



September 1999, last change: 01/04/00

Cron sends mail as root without checking the parameters passed to sendmail on the
command line. This can lead to a root compromise. A buffer overflow in the inews program
as provided by the INN news server is reported. This program is used by local clients to
inject news articles into the server. In order to be able to connect to the news server
through a Unix domain socket it needs to run setgid "news". By exploiting this bug local
users can gain "news" privileges. After that they are able to modify the configuration of
the INN server as well as destroy news databases and files.
It's recommended to install the patches as pointed out in the advisories.

In all versions of NT 4.0 (TS included) the security descriptor that
secures the Remote Access Connection Manager, RASMAN.EXE, contains an inappropriate ACE in
its DACL and would allow an unprivileged user to levy requests on it via the Service
Control Manager. Among the actions that could be requested is to change the location and
name of the executable code for the service. By doing so, a malicious user with a valid
user-ID and password could substitute arbitrary code for the legitimate service, which
then would run in a System Context.
It's recommended to install a hotfix published by Microsoft.

A buffer overflow vulnerability has been found in the AIX 4.3.x ftpd daemon that allows
remote attackers to gain root access. Example exploit code has been publicly released.
It's recommended to install a temporary fix as soon as possible.

Internet Explorer 5 includes a feature called "download behavior" that allows web page
authors to download files for use in client-side script. By design, a web site should only
be able to download files that reside in its own domain. A server-side redirect can be used
to bypass this restriction, thereby enabling a malicious web site operator to read files on
the user's machine or on the user's local intranet.
As an immediate measure, customers can prevent the download behavior function from
operating by disabling Active Scripting, or they can install the patch published by
Microsoft (US version).

The mars_nwe tools are vulnerable to several buffer overflows, so an attacker might gain
root access to the system. Patches are available for Intel-SuSE 5.3, 6.1, and 6.2; SuSE 6.1
on Alpha is also supported.
The /usr/bin/sccw tool can be used to read any file on the system, so an attacker can read
e.g. the /etc/shadow file or private e-mail. It's recommended to update Intel-SuSE 6.2.
The /usr/bin/pg and /usr/bin/pb tools can be used to read any file on the system, so an
attacker can read e.g. the /etc/shadow file or private e-mail. It's recommended to update
Intel-SuSE 6.2.

ISS reports 22 new vulnerabilities:
- http-powerdynamo-dotdotslash
- inn-inews-bo (RedHat, SUSE, Caldera)
- amd-bo (RedHat, Caldera)
- wu-ftpd-dir-name
- nt-sequence-prediction-sp4
- ibm-gina-group-add
- linux-pt-chown
- oracle-dbsnmp
- oracle-dbsnmp-trace
- jet-text-isam
- jet-vba-shell
- lotus-ldap-bo
- smtp-refuser-tmp
- ciscosecure-read-write
- linux-telnetd-term (RedHat, Caldera)
- qms-2060-no-root-password
- trn-symlinks (Debian, SUSE)
- aix-pdnsd-bo
- bsdi-smp-dos
- linux-termcap-tgetent
- suse-identd-dos
- win-ie5-telnet-heap-overflow
Further information can be found on the ISS server.

Ttsession uses a weak RPC authentication mechanism, so local and remote users may execute
arbitrary programs with the privileges ttsession is running with. It's recommended to
install the applicable patch:

| System                              | Patch             |
|-------------------------------------|-------------------|
| HP-9000 Series 700/800, HP-UX 10.10 | not available yet |
| HP-9000 Series 700/800, HP-UX 10.20 | PHSS_19747        |
| HP-9000 Series 700/800, HP-UX 10.24 | not available yet |
| HP-9000 Series 700/800, HP-UX 11.00 | PHSS_19748        |

IIS 4.0 provides the ability to restrict access to a web site based on the user's domain.
However, if IIS cannot resolve a user's IP address to a domain, it will grant the user's
first request for a session; it will correctly deny them thereafter. A user who accesses an
FTP site via a browser will therefore be able to download files even if they are marked No
Access. This vulnerability was introduced in hotfixes released after Windows NT 4.0 Service
Pack 5; it does not exist in SP5 or in previous versions.
It's recommended to install the (US) patch published by Microsoft.

Windows NT 4.0 Service Pack 5 introduced the ability to disable source routing on a
multi-homed Windows NT machine that acts as a router. However, even if source routing is
disabled, it is possible to bypass it by including a specific type of incorrect information
in the route pointer of the data packet. Windows 95 and 98 also provide this capability and
are affected by the same vulnerability. Patches for Windows 9x and NT 4.0 TSE will be
published soon. A hotfix for the US version of NT Workstation and Server is available.

Systems running amd, the Berkeley Automounter Daemon, are at risk: remote intruders can
execute arbitrary code as the user running the amd daemon (usually root). Further
information about affected systems and the availability of patches is given in the
advisory.

System: FreeBSD
Topic: Vulnerabilities in ftpd, kernel, and fts: FreeBSD03, FreeBSD04, FreeBSD05,
ERS-1999.140, ERS-1999.141, ERS-1999.142, ERS-1999.143, J-067, J-068, S-99-37
Wuftpd, beroftpd and proftpd are all optional portions of the system designed to replace
the stock ftpd on a FreeBSD system. There are different security problems which can lead to
remote root access in these ports or packages. The standard ftp daemon which ships with
FreeBSD is not affected by any of these problems.
As a diagnostic aid to help programmers find bugs in their programs, the system creates
core files when an illegal instruction or other fatal error happens. A flaw in the kernel
allowed it to follow symbolic links when creating core files. A workaround is described in
the corresponding advisory; a patch is available.
In the fts library functions three problems were found, giving an attacker the possibility
to create or overwrite arbitrary files on the system and to gain administrative rights on
the machine. A patch has been published.
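The core-file flaw above is an instance of a general rule: a privileged writer must not follow a link planted at a predictable name. The following added example (not from the FreeBSD advisory or its patch) reproduces the pattern in user-space Python: a symlink named `core` pointing at an unrelated file redirects a naive writer, while a writer using O_EXCL|O_NOFOLLOW refuses. Directory, file names and contents are constructed.

```python
import errno
import os
import tempfile

ORIGINAL = b"original contents\n"   # constructed content of the victim file


def naive_core_dump(path, data):
    """Mirror of the flawed behaviour: open() with O_CREAT|O_TRUNC follows a
    symbolic link at `path`, so the bytes land wherever the link points."""
    with open(path, "wb") as f:
        f.write(data)


def safe_core_dump(path, data):
    """Hardened form: O_NOFOLLOW refuses to traverse a link and O_EXCL refuses
    an existing name, so a pre-planted link cannot redirect the write."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo():
    """Plant a link named 'core' pointing at an unrelated file, run both
    writers against it and report what happened to that file."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.conf")
        with open(victim, "wb") as f:
            f.write(ORIGINAL)
        link = os.path.join(d, "core")
        os.symlink(victim, link)           # the name the dumper will use

        naive_core_dump(link, b"register dump\n")
        with open(victim, "rb") as f:
            after_naive = f.read()

        try:
            safe_core_dump(link, b"register dump\n")
            refused = None
        except OSError as e:
            refused = errno.errorcode.get(e.errno, str(e.errno))
        with open(victim, "rb") as f:
            after_safe = f.read()

    return {
        "clobbered_by_naive": after_naive != ORIGINAL,    # True: link was followed
        "safe_refused": refused is not None,              # True (EEXIST on Linux)
        "safe_errno": refused,
        "victim_untouched_by_safe": after_safe == after_naive,
    }
```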

The pine package published in June had a malfunction in IMAP. Patches are now available
for Intel-SUSE 5.3, 6.1, and 6.2; further patches are available here.
A vulnerability was found in proftpd: remote users can get root access to the machine. SUSE
is working on a patch. Until then it's strongly recommended to deinstall proftpd or to use
the anon-ftpd from Bernstein (read only).
In lynx-2.8.2 it was found that remote users can modify files and execute arbitrary
commands on the local machine, so it's strongly recommended to install the patches for
Intel-SUSE 5.3, 6.1, and 6.2.

Buffer overflows are present in the mars_nwe package. Since the code that contains these
overflows is run as root, a local root compromise is possible if users create carefully
designed directories and/or bindery objects. It's recommended to install a patch:
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/mars-nwe-0.99pl17-0.4.2.i386.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/mars-nwe-0.99pl17-0.4.2.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/mars-nwe-0.99pl17-0.5.2.i386.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/mars-nwe-0.99pl17-0.5.2.src.rpm
Red Hat Linux 6.0:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.0/i386/mars-nwe-0.99pl17-4.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/mars-nwe-0.99pl17-4.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/mars-nwe-0.99pl17-4.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/mars-nwe-0.99pl17-4.src.rpm

Multiple vulnerabilities have been identified in some distributions of the Common Desktop
Environment (CDE). These are:
- ToolTalk ttsession uses weak RPC authentication mechanism
- CDE dtspcd relies on file-system based authentication
- CDE dtaction buffer overflow
- CDE ToolTalk shared library buffer overflow in TT_SESSION
How to avoid the mentioned security problems and which systems/vendors are affected is
pointed out in the advisory.

Microsoft Internet Explorer 5 includes a feature that allows users to export a list of
their favorite web sites to a file, or to import a file containing a list of favorite sites.
The method that is used to perform this function, ImportExportFavorites(), should only allow
particular types of files to be written, and only to specific locations on the drive.
However, it is possible for a web site to invoke this method, bypass this restriction and
write files that could be used to execute system commands. The net result is that a
malicious web site operator potentially could take any action on the computer that the
user would be capable of taking. The vulnerability can be prevented by disabling Active
Scripting. How to do this is described here.

When an unattended installation of Windows NT 4.0 completes, a copy of the file
Unattend.txt that contains the installation parameters remains on the hard drive in
system32. Depending on the method that was used to perform the installation and the
specific installation parameters that were selected, the file could contain sensitive
information, potentially including the local Administrator password. In any case this file
should be deleted after completing the installation.

System: Microsoft Site Server and MCIS
Topic: Vulnerability caused by Set Cookie Header Caching: MS99.035, ERS-1999.134
When certain versions of Site Server or Microsoft Commercial Internet System (MCIS) send a
web page that contains a Set-Cookie header, they do not flag the page with an expiration
header. As a result, such pages may be cached by a web proxy. Multiple users accessing the
same site via a web proxy might be served the same page, containing the same Set-Cookie
header. If the cookie information includes a GUID that is used as an index for the server's
database, one user's personal data might be viewable by the others. Browser users who do
not need cookies should turn them off. For server administrators it's recommended to
install the hotfix published by Microsoft.
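A header check for the caching problem just described, as an added example that is not from the bulletin or from Microsoft: it parses a raw HTTP response and reports Set-Cookie responses that lack the directives a shared proxy needs in order not to cache them. The sample responses, cookie name and value are constructed.

```python
# Constructed responses in the shape a proxy sees them; cookie name and value
# are made up. VULNERABLE has the described defect: a Set-Cookie header and no
# caching directive of any kind. EXPIRES_ONLY and FIXED add the missing headers.
VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SITE_GUID=0123456789ABCDEF; path=/\r\n"
    "\r\n<html>...</html>"
)
EXPIRES_ONLY = VULNERABLE.replace(
    "\r\n\r\n", "\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\n\r\n", 1)
FIXED = EXPIRES_ONLY.replace(
    "\r\n\r\n", "\r\nCache-Control: private, no-cache\r\n\r\n", 1)


def parse_headers(raw):
    """Return (name_lower, value) pairs from a raw HTTP response, status line excluded."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def shared_cache_findings(raw):
    """Findings for a response that a shared proxy might cache together with its
    Set-Cookie header. Empty list: no cookie set, or caching is prevented."""
    headers = parse_headers(raw)
    if not any(n == "set-cookie" for n, _ in headers):
        return []
    directives = set()
    for n, v in headers:
        if n == "cache-control":
            directives.update(d.strip().lower() for d in v.split(","))
    findings = []
    # HTTP/1.1 proxies need an explicit directive to keep the page out of a shared cache.
    if not directives & {"private", "no-store", "no-cache"}:
        findings.append("Set-Cookie without Cache-Control: private/no-store/no-cache")
    # HTTP/1.0 proxies only honour Expires, which is exactly the header the
    # affected servers omitted.
    has_expiry = any(n == "expires" for n, _ in headers) or any(
        d.startswith(("max-age=", "s-maxage=")) for d in directives)
    if not has_expiry:
        findings.append("Set-Cookie without Expires (or max-age) header")
    return findings
```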

In libc, the LC_MESSAGES environment variable affects the behavior of messaging functions.
A vulnerability exists where a buffer overflow could be exploited to gain root access. The
patches listed in this bulletin address both libc and the ufsrestore and rcp binaries,
which are statically linked against libc. It's recommended to install the corresponding
patches:

| System                                        | Patch-ID                         |
|-----------------------------------------------|----------------------------------|
| SunOS 5.7, 5.7 ufsrestore, 5.7 rcp             | 106541-07, 106793-03, 107972-01  |
| SunOS 5.7_x86, 5.7_x86 ufsrestore, 5.7_x86 rcp | 106542-07, 106794-03, 107973-01  |
| SunOS 5.6, 5.6 ufsrestore, 5.6 rcp             | 105210-24, 105722-03, 107991-01  |
| SunOS 5.6_x86, 5.6_x86 ufsrestore, 5.6_x86 rcp | 105211-22, 105723-03, 107992-01  |

BSD 4.4 added various flags to files in the file system. A user can set these flags and the
mode on the device they logged in on. Since a bug in login and other similar programs
causes the normal chown to fail, this first user will own the terminal of any later login.
Local users can thus execute a man-in-the-middle attack against any other user (including
root) when that user logs in.
It's recommended to modify the source code as described in the advisory.

Due to security problems in these programs/packages, an update should be installed, as
pointed out in the advisories.

System: Windows 9x and NT (all versions)
Topic: Vulnerability caused by Fragmented IGMP Packet: MS99.034, ERS-1999.129
By sending fragmented IGMP packets to a Windows 9x or Windows NT 4.0 machine, it is
possible to disrupt the normal operation of the machine. This vulnerability primarily
affects Windows 9x machines. Depending on a variety of factors, sending such packets to a
Windows 9x machine may elicit behavior ranging from slow performance to crashing. Windows
NT contains the same vulnerability, but other system mechanisms compensate and make it much
more difficult to mount a successful attack.
It's recommended to install the corresponding patch for Windows 95, Windows 98, Windows NT
(Workstation 4.0, Server 4.0, Server Enterprise Edition), and Windows NT Server 4.0,
Terminal Server Edition.

The Telnet client that ships as part of Windows 95 and 98 has an unchecked buffer. A
specially malformed argument could be passed to the client via a web page in order to cause
arbitrary code to execute on the computer via a classic buffer overrun technique. It's
recommended to install the hotfix for Windows 95 and Windows 98 (also Second Edition).

Since the last summary in May 1999 the following trends were observed:
1. Many RPC vulnerabilities:
Such exploitation can lead to root compromise on systems that implement these RPC
services. The vulnerable services are rpc.cmsd, statd, automountd, and ttdbserverd.
2. Virus and Trojan horse activity:
It is important to take great caution with any email or Usenet attachments that contain
executable content.
3. Continued widespread scans.

New packages for all Red Hat Linux platforms. They should be installed for security
reasons. The latest version of XFree86 can be obtained here.
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/inn-2.2.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/inn-2.2.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/inn-2.2.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/inn-2.2.1-1.src.rpm
Red Hat Linux 5.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/inn-2.2.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/inn-2.2.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/inn-2.2.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/inn-2.2.1-1.src.rpm
Red Hat Linux 6.0:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.0/i386/am-utils-6.0.1s11-1.6.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/i386/proftpd-1.2.0pre3-6.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/inn-2.2.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/am-utils-6.0.1s11-1.6.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/alpha/proftpd-1.2.0pre3-6.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/inn-2.2.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/am-utils-6.0.1s11-1.6.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/sparc/proftpd-1.2.0pre3-6.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/inn-2.2.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/am-utils-6.0.1s11-1.6.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/powertools/6.0/SRPMS/proftpd-1.2.0pre3-6.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/inn-2.2.1-1.src.rpm

There is a new form of denial of service attack based on exploiting the difference in size
between a Domain Name System (DNS) query and a DNS response, and the willingness of DNS
servers to answer queries from any source. Any platform connected to the Internet may be the
target of the denial of service. Service is denied by occupying all link bandwidth with
responses to bogus DNS queries and with the ICMP port unreachable messages those responses
may in turn provoke. DNS servers should be set up securely; how to do this is pointed out
in the advisory.
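A victim-side check for the pattern described above, as an added example that is not taken from the advisory: it correlates the DNS responses each local host receives with the queries that host actually sent, and flags hosts receiving far more answer bytes than they asked for from servers they never queried. The flow records are constructed and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Constructed UDP flow records as a border sensor might export them:
# (direction, local_host, remote_host, remote_port, payload_bytes).
# "out" = a DNS query our host sent, "in" = a UDP packet it received.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", "198.51.100.53", 53, 45),    # normal lookup ...
    ("in",  "192.0.2.10", "198.51.100.53", 53, 170),   # ... and its answer
    ("out", "192.0.2.11", "198.51.100.53", 53, 48),
    ("in",  "192.0.2.11", "198.51.100.53", 53, 210),
    # Answers from servers 192.0.2.10 never queried: someone else sent queries
    # carrying 192.0.2.10 as source address, and the replies land here.
    ("in",  "192.0.2.10", "203.0.113.5", 53, 512),
    ("in",  "192.0.2.10", "203.0.113.6", 53, 498),
    ("in",  "192.0.2.10", "203.0.113.7", 53, 507),
    ("in",  "192.0.2.10", "203.0.113.8", 53, 480),
    ("in",  "192.0.2.10", "203.0.113.5", 53, 512),
]


def analyse_dns_flows(flows, min_ratio=5.0, min_servers=3):
    """Per local host, compare bytes of DNS responses received against bytes of
    queries sent, and count responding servers that were never queried.
    Returns {local_host: {"ratio", "unsolicited_servers", "suspect"}}."""
    queried = defaultdict(set)      # local_host -> servers it really asked
    responders = defaultdict(set)   # local_host -> servers that answered it
    out_bytes = defaultdict(int)
    in_bytes = defaultdict(int)
    for direction, local, remote, rport, size in flows:
        if rport != 53:             # only DNS traffic is of interest here
            continue
        if direction == "out":
            queried[local].add(remote)
            out_bytes[local] += size
        else:
            responders[local].add(remote)
            in_bytes[local] += size
    report = {}
    for host in set(queried) | set(responders):
        unsolicited = responders[host] - queried[host]
        ratio = in_bytes[host] / max(out_bytes[host], 1)   # amplification seen
        report[host] = {
            "ratio": round(ratio, 1),
            "unsolicited_servers": sorted(unsolicited),
            # Both conditions together separate a flood from one chatty resolver.
            "suspect": ratio >= min_ratio and len(unsolicited) >= min_servers,
        }
    return report
```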

This issue involves two ActiveX controls, Scriptlet.typlib and Eyedog. These controls are
not in any way related to each other; their only relationship is that both are incorrectly
marked as "safe for scripting" and can therefore be called from Internet Explorer.
- Scriptlet.typlib is a control used by developers to generate type libraries for Windows
Script Components. It is marked as "safe for scripting", but should not be, because it
allows local files to be created or modified.
- Eyedog is a control used by diagnostic software in Windows. It is marked as "safe for
scripting", but should not be, because it allows registry information to be queried and
machine characteristics to be gathered. In addition, one of the control's methods is
vulnerable to a buffer overrun attack.
The patch sets the so-called "kill bit" on the controls, which prevents them from loading
within IE. A patch for the US version is available.

System: HP-UX
Topic: Security Vulnerability in rpc.cmsd: HP Security Bulletin #00102, ERS-1999.123
A buffer overflow vulnerability in the CDE Calendar Manager Service Daemon, rpc.cmsd,
allows remote and local users to execute arbitrary code with root privileges. Patches are
available from Hewlett-Packard. Version 10.30 is vulnerable too, but a patch will not be
published.

| System                              | Patch      |
|-------------------------------------|------------|
| HP-9000 Series 700/800, HP-UX 10.20 | PHSS_19482 |
| HP-9000 Series 700/800, HP-UX 11.00 | PHSS_19483 |
