



April 2000, last Update: 05/05/00
Further links lead to the
organization which reported the problem, so you can also read the
original advisory and be informed about further actions to be
taken and patches to install.
By the way: if we're not publishing well-known risks inherent in
any widely used platform or program, that doesn't mean this particular
platform or program is safe to use!

|
|
US-CERT reports about compromises of machines running the Domain Name System (DNS) server software that is part of BIND ("named"), including compromises of machines that are not being used as DNS Servers.
Some sites with compromised systems have found one of the following empty directories
(/var/named/ADMROCKS, /var/named/O) on systems where the NXT record vulnerability
was successfully exploited. Other common
"effects" are:
- inetd started with an intruder-supplied configuration file in /tmp that provides a backdoor into the system
- modified /etc/inittab and/or system startup files to load intruder processes at boot time
- Trojan horse versions of sshd and /bin/login designed to provide a backdoor into a compromised system
- complete rootkits that include Trojan horse replacements for system binaries, sniffers, denial-of-service tools, vulnerability scanners, exploits, etc.
It's strongly recommended to run the latest
version of BIND and to configure it correctly. |
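A host check for the post-compromise indicators listed above, added here as an example (it is not code from CERT, ISC or any BIND tooling). The marker directories and the /tmp inetd config and inittab patterns come from the text; the allow-list of trusted boot-time command locations and the sample filesystem are assumptions, and the scan takes a root path so it can be run against a mounted disk image.

```python
import os
import tempfile

# Indicators are the ones listed in the news item above; the allow-list of
# boot-time command locations is an assumption to tune per host.
MARKER_DIRS = ("var/named/ADMROCKS", "var/named/O")
TRUSTED_PREFIXES = ("/sbin/", "/bin/", "/usr/", "/etc/")

def find_marker_dirs(root):
    """Return the intruder marker directories that exist under root."""
    return [rel for rel in MARKER_DIRS
            if os.path.isdir(os.path.join(root, rel))]

def looks_like_inetd_conf(path):
    """True if a line looks like inetd.conf: svc stream|dgram tcp|udp ..."""
    try:
        with open(path, errors="replace") as fh:
            for line in fh:
                f = line.split()
                if (len(f) >= 6 and f[1] in ("stream", "dgram")
                        and f[2] in ("tcp", "udp")):
                    return True
    except OSError:
        pass
    return False

def find_inetd_configs_in_tmp(root):
    """Files in /tmp that could serve as an intruder-supplied inetd config."""
    tmp = os.path.join(root, "tmp")
    if not os.path.isdir(tmp):
        return []
    return sorted(n for n in os.listdir(tmp)
                  if os.path.isfile(os.path.join(tmp, n))
                  and looks_like_inetd_conf(os.path.join(tmp, n)))

def suspicious_inittab_entries(root):
    """inittab lines (id:runlevels:action:process) whose process lives
    outside the trusted trees, e.g. something respawned from /tmp."""
    hits = []
    try:
        with open(os.path.join(root, "etc/inittab"), errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                parts = line.split(":", 3)
                words = parts[3].split() if len(parts) == 4 else []
                if words and not words[0].startswith(TRUSTED_PREFIXES):
                    hits.append(line)
    except OSError:
        pass
    return hits

def scan(root="/"):
    """Run all checks; pass a mount point to inspect an offline disk image."""
    return {"marker_dirs": find_marker_dirs(root),
            "inetd_tmp_configs": find_inetd_configs_in_tmp(root),
            "inittab": suspicious_inittab_entries(root)}

def build_sample_tree(compromised=True):
    """Constructed sample filesystem, not data from any real incident."""
    root = tempfile.mkdtemp()
    for d in ("tmp", "etc", "var/named"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc/inittab"), "w") as fh:
        fh.write("id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n")
        if compromised:
            fh.write("x1:3:respawn:/tmp/.fd\n")
    if compromised:
        os.mkdir(os.path.join(root, "var/named/ADMROCKS"))
        with open(os.path.join(root, "tmp/.x"), "w") as fh:
            fh.write("ftp stream tcp nowait root /tmp/.fd /tmp/.fd\n")
    return root
```

Running `scan("/")` as root on a live host covers the three indicators the item names; a clean result does not prove the absence of a rootkit, since replaced binaries are not checked here.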
|

|
|
The AIX Fast Response Cache Accelerator (FRCA) is a kernel extension module that improves the performance of a web server by using a memory cache to store data being served from the web server. FRCA is used primarily with the Apache-based IBM HTTP server, but it may also be used with other web servers. The frcactrl program is used to
manage the FRCA configuration and is distributed as part of the base operating system in AIX 4.3.
A security risk exists on systems with AIX fix IY02669 applied and with the FRCA kernel extension loaded.
The setuid bit of the frcactrl file is turned on by APAR (Authorized Problem Analysis Report) IY02669, which allows non-root users to configure the module. An
attacker may use frcactrl to manipulate the configuration of the FRCA log files to create,
append, or overwrite files as root. IBM is
working on a patch. If the functionality is not needed, FRCA should be
unloaded. |
|

|
|
Imap-uw is a popular IMAP4/POP2/POP3 mail server from the University
of Washington. Numerous buffer overflows were found. Once an IMAP user has successfully logged into their mail account, imapd has dropped root privileges and is
running as the user ID of that mail account,
so the buffer overflow can only allow code to be executed as that user.
This vulnerability is only relevant on a "closed" mail server, i.e. one which does not normally allow interactive logins by mail
users. The imap-uw port also supplies a "libc-client" library which provides
various functionality common to mail servers. The algorithm used for locking of mailbox files contains a weakness which allows an
unprivileged local user to lock an arbitrary local mailbox. There are
no patches available at the moment. If not needed, imapd should be
uninstalled. |
|

|
| System: |
Allaire Spectra 1.0 and 1.0.1 |
| Topic: |
No object security by using Container Editor
Preview: ASB00-10 |
In Spectra, the Container Editor Preview tool does not enforce object security. Any object-method placed in the container object array by a publishing rule is invoked with security disabled by the container editor preview tab.
Allaire has published a patch
to fix this problem. |
|

|
| System: |
Microsoft FrontPage 2000 |
| Topic: |
Windows 2000 Accounts published: NTShop |
Using FrontPage 2000 Extensions for Internet Information Server 5.0
allows valid FrontPage users connected to a remote Web using a
FrontPage Client to obtain a list of account names. This problem was
found on NT 4.0 / IIS 4.0 and Windows 9x also, but the workarounds
don't work for Windows 2000. Microsoft is working on a patch. |
|
 |
| System: |
Real Networks Real Server |
| Topic: |
Denial-of-Service possible: NTShop |
By sending the Real Server (7, pro, Intranet,
Plus, Basic, G2 1.0 as well as for Linux and Windows) 471 bytes of malformed data on port 7070, the service can be made to crash.
USSRLabs have published a demonstration
of this problem. Real Networks seems to be working on a patch. |
|

|
| System: |
Netscape Communicator 4.x |
| Topic: |
Local Files exposed by using Cookies and
JavaScript: NTShop |
Netscape Communicator 4.x allows a Web site to read HTML files on a user's hard drive, including the user's bookmarks file and browser cache files. The exploit works by setting a cookie whose value contains JavaScript code.
A detailed description has been published by Bennett.
Netscape will fix this problem with the next minor version. |
|

|
| System: |
Novell Netware 5.1 |
| Topic: |
Buffer Overflow in Remote Admin: NTShop |
The Remote Administration service contains a buffer overflow condition that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution.
Novell is working on a patch; a demonstration
can be found in the advisory. |
|

|
| System: |
Panda Security 3.0 |
| Topic: |
Panda Security can be bypassed: NTShop |
Panda Security 3.0 for Windows 95 and 98 is vulnerable to indirect registry key modifications, which allow Panda Security keys to be manipulated by any logged-on user.
A demonstration
has been published by Deep Zone and Panda Software has released a patch. |
|

|
|
A vulnerability exists in the imwheel package of
Red Hat Linux Powertools where local users can execute arbitrary commands as root.
Piranha is a package distributed by Red Hat, Inc. that contains the Linux Virtual Server (LVS)
software, a web-based GUI, and monitoring and fail-over components. A backdoor password exists in the GUI portion of Piranha that may allow remote attackers to execute commands on the server. OpenLDAP follows symbolic links when creating files. The default location for these files is /usr/tmp, which is a symlink to /tmp, which in turn is a world-writable directory. Local users can destroy the contents of any file on any mounted filesystem.
It's recommended to install the relevant patches:
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/i386/imwheel-0.9.8-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/i386/imwheel-0.9.8-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/piranha-0.4.13-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/piranha-docs-0.4.13-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/alpha/imwheel-0.9.8-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/alpha/imwheel-0.9.8-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/piranha-0.4.13-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/piranha-gui-0.4.13-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/piranha-docs-0.4.13-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/sparc/imwheel-0.9.8-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/sparc/imwheel-0.9.8-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/piranha-0.4.13-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/piranha-gui-0.4.13-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/piranha-docs-0.4.13-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/powertools/6.1/SRPMS/imwheel-0.9.8-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/imwheel-0.9.8-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.1/SRPMS/openldap-1.2.9-6.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/openldap-1.2.9-6.src.rpm |
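The OpenLDAP item above is an instance of a general defect: a privileged program creates a file by name in a world-writable directory (/usr/tmp pointing at /tmp) and follows a symlink that an unprivileged user planted there. The following is an added example, not code from OpenLDAP or Red Hat, showing the vulnerable pattern beside the hardened form (O_CREAT|O_EXCL|O_NOFOLLOW); the directory layout, the file name `slapd.tmp` and the victim contents are constructed for the demonstration, and it runs as one user, which is enough to show the mechanism.

```python
import os
import tempfile


def unsafe_create(path, data):
    """Creates (or truncates) by name; follows a planted symlink, so the
    write lands on whatever the symlink points at. This is the defect."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_create(path, data):
    """Creates the file only if the path does not exist yet (O_EXCL) and
    never through a symlink (O_NOFOLLOW); raises OSError otherwise."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario standing in for /usr/tmp -> /tmp: a victim file
    and a symlink to it planted under the name the program will create."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    with open(victim, "wb") as fh:
        fh.write(b"important contents\n")
    planted = os.path.join(base, "slapd.tmp")  # file name is an assumption
    os.symlink(victim, planted)

    out = {}
    try:                                   # hardened variant refuses
        safe_create(planted, b"x")
        out["safe_refused"] = False
    except OSError:
        out["safe_refused"] = True
    out["victim_size_after_safe"] = os.path.getsize(victim)

    unsafe_create(planted, b"")            # vulnerable variant truncates victim
    out["victim_size_after_unsafe"] = os.path.getsize(victim)
    return out


if __name__ == "__main__":
    print(demo())
```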
|

|
| System: |
SCO Unixware 7.x and OpenServer 5.0.x |
| Topic: |
Problems with sendmail/SMTP anti-relay: SB-00.11,
SB-00.12 |
It is a common tactic among spammers to use other machines as an SMTP
relay to make their mail appear as if it does not come from their site.
The sendmail configuration for UnixWare 7 Release 7.0 and 7.0.1 and SCO OpenServer Release
5.0.x does not have the SMTP anti-relay enabled by default. It's
strongly recommended to change the configuration in the way pointed
out in the advisories. |
|

|
|
As Caldera Systems reports, there were some
security holes found in OpenLinux. There is a buffer overflow in the way the
dump command handles certain arguments. This bug can be exploited to
obtain group tty privilege. The INN (InterNetNews) package contains the 'inews' binary, which is used for injecting news articles into the server.
Several buffer overflows were found which allow any local user to gain group 'news' access.
There are several bugs in majordomo that allow arbitrary users to execute commands with the privilege of majordomo.
The OpenLinux package contains a CGI script called rpm_query that allows a user to obtain a list of all RPM packages installed on that machine, provided the Apache Web server is running.
The telnet daemon from the Linux netkit supports a command line option -L that lets the administrator specify a login program other than /bin/login. An unintended interaction with some other piece of code in telnetd has the effect that the memory location holding the name is overwritten with information obtained from the client host. This bug can be abused by an attacker to bypass authentication completely.
It's recommended to install the patches mentioned in the advisories. |
|

|
| System: |
Microsoft FrontPage 97 and 98 Server Extensions and
more |
| Topic: |
Vulnerability in Server-Side Image Map Components:
MS00-028,
ERS-2000.069,
NTShop |
The FrontPage 97 and 98 Server Extensions include two components,
Htimage.exe and Imagemap.exe, that provide CERN- and NCSA-compliant server side image mapping support, respectively, for legacy browsers.
Both components contain unchecked buffers that could be used to run arbitrary code. Although part of the Server Extensions, these
components also install as part of several other web server products.
Microsoft recommends eliminating this vulnerability by deleting all copies of the
files Htimage.exe and Imagemap.exe from the servers. |
|

|
| System: |
Microsoft Windows NT 4.0 and 2000, all versions |
| Topic: |
Vulnerability by Malformed Environment Variable
Handling in cmd.exe:
MS00-027,
ERS-2000.068,
NTShop |
CMD.EXE, the command processor for Windows NT 4.0 and Windows 2000,
has an unchecked buffer in part of the code that handles environment strings.
The vulnerability could allow a malicious user to make some or all of the memory on an affected server unavailable, potentially slowing or
stopping an affected server's response time. Microsoft has published
fixes for Windows
NT4 and Windows
2000. |
|

|
| System: |
Microsoft Windows 2000 Server, Advanced Server |
| Topic: |
Vulnerability by Mixed Object Access: MS00-026,
ERS-2000.066,
NTShop |
Active Directory allows for access control of directory objects on a
per-attribute basis. A vulnerability was found, which could allow an
attacker to modify object attributes that he does not have permission to modify, as long as he
combined the operation in a particular way with ones involving attributes that he does have
permission to modify.
Microsoft has published a patch
to fix this problem. |
|

|
| System: |
FreeBSD |
| Topic: |
Security risk by generic-nqs: ERS-2000.065 |
Generic-NQS versions 3.50.7 and earlier contain a security vulnerability
which allows a local user to easily obtain root privileges. A
workaround is to remove the generic-nqs port, but patches are also
available. |
|

|
|
Routers running Cisco IOS version 11.3AA or the 12.0 releases 12.0(2) up to and including 12.0(6)
may suffer a denial-of-service condition when they are scanned
by security scanners. The router may reload unexpectedly, which can be
exploited repeatedly to produce a consistent denial of service (DoS) attack.
Further information about fixes can be found in the advisory. |
|

|
| System: |
Microsoft IE 5.01 |
| Topic: |
Cross-Frame Navigation possible: NTShop |
As Georgi Guninski
reports, the Microsoft Internet Explorer 5.01 allows the circumvention of its cross-frame security policy by accessing the DOM
(document object model) of documents using Java or JavaScript. The problem exposes the whole DOM of the target document
and opens a lot of additional security risks. Microsoft seems to be working
on a patch. |
|

|
|
On Cisco Catalyst 4000, 5000, 5500, 6000 and 6500 with the software version 5.4(1)
anyone who can obtain ordinary console access can bypass password authentication to obtain "enable" mode access without
knowing the "enable" password. In version 5.4(2) this problem is
fixed. There are no known workarounds for this vulnerability. Strictly limiting telnet access to the device will prevent the initial connection required to
exploit this vulnerability:
set ip permit <address> <mask> telnet
set ip permit enable |
|

|
| System: |
TurboLinux |
| Topic: |
Vulnerabilities in PAM and usermode:
TLSA2000:09 |
Both pam and userhelper are setuid binaries and
they follow ".." in the path. Using pam any file on the disk
can be opened and in combination with userhelper a local attacker may
gain root rights on the system. Further information and links to
patches can be found in the advisories. |
|

|
|
A hole was found in the Windows NT 4.0 Option Pack, which is the primary distribution mechanism for Internet Information Server 4.0, in Personal Web Server 4.0, which ships as part of Windows 95 and 98,
and in the FrontPage 98 Server Extensions. Dvwssr.dll is a server-side component used to support the Link View feature in Visual Interdev 1.0. However, it contains an unchecked buffer. If overrun with random data, it could be used to cause an affected server to crash.
Microsoft is investigating further effects. Until a patch is
published, Microsoft recommends deleting all copies of the file Dvwssr.dll from
the server. The only functionality lost by deleting this file is the ability to generate link views of .asp
pages using Visual Interdev 1.0. |
|

|
|
Gpm is a cut and paste utility and mouse server for virtual consoles. As part of this package, the gpm-root program
allows people to define menus and actions for display when clicking on the background of current tty. The current gpm-root program fails to correctly give up the group id 0 membership for user defined menus. If you are running
gpm-root on your system then you are at risk.
Under extremely heavy load, data corruption can occur if a page fault occurs during a task switch between kernel space and user space on x86 platforms. This problem may affect very heavily
loaded systems. Lightly loaded servers are unlikely to be affected. This issue affects all x86 compatible systems.
It's recommended to install the relevant patches. Patches for the
kernel problem on different systems are pointed out in the second advisory.
Red Hat Linux 6.x:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/gpm-1.19.1-1.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/gpm-1.19.1-1.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/gpm-1.19.1-1.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.1-1.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/gpm-1.19.1-0.5.2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/gpm-1.19.1-0.5.2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/gpm-1.19.1-0.5.2.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/gpm-1.19.1-0.5.2.src.rpm
Red Hat Linux 4.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/4.2/i386/gpm-1.19.1-0.4.2.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/4.2/alpha/gpm-1.19.1-0.4.2.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/4.2/sparc/gpm-1.19.1-0.4.2.sparc.rpm
Source:
rpm -Fvh ftp://updates.redhat.com/4.2/SRPMS/gpm-1.19.1-0.4.2.src.rpm |
|

|
| System: |
Microsoft Windows NT 4.0 |
| Topic: |
Vulnerability caused by OffloadModExpo Registry Permissions:
MS00-024,
ERS-2000.062,
NTShop |
This vulnerability involves a registry key used by the CryptoAPI Base CSPs to specify the driver DLL for a hardware accelerator. By design, such a DLL would have access to users’ public and private keys. Although only administrators should have permission to add such a DLL, the permissions on the key actually would allow any user who could
interactively log onto the machine to do so. By writing a bogus DLL and installing it, an
attacker could compromise the keys of other users who subsequently used the machine.
All versions of NT 4.0 are affected, but not Windows 2000. Microsoft
has published a patch for X86
and Alpha. |
|

|
|
An Internet Information Server reading a malformed URL will suffer a denial of service
attack. Special characters can be embedded in URLs by use of so-called escaped character sequences. By providing a
malformed URL with an extremely large number of escaped characters, an
attacker could increase the work factor associated with parsing the escaped characters, thereby consuming much or all of the CPU availability on the server
- a classical Denial-of-Service attack against the Internet
Information Server. Microsoft has published patches for IIS
4.0 and IIS
5.0. |
|

|
| System: |
CRYPTOAdmin 4.1 server
on any platform, CRYPTOCard PT-1 token 1.04 |
| Topic: |
PalmToken PIN Extraction possible: l0pht |
CRYPTOCard's
CRYPTOAdmin software is a user authentication administration system which uses various hardware
and software token devices for challenge/response. Using the user's PIN number and the token, the correct response
will be calculated based on the challenge prompted from the CRYPTOAdmin
server. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. A PalmOS .PDB file is created by the
CRYPTOAdmin software for each user. The .PDB file is loaded onto the Palm
device. The user name, serial number, key, and PIN number are all stored
in this file in either encrypted or plaintext form. By gaining access to
the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypts-and-compares.
Having both the .PDB and the PIN number will allow an attacker to clone the token on another Palm device and generate the proper responses
given the challenge from the CRYPTOAdmin server. Using a demonstration
tool, the PIN can be determined in under 5 minutes on a Pentium III 450MHz.
It's strongly recommended to delete the .PDB file after it has been
loaded onto the Palm and to change the PIN regularly. |
|

|
|
IrcII is a popular text-mode IRC client. Version 4.4
contains a remotely-exploitable buffer overflow in the /DCC CHAT command which allows remote users to execute arbitrary
code as the client user. It's recommended to install a patch or to
remove the program from the system.
Healthd is a small utility for monitoring the temperature, fan speed and voltage levels of certain motherboards.
Healthd v0.3 installs a utility which is setuid root in order to monitor the system status. This utility contains a trivial buffer
overflow which allows an unprivileged local user to obtain root privileges on the system.
Here too, it's recommended to install a patch or to remove the
program from the system. |
|

|
|
A worm with variants known as "chode," "foreskin," "dickhair", "firkin," or "911" has recently received some attention.
The "chode" worm affects Windows 98 systems with unprotected shares.
The worm consists of several batch files and will delete all files on the C drive on the 19th day of the month.
Further information can be found in the advisory. |
|

|
| System: |
RealPlayer |
| Topic: |
Denial of Service possible: NTShop |
There is a buffer overflow in the Win32 RealPlayer Basic client, versions 6 and 7. This appears to occur when more than 299 characters are entered as a 'location' to play.
Real is working on a patch; until it's released it's recommended to
disable ActiveX in the browser. |
|

|
| System: |
SCO UnixWare 7.x |
| Topic: |
Vulnerabilities caused by telnet and ftp:
SB-00.09,
SB-00.10 |
In UnixWare 7.0.0 through UnixWare 7.1.1 a buffer overflow
is caused by the handling of environment data which allows telnet to execute arbitrary commands with the privileges it is set to run with.
A patch (letter)
has been published.
The same problem was found for ftp; patches have been published for
7.0.0 (patch, letter)
and 7.0.1-7.1.1 (patch,
letter). |
|

|
| System: |
SuSE Linux |
| Topic: |
Vulnerabilities in gpm and kreatecd: SUSE-045,
SUSE-046 |
Gpm is a cut and paste utility and mouse server for virtual consoles. The gpm-root command, which is part of the gpm package, allows local users to define menus and commands to be executed on mouse events. When a command is executed via gpm, the group id 0 privilege is not
dropped correctly, so local users may gain root access to the system.
Kreatecd is a KDE tool used to burn CD-ROMs. An exploitable buffer overflow was found in this
tool, so here too local users may gain root privileges.
It's recommended to install patches from SuSE's
Webpage for Patches. |
|

|
| System: |
HP-UX |
| Topic: |
Vulnerability with VirtualVault and Aserver: HP Security Bulletin
#00112, ERS-2000.058 |
On HP9000 Series 7/800 running only HP-UX 11.04
(VVOS), there is a vulnerability in the network layer of the operating system that could allow data to be delivered via a network interface to unprivileged processes if multiple IP addresses are assigned to the interface.
It's recommended to install a patch published by HP:
| System | Patch-ID |
| HP-UX 11.04 (VVOS) | PHNE_21261 |
In addition, HP has published another workaround
for the problem in Aserver which was published before. |
|

|
|
Recently, 33 new vulnerabilities were
found:
- windmail-pipe-command
- windmail-fileread
- simpleserver-exception-dos
- linux-domain-socket-dos
- linux-gpm-root
- outlook-manipulate-hidden-drives
- vqserver-dir-traverse
- vqserver-passwd-plaintext
- iis-chunked-encoding-dos
- nav-email-gateway-dos
- netscape-server-directory-indexing
- mercur-webview-get-dos
- officescan-admin-pw-plaintext
- officescan-admin-access
- linux-kreatecd-path
- win-dos-devicename-dos
- wmcdplay-bo
- nt-registry-permissions
- staroffice-scheduler-fileread
- staroffice-scheduler-bo
- iis-root-enum
- mssql-query-abuse
- clipart-cil-bo
- oracle-installer
- linux-rpm-query
- thebat-mua-attach
- irix-infosrch-fname
- linux-dosemu-config
- coldfusion-reveal-pathname
- netscape-enterprise-command-bo
- nmh-execute-code
- htdig-remote-read
- ie-html-shortcut
Further information can be found on the ISS server. |
|

|
|
When an Excel user starts a macro (.XLM) that resides outside of the current
spreadsheet (for example, in another spreadsheet), Excel by design will generate a warning dialogue.
This dialogue is not generated if the macro consists of Excel 4.0 Macro Language (XLM)
commands in an external text file. The vulnerability only affects whether a warning dialogue is displayed, it does not change any other aspects of the macro's operation.
However, an attacker could use this "feature" to run arbitrary
commands in the context of the user, if the user runs such a macro.
Microsoft has published a patch for Excel
97 SP2 and Excel
2000 SP1. |
|

|
| System: |
Allaire Forums 2.x |
| Topic: |
Security hole in Forums: ASB00-06,
NTShop |
Due to this hole users are allowed to view and post to secure discussion
threads via unsecured conferences and/or through E-Mail. This issue
affects multiple templates in the Forums software. It's recommended to
install a patch. |
|

|
| System: |
very many |
| Topic: |
Advisory about DDoS: K-032 |
CIAC has published an article about Distributed
Denial of Service (DDoS) attacks. Many network administrators are only concerned with being the target of a
DDoS attack. Although with the current TCP/IP implementation there is little that can be done to prevent your network from
suffering the effects of a DDoS, the article points out steps that can be taken to help
reduce the chances that your network is used as a source of an attack against
another network. Some countermeasures are pointed out in the advisory,
and another paper
published by CIAC gives further information about DDoS. |
