July 2000, last Update: 08/10/00
Further links lead to the organization which reported the problem, so you can also read the original advisory and are informed about further actions to be taken and patches to install.
By the way: if we are not publishing well-known risks inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!

System: Debian Linux
Topic: Vulnerability in userv: Debian200727
The version of userv distributed with Debian GNU/Linux 2.1 (slink) has a problem in its fd swapping algorithm: it could sometimes make an out-of-bounds array reference. It might be possible for local users to abuse this to carry out unauthorised actions or to take control of service user accounts. Patches are available now.

The registry entry that specifies the Windows shell executable Explorer.exe provides a relative rather than an absolute path name. Because of the circumstances in place at system startup time, the normal search order would cause any file named Explorer.exe in the %Systemdrive%\ directory to be loaded in place of the bona fide version. This could provide an opportunity for a malicious user to cause code of his choice to run when another user subsequently logged on to the same machine. Microsoft has published fixes for Microsoft Windows NT 4.0 and Microsoft Windows 2000. A patch for Microsoft Windows NT 4.0 Terminal Server will be published soon.

System: Microsoft Windows NT 4.0, Windows 2000
Topic: Vulnerability caused by NetBIOS Name Server Protocol: MS00-47, ERS-2000.167
The NetBIOS Name Server (NBNS) protocol, part of the NetBIOS over TCP/IP (NBT) family of protocols, is implemented in Windows systems as the Windows Internet Name Service (WINS). By design, NBNS allows network peers to assist in managing name conflicts, and it is an unauthenticated protocol. An attacker can misuse the Name Conflict and Name Release mechanisms to cause another machine to conclude that its name is in conflict. Depending on the scenario, the machine would as a result either be unable to register a name on the network or would relinquish a name it had already registered. The result in either case is the same: the machine no longer responds to requests sent to the conflicted name. If UDP port 137 is blocked by a firewall, external attacks are not possible. Microsoft has published a fix for Windows 2000; patches for NT 4.0 and NT 4.0 Terminal Server will follow.

System: Red Hat Linux
Topic: Vulnerabilities in gpm: RHSA-2000:045
gpm as shipped in Red Hat Linux 5.2 and 6.x contains a number of security problems. Additionally, a denial of service attack via /dev/gpmctl is possible. Red Hat has published updated packages for the affected systems, which should be installed:
Red Hat Linux 6.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/gpm-1.19.3-0.6.x.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/gpm-1.19.3-0.6.x.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/gpm-1.19.3-0.6.x.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/gpm-1.19.3-0.6.x.src.rpm

A vulnerability has been discovered in REGISTER.ID, a worksheet function, when it references a DLL created by an attacker. When REGISTER.ID is invoked from an Excel worksheet it can reference any DLL on the system, which can be harmful if the referenced DLL contains malicious code. By design, no warning is given to the user when REGISTER.ID calls a DLL from a worksheet. Microsoft has published a patch for Excel 97 and Excel 2000.

System: Netscape Communicator 3.0 - 4.73
Topic: Vulnerability caused by JPEG: NTShop
The JPEG interchange format provides for a two-byte comment length field within the body of the data; however, that field is not checked for a proper value in the affected versions of Netscape Communicator. Because of that programming oversight it may be possible to overwrite the heap and cause arbitrary code to execute on the system. The problem affects the mail, news, and Web components of Communicator. It is recommended to upgrade at least to version 4.74.
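As an added illustration (not code from the advisory or from Netscape), a small JPEG marker-segment walker in C that applies the check the affected versions lacked: every segment's two-byte length must cover itself and must not reach past the data actually received, and the comment payload is copied only within those bounds. The sample byte streams are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Walks the JPEG header segments up to Start Of Scan (0xFFDA), checking that
 * every two-byte, big-endian length field covers itself and does not reach
 * past the end of the buffer.  If `comment` is non-NULL the first COM
 * (0xFFFE) payload is copied into it, truncated to comment_sz - 1 bytes and
 * NUL-terminated, so the copy is bounded by the real data and not by the
 * attacker-controlled length field.  Returns 1 if well-formed, 0 otherwise. */
int jpeg_check(const uint8_t *buf, size_t len, char *comment, size_t comment_sz)
{
    size_t pos;

    if (comment && comment_sz)
        comment[0] = '\0';
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)      /* SOI */
        return 0;
    pos = 2;

    for (;;) {
        uint8_t marker;
        size_t seglen;

        if (pos + 2 > len || buf[pos] != 0xFF)            /* need 0xFF + code */
            return 0;
        marker = buf[pos + 1];
        pos += 2;

        if (marker == 0xFF) { pos--; continue; }          /* fill byte, re-sync */
        if (marker == 0xDA) return 1;                     /* SOS: header done */
        if (marker == 0xD8 || marker == 0xD9) return 0;   /* second SOI or EOI before scan */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                                     /* standalone markers carry no length */

        if (pos + 2 > len)                                /* length field missing */
            return 0;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2)                                   /* cannot cover its own length field */
            return 0;
        if (seglen > len - pos)                           /* claims more bytes than present */
            return 0;

        if (marker == 0xFE && comment && comment_sz) {    /* COM: bounded copy of payload */
            size_t n = seglen - 2;
            if (n > comment_sz - 1)
                n = comment_sz - 1;
            memcpy(comment, buf + pos + 2, n);
            comment[n] = '\0';
        }
        pos += seglen;
    }
}

/* Constructed sample streams (not from any real file): SOI, one COM, SOS. */
const uint8_t jpeg_good[] =
    { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', 0xFF, 0xDA };
/* Same layout, but the COM length claims 0xFFFF bytes: far beyond the data. */
const uint8_t jpeg_oversized[] =
    { 0xFF, 0xD8, 0xFF, 0xFE, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o', 0xFF, 0xDA };
/* COM length of 1: smaller than the length field itself (seglen - 2 would wrap). */
const uint8_t jpeg_undersized[] =
    { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 'h', 'e', 'l', 'l', 'o', 0xFF, 0xDA };
const size_t jpeg_good_len = sizeof jpeg_good;
const size_t jpeg_oversized_len = sizeof jpeg_oversized;
const size_t jpeg_undersized_len = sizeof jpeg_undersized;

/* Output buffer for the extracted comment, exposed so callers can inspect it. */
char jpeg_comment_out[32];
```

Passing a shorter `len` than the stream really has models a truncated download, which the same length check rejects.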

System: AnalogX Proxy
Topic: Denial-of-Service caused by Buffer Overflow: NTShop
Several unchecked buffers exist within AnalogX Proxy 4.04, allowing for a diverse set of denial of service exploits against the various supported protocols. For example, the FTP and POP3 "USER" commands, as well as the SMTP "HELO" command, all contain unchecked buffers that can be overrun by sending 370 or more characters as the parameter string for the commands. In addition, the SOCKS4 "CONNECT" command buffer will overflow with a parameter of 1800 characters or more. It is recommended to upgrade to version 4.05.

System: Microsoft Windows 2000
Topic: Denial-of-Service by EFS: NTShop
If the autoexec.bat file on a Windows 2000 NTFS system volume is encrypted, users will not be able to log on to that system locally. In addition, remote resource access will fail, regardless of user authority. The problem is that once autoexec.bat has been encrypted with the Encrypting File System (EFS), it can only be decrypted by accessing the certificate of the user who encrypted the file. Since autoexec.bat is encrypted it cannot be read, and thus the normal logon process cannot succeed. Workarounds are pointed out in the advisory and in Microsoft's Knowledge Base (Q229716, Q185590). Microsoft is working on a patch.

A remote denial of service vulnerability has been discovered in the Telnet Server that ships with all versions of Microsoft Windows 2000. The denial of service can occur when a malicious client sends a particular malformed string to the server. To return to normal operation the Telnet Server has to be restarted. A patch is available.

System: SCO OpenServer
Topic: Vulnerabilities in ftpd, libX11 and libXt: SB-00.14, SB-00.15 (b)
The security problems pointed out in CA-2000-13 affect SCO OpenServer up to version 5.0.5. They are corrected in version 5.0.6. In the two libraries /usr/lib/libX11 and /usr/lib/libXt another security problem was found. When the environment variable "HOME" of the OpenServer is set to a large string greater than 2K, memory corruption occurs, which results in incorrect results or segmentation violation errors. A patch (ltr) is available.

System: iKey 1000
Topic: Security risk by free access to private data: l0pht
Rainbow Technologies' iKey 1000 is a portable USB (Universal Serial Bus) smartcard-like device providing authentication and digital storage of passwords, cryptographic keys, credentials, or other data. An attack to compromise this device requires physical access to its circuit board, which can be gained in under 30 seconds with no special tools and leaving no proof of attack. Further information is pointed out in the advisory.

System: Microsoft Windows 95, 98, NT, 2000
Topic: Vulnerability in NetZero Password Encryption Algorithm: l0pht
L0pht reports on passwords and the possibility of storing them on a local machine. These mechanisms are not always safe: passwords can be easily decrypted by exploiting NetZero's (V3.0 and earlier) encryption algorithm. A detailed description is pointed out in the advisory.

Caldera Systems, Inc. reports security problems within gpm (General Purpose Mouse support daemon). They allow removal of system files and also exhibit a local denial of service attack. Affected systems are OpenLinux Desktop 2.3, OpenLinux eServer 2.3, OpenLinux eBuilder and OpenLinux eDesktop 2.4. Upgrades are available now. Caldera OpenLinux, eServer and eDesktop do not ship with rpc.statd, and hence are not affected by the rpc.statd problem.

System: Microsoft SQL Server 7.0
Topic: Vulnerability by DTS Password: MS00-41, K-059
This vulnerability was reported last month. Now it has become clear that the Enterprise Manager is affected, too. Patches are available for Intel and Alpha.

By design, HTML E-Mail can contain script, and among the actions such a script can take is to open a browser window that links back to the Outlook Express window. Also by design, script in the browser window could read the HTML E-Mail that is displayed in Outlook Express. A vulnerability results because the link could be made persistent. This could allow the browser window to retrieve the text of mails subsequently displayed in the preview pane and relay it to the malicious user. Outlook Express 5.5 is not vulnerable.
By design, an HTML E-Mail that creates a file on the recipient's computer should only be able to create it in the so-called cache. Files in the cache, when opened, do so in the Internet Zone. A vulnerability would allow an HTML mail to bypass the cache mechanism and create a file in a known location on the recipient's disk. If an HTML mail created an HTML file outside the cache, it would run in the Local Computer Zone when opened. This could allow it to open a file on the user's computer and send it to a malicious user's web site. The vulnerability could also be used as a way of placing an executable file on the user's machine, which the malicious user would then seek to launch via some other means. This vulnerability can be found in Outlook Express and Outlook 97, 98, and 2000. A patch is available. The vulnerability can also be avoided by installing IE 5.01 SP1 or (except on Windows 2000) by upgrading to IE 5.5.

The ftpd shipped in the netstd package in Debian 2.1 (slink) is vulnerable to the widely discussed "setproctitle bug". The ftpd in the not-yet-released Debian 2.2 (potato) is also vulnerable. It is recommended to upgrade the ftpd immediately.
The version of nfs-common distributed in the not-yet-released Debian GNU/Linux 2.2 (potato), as well as in the unstable (woody) distribution, is vulnerable to a remote root compromise. In Debian 2.1 (slink) rpc.statd is not implemented.
The versions of cvsweb distributed in Debian GNU/Linux 2.1 (slink) as well as in the frozen (potato) and unstable (woody) distributions are vulnerable to a remote shell exploit. An attacker with write access to the cvs repository can execute arbitrary code on the server as the www-data user. Patches to fix these problems are available now.

A component shared by Outlook and Outlook Express contains an unchecked buffer in the functionality that parses E-Mail headers when downloading mail via either POP3 or IMAP4. By sending an E-Mail that overruns the buffer, a malicious user could cause either of two effects when the mail was downloaded by an affected E-Mail client:
- If the affected field were filled with random data, the E-Mail client could be made to crash.
- If the affected field were filled with carefully crafted data, the E-Mail client could be made to run code of the attacker's choice.
Systems with Internet Explorer 5.01 Service Pack 1, or with Internet Explorer 5.5 on any system other than Windows 2000, are not affected. So it is recommended to upgrade to IE 5.01 SP1, or to IE 5.5 for all systems other than Windows 2000.

System: SCO OpenServer
Topic: Vulnerability in userOsa: SB-00.13
A security vulnerability in the implementation of userOsa in SCO OpenServer 5.0.x has been identified which could allow unprivileged users to overwrite files with group auth permissions. A patch (ltr) is available now.

System: L-Soft LISTSERV
Topic: Vulnerability in LISTSERV web archive: L-Soft, ERS-2000.161
The web archive component distributed with L-Soft LISTSERV provides administration services for mailing lists as well as giving users the ability to subscribe, post and search the list over the web. By sending a long QUERY_STRING to wa or wa.exe it is possible to overwrite the stack with user defined data, allowing the execution of arbitrary code on the remote host. A workaround is pointed out in the advisory.

The rpc.statd daemon in the nfs-utils package shipped in Red Hat Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote root break-in. Updated pam packages are available for Red Hat Linux 6.x. These packages fix a bug that would potentially allow remote users to access console devices and shut down the workstation if the workstation is running a display manager (xdm, gdm, kdm, etc.) with XDMCP enabled. It is recommended to install the corresponding packages:
Red Hat Linux 6.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/i386/pam-0.72-20.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/pam-0.72-20.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/pam-0.72-20.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/nfs-utils-0.1.9.1-1.src.rpm
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/pam-0.72-20.src.rpm

System: SuSE Linux
Topic: Vulnerability in nkitb/ftpd: SUSE-057
The standard ftp server of SuSE Linux 6.1 - 6.4 passes untrusted data directly and untested from a DNS server to the setproctitle() function. So it may be possible for an attacker to modify DNS records to execute arbitrary machine code as root while connecting to the ftp daemon. It is recommended to install patches from SuSE's Webpage for Patches.

System: SGI IRIX
Topic: NO input vulnerabilities in ftpd: SGI20000701
There are two vulnerabilities in many ftpd implementations, also mentioned in CA-2000-13. SGI points out that their systems are NOT vulnerable.

Two vulnerabilities were found in Internet Information Server 4.0 and 5.0.
The "Absent Directory Browser Argument" vulnerability is caused by an administrative script installed as part of IIS 3.0 but preserved on upgrade to IIS 4.0 or IIS 5.0. This script does not correctly handle the case where an expected argument is missing. The absence of the argument causes the script to go into an infinite loop, at which point it consumes all CPU resources on the server. In addition, the permissions on this tool and several related ones are inappropriate under IIS 4.0 and 5.0. This could allow web site visitors to use these tools, which provide the ability to view the directory structure on the server.
A new variant of the "File Fragment Reading via .HTR" vulnerability was found. This new vulnerability differs only in the specific way that it may be exploited; like the original version, its effect is that fragments of .ASP and other files could potentially be retrieved from the server. Microsoft has published a patch for IIS 4.0 and IIS 5.0.

Two vulnerabilities have been discovered, one affecting Microsoft Office 2000 and PowerPoint 97, and the other Internet Explorer 4.01 SP2 and higher. The Office HTML Script vulnerability allows malicious script code on a web page to reference an Excel 2000 or PowerPoint file in such a way as to cause a remotely hosted file to be saved to a visiting user's hard drive. The IE Script vulnerability can allow malicious script code on a web page to reference a remotely hosted Microsoft Access file. The Microsoft Access file can in turn cause VBA macro code in the file to be executed. Microsoft has published patches for Excel 2000, PowerPoint 2000 and PowerPoint 97.

System: HP-UX
Topic: Security holes in ftpd: HP Security Bulletin #00117, ERS-2000.156
Two holes in ftpd, also mentioned in CA-2000-13, are present in HP-UX 10.20 and 11.00. Hewlett Packard has published a temporary solution. Binaries for 10.20 and 11.00 can be downloaded now.

System: Microsoft Excel 2000
Topic: Security hole allows External Code Execution: NTShop
As Georgi Guninski found out, there is a new hole in Excel 2000 and possibly other versions. Excel can be made to execute code upon opening an Excel Workbook file. The problem is in the Register.ID function, which is used to call functions that reside in external DLLs. A patch is not available yet; a demonstration is available at Georgi Guninski's Web site.

System: many Linux distributions
Topic: Vulnerability in makewhatis: ISS-056
Quite a few Linux distributions are vulnerable to a hole in makewhatis, part of the man package. Exploiting this hole, local users may gain root privileges. ISS gives an overview of the systems that are vulnerable.

System: many
Topic: DoS in WFTPD and WFTPD Professional: NTShop
A denial of service condition can be launched against WFTPD/WFTPD Pro 2.41 RC10 and all previous versions by sending commands out of sequence. If the RNTO command is issued before a RNFR command, the service crashes. It is recommended to upgrade to version 2.41 RC11 or later.

System: NAI Netshield and VirusScan
Topic: Security risk by AutoUpgrade: NTShop
The default directory and registry permissions for objects used by Netshield 4.5 and VirusScan 4.5 do not protect against unauthorized manipulation. Because of the loose security settings, the AutoUpdate feature may be exploited to execute code on the operating system. NAI recommends tightening the permissions as described in the Administrator's Guide.

System: SuSE Linux
Topic: Vulnerabilities in tnef and dhclient: SUSE-055, SUSE-056
tnef (< 0-124) extracts E-Mails compressed with MS Outlook. The compressed file includes the path name to which the decompressed data should be written. By sending an E-Mail to root specifying a path name like /etc/passwd, an attacker could gain remote root access to a system by overwriting the local password database. This problem concerns SuSE Linux 6.3 and 6.4 only.
The client side program of the ISC DHCP package, dhclient (< 2.0), does not quote server messages before passing them to /sbin/dhclient-script. This script is executed with root privileges, so dhclient may be tricked by a rogue DHCP server into executing commands as user root. This leads to a remote root compromise of the system using dhclient. It is strongly recommended to install patches from SuSE's Webpage for Patches.

System: WircSrv
Topic: Vulnerability against Denial-of-Service: NTShop
The WircSrv IRC Server 5.07s contains an unchecked buffer that could lead to denial of service attacks against the service. By sending a command string that is approximately 65000 characters in length, a buffer will overflow and crash the service. A patch is not available yet.

When the Cisco Secure PIX Firewall receives a TCP Reset (RST) packet, it evaluates that packet based on data contained in the TCP packet header: source IP address, source port, destination IP address, and destination port. If these four values match an entry in the stateful inspection table, the associated connection will be reset. If an attacker knows details about the connection, he may reset it. A workaround is not available. In the advisory Cisco recommends upgrading to a current version.

The DHCP client program, dhclient(8), does not correctly handle DHCP options it receives in DHCP response messages, possibly permitting a rogue DHCP server to send maliciously formed options which may result in a remote root compromise. An improper use of the setproctitle() library function by ftpd may allow a remote attacker's FTP client to subvert an FTP server, including possibly gaining remote access to a system. Wu-ftpd versions prior to 2.6.1 contain known security holes which may allow unauthorized remote users to gain root access. Patches are available now.

Caldera Systems reports a problem in the way the makewhatis script, which is run daily to rebuild the database used by the whatis(1) command, handles temporary files. This can be exploited by local users to corrupt arbitrary files on the system. The IRC client irc-BX (otherwise known as B*tchX) will accept bogus data from other IRC users that causes it to crash, and possibly even to execute malicious code. An exploit has been published that results in a crash of the IRC client. Patches are available now.

System: Blackboard
Topic: Vulnerability in CourseInfo: NTShop
During the installation process, Blackboard CourseInfo 4.0 requires that the user create an administrative account used to access and configure the CourseInfo software. The user name and password are stored in a registry key that is left unprotected from access by unauthorized users. Furthermore, the password is stored in clear text, making abuse all the more likely. The registry key should be protected; a patch is not available yet.

System: TurboLinux
Topic: Security risk in kernel: TLSA2000013
Originally this security bug was reported by Sendmail. An unsafe fgets() usage in sendmail's mail.local exposes the setuid() security hole in Linux kernel 2.2.15 and earlier. This vulnerability allows local users to obtain root privileges by exploiting setuid root applications. For TurboLinux a patch is available.

Execute permission checks on stored procedures may be bypassed when a stored procedure is referenced from a temporary stored procedure. This omission would allow a malicious user to run a stored procedure that, by design, he should not be able to access. Microsoft has published fixes for Intel and Alpha platforms.

In the last month 77 (!) new vulnerabilities were found:

System: LocalWEB HTTP Server
Topic: Vulnerability in LocalWEB HTTP Server: NTShop
An unchecked buffer exists in the LocalWEB 1.2.0 software's GET command processing code. By sending the server a GET command with a URL of approximately 10,000 characters the service will crash. A corrected version has not been published yet.

OpenSSH is an implementation of the SSH secure shell protocols for providing encrypted and authenticated network access. If the sshd configuration has been modified to enable the 'UseLogin' directive, then remote users with SSH access to the local machine can execute arbitrary commands as root. A workaround to avoid this problem is pointed out in the advisory.

System: Microsoft FrontPage 2000 Server Extensions
Topic: Vulnerability for DoS and Path Exposure: NTShop
FrontPage server extensions 1.0 will expose critical path information when errors occur while accessing certain DLL files related to the extensions. For example, accessing an invalid file through "_vti_bin/shtml.dll" will reveal path information. In addition, if numerous connections are established to the shtml.dll file, the server can be made to utilize 100% of its available CPU cycles. These problems will be fixed in version 1.2.

System: WebBBS
Topic: Several Buffer Overruns found: NTShop
In WebBBS 1.17 two unchecked buffer conditions exist, in the search function and in the new user signup function. By using an overly long search string it is possible to cause a denial of service attack against a remote server. In addition, by sending a user name of 896 bytes (user name + EIP pointer) a buffer overrun will occur, thereby allowing an intruder to run code on the remote system. A patch is not available yet.

System: FreeBSD
Topic: Vulnerabilities in libedit, popper, XFree86-4, majordomo, wu-ftpd, openssh, Canna, and bitchx found: FreeBSD, ESB-2000.159, ESB-2000.160, ESB-2000.161, ESB-2000.162, ESB-2000.163, ESB-2000.165, ESB-2000.166
Security holes were found in the programs and packages listed above. It is strongly recommended to update the system.

System: Red Hat Linux
Topic: Vulnerabilities in imwheel, man/makewhatis, and bitchX: RHSA-2000:016, RHSA-2000:041, RHSA-2000:042, ERS-2000.148, ERS-2000.149, ERS-2000.150, ESB-2000.167, ESB-2000.158, ESB-2000.157
Multiple local vulnerabilities were found in imwheel. It is recommended to remove this package. The makewhatis portion of the man package is insecure in its use of files in /tmp, so it is possible for local users to modify files that they normally could not and gain elevated privileges. A denial of service vulnerability exists in BitchX. It is recommended to install the relevant packages:
Red Hat Linux 5.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/5.2/i386/man-1.5h1-2.5.x.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/5.2/alpha/man-1.5h1-2.5.x.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/5.2/sparc/man-1.5h1-2.5.x.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/5.2/SRPMS/man-1.5h1-2.5.x.src.rpm
Red Hat Linux 6.2:
Intel:
rpm -Fvh ftp://updates.redhat.com/6.2/i386/man-1.5h1-2.6.x.i386.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/i386/BitchX-1.0c16-1.i386.rpm
Alpha:
rpm -Fvh ftp://updates.redhat.com/6.2/alpha/man-1.5h1-2.6.x.alpha.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/alpha/BitchX-1.0c16-1.alpha.rpm
Sparc:
rpm -Fvh ftp://updates.redhat.com/6.2/sparc/man-1.5h1-2.6.x.sparc.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/sparc/BitchX-1.0c16-1.sparc.rpm
Sources:
rpm -Fvh ftp://updates.redhat.com/6.2/SRPMS/man-1.5h1-2.6.x.src.rpm
rpm -Fvh ftp://updates.redhat.com/powertools/6.2/SRPMS/BitchX-1.0c16-1.src.rpm

System: HP-UX
Topic: Vulnerability in TurboIMAGE DBUTIL: HP Security Bulletin #00007, ERS-2000.147
On HP3000 systems running MPE/iX release 4.5 and newer, users with ordinary database privileges can gain additional privileges under a specific setup. Patches are not available yet, but it is recommended to secure DBUTIL.PUB.SYS and the database schemas with a lockword.

System: Microsoft Windows 2000
Topic: New risk for Denial-of-Service: NTShop, NTShop
By sending a stream of binary zeros to any of several ports on a Windows 2000 machine, the system will consume 100% of available CPU cycles. Affected ports include TCP ports 7, 9, 21, 23, 7778 and UDP ports 53, 67, 68, 135, 137, 500, 1812, 1813, 2535, 3456. Testing this problem is possible, e.g., with netcat and /dev/zero as input. Microsoft is working on a patch.

System: Sybergen
Topic: Vulnerabilities in Sygate and Secure Desktop: NTShop, NTShop
Sybergen Sygate 3.11 and 2.0 are vulnerable to a Denial-of-Service attack from internal users. It starts when a user sends a UDP datagram containing invalid data to port 53 on the Sygate server. No patch is available, but a demonstration is shown in the advisory.
Sybergen Secure Desktop 2.1 does not protect against false router advertisements, which may allow attackers to add routes at will. In addition, if the route table contains numerous false entries and a user clears them, the firewall will silently crash, requiring a reboot to restart the firewall. A patch is not available yet.

System: Debian Linux
Topic: Vulnerability in canna: Debian200702
The canna package as distributed in Debian GNU/Linux 2.1 can be remotely exploited to gain access. This could be done by overflowing a buffer by sending a SR_INIT command with a very long username or groupname. It is recommended to install version 3.5b2-24slink1. Links to get it are shown in the advisory.

The wu-ftpd program provides file transfer protocol (FTP) services. Due to insufficient checking in the formatting of the "site exec" command, it is possible to coerce the wu-ftpd daemon to execute arbitrary code, so any command may be executed by "guests" as user root. A separate vulnerability involving a missing character-formatting argument in setproctitle(), a call which sets the string used to display process identifier information, is also present in the mentioned ftpd. Which systems are vulnerable is pointed out in the AusCERT advisory and the US-CERT advisory.
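The setproctitle() defect named here and in the Debian, SuSE and FreeBSD ftpd entries above is one pattern: a string assembled from untrusted input (a host name from DNS, an FTP command argument) is handed over where a format string belongs. The added example below is not code from any of the advisories or from wu-ftpd; it uses a local stand-in for setproctitle() and shows the defective call next to the corrected one. The constructed input contains only "%%", because letting the formatter interpret any other directive from data is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Title buffer standing in for the storage that setproctitle() writes to. */
static char proc_title[128];

/* Stand-in for setproctitle(): printf-style formatting into proc_title. */
static void set_title_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof proc_title, fmt, ap);
    va_end(ap);
}

/* Defective pattern (the bug class in the advisories): a string containing
 * untrusted input is first assembled and then passed as the FORMAT argument,
 * so every '%' directive inside `untrusted` is interpreted by the formatter. */
void set_title_unsafe(const char *untrusted)
{
    char buf[128];
    snprintf(buf, sizeof buf, "ftpd: %s", untrusted);
    set_title_fmt(buf);                     /* buf is treated as a format string */
}

/* Corrected pattern: the format is a literal, untrusted data is an argument. */
void set_title_safe(const char *untrusted)
{
    set_title_fmt("ftpd: %s", untrusted);   /* '%' in the data stays data */
}

/* Current title, for inspection. */
const char *get_title(void)
{
    return proc_title;
}

/* Returns 1 if the title holds `input` byte-for-byte after the "ftpd: "
 * prefix, i.e. the input was not reinterpreted; 0 otherwise. */
int title_preserves(const char *input)
{
    const char *prefix = "ftpd: ";
    if (strncmp(proc_title, prefix, strlen(prefix)) != 0)
        return 0;
    return strcmp(proc_title + strlen(prefix), input) == 0;
}
```

In a code review, the defective shape to look for is any formatting call whose format argument is a variable rather than a literal; compilers flag it with -Wformat-security when the callee is declared as a format function.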