From xforce@iss.net Fri Nov 19 06:05:18 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Wed, 17 Nov 1999 20:42:20 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary: v4 n9

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

ISS Security Alert Summary
November 15, 1999
Volume 4 Number 9

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

_____

Contents

16 Reported Vulnerabilities
- ssh-rsaref-bo
- win-fileurl-overflow
- ie-active-setup-control
- oracle-appserver-apchlctl
- oracle-appserver-owslctl
- bind-nxt-bo
- freebsd-seyon-dir-add
- viruswall-helo-bo
- realserver-g2-pw-bo
- nt-printer-spooler-bo
- nt-services-exe-dos
- netscape-huge-key-dos
- gauntlet-bsdi-bypass
- netscape-malformed-pfr-dos
- raptor-ipoptions-dos
- ie-iframe-exec

Risk Factor Key

_____

Date Reported: 1999-11-12
Vulnerability: ssh-rsaref-bo
Platforms Affected: SSH v1 Daemons
Risk Factor: High
Attack Type: Network based

Secure Shell (SSH) version 1 daemons contain a potentially exploitable buffer overflow when built with the RSAREF library. This could allow remote attackers to gain root access on affected systems.
Reference:
BugTraq Mailing List: "ssh-1.2.27 remote buffer overflow - exploitable (VD#7)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=382DB21B.CB92D7A0@thievco.com

_____

Date Reported: 1999-11-12
Vulnerability: win-fileurl-overflow
Platforms Affected: Windows 95, Windows 98
Risk Factor: High
Attack Type: Network/Host Based

Windows 95 and 98 will crash or run arbitrary code if a very long random string or a specially formed file:// URL appears in a web page or email message and is used to call a local file.

References:
Microsoft Security Bulletin (MS99-049): "Patch Available for 'File Access URL' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-049.asp
BUGTRAQ Mailing List: "IE4/5 'file://' buffer overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-8&msg=382736261D6.CF3ASHADOWPENGUIN@fox.nightland.net

_____

Date Reported: 1999-11-11
Vulnerability: ie-active-setup-control
Platforms Affected: Internet Explorer 4, Internet Explorer 5
Risk Factor: High
Attack Type: Network/Host Based

Internet Explorer versions 4 and 5 contain a vulnerability in ActiveX controls that would allow a malicious web page or email message to store a CAB file on the user's hard drive in a known location. A script could then execute the CAB file, performing whatever tasks are programmed in the CAB file, such as taking full control of the system.

Reference:
rfp.labs: "RFP9904: TeamTrack webserver vulnerability" at:
http://www.technotronic.com/rfp/

_____

Date Reported: 1999-11-10
Vulnerability: oracle-appserver-apchlctl
Platforms Affected: Oracle Application Server
Risk Factor: High
Attack Type: Host Based

The Oracle Application Server provides utilities to start, stop, and manipulate the servers. Unprivileged users normally do not have the ability to bind servers to privileged ports (below 1024). However, Oracle has made the 'owslctl' utility setuid root, which allows unprivileged users to start the server on privileged ports.
Attackers could take advantage of this design to compromise super-user access.

Reference:
ISS Security Advisory: "Multiple Root Compromise Vulnerabilities in Oracle Application Server" at:
http://xforce.iss.net/alerts/advise38.php3

_____

Date Reported: 1999-11-10
Vulnerability: oracle-appserver-owslctl
Platforms Affected: Oracle Application Server
Risk Factor: High
Attack Type: Host Based

Oracle servers could allow users with unprivileged accounts to gain root access to the system. The Oracle Application Server offers web administrators the option to install and configure HTTP listeners. A backend setuid root executable attempts to start the Apache server. An attacker with an unprivileged account on the target system may trick the 'apchlctl' utility into executing any arbitrary command as root. The Apache start executable is also unsafe in its handling of write() calls, and certain files it creates will follow symbolic links.

Reference:
ISS Security Advisory: "Multiple Root Compromise Vulnerabilities in Oracle Application Server" at:
http://xforce.iss.net/alerts/advise38.php3

_____

Date Reported: 1999-11-08
Vulnerability: bind-nxt-bo
Platforms Affected: BIND (8.2, 8.2.1)
Risk Factor: High
Attack Type: Network Based

BIND is a freely available DNS server produced by the Internet Software Consortium. A vulnerability in the processing of NXT records in BIND versions 8.2 and 8.2.1 allows a remote attacker to overflow a buffer in BIND and execute arbitrary code on vulnerable servers with root privileges.

References:
CERT Advisory CA-99-14: "Multiple Vulnerabilities in BIND" at:
http://www.cert.org/advisories/CA-99-14-bind.html
Red Hat, Inc.
Security Advisory: "Security problems in bind" at:
http://www.redhat.com/corp/support/errata/RHSA1999054-01.html
Internet Software Consortium: "BIND Vulnerabilities" at:
http://www.isc.org/products/BIND/bind-security-19991108.html

_____

Date Reported: 1999-11-08
Vulnerability: freebsd-seyon-dir-add
Platforms Affected: FreeBSD 3.3
Risk Factor: Medium
Attack Type: Host Based

seyon is an X11-based telecommunications program shipped with the 'additional packages' in FreeBSD 3.3. When seyon is executed, it obtains the pathnames for seyon-emu and xterm from the user's $PATH. A local user could execute seyon with its install-time privileges by placing a writable directory in $PATH and putting a copy of seyon-emu or xterm in that directory. This would allow the user to escalate their privileges to those seyon has been installed with.

Reference:
BUGTRAQ Mailing List: "FreeBSD 3.3's seyon vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-8&msg=19991109035038.4631.qmail@www0h.netaddress.usa.net

_____

Date Reported: 1999-11-08
Vulnerability: viruswall-helo-bo
Platforms Affected: VirusWall (3.23, 3.3)
Risk Factor: High
Attack Type: Network Based

VirusWall is an SMTP gateway that prevents viruses and malicious code from entering the network. A remote user could send a long HELO command and execute arbitrary code.

Reference:
beavuh.org: "Interscan VirusWall NT 3.23/3.3 buffer overflow" at:
http://www.beavuh.org/exploits/iscan.txt

_____

Date Reported: 1999-11-05
Vulnerability: realserver-g2-pw-bo
Platforms Affected: RealServer G2
Risk Factor: High
Attack Type: Network Based

RealNetworks RealServer G2 web authentication contains a buffer overflow on the administrator port. A remote attacker could send a long user/password pair to overflow the buffer and execute arbitrary code.
Reference:
BugTraq Mailing List: "RealNetworks RealServer G2 buffer overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.991105022225.914A-100000@attica.gen.nz

_____

Date Reported: 1999-11-04
Vulnerability: nt-printer-spooler-bo
Platforms Affected: Windows NT Printer Service
Risk Factor: High
Attack Type: Host/Network Based

The spoolss.exe Windows NT Printer Service contains a number of buffer overflows in its APIs that could be used locally or remotely to execute arbitrary code.

References:
Microsoft Security Bulletin (MS99-047): "Patch Available for 'Malformed Spooler Request' Vulnerability" at:
http://www.microsoft.com/security/bulletins/MS99-047.asp
eEye Digital Security: "Printer (spooler) Service Vulnerabilities" at:
http://www.eeye.com/html/advisories/AD19991104.html

_____

Date Reported: 1999-10-31
Vulnerability: nt-services-exe-dos
Platforms Affected: Windows NT
Risk Factor: Medium
Attack Type: Network Based

Windows NT services.exe could allow a denial of service attack. Certain MSRPC calls return NULL values that are not correctly handled by services.exe. A remote attacker could send a malicious packet and cause a denial of service on a Windows NT 4.0 host, rendering local administration and network communication useless.

Reference:
BugTraq Mailing List: "Services.exe DoS in NT 4 (RFPoison)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.9911010803350.10893-100000@eight.wiretrip.net

_____

Date Reported: 1999-10-29
Vulnerability: netscape-huge-key-dos
Platforms Affected: Netscape 4.7 and earlier
Risk Factor: Medium
Attack Type: Network Based

Netscape Communicator version 4.7 and earlier could allow a denial of service attack. The problem occurs when Netscape Communicator attempts to validate any certificate key whose length is above 2048 bytes.
A remote attacker could launch a denial of service against web sites to cause Netscape Communicator to crash, or overflow a buffer to execute arbitrary code.

Reference:
SecuriTeam: "Netscape 4.7 and earlier vulnerable to 'Huge Key' DoS" at:
http://www.securiteam.com/exploits/Netscape_4_7_and_earlier_vulnerable_to__Huge_Key__DoS.html

_____

Date Reported: 1999-10-24
Vulnerability: gauntlet-bsdi-bypass
Platforms Affected: Gauntlet Firewall 5.0
Risk Factor: High
Attack Type: Network Based

Gauntlet Firewall 5.0 on BSDI could allow local users and remote non-trusted users to bypass all Gauntlet Firewall security rules. An attacker must have a route through the firewall and could then access the network behind the firewall with no activity appearing in the '/var/log/messages' log file.

Reference:
SecuriTeam: "[UNIX] Gaunlet 5.0 Firewall under BSDI can be bypassed" at:
http://www.securiteam.com/unixfocus/Gaunlet_5_0_Firewall_under_BSDI_can_be_bypassed.html

_____

Date Reported: 1999-10-23
Vulnerability: netscape-malformed-pfr-dos
Platforms Affected: Netscape Communicator
Risk Factor: Medium
Attack Type: Network Based

Netscape Communicator's 'Dynamic Font' support could allow a denial of service attack. A remote attacker could provide a malformed page that contains dynamic fonts and crash the system.

Reference:
SecuriTeam: "Netscape 4.5 and above are vulnerable to 'Dynamic Font' DoS" at:
http://www.securiteam.com/exploits/Netscape_4_5_and_above_are_vulnerable_to__Dynamic_Font__DoS.html

_____

Date Reported: 1999-10-20
Vulnerability: raptor-ipoptions-dos
Platforms Affected: Axent Raptor
Risk Factor: High
Attack Type: Network Based

Axent's Raptor firewall could allow a denial of service attack that causes the system to freeze. When the firewall's IP option parsing code tries to skip a 'benign' option, it does not check whether the option has zero length. This error can cause the code to enter an irrecoverable infinite loop.
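The zero-length check described above, as an added example that is not code from the advisory or from Axent: a C function that walks an IPv4 options area the way a firewall's parser must, and rejects an option whose length byte is zero (or otherwise inconsistent) instead of adding it to the offset and spinning in place. The option byte strings are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type codes from RFC 791. */
#define IPOPT_EOL       0    /* end of option list, single byte */
#define IPOPT_NOP       1    /* no operation, single byte */
#define IPOPT_TIMESTAMP 68   /* timestamp, variable length */
#define IPOPT_SECURITY  130  /* security, fixed length 11 */

/* Walk the option bytes that follow the fixed 20-byte IPv4 header.
 * Returns the number of options seen, or -1 if the list is malformed
 * (missing length byte, length below 2, option running past the end). */
int walk_ip_options(const uint8_t *opts, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (opts[off] == IPOPT_EOL)     /* end of list, rest is padding */
            break;
        if (opts[off] == IPOPT_NOP) {   /* single-byte option */
            off++; count++;
            continue;
        }
        if (off + 1 >= len)             /* no room for a length byte */
            return -1;
        uint8_t optlen = opts[off + 1];
        /* The check the advisory says was missing: adding a zero length
         * byte to 'off' never advances, so the loop would spin forever.
         * The length must also stay inside the option area. */
        if (optlen < 2 || optlen > len - off)
            return -1;
        off += optlen;
        count++;
    }
    return count;
}

/* Constructed sample option areas (not taken from the advisory). */
static const uint8_t good_opts[12] = {
    IPOPT_NOP, IPOPT_TIMESTAMP, 8, 5, 0, 0, 0, 0, 0, IPOPT_EOL, 0, 0 };
static const uint8_t zero_len_opts[4]  = { IPOPT_SECURITY, 0, 0, 0 };
static const uint8_t truncated_opts[4] = { IPOPT_SECURITY, 11, 0, 0 };

int main(void)
{
    printf("good %d, zero-length %d, truncated %d\n",
           walk_ip_options(good_opts, sizeof good_opts),
           walk_ip_options(zero_len_opts, sizeof zero_len_opts),
           walk_ip_options(truncated_opts, sizeof truncated_opts));
    return 0;
}
```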
The IP options that can lock up the firewall are the Timestamp and Security options.

Reference:
BugTraq Mailing List: "Remote DoS in Axent's Raptor 6.0" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-10-15&msg=199910202245.RAA28104@expert.cc.purdue.edu

_____

Date Reported: 1999-10-15
Vulnerability: ie-iframe-exec
Platforms Affected: Internet Explorer
Risk Factor: High
Attack Type: Network Based

Microsoft Internet Explorer allows a malicious web page to read files on the visitor's computer. The web page operator can bypass Document.ExecCommand() restrictions by using the IFRAME tag, which contains the vulnerability.

Reference:
Microsoft Security Bulletin MS99-042: "Patch Available for 'IFRAME ExecCommand' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-042.asp

_____

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which could contain an account with a guessable password.

Low
Any vulnerability that provides information that could potentially lead to a compromise.
Example: A finger service that allows an intruder to find out who is online and which accounts to attempt to crack passwords for via brute force methods.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.
Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.