points to a carefully selected system file (such
as /etc/passwd), a local user can arrange to cause critical system files to
be overwritten when the root user executes one of these programs.

Reference:
[31]http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:002.2.txt
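
The symbolic-link failure mode described above, next to the exclusive-create fix, as an added example (not code from the IBM advisory or from any AIX program). The scratch directory and the file names "target" and "app.tmp" are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: a predictable name opened with O_CREAT|O_TRUNC follows an existing symlink. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if the name exists, symlinks included. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Returns the size of `path` (following links), or -1 if it cannot be stat'ed. */
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "target" stands in for a
 * system file, "app.tmp" for the predictable temporary name planted as a symlink.
 * Returns 0 if the safe open refused and the unsafe open truncated the target. */
int symlink_tmp_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], tmp[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/app.tmp", dir);

    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important contents\n", f);          /* 19 bytes */
    fclose(f);
    if (symlink(target, tmp) != 0) return -1;

    int safe_fd = open_tmp_safe(tmp);          /* refused: name already exists */
    int safe_refused = (safe_fd < 0 && errno == EEXIST);
    long before = file_size(target);           /* target still intact */

    int fd = open_tmp_unsafe(tmp);             /* follows the link, truncates target */
    if (fd >= 0) close(fd);
    long after = file_size(target);            /* target now empty */
    unlink(tmp); unlink(target); rmdir(dir);
    return (safe_refused && before == 19 && after == 0) ? 0 : 1;
}
```

In practice mkstemp(3) is the usual choice, since it combines an unpredictable name with the same exclusive-create behaviour.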



___


Date Reported:          2/10/98
Vulnerability:          Sun-volrmmount
Platforms Affected:     Solaris 2.6
Risk Factor:            High

The Solaris program 'volrmmount' is used to simulate insertion and
ejection of removable media.  It is normally setuid and can be used by an
attacker to view any file on the system, or in some cases, even gain root
privileges.

Reference:
[34]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-162.txt



___


Date Reported:          2/6/98
Vulnerability:          NT-web8.3
Platforms Affected:     Win32 Web Servers
Risk Factor:            High

Some Windows NT and 95 web servers have problems with file names
because of the way they handle long file names and the standard
Microsoft 8.3 short format file names.  In some cases, when a URL is
requested using the short file name, the web server can apply different
configuration properties to the request, thus enabling an attacker to
gain access to unauthorized files.

References:
[37]ftp://info.cert.org/pub/cert_advisories/CA-98.04.Win32.WebServers
[38]http://www.microsoft.com/security/iissfn.htm



___


Date Reported:          2/6/98
Vulnerability:          NT-portbind
Platforms Affected:     Windows NT
Risk Factor:            High

Microsoft Windows NT allows programs run by users who are logged in to
bind to any port.  If a program binds to a port that a service is currently
running on, the service will be disrupted, effectively making it
unavailable.

Reference:
[41]http://www.l0pht.com/advisories/nc11adv.txt



___


Date Reported:          1/29/98
Vulnerability:          elm-filter
Platforms Affected:     Any UNIX system running elm/filter
Risk Factor:            High

Two problems have been found in the filter program that is contained in the
elm-2.4 package. The first problem allows local users (and potentially
remote users) to run arbitrary commands as the user who runs the filter.
The second problem allows a local user to read users' mail spools and
gain write access to the mail spool directory.  In order for these
problems to be exploited, the filter must have setuid or setgid
permissions (which is common on Linux machines).

Reference:
[44]http://www.dec.net/ksrt/adv7.html



___


Date:                   2/12/98
Update:                 L0pht-l0phtcrack
Platforms:              Windows NT
                        Unix (running Samba)

L0phtCrack is a utility that can be used by system administrators and
security professionals concerned about potential points of access in their
local networks.  It can also be used by hackers to crack passwords and
gain unauthorized access to systems.

Reference:
[47]http://www.l0pht.com/l0phtcrack/news.html



___


Date:                   1/21/98 (CERT Advisory CA-97.28)
Update:                 HP-land
Vendor:                 Hewlett Packard
Platforms:              HP-UX (9.X, 10.X, 11.00)

Hewlett Packard has released patches for the land attack.  This attack can
lock up or "freeze" many different operating systems as well as network
hardware.  An attacker sends a SYN packet, which is normally used to
open a connection, to the host being attacked.

References:
[50]http://us-support.external.hp.com - HP Security Bulletin #00076
[51]ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land



___

Risk Factor Key:

        High    any vulnerability that gives an attacker immediate access
                to a machine, grants superuser access, or bypasses a
                firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on the mail
                server.
        Medium  any vulnerability that provides information that has a
                high potential of giving access to an intruder.  Example:
                A misconfigured TFTP or vulnerable NIS server that allows
                an intruder to get the password file, which may
                contain an account with a guessable password.
        Low     any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger service that allows an intruder to find out who is
                online and which accounts to target with brute-force
                password guessing.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and intrusion detection tools,
providing comprehensive software that enables organizations to proactively
manage and minimize their network security risks.  For more information,
contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS
Web site at [54]http://www.iss.net.



___

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
e-mail [57]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.

X-Force PGP Key available at:   [58]http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X Force <xforce@iss.net> of Internet Security Systems, Inc.
   

References

   1. http://xforce.iss.net/news.php3
   2. http://xforce.iss.net/seriousfun/
   3. http://xforce.iss.net/maillists/
   4. http://xforce.iss.net/library/
   5. http://xforce.iss.net/protoworx/
   6. http://xforce.iss.net/alerts/
   7. http://xforce.iss.net/submission.php3
   8. http://xforce.iss.net/feedback.php3
   9. http://xforce.iss.net/search.php3
  10. http://www.iss.net/xforce
  11. mailto:majordomo@iss.net
  12. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  13. http://xforce.iss.net/alerts/alerts.php3
  14. http://xforce.iss.net/alerts/vol-2_num-2.php3#NT-logondos
  15. http://xforce.iss.net/alerts/vol-2_num-2.php3#IBM-telnetdos
  16. http://xforce.iss.net/alerts/vol-2_num-2.php3#IBM-symlink
  17. http://xforce.iss.net/alerts/vol-2_num-2.php3#Sun-volrmmount
  18. http://xforce.iss.net/alerts/vol-2_num-2.php3#NT-web8.3
  19. http://xforce.iss.net/alerts/vol-2_num-2.php3#NT-portbind
  20. http://xforce.iss.net/alerts/vol-2_num-2.php3#elm-filter
  21. http://xforce.iss.net/alerts/vol-2_num-2.php3#L0pht-l0phtcrack
  22. http://xforce.iss.net/alerts/vol-2_num-2.php3#HP-land
  23. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  24. http://xforce.iss.net/alerts/alerts.php3
  25. ftp://ftp.secnet.com/pub/advisories/SNI-25.Windows.NT.DoS
  26. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  27. http://xforce.iss.net/alerts/alerts.php3
  28. http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:003.1.txt
  29. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  30. http://xforce.iss.net/alerts/alerts.php3
  31. http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:002.2.txt
  32. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  33. http://xforce.iss.net/alerts/alerts.php3
  34. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-162.txt
  35. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  36. http://xforce.iss.net/alerts/alerts.php3
  37. ftp://info.cert.org/pub/cert_advisories/CA-98.04.Win32.WebServers
  38. http://www.microsoft.com/security/iissfn.htm
  39. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  40. http://xforce.iss.net/alerts/alerts.php3
  41. http://www.l0pht.com/advisories/nc11adv.txt
  42. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  43. http://xforce.iss.net/alerts/alerts.php3
  44. http://www.dec.net/ksrt/adv7.html
  45. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  46. http://xforce.iss.net/alerts/alerts.php3
  47. http://www.l0pht.com/l0phtcrack/news.html
  48. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  49. http://xforce.iss.net/alerts/alerts.php3
  50. http://us-support.external.hp.com/
  51. ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
  52. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  53. http://xforce.iss.net/alerts/alerts.php3
  54. http://www.iss.net/
  55. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
  56. http://xforce.iss.net/alerts/alerts.php3
  57. mailto:xforce@iss.net
  58. http://www.iss.net/xforce/sensitive.html
  59. http://xforce.iss.net/news.php3
  60. http://xforce.iss.net/seriousfun/
  61. http://xforce.iss.net/maillists/
  62. http://xforce.iss.net/library/
  63. http://xforce.iss.net/protoworx/
  64. http://xforce.iss.net/alerts/
  65. http://xforce.iss.net/submission.php3
  66. http://xforce.iss.net/feedback.php3
  67. http://xforce.iss.net/search.php3
  68. http://xforce.iss.net/about.php3
  69. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
  70. http://xforce.iss.net/privacy.php3
