



October 1999, last change: 01/04/00
The vulnerabilities found in SuSE Linux (see the next entry) are present in Debian as well:
bugs in yp (NIS) let users gain more rights than the administrator intended; with mirror, a
".." component in a path supplied by the remote site causes files to be written to
directories above the destination directory on the mirroring host; lpr makes it possible to
print files the user cannot even read; and amd opens a backdoor for users.
Further information can be found in the advisories.

System: SuSE Linux
Topic: Vulnerabilities in mirror, sccw, mutt, cdwtools, ypserv, and lpr/lpd: SUSE022,
SUSE023, SUSE024, SUSE025, SUSE026, SUSE027
The mirror package is a tool to duplicate the contents of ftp servers. A vulnerability
exists when an attacker can create a directory named ".." on the ftp server that is being
mirrored: mirror follows the listing as given, and files are created one level above the
local target directory for the mirrored files.
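The check a mirroring tool needs before it turns a remote listing into local file names, as an added example (not code from the page or from the mirror package, and also covering the Debian entry above): every path component is validated, and the resolved destination is confirmed to stay under the target directory. The hostile listing and the target directory are constructed for the illustration; the naive join is shown alongside so the escape is visible.

```python
import os


class UnsafeRemotePath(ValueError):
    """Raised when a path from a remote listing would escape the local target."""


def naive_local_path(target_dir, remote_path):
    """What a mirroring tool does when it trusts the listing: join and normalise.
    A '..' component supplied by the remote side walks above target_dir."""
    return os.path.normpath(os.path.join(target_dir, remote_path))


def safe_local_path(target_dir, remote_path):
    """Map a path taken from a remote ftp listing onto a local path under target_dir.

    The components come from the remote server, so a hostile site controls them.
    Reject '..' outright (a genuine listing never contains it), empty components
    and NUL bytes, then confirm the normalised result still lies under target_dir."""
    target_dir = os.path.abspath(target_dir)
    components = remote_path.split("/")
    for comp in components:
        if comp in ("", "..") or "\0" in comp:
            raise UnsafeRemotePath(f"rejected component {comp!r} in {remote_path!r}")
    candidate = os.path.abspath(os.path.join(target_dir, *components))
    # Second line of defence: even if the filter above were weakened, nothing
    # outside target_dir may be produced.
    if candidate != target_dir and not candidate.startswith(target_dir + os.sep):
        raise UnsafeRemotePath(f"{remote_path!r} resolves to {candidate!r}, outside target")
    return candidate


def plan_mirror(target_dir, listing):
    """Split a remote listing into local paths that may be written and entries to refuse."""
    accepted, rejected = [], []
    for remote_path in listing:
        try:
            accepted.append(safe_local_path(target_dir, remote_path))
        except UnsafeRemotePath as exc:
            rejected.append((remote_path, str(exc)))
    return accepted, rejected


# Constructed listing standing in for what a hostile ftp server might advertise.
# The '..' entries are the attack from the advisory: joined naively, the third
# entry lands one level above the target directory.
HOSTILE_LISTING = [
    "pub/README",
    "pub/../.rhosts",
    "../.rhosts",
    "pub/sub/./notes.txt",
    "pub/bad\0name",
]

if __name__ == "__main__":
    target = "/var/ftp/mirror"
    print("naive join of", HOSTILE_LISTING[2], "->", naive_local_path(target, HOSTILE_LISTING[2]))
    ok, bad = plan_mirror(target, HOSTILE_LISTING)
    for path in ok:
        print("write  ", path)
    for remote, why in bad:
        print("refuse ", remote, "-", why)
```

Rejecting ".." at the component level is the real fix; the prefix check after normalisation only exists so that a later relaxation of the filter cannot silently reopen the hole.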
sccw does insufficient bounds checking, trusts its environment and calls insecure
system functions. On a default installation sccw is setuid root. These bugs lead to a local
root compromise.
An attacker could run processes with the privileges of the user running mutt by sending a
maliciously formatted e-mail. This bug leads to local and remote non-root, and possibly
root, compromise of the system.
The cdwtools package is a frontend for various programs used to create CDs. Several buffer
overflows and /tmp vulnerabilities exist in the cdwtools package. Everyone who has the
cdwtools package installed and SuSE configured for the "easy" security setting (which is
the default) is vulnerable to a local root compromise.
The package ypserv implements NIS (Network Information Service, formerly known as "yellow
pages"), which is used e.g. for central management of network user accounts. Several
vulnerabilities exist: ypserv prior to 1.3.9 allows an administrator in the NIS domain to
inject password tables, and rpc.yppasswdd prior to 1.3.9 allows users to change the GECOS
and login shell values of other users. If administrator access to one server in the NIS
domain is compromised, access to the whole domain can be achieved. It is theoretically
possible to execute arbitrary code on these systems too. User information can be changed
and restricted accounts opened.
File access permissions are not properly checked by the lpr and lpd programs. By exploiting
this race condition a user could print files the user has no permission to read.
It's strongly recommended to upgrade the system by installing the patches. They can be
found on SuSE's web page for patches.

System: Microsoft Windows NT 4.0
Topic: Vulnerability by TCP Initial Sequence Number Randomness: MS99-046, ERS-1999.162,
K-006
The Initial Sequence Numbers (ISNs) used in TCP connections should be as unpredictable as
possible in order to prevent attacks such as IP address spoofing and session hijacking: an
attacker who can predict the ISN a host will use next can complete a handshake or inject
segments without ever seeing that host's replies. Microsoft has improved the randomness of
the Windows NT 4.0 TCP/IP ISN generation for all versions of NT, providing 15 bits of
entropy.
It's recommended to install the (US) patch for x86 or Alpha.
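Why ISN predictability matters, as an added model that is not part of the Microsoft bulletin: an attacker who observes a few ISNs from a host with a constant-increment generator can predict the ISN of the next connection and finish a spoofed handshake blind, while a randomised generator leaves nothing to extrapolate. Both generators, the sample sizes and the entropy estimate are constructed for the example; the constant-increment model is a simplification of the classic BSD scheme and says nothing about how any NT build actually generated ISNs.

```python
import math
import random
from collections import Counter

MASK32 = 0xFFFFFFFF


def constant_increment_isns(start, step, n):
    """Constructed model of a predictable generator: every new connection gets
    the previous ISN plus a fixed step (a simplification of the old BSD scheme)."""
    out, isn = [], start
    for _ in range(n):
        isn = (isn + step) & MASK32
        out.append(isn)
    return out


def random_isns(n, seed=None):
    """Constructed model of a generator drawing each ISN uniformly from 32 bits.
    The seed only makes the example reproducible; a real generator has none."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def isn_deltas(isns):
    """Differences between ISNs of successive connections, modulo 2**32."""
    return [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]


def predict_next_isn(observed):
    """Attacker's view: if the deltas between the observed ISNs are all equal,
    the next ISN follows. Returns None when the sample shows no usable pattern."""
    deltas = isn_deltas(observed)
    if len(deltas) >= 2 and len(set(deltas)) == 1:
        return (observed[-1] + deltas[0]) & MASK32
    return None


def delta_entropy_bits(isns):
    """Empirical Shannon entropy of the deltas, in bits: 0 means the next ISN is
    fully determined by the previous one; for m deltas from a good generator the
    estimate approaches log2(m), the most a sample of that size can show."""
    deltas = isn_deltas(isns)
    m = len(deltas)
    return -sum((c / m) * math.log2(c / m) for c in Counter(deltas).values())


def simulate_blind_spoof(isn_sequence, probes=4):
    """Blind spoofing reduced to its essential step. The attacker opens `probes`
    genuine connections to learn the victim's ISNs, then sends a SYN with a
    forged source address. The SYN/ACK goes to the forged address, so the final
    ACK must carry a guessed ISN + 1. True if the guess is right."""
    observed = isn_sequence[:probes]
    victim_next = isn_sequence[probes]  # ISN of the SYN/ACK the attacker never sees
    guess = predict_next_isn(observed)
    if guess is None:
        return False
    return (guess + 1) & MASK32 == (victim_next + 1) & MASK32


if __name__ == "__main__":
    linear = constant_increment_isns(0x12345678, 64000, 40)
    randomised = random_isns(40, seed=1999)
    for name, seq in (("constant increment", linear), ("random", randomised)):
        print(f"{name:19s} entropy of deltas {delta_entropy_bits(seq):5.2f} bits, "
              f"blind spoof succeeds: {simulate_blind_spoof(seq)}")
```

The entropy estimate is only as good as the sample: 40 connections can show at most about 5.3 bits, so a generator that passes this check is not thereby shown to provide the 15 bits the bulletin claims; it is the zero-entropy case that the check exposes reliably.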

The Microsoft VM ships as part of several products; the primary ship vehicle is Internet
Explorer. IE 4 ships with builds in the 2000 series, IE 5 with builds in the 3000 series.
Both series contain a vulnerability in the bytecode verifier that could allow a Java applet
to operate outside the bounds set by the sandbox. If hosted on a web site, such an applet
could cause any action to be taken on the computer of a visiting user that the user himself
could take, for example creating, deleting or modifying files, sending data to or receiving
data from a web site, or reformatting the hard drive.
It's recommended to install the patch for the 3000 series; a patch for the 2000 series will
follow.

The version of screen that shipped with Red Hat Linux 6.1 defaulted
to not using Unix98 ptys. Since screen is not setuid root, this means that it leaves the
ptys with insecure permissions. The updated packages restore the Unix98 pty support. As
mentioned below, three vulnerabilities were found in wu-ftpd. It's recommended to
install the updates published by Red Hat:
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm
Red Hat Linux 5.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.1/i386/screen-3.9.4-3.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/wu-ftpd-2.6.0-1.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.1/alpha/wu-ftpd-2.6.0-1.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/wu-ftpd-2.6.0-1.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/screen-3.9.4-3.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/wu-ftpd-2.6.0-1.src.rpm

ISS reports 14 new vulnerabilities:
- http-teamtrack-file-read
- iams-passwords-plaintext
- iams-pop3-command-dos
- iams-smtp-vrfy-dos
- linux-cdda2cdr
- ie-download-behavior
- mediahouse-stats-adminpw-cleartext
- mediahouse-stats-login-bo
- ihtml-merchant-file-access
- yahoo-messenger-dos
- iis-ftp-no-access-files
- nt-ip-source-route
- nt-rasman-pathname
- http-cgi-wwwboard-default
Further information can be found on the ISS server.

This problem was originally reported by CERT: a vulnerability in automountd allows an
intruder to execute arbitrary commands with the privileges of the automountd process.
Hewlett-Packard has determined that HP-UX 10.X and 11.00 are vulnerable. No patch is
available at this time.
As a workaround it's recommended to set AutoFS=0 in the file /etc/rc.config.d/nfsconf.

SYLK (Symbolic Link) files can contain macros; if such a file is opened in Excel 97 or 2000,
the macro runs without asking for the user's permission. These macros could take any action
on the computer that the user could take.
It's recommended to install the patch for Excel 97 or Excel 2000.

On systems running the WU-FTPD daemon or its derivatives three
vulnerabilities were found:
- MAPPING_CHDIR Buffer Overflow: Because of improper bounds checking, it is
possible for an intruder to overwrite static memory in certain configurations of the
WU-FTPD daemon.
- Message File Buffer Overflow: Because of improper bounds checking during the
expansion of macro variables in the message file, intruders may be able to overwrite the
stack of the FTP daemon.
- SITE NEWER Consumes Memory: Remote and local intruders who can connect to the
FTP server can cause the server to consume excessive amounts of memory, preventing normal
system operation. If intruders can create files on the system, they may be able to exploit
this vulnerability to execute arbitrary code as the user running the ftpd daemon, usually
root.
It's recommended to install the relevant patches as described in the advisory.

System: Microsoft Internet Explorer 4.01 and 5
Topic: Vulnerability by JavaScript: MS99-043, ERS-1999.154
Client-local data that is displayed in the browser window can be made available to a
server by using a redirect to a JavaScript applet running in the same window. This in
effect bypasses cross-domain security and makes the data available to the applet, which
could then send it to a hostile server, provided the attacker knows the name of the file
and the folder in which it resides.
Until Microsoft has published a patch it's strongly recommended to disable Active
Scripting, at least in the Internet Zone.

New RPMs are available to install the latest Netscape release. The PAM packages shipped
with Red Hat Linux 6.1/Intel may allow access to locked NIS accounts on certain network
configurations. There are potential problems with file access checking in the lpr and lpd
programs, which could allow users to print files they do not have access to. It's
recommended to install the updates published by Red Hat:
Red Hat Linux 4.2:
Intel:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
Source:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm
Red Hat Linux 5.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/netscape-common-4.7-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/netscape-communicator-4.7-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/netscape-navigator-4.7-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
Sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/netscape-common-4.51-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/netscape-common-4.7-0.src.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.1/i386/netscape-common-4.7-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/netscape-communicator-4.7-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/netscape-navigator-4.7-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
Sparc:
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/netscape-4.7-1.1.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm
rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm
Neutral:
rpm -Uvh ftp://updates.redhat.com/6.1/noarch/

Internet Explorer 5's security model normally restricts the Document.ExecCommand() method
to prevent it from taking inappropriate action on a user's computer. However, at least one
of these restrictions is not present if the method is invoked on an IFRAME. This could
allow a malicious web site operator to read known files on visiting users' computers. The
vulnerability would not allow the malicious user to list the contents of folders, to
create, modify or delete files, or to usurp any administrative control over the machine.
Internet Explorer 4.01 users should apply IE 4.01 Service Pack 2; users of IE 5 should
install the patch for Intel or Alpha.
As an interim step customers may also add sites that they trust to the Trusted Zone and
disable Active Scripting in the Internet Zone.

System: Microsoft Office
Topic: Patch available against Vulnerabilities in ODBC: MS99-030
Microsoft has published a patch for the ODBC vulnerabilities reported earlier.

System: Hybrid Network's Cable Modems
Topic: Vulnerability caused by HSMP: KSRT-012
Hybrid Network's cable modems can be configured via a UDP-based protocol called HSMP. This
protocol does not require any authentication to perform configuration requests, and since
UDP source addresses are easily spoofed, configuration changes can be made anonymously.
There are some known denial-of-service attacks. HSMP can also be used to configure the DNS
servers used by cable modem users, allowing attackers to redirect cable modem subscribers
to a trojan site. More complex and theoretical attacks could involve running actual code
through the debugging interface, which might allow remote attackers to deploy Ethernet
sniffers on the cable modem.
The advisory contains links demonstrating the problem. It's recommended to block HSMP
traffic (7777/udp) with a firewall.

System: Cactus Software
Topic: Vulnerability caused by shell-lock: l0pht, ERS-1999.150
The program "shell-lock" is used to create ELF binaries from shell scripts. A trivial
encoding mechanism is used for obfuscating the shell code in the "compiled" binary, so
anyone with read permission on the file in question can decode and retrieve the original
shell script. A second vulnerability lets the user retrieve the un-encoded shell script
without needing to decode the binary at all.
As the advisory puts it: do not take candy or accept car rides from strangers; if
something seems too good to be true, it probably is. It's recommended to write code that
must not be readable in C or another compiled language, not in shell scripts.
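The advisory's point generalises to any "script compiler" that wraps a script in a decoder: whoever can read the binary also holds the decoder and the key, so the obfuscation protects nothing. The example below is added here and does not reproduce shell-lock's real format, which the page does not describe; the "SHLK" header, the repeating XOR key and the wrapper layout are assumptions for the illustration. It packs a constructed script and then recovers it two ways: by doing what the wrapper does at run time, and by a known-plaintext guess that needs neither the stored key nor the decoder, because a shell script begins with a predictable "#!" line.

```python
MAGIC = b"SHLK"  # assumed wrapper header; shell-lock's real layout is not on this page


def pack_script(script, key):
    """Assumed 'compiled' layout: MAGIC | key length | key | script XOR repeating key.
    The key has to travel inside the file, otherwise the wrapper could not run
    the script at all; that is the structural weakness, whatever the cipher."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(script))
    return MAGIC + bytes([len(key)]) + key + body


def unpack_script(blob):
    """What the wrapper does at run time. Anyone who can read the file can do the
    same, because the key and the decoding rule are both in front of them."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a packed script")
    klen = blob[len(MAGIC)]
    if klen == 0:
        raise ValueError("empty key")
    key = blob[len(MAGIC) + 1 : len(MAGIC) + 1 + klen]
    body = blob[len(MAGIC) + 1 + klen :]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def recover_without_decoder(blob, known_prefix=b"#!/bin/sh\n", max_period=8):
    """Known-plaintext recovery that ignores the header and the stored key.

    Assumes only that the script begins with known_prefix and that the key
    repeats with a period of at most max_period bytes. At each candidate offset
    the key stream is known_prefix XOR ciphertext; if that stream is periodic,
    one period is the key and the rest of the file decodes with it. Returns
    None if no offset fits (for instance when the key is longer than max_period)."""
    n = len(known_prefix)
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], known_prefix))
        for period in range(1, min(max_period, n) + 1):
            if all(stream[i] == stream[i % period] for i in range(n)):
                key = stream[:period]
                return bytes(b ^ key[i % period] for i, b in enumerate(blob[off:]))
    return None


# Constructed script carrying the kind of secret people hope a wrapper will hide.
SECRET_SCRIPT = b"#!/bin/sh\nDBPASS='s3cret'\nmysql -u root -p\"$DBPASS\" prod\n"

if __name__ == "__main__":
    packed = pack_script(SECRET_SCRIPT, b"secret12")
    print("literal password visible in packed file:", b"s3cret" in packed)
    print("recovered via stored key      :", unpack_script(packed) == SECRET_SCRIPT)
    print("recovered via known plaintext :", recover_without_decoder(packed) == SECRET_SCRIPT)
```

The second recovery path is the one to remember: even a vendor that hides the key more cleverly cannot hide the fact that every shell script starts with the same few bytes, so a short repeating key falls to a known-plaintext guess without any reverse engineering of the wrapper.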

System: Debian Linux
Topic: Vulnerability in amd: Debian0924
The version of amd distributed with Debian GNU/Linux 2.1 is vulnerable to a remote exploit:
passing a long directory name to amd's logging code overflows a buffer, which could be
exploited. This has been fixed in version 23.0slink1.
Further information can be found in the advisory.

Here you can find the news from September 1999, August 1999, July 1999, June 1999, May
1999, April 1999, and March 1999.