From xforce@iss.net Fri Feb 4 04:04:18 2000
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Wed, 2 Feb 2000 23:07:21 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary: v5 n1

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

ISS Security Alert Summary
February 1, 2000
Volume 5 Number 1

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.
_____

Contents

12 Reported Vulnerabilities
- http-indexserver-dirtrans
- linux-vmware-symlink
- nt-rdisk-enum-file
- office-malformed-convert
- win-malformed-rtf-control-word
- nt-spoofed-lpc-port
- linux-corel-update
- icq-url-bo
- linux-pam-userhelper
- winamp-playlist-bo
- hp-aserver
- sun-sadmind

Risk Factor Key
_____

Vulnerability: http-indexserver-dirtrans
Date Reported: 1/26/2000
Platforms Affected: Index Server 2.0
Risk Factor: Medium
Attack Type: Network Based

There is a vulnerability in the webhits.dll file included in the Windows NT
Option Pack 4.0 as part of Index Server 2.0. The vulnerability allows an
attacker to view any file on the filesystem as long as its name is known.

Reference:
Microsoft Security Bulletin (MS00-006): "Patch Available for 'Malformed
Hit-Highlighting Argument' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
_____

Vulnerability: linux-vmware-symlink
Date Reported: 1/24/2000
Platforms Affected: Linux running VMware 1.1.2
Risk Factor: High
Attack Type: Host Based

A vulnerability exists in Linux operating systems that run VMware 1.1.2.
When executed, it creates log files in the /tmp directory but does not check
whether the files already exist. A malicious user could create symbolic links
with the temporary filenames and overwrite existing system files.

References:
w00w00 Security Advisory: "VMware 1.1.2 Symlink Vulnerability" at:
http://www.w00w00.org/files/advisories/vmware.txt
BUGTRAQ Mailing List: "VMware 1.1.2 Symlink Vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-22&msg=Pine..BSO.4.10.10001240842210.19617-100000@shaolin.fcbl.net
_____

Vulnerability: nt-rdisk-enum-file
Date Reported: 1/21/2000
Platforms Affected: Windows NT 4.0 Terminal Server Edition
Risk Factor: Medium
Attack Type: Host Based

The RDISK utility in Windows NT 4.0 is used to create emergency repair disks
and record machine state information in case of file system failure. When the
utility executes it creates a temporary file that can contain sensitive
security information. A local user on the terminal server could read the file
as it is being created.

Reference:
Microsoft Security Bulletin (MS00-004): "Patch Available for 'RDISK Registry
Enumeration File' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms00-004.asp
_____

Vulnerability: office-malformed-convert
Date Reported: 1/19/2000
Platforms Affected: Microsoft Office (97, 2000)
Risk Factor: High
Attack Type: Host Based

Microsoft Office 2000 contains a conversion pack that converts Word 5 documents
from Japanese, Korean, and Chinese to current formats. A vulnerability exists
in the conversion utility that would allow a malicious document to execute
arbitrary code when opened using the utility.
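The /tmp log-file race in the linux-vmware-symlink entry above is a general pattern, so here is an added C example (mine, not code from the ISS summary or from VMware) showing the unsafe open beside two safe variants, plus a self-check that plants a symlink in a private directory and confirms the hardened open refuses it. Function names and file names are my own assumptions.

```c
#define _GNU_SOURCE              /* mkdtemp, mkstemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: predictable name, O_CREAT without O_EXCL. A symlink planted at
 * this name is followed and its target is truncated with the caller's
 * (often root's) privileges: the mistake described for VMware 1.1.2. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe variant 1: mkstemp() picks an unpredictable name and creates it
 * atomically with O_EXCL, so a pre-planted link cannot be hit. */
int open_log_safe(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/app-log-XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Safe variant 2: when the name must stay fixed, insist on creating a new
 * file (O_EXCL) and never follow a link (O_NOFOLLOW). */
int open_log_fixed_name(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check: plant a symlink in a private directory (constructed here, the
 * way an attacker would in /tmp) and compare both opens. Returns 1 when the
 * unsafe open followed the link but the hardened one was refused, else 0. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/app.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0 || symlink(target, lnk) != 0) return 0;
    close(t);
    int unsafe_fd = open_log_unsafe(lnk);      /* follows the link */
    int safe_fd = open_log_fixed_name(lnk);    /* fails: EEXIST or ELOOP */
    int refused = unsafe_fd >= 0 && safe_fd < 0 &&
                  (errno == EEXIST || errno == ELOOP);
    if (unsafe_fd >= 0) close(unsafe_fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused;
}
```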
Reference:
Microsoft Security Bulletin (MS00-002): "Patch Available for 'Malformed
Conversion Data' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms00-002.asp
_____

Vulnerability: win-malformed-rtf-control-word
Date Reported: 1/17/2000
Platforms Affected: Windows 95, Windows 98, Windows NT 4.0 (including Terminal
Server Edition)
Risk Factor: Medium
Attack Type: Host Based

Standard RTF readers for Windows contain a vulnerability in their parsing of
control words. If a malicious document has a malformed control word (standard
control information in a buffer that goes unchecked), then an error occurs
that will crash the application.

Reference:
Microsoft Security Bulletin (MS00-005): "Patch Available for 'Malformed RTF
Control Word' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms00-005.asp
_____

Vulnerability: nt-spoofed-lpc-port
Date Reported: 1/13/2000
Platforms Affected: Windows NT 4.0
Risk Factor: High
Attack Type: Host Based

Windows NT 4.0 contains a vulnerability in LPC ports, which are used to allow
LPC calls on a machine. If exploited, a user logged into the Windows NT machine
from the keyboard can become the administrator of the machine.

Reference:
Microsoft Security Bulletin (MS00-003): "Patch Available for 'Spoofed LPC Port
Request' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-003.asp
_____

Vulnerability: linux-corel-update
Date Reported: 1/12/2000
Platforms Affected: Corel Linux
Risk Factor: High
Attack Type: Host Based

Corel Linux contains the program "Corel Update", which is used to update and
manage .deb files. It is suid root, and calls the 'cp' command without a path.
If a local user changes their PATH to execute a personal copy of cp, then
obtaining root access is trivial.
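As an added C example (mine, not Corel's code or anything from the ISS summary) of how a suid helper should invoke cp so that the invoker's PATH cannot redirect it: an absolute path, no shell, and a fixed environment, plus an allowlist check a defender can run on a PATH value before trusting it. Function names and the trusted-directory list are my assumptions.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Directories a privileged helper may resolve commands from (assumed
 * allowlist). The invoking user's PATH is never consulted. */
static const char *const TRUSTED_DIRS[] = { "/bin", "/usr/bin", "/sbin",
                                            "/usr/sbin" };

/* Defender's check: returns 1 if every entry of `path` is on the allowlist,
 * 0 if any entry is empty (which means the current directory), relative, or
 * elsewhere: exactly the PATH a local user would craft to plant a fake cp.
 * Entries are split by hand so that empty entries are not silently skipped. */
int path_is_trusted(const char *path) {
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        int ok = 0;
        for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof *TRUSTED_DIRS; i++)
            if (len == strlen(TRUSTED_DIRS[i]) &&
                strncmp(start, TRUSTED_DIRS[i], len) == 0)
                ok = 1;
        if (!ok) return 0;            /* empty, relative, or unlisted entry */
        if (!end) return 1;           /* last entry checked, all trusted */
        start = end + 1;
    }
}

/* Hardened invocation: absolute path, argv passed as an array (no shell to
 * parse it), and a fixed environment handed to execve(), so neither PATH nor
 * anything else from the caller reaches the child. Returns cp's exit status,
 * or -1 if the child could not be started or did not exit normally. */
int copy_hardened(const char *src, const char *dst) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", (char *)src, (char *)dst, NULL };
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        execve("/bin/cp", argv, envp);
        _exit(127);                   /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```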
Reference:
BUGTRAQ Mailing List: "Serious Bug in Corel Linux.(Local root exploit)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-8&msg=Pine.LNX.4.10.10001120924350.5629-100000@enete.gui.uva.es
_____

Vulnerability: icq-url-bo
Date Reported: 1/10/2000
Platforms Affected: ICQ 99b
Risk Factor: High
Attack Type: Network Based

ICQ is popular chat software that features file transfers and normal chatting.
It contains a problem in URL parsing when a URL is sent from another user. A
long URL could allow the remote user to execute instructions on the affected
machine.

Reference:
BUGTRAQ Mailing List: "ICQ Buffer Overflow Exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-8&msg=20000111183043.8950.qmail@web2001.mail.yahoo.com
_____

Vulnerability: linux-pam-userhelper
Date Reported: 1/4/2000
Platforms Affected: Linux (RedHat 6.0, 6.1)
Risk Factor: High
Attack Type: Host Based

The userhelper and PAM programs in Red Hat Linux contain a bug in that they
follow '..' paths. By exploiting these vulnerabilities, a local user could
obtain root level access.

References:
Red Hat, Inc. Security Advisory: "usermode, PAM" at:
http://www.redhat.com/support/errata/RHSA2000001-03.html
L0pht Security Advisory: "PamSlam" at:
http://www.l0pht.com/advisories/pam_advisory
_____

Vulnerability: winamp-playlist-bo
Date Reported: 1/4/2000
Platforms Affected: Winamp 2.0
Risk Factor: High
Attack Type: Host Based

Winamp is a Windows based mp3 and wav music player. If a local user has an
entry in the playlist longer than 580 bytes, the buffer is overflowed and the
user can execute arbitrary code.
Reference:
NTBUGTRAQ Mailing List: "Winamp buffer overflow advisory" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0001&L=ntbugtraq&F=&S=&P=946
_____

Vulnerability: hp-aserver
Date Reported: 1/1/2000
Platforms Affected: HP-UX (10x, 11x)
Risk Factor: High
Attack Type: Host Based

A vulnerability exists in the Aserver program on HP-UX 10.x and 11.x systems.
A local user would be able to exploit this vulnerability to obtain root level
access.

Reference:
HP Security Advisory: "Aserver Vulnerability" at: http://hp-support.hp.com
_____

Vulnerability: sun-sadmind
Date Reported: 12/29/1999
Platforms Affected: Solaris (2.3, 2.4, 2.5, 2.5.1, 2.6, 7)
Risk Factor: High
Attack Type: Network Based

The sadmind program is installed by default on many SunOS versions. It is used
to perform system administration operations remotely. Sadmind contains a
vulnerability that would allow a remote attacker to overflow a buffer and
execute arbitrary commands and possibly gain root level access.

Reference:
Sun Microsystems, Inc. Security Bulletin: "sadmind" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
_____

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a
machine, gains superuser access, or bypasses a firewall. Example: A vulnerable
Sendmail 8.6.5 version that allows an intruder to execute commands on the mail
server.

Medium
Any vulnerability that provides information that has a high potential of
giving system access to an intruder. Example: A misconfigured TFTP or
vulnerable NIS server that allows an intruder to get the password file that
could contain an account with a guessable password.

Low
Any vulnerability that provides information that potentially could lead to a
compromise. Example: A finger that allows an intruder to find out who is
online and potential accounts to attempt to crack passwords via brute force
methods.

Copyright (c) 1999 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert Summary
in any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's
own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as
on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.