From xforce@iss.net Sat Mar 11 14:18:14 2000
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Wed, 1 Mar 2000 22:47:09 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary: v5 n2

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
March 1, 2000
Volume 5 Number 2

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.
_____________________________________________________________________________

Contents

12 Reported Vulnerabilities
 - trin00-dos
 - netgear-multiple-dos
 - sambar-batfiles
 - win-media-dos
 - win-active-setup
 - siteserver-sitebuilder
 - netbsd-ptrace
 - netbsd-procfs
 - ie-image-source-redirect
 - sco-openserver-arc-symlink
 - iis-frontpage-info
 - outlook-active-script-read

Risk Factor Key
_____________________________________________________________________________

Date Reported: 2/14/00
Attack: trin00-dos
Platforms Affected: Any
Risk Factor: High
Attack Type: Network Based

Trin00 is a Distributed Denial of Service (DDoS) system in which a master
computer launches a denial of service attack by enlisting the help of several
client computers that run the Trin00 client.
References:
ISS Security Alert: "Denial of Service Attack using the TFN2K and Stacheldraht
programs" at:
http://xforce.iss.net/alerts/advise43.php3
ISS Security Alert Update: "trin00 for Windows Distributed Denial of Service
Attack Tool" at:
http://xforce.iss.net/alerts/advise44.php3
_____________________________________________________________________________

Date Reported: 2/25/00
Vulnerability: netgear-multiple-dos
Platforms Affected: Netgear ISDN Router RH348 and RT328
Risk Factor: Medium
Attack Type: Network Based

Netgear ISDN Routers (RH348 and RT328) are vulnerable to multiple denial of
service attacks. If a remote attacker runs a SYN scan against the router, it
denies connections to port 23 for about 5 minutes per packet, effectively
shutting it down. If a remote attacker telnets to the router and remains idle,
the router does not allow any other management session. Finally, if a remote
attacker sends a large number of ICMP redirect packets, the router stops
routing packets for as long as the attack continues.

Reference:
BUGTRAQ Mailing List: "DoSing the Netgear ISDN RT34x router" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=Pine.LNX.4.20.0002251214450.23763-100000@voodoomindcontrol.jcius.com
_____________________________________________________________________________

Date Reported: 2/23/00
Vulnerability: sambar-batfiles
Platforms Affected: Sambar Server for Windows 9x and NT
Risk Factor: High
Attack Type: Network Based

Sambar Server is a multi-threaded HTTP server for Windows 9x and NT
environments. Some beta versions of Sambar Server shipped with two files,
HELLO.BAT and ECHO.BAT, in the CGI directory. These two files, and .BAT files
like them, could allow remote attackers to execute arbitrary commands on the
server.

Reference:
BugTraq Mailing List: "Sambar Server alert!"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=38B3E60A.6A84FEC3@cybcom.net
_____________________________________________________________________________

Date Reported: 2/23/00
Vulnerability: win-media-dos
Platforms Affected: Microsoft Windows Media Services (4.0, 4.1)
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows Media Services contain a denial of service vulnerability in
the media server. If a remote user sends client-side handshake packets to the
server out of order, the server tries to use resources before they have been
initialized, causing the Windows Unicast Service to crash.

Reference:
Microsoft Security Bulletin (MS00-013): "Patch Available for 'Misordered
Windows Media Services Handshake' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-013.asp
_____________________________________________________________________________

Date Reported: 2/19/00
Vulnerability: win-active-setup
Platforms Affected: Microsoft Internet Explorer
                    Microsoft Outlook
Risk Factor: High
Attack Type: Network/Host Based

Microsoft-signed ActiveX setup files are normally installed without
notification to the user. An attacker could have the operating system install
a Microsoft component with known vulnerabilities and then exploit those
vulnerabilities. This could be exploited remotely if the installation is
triggered from a web page or an HTML email message.

Reference:
BUGTRAQ Mailing List: "Microsoft signed software can be install software
without prompting users" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000221103938.T21312@securityfocus.com
_____________________________________________________________________________

Date Reported: 2/18/00
Vulnerability: siteserver-sitebuilder
Platforms Affected: Microsoft SiteServer 3.0
Risk Factor: High
Attack Type: Network Based

Microsoft SiteServer 3.0 (Commerce Edition) ships with a Site Builder wizard
used to build custom sites. A security vulnerability exists in the
"product.ast" file it creates that could allow a remote attacker to execute
arbitrary SQL commands. This hole also affects the "product.asp" file, which
is part of the Volcano Coffee sample site.
Reference:
Microsoft Security Bulletin MS00-010: "Patch Available for 'Site Wizard Input
Validation' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-010.asp
_____________________________________________________________________________

Date Reported: 2/16/00
Vulnerability: netbsd-ptrace
Platforms Affected: NetBSD/vax 1.4.1
Risk Factor: Medium
Attack Type: Host Based

A vulnerability in NetBSD's ptrace could allow a local user to construct a
wrapper program that modifies the hardware privileges of the traced program.

Reference:
BUGTRAQ Mailing List: "NetBSD Security Advisory 1999-012" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=14505.23579.967265.266049@passion.geek.com.au
_____________________________________________________________________________

Date Reported: 2/16/00
Vulnerability: netbsd-procfs
Platforms Affected: NetBSD 1.4.1
Risk Factor: High
Attack Type: Host Based

NetBSD's proc filesystem contains a vulnerability by which a local user can
trick a setuid binary into writing to /proc/. This would cause the memory
image of another setuid binary to execute a shell.

Reference:
BUGTRAQ Mailing List: "NetBSD Security Advisory 2000-001" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=14505.23693.773699.404104@passion.geek.com.au
_____________________________________________________________________________

Date Reported: 2/16/00
Vulnerability: ie-image-source-redirect
Platforms Affected: Microsoft Internet Explorer (4.0, 4.01, 5.0, 5.01)
Risk Factor: Medium
Attack Type: Network Based

Microsoft Internet Explorer has a flaw that allows a malicious web site
operator to read files on the system of a user browsing that web site.

Reference:
Microsoft Security Bulletin (MS00-009): "Patch Available for 'Image Source
Redirect' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-009.asp
_____________________________________________________________________________

Date Reported: 2/15/00
Vulnerability: sco-openserver-arc-symlink
Platforms Affected: SCO OpenServer 5.0.5
Risk Factor: High
Attack Type: Host Based

The /tmp files of the ARCserve agent on SCO OpenServer version 5.0.5 could
allow a symlink attack.
The ARCserve agent startup script creates several files in the /tmp directory
with world-writable permissions (mode 777). An attacker could replace these
files with symlinks and thereby create files anywhere on the filesystem with
root privileges.

Reference:
SCO Security Bulletin: "SSE063 - ARCserve startup script symlink vulnerability
in SCO OpenServer 5" at:
http://www.sco.com/security
_____________________________________________________________________________

Date Reported: 2/3/00
Vulnerability: iis-frontpage-info
Platforms Affected: IIS running FrontPage
Risk Factor: Medium
Attack Type: Network Based

Microsoft Windows NT 4 running Internet Information Server with FrontPage
contains a vulnerability that would allow a remote attacker to learn the name
of the anonymous Internet account and physical paths on the affected system.

Reference:
BUGTRAQ Mailing List: "Alert: IIS 4 / IS 2 IDQ Cerberus Information Security
Advisory (CISADV000202)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-29&msg=038201bf6dd8$249e2250$5802020a@cerberusinfosec.co.uk
_____________________________________________________________________________

Date Reported: 2/1/00
Vulnerability: outlook-active-script-read
Platforms Affected: Microsoft Outlook Express 5.01
                    Internet Explorer 5.01
Risk Factor: Medium
Attack Type: Host/Network Based

Microsoft Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95
(and possibly other versions) contain a vulnerability when active scripting is
enabled. A malicious email message could run active scripting that reads any
new messages that arrive after the malicious email has been read.

Reference:
BUGTRAQ Mailing List: "Outlook Express 5 vulnerability - Active Scripting may
read email messages" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=896E440.553BD289@nat.bg
_____________________________________________________________________________

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access into
        a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to
        execute commands on the mail server.
Medium  Any vulnerability that provides information that has a high potential
        of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows an
        intruder to get the password file, which could contain an account with
        a guessable password.

Low     Any vulnerability that provides information that potentially could
        lead to a compromise.
        Example: A finger service that allows an intruder to find out who is
        online and potential accounts to attempt to crack passwords via brute
        force methods.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert Summary
in any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's
own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOL3AUzRfJiV99eG9AQEA3wQAtJ7M11joAtjI5sF/BiAE7X49Jr9gYPRL
oW8caEAqZ1dv+6Bm4p26EcBWGBdhCXgR56k+ul5q8ADzetMJXjLrAjGaYx6HflJH
EyCqUvFLuhby9LV3S85ZFXiZ7VyDA6K3Y4Nvaisq4DIOIHEOhkmLju63v5XoPrr6
ZqOzZKys3Sk=
=FS9Z
-----END PGP SIGNATURE-----
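The sco-openserver-arc-symlink entry in the summary above describes the classic /tmp symlink race: a privileged startup script creates predictably named, world-writable files under /tmp, so whoever plants a symlink at that name first redirects the privileged write to any file on the system. The C program below is an added example for this mailing-list post, not part of the ISS summary and unrelated to SCO's actual ARCserve script. It places the vulnerable open pattern beside a hardened one (O_CREAT|O_EXCL|O_NOFOLLOW with owner-only mode and an fstat check on the descriptor, plus mkstemp for library-chosen names) and demonstrates the difference against a symlink it plants itself in a scratch directory. The scratch directory, the file names and the demo function are constructed for the example.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a fixed, predictable name under /tmp,
 * a mode that is world-writable before umask, and open() flags that follow
 * whatever symlink an attacker left at that name. Returns fd or -1. */
int unsafe_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0777);
}

/* Hardened open for a fixed name: O_EXCL refuses to reuse anything already at
 * the path (a symlink included), O_NOFOLLOW refuses to traverse a symlink, and
 * the mode is owner-only. fstat on the descriptor (never stat on the path,
 * which could be swapped underneath us) confirms we hold a fresh regular
 * file. Returns fd or -1. */
int safe_tmp_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Preferred fix: an unpredictable name chosen by the C library. The trailing
 * XXXXXX of the template is replaced in place; the file is created 0600 with
 * O_EXCL semantics, so a pre-planted link at that name cannot be used. */
int safe_tmp_create(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Self-contained demonstration (constructed scenario): build a scratch
 * directory, plant a symlink at the "predictable" name pointing at a victim
 * file, then check that the unsafe open writes through the link while the
 * hardened open refuses it. Returns 1 if every behaviour is as expected. */
int demo_symlink_protection(void)
{
    char dir[] = "/tmp/issdemo.XXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;

    char victim[256], predictable[256], fresh[256], tmpl[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(predictable, sizeof predictable, "%s/startup.tmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/agent.XXXXXX", dir);

    int ok = 1;
    /* The victim stands in for a root-owned file the attacker wants written. */
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || symlink(victim, predictable) != 0)
        ok = 0;
    if (vfd >= 0)
        close(vfd);

    /* 1. Vulnerable pattern: the open succeeds and the bytes land in victim. */
    int ufd = unsafe_tmp_open(predictable);
    if (ufd < 0) {
        ok = 0;
    } else {
        if (write(ufd, "pwned\n", 6) != 6)
            ok = 0;
        close(ufd);
        struct stat st;
        if (stat(victim, &st) != 0 || st.st_size != 6)
            ok = 0;                               /* write did not reach victim */
    }

    /* 2. Hardened open refuses the planted symlink outright (-1). */
    if (safe_tmp_open(predictable) != -1)
        ok = 0;

    /* 3. Hardened open on a genuinely new name works and is owner-only. */
    int sfd = safe_tmp_open(fresh);
    if (sfd < 0) {
        ok = 0;
    } else {
        struct stat st;
        if (fstat(sfd, &st) != 0 || (st.st_mode & 0777) != 0600)
            ok = 0;
        close(sfd);
    }

    /* 4. mkstemp variant: library-chosen name, no predictable path at all. */
    int mfd = safe_tmp_create(tmpl);
    if (mfd < 0)
        ok = 0;
    else
        close(mfd);

    unlink(predictable); unlink(victim); unlink(fresh);
    if (mfd >= 0)
        unlink(tmpl);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink protection demo: %s\n",
           demo_symlink_protection() ? "PASS" : "FAIL");
    return 0;
}
```

When auditing a startup script rather than C code, the same checklist applies: no fixed names under a world-writable directory, no mode 777, and creation via mktemp(1) or a private directory the privileged process owns; the fstat-after-open check is what closes the window between "the path looked fine" and "the file is open".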