
December 1999, last change: 01/05/00
Further links lead to the organization that reported the problem, so you can also read the original advisory and learn about further actions to take and patches to install.
By the way: if we do not publish well-known risks inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!

System: Sun Solaris 2.3 - 2.6, 7, SunOS 4.1.3 - 4.1.4
Topic: Vulnerabilities in CDE and OpenWindows: Sun Security Bulletin #00192, ERS-1999.204
Several vulnerabilities were found in CDE and OpenWindows:
1 - ToolTalk ttsession default authentication mechanism insecure
2 - CDE dtspcd relies on file-system based authentication
3 - CDE dtaction buffer overflow
4 - CDE ToolTalk shared library buffer overflow in TT_SESSION
Sun Microsystems recommends installing the following patches (the VulNo. column lists the vulnerability numbers a patch addresses):
| VulNo. | OS Version | Patch ID |
| 1 | SunOS 5.7 | 107893-04 |
| 1,4 | SunOS 5.7_x86 | 107894-04 |
| 1,4 | SunOS 5.6 | 105802-11 |
| 1,4 | SunOS 5.6_x86 | 105803-13 |
| 1,4 | SunOS 5.5.1 | 104489-10 |
| 1,4 | SunOS 5.5.1_x86 | 105496-08 |
| 1,4 | SunOS 5.5 | 104428-08 |
| 1,4 | SunOS 5.5_x86 | 105495-06 |
| 1,4 | SunOS 5.4 | 102734-05, 108636-01 |
| 1,4 | SunOS 5.4_x86 | 108641-01, 108637-01 |
| 1,4 | SunOS 2.3 | 1: available in 2 weeks; 4: 101495-04 |
| 1,4 | SunOS 4.1.4, 4.1.3_U1 | 1: available in 2 weeks; 4: 100626-10 |

| VulNo. | CDE Version | OS Version | Patch ID |
| 2,3 | 1.3 | SunOS 5.7 | 108221-01, 108219-01 |
| 2,3 | 1.3_x86 | SunOS 5.7_x86 | 108222-01, 108220-01 |
| 2,3 | 1.2 | SunOS 5.6 | 108199-01, 108201-01 |
| 2,3 | 1.2_x86 | SunOS 5.6_x86 | 108200-01, 108202-01 |
| 2,3 | 1.02 | SunOS 5.5.1, 5.5, 5.4 | 108205-01, 108289-02 |
| 2,3 | 1.02_x86 | SunOS 5.5.1_x86, 5.5_x86, 5.4_x86 | 108206-01, 108290-03 |
| 2,3 | 1.02 | SunOS 5.5, 5.4 | 108252-01, 108254-01 |
| 2,3 | 1.02_x86 | SunOS 5.5_x86, 5.4_x86 | 108253-01, 108255-01 |

System: Sun Solaris 2.3 - 2.6, 7
Topic: Vulnerability in sadmind: Sun Security Bulletin #00191, ERS-1999.203, K-013
Several vulnerabilities were found in sadmind (see also CA-99-16). Sun Microsystems recommends installing the following patches:
| OS Version | Patch ID |
| SunOS 5.7 | 108662-01 |
| SunOS 5.7_x86 | 108663-01 |
| SunOS 5.6 | 108660-01 |
| SunOS 5.6_x86 | 108661-01 |
| SunOS 5.5.1 | 108658-01 |
| SunOS 5.5.1_x86 | 108659-01 |
| SunOS 5.5 | 108656-01 |
| SunOS 5.5_x86 | 108657-01 |

| AdminSuite Version | Patch ID |
| 2.3 | 104468-18 |
| 2.3_x86 | 104469-18 |

New techniques for executing denial-of-service attacks have been made public. A tool similar to Tribe FloodNet (TFN), called Tribe FloodNet 2K (TFN2K), was released. Tribe FloodNet is described in IN-99-07. Like TFN, TFN2K is designed to launch coordinated denial-of-service attacks from many sources against one or more targets simultaneously. TFN2K is designed to work on various UNIX and UNIX-like systems and Windows NT.
MacOS 9 can be abused by an intruder to generate a large volume of traffic directed at a victim in response to a small amount of traffic produced by the intruder. This allows an intruder to use MacOS 9 as a "traffic amplifier" and flood victims with traffic. The effect and structure are similar to a "smurf" attack, described in CA-98.01. Information about countermeasures can be obtained here (PDF format).

System: Microsoft Windows NT 4.0
Topic: Patch available to improve TCP Initial Sequence Number Randomness: MS-99.046
As reported before, the TCP initial sequence numbers in Windows NT 4.0 up to and including SP6 were predictable. Microsoft has released another advisory about this problem and points out that the latest patches are not affected by the regression error. It is recommended to install the latest hotfix:
- Windows NT 4.0 SP4 or SP5 (Intel): select q243835sp5i.exe
- Windows NT 4.0 SP6 (Intel): select q243835i.exe
- Windows NT 4.0 SP4 or SP5 (Alpha): select q243835sp5a.exe
- Windows NT 4.0 SP6 (Alpha): select q243835a.exe

System: SCO Unix
Topic: Multiple Vulnerabilities in SCO OpenServer: SB-99.26
Several security holes have been found in SCO OpenServer up to version 5.0.5: buffer overflows and algorithmic vulnerabilities. Unprivileged users can gain administrative privileges on unpatched servers, so it is strongly recommended to install the relevant patches.

In UnixWare several vulnerabilities and buffer overflows were found, e.g. in mail clients, packaging tools, in.i20dialogd and many other utilities. By exploiting these vulnerabilities users may gain increased privileges. It is recommended to install the patches as pointed out in the advisories.

System: Microsoft IE 4.5 and Outlook Express 5.0 for Macintosh
Topic: Vulnerabilities caused by HTML Mail Attachment: MS99-060, ERS-1999.201
The first problem was found in Outlook Express 5 for Macintosh. By design, when an HTML mail is received, the mail content is downloaded onto the user's machine and processed. Attachments to the mail should not be downloaded unless the user requests it. A flaw in Outlook Express 5 for Macintosh causes it to download all content, including attachments.
The second problem was found in Internet Explorer 4.5 for Macintosh. It involves several digital certificates that are included in IE. These certificates are due to expire on December 31, 1999. The patch provides updated certificates and also adds support for X.509 V3 certificates. Microsoft is simply providing the replacement certificates and X.509 V3 support as a community service.
It is recommended to install the patch published by Microsoft.

System: Microsoft IIS 4.0 and Site Server 3.0
Topic: Vulnerability by Escape Character (%) Parsing: MS99-061, ERS-1999.200
RFC 1738 specifies that web servers must allow hexadecimal digits to be input in URLs by preceding them with the so-called "escape" character (%). IIS complies with this specification, but also accepts characters after the percent sign that are not hexadecimal digits. Some of these translate to printable ASCII characters, and this could provide an alternate means of specifying files in URLs. This vulnerability could allow files on a web server to be specified using an alternate representation, in order to bypass the access controls of some third-party applications.
Microsoft has published a hotfix (US version) for servers on Intel and Alpha processors.

System: Microsoft IIS 4.0 and Site Server 3.0
Topic: Risk by Virtual Directory Naming: MS99-058, ERS-1999.199
If a file resides in a virtual directory whose name contains a legal file extension, the normal server-side processing of the file can be bypassed. The vulnerability manifests itself in different ways depending on the specific file type requested, the specific file extension in the virtual directory name, and the permissions that the requester has in the directory. In most cases an error would result and the requested file would not be served. In the worst case the source code of .ASP or other files could be sent to the browser. This vulnerability would most likely occur due to administrator error, or if a product generated an affected virtual directory name by default (FrontPage Server Extensions is one such product).
Microsoft has published a hotfix (US version) for servers on Intel and Alpha processors.

System: Microsoft SQL Server 7.0
Topic: Vulnerability by malformed TDS Packet Header: MS99-059, ERS-1999.198
If a specially malformed TDS (Tabular Data Stream) packet is sent to a SQL server, it can cause the SQL service to crash, because the length given in the header is smaller than the minimum length of a TDS header. Microsoft points out that access to the system or to data on the server is not possible. An affected machine can be put back into service by restarting the SQL service. This vulnerability could only be exploited remotely if port 1433 were open at the firewall. A hotfix is available for Intel and Alpha.

System: many Unix
Topic: Vulnerabilities in wu-ftpd: suid.01
The advisory collects information about the vulnerabilities in wu-ftpd; these problems have been mentioned quite often in the last months.

CERT points out the recent activities and reports:
- Y2k: further information about the problems concerning Y2k is available: FAQ, Expectations, Y2k Viruses and Trojans, Y2k Status reports
- Distributed-systems intruder tools: in November 1999 a workshop was held; information about the outcome is available now.
- Ongoing intruder activity: distributed denial-of-service tools are continuing to be found on compromised hosts. Intruders continue to exploit a vulnerability in the am-utils package to gain root access to victim machines. Finally, RPC service vulnerabilities are still being regularly exploited.

System: Windows NT 4.0
Topic: Vulnerability by Malformed Security Identifier Request: MS99-057, ERS-1999.196
The Windows NT Local Security Authority (LSA) provides a number of functions for enumerating and manipulating security information. One of these functions, LsaLookupSids(), is used to determine the Security Identifier (SID) associated with a particular user or group name. A flaw in the implementation of this function causes it to incorrectly handle certain types of invalid arguments. If an affected call were made to this function, it would cause the LSA to crash, thereby preventing the machine from performing useful work. An affected machine can be put back into service by rebooting, with the loss of any work that was in progress at the time. Remote attacks via this vulnerability are not possible if NetBIOS is filtered at the firewall.
A hotfix for this vulnerability is included in the patch for the "Syskey Keystream Reuse" vulnerability (x86, alpha), covering all NT systems.

System: Windows NT 4.0
Topic: Vulnerability caused by Syskey Keystream Reuse: MS99-056, ERS-1999.194
Syskey is a utility that strongly encrypts the hashed password information in the SAM database in order to protect it against offline password cracking attacks. However, Syskey reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it. A hotfix has been published (x86, alpha), covering all NT systems.

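The cryptanalytic problem behind keystream reuse can be shown in a few lines. The Python below is an added example (not Syskey's cipher, whose details the item does not give) using a toy SHA-256 counter-mode keystream: when two ciphertexts share a keystream, their XOR equals the XOR of the two plaintexts, so one known plaintext reveals the other, whereas distinct keystreams give an observer nothing. The key, nonces and sample plaintexts are constructed.

```python
import hashlib
from typing import Tuple


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only, not
    Syskey's cipher): the same key and nonce always yield the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream.
    Decryption is the same operation with the same key and nonce."""
    return xor_bytes(plaintext, toy_keystream(key, nonce, len(plaintext)))


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 were made with the same keystream, c1 XOR c2 equals
    p1 XOR p2, so knowing p1 reveals p2. With distinct keystreams the same
    computation yields garbage, which is why a keystream must never be reused."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def reuse_demo(reuse_keystream: bool) -> Tuple[bytes, bytes]:
    """Returns (actual p2, what an observer recovers from c1, c2 and p1).
    All values are constructed for the demonstration."""
    key = b"constructed-demo-key"
    p1 = b"hash-of-account-alice-0123456789"
    p2 = b"hash-of-account-bob---9876543210"
    nonce1 = b"\x00" * 8
    nonce2 = nonce1 if reuse_keystream else b"\x01" * 8  # same nonce = same keystream
    c1 = encrypt(key, nonce1, p1)
    c2 = encrypt(key, nonce2, p2)
    return p2, recover_other_plaintext(c1, c2, p1)


if __name__ == "__main__":
    for reuse in (True, False):
        actual, recovered = reuse_demo(reuse)
        label = "reused" if reuse else "fresh"
        print(f"{label} keystream: recovered p2 correctly = {actual == recovered}")
```

The per-record nonce is the only difference between the two runs; the fix for this class of weakness is always a fresh keystream (fresh key or nonce) per encrypted item, which is what the hotfix above restores for the affected parts of the SAM.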
A vulnerability exists that could allow an unauthorized person to substitute arbitrary material in place of the legitimate content of a specified website. This arbitrary content would be viewable only by users of the affected (or "polluted") Cache Engine. A second vulnerability exists that could allow unauthorized persons to view performance information via the web interface of the Cache Engine. A third vulnerability existed that allowed a null username and password pair to be accepted as valid authentication credentials. Further information about the vulnerabilities and patches can be found in the advisory.

System: SuSE Linux
Topic: Vulnerabilities in inn and wvdial: SUSE034, SUSE035
The InterNetNews server inn does not do proper bounds checking; the daemon can be crashed remotely by overflowing its static buffers.
If the wvdial.lxdialog script is used to configure a PPP dialup, the config file /var/lib/wvdial/.config is created readable for everyone. This config file usually contains the login and password for the dialup. However, the directory in which the config file is placed is only accessible to members of the "dialout" group. SuSE's default wvdial config file, /etc/wvdial.conf, does not have this problem. Local users in the "dialout" group might gain access to dialup login information when the wvdial.lxdialog script is used.
It is recommended to install the patches from SuSE's web page for patches.

ISS reports 12 new vulnerabilities:
- nt-resource-enum-dos
- sol-snoop-bo
- ie-server-side-redirect
- ie-msradio-bo
- netscape-fasttrack-auth-bo
- qpopper-auth-bo
- solaris-dtmail-overflow
- solaris-dtmailpr-overflow
- unixware-su-username-bo
- unixware-xlock-username-bo
- linux-syslogd-dos (Caldera, Red Hat, SuSE)
- sol-ttdbserverd-dos
Further information can be found on the ISS server.

The sadmind program is installed by default in Solaris 2.5, 2.6, and 7. In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice AdminSuite packages are installed. All versions of sadmind are vulnerable to a buffer overflow that can overwrite the stack pointer within a running sadmind process. Since sadmind is installed as root, it is possible to execute arbitrary code with root privileges on a remote machine. It is strongly recommended to disable sadmind by removing or commenting out the following line in /etc/inetd.conf:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
Even though it will not defend against the attack discussed in this advisory, it is good practice to set the security option used to authenticate requests to a STRONG level, for example:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
If you must use sadmind to perform system administration tasks, CERT urges you to use this setting. Sun Microsystems is currently working on patches to address the issue discussed in this advisory and recommends disabling sadmind.

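The audit below is an added example in Python (not CERT's or Sun's code): it reports every sadmind entry in an inetd.conf body, whether it is commented out and which -S level it carries, and can produce a copy with the active entries commented out, which is the mitigation recommended above. The sample file is constructed, and the field positions are taken from the two lines quoted above.

```python
from typing import List, NamedTuple, Optional


class SadmindEntry(NamedTuple):
    lineno: int
    enabled: bool                   # False when the line is commented out
    security_level: Optional[int]   # value after -S, None if no -S is given


def audit_inetd_conf(text: str) -> List[SadmindEntry]:
    """Find every sadmind line in an inetd.conf body. Field layout follows the
    line quoted above: service/version, endpoint, protocol, wait flag, user,
    server path, then argv[0] and the server's own arguments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        if len(fields) < 7 or not fields[5].endswith("/sadmind"):
            continue
        args = fields[7:]
        level = None
        if "-S" in args:
            pos = args.index("-S")
            if pos + 1 < len(args) and args[pos + 1].isdigit():
                level = int(args[pos + 1])
        entries.append(SadmindEntry(lineno, enabled, level))
    return entries


def has_weak_sadmind(text: str) -> bool:
    """True if any active sadmind entry runs without the STRONG (-S 2) setting."""
    return any(e.enabled and e.security_level != 2 for e in audit_inetd_conf(text))


def disable_sadmind(text: str) -> str:
    """Return the configuration with every active sadmind line commented out.
    All other lines are returned unchanged."""
    out = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        active = not raw.strip().startswith("#")
        if active and len(fields) >= 6 and fields[5].endswith("/sadmind"):
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed inetd.conf excerpt, not taken from a real system.
SAMPLE_CONF = """# Solaris inetd.conf excerpt, constructed for this example
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
"""

if __name__ == "__main__":
    print(audit_inetd_conf(SAMPLE_CONF))
    print(disable_sadmind(SAMPLE_CONF), end="")
```

After editing the file, inetd has to re-read its configuration before the change takes effect; the audit function can then be run a second time on the live file to confirm that no active entry remains.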
System: HP-UX
Topic: Security Vulnerability in VVOS TGP: HP Security Bulletin #00107, ERS-1999.191
Programs running on the VirtualVault may be proxied by the Trusted Gateway Proxy (TGP) without having proper access. HP9000 Series 7/800 systems running HP-UX 10.24 (VVOS) with VirtualVault A.03.50 (either US/Canada or International) are vulnerable _ONLY_ with patch PHSS_17692 installed. As a consequence unprivileged processes may gain access to the inside network. It is recommended to install the following patches:
| HP-UX 10.24 (VVOS) with VirtualVault A.03.50 (International) | PHSS_20476 |
| HP-UX 10.24 (VVOS) with VirtualVault A.03.50 (US/Canada) | PHSS_20476 |

System: Red Hat Linux
Topic: New linuxconf and vulnerabilities in ORBit, esound, and gnome-core: RH1999-058, RH1999-060
ORBit and gnome-session each contain a denial-of-service hole; ORBit and esound each contain a security hole. New linuxconf packages are available to fix various bugs in the version of linuxconf shipped with Red Hat Linux 6.x. It is recommended to install the updates:
Red Hat Linux 6.x:
Intel:
rpm -Uvh ftp://updates.redhat.com/6.0/i386/linuxconf-1.16r10-2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/i386/linuxconf-devel-1.16r10-2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/ORBit-0.5.0-2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/ORBit-devel-0.5.0-2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/esound-0.2.17-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/esound-devel-0.2.17-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/gnome-core-1.0.54-2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/i386/gnome-core-devel-1.0.54-2.i386.rpm
Alpha:
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/linuxconf-1.16r10-2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/alpha/linuxconf-devel-1.16r10-2.alpha.rpm
SPARC:
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/linuxconf-1.16r10-2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.0/sparc/linuxconf-devel-1.16r10-2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/ORBit-0.5.0-2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/ORBit-devel-0.5.0-2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/esound-0.2.17-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/esound-devel-0.2.17-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/gnome-core-1.0.54-2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/sparc/gnome-core-devel-1.0.54-2.sparc.rpm
Source:
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/linuxconf-1.16r10-2.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/ORBit-0.5.0-2.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/esound-0.2.17-1.src.rpm
rpm -Uvh ftp://updates.redhat.com/6.1/SRPMS/gnome-core-1.0.54-2.src.rpm

IBM has published some information about the latest worms and macro viruses:
W97M/Prilissa: This is a virus for Word 97 documents; it is able to replicate under SR-1 of Word 97 and will turn off the macro warning feature of Word 97. The virus uses the "ThisDocument" stream, or class module, of a document or template during its infection routine. It is a copy-cat of the W97M/Melissa.a virus, and there is a payload to send the infected file via MS Outlook. Another payload is date-activated (December 25th): it reformats the hard drive (on Windows 9x systems) and also overlays the active document with random shapes.
W32/ExploreZip.worm.pak: Worm.ExploreZip(pack) is a packed version of Worm.ExploreZip, which contains a malicious payload. Further information can also be found in K-008.
W97M.Melissa.AA: This is a new variant of Melissa which IBM is calling W97M.Melissa.AA. More information will follow as it becomes available.
W32.Mypics.Worm: The worm propagates automatically on Windows 9x and Windows NT platforms through e-mail and has a destructive payload that triggers in the year 2000. It propagates by automatically sending itself to people in the Outlook address book. The subject line is empty and the body of the e-mail is 'Here's some pictures for you!'. The message also contains a worm program attachment called pics4you.exe (34,304 bytes). When the attachment is executed, the worm becomes resident in memory and e-mails itself to up to 50 people. The worm also sets the Microsoft Internet Explorer 'home page' setting to http://www.geocities.com/SiliconValley/Vista/8279/index.html. The Windows registry keys are also modified so that the worm is loaded into memory every time the computer is rebooted; as a result, the worm is always resident in memory. The worm has two payloads that simulate a Y2K problem. First, the worm monitors the system clock and, when it detects that the year is 2000, modifies the system BIOS. On the next cold reboot, the computer displays a message such as 'CMOS Checksum Invalid' and does not boot. This can easily be corrected by going into the BIOS setup. After the BIOS settings are corrected, the worm executes its second payload and formats the hard drive.
W32.Babylonia: W32.Babylonia is a virus that propagates mainly to other computer users via mIRC, a text-based communication application used to chat over the Internet. When an infected user logs onto mIRC, the virus is automatically sent to everyone within the same mIRC chat room as the infected user. The virus is sent as a Y2K bug fix. Once this file (the "Y2K bug fix") is executed, it infects other 32-bit EXE program files and also Windows Help files. The virus tries to modify the system to display the following message when booting the infected computer:
W95/Babylonia by Vecna (c) 1999
Greetz to RoadKil and VirusBuster
Big thankz to sok4ever webmaster
Abracos pra galera brazuca!!!
- ---
Eu boto fogo na Babilonia!
The virus also sends an e-mail to 'babylonia_counter@hotmail.com' to track infected computers. This virus has the ability to download its viral components from the Internet: when the virus is executed, it waits for an Internet connection, and when it detects that the computer can access the Internet, it downloads several files from a web server in Japan. Because the virus has this capability, it is possible for the virus writer to update the virus centrally.

A buffer overflow in the RSAREF code included in the USA version of the libssl package (called sslUSA) is possibly exploitable in isakmpd if SSL/RSA features are enabled or used. OpenSSH and httpd (with -DSSL) are not vulnerable; international users using the ssl26 package are not affected either. Further information about the patch can be found in the advisory.
Sendmail has a race in aliases file handling, which should be patched as well, as should various bugs in poll(2) which may cause a kernel crash.

Some versions of sshd are vulnerable to a buffer overflow that can allow an intruder to influence certain variables internal to the program. This vulnerability alone does not allow an intruder to execute code. However, a vulnerability in RSAREF2, which was discovered and researched by Core SDI, can be used in conjunction with the vulnerability in sshd to allow a remote intruder to execute arbitrary code with the privileges of the process running sshd, typically root. Further information about affected systems and patches is given in the CERT advisory.

The version of dump that was distributed with Debian GNU/Linux 2.1 suffers from a problem with restoring symbolic links. This has been fixed in version 0.4b9-0slink1.
Sendmail has a slight problem in the code that regenerates the aliases database: it allowed any user to run sendmail with the -bi option to (re)initialize the aliases database. The user could then interrupt sendmail and leave the system with a broken aliases database. This has been fixed by only allowing root and trusted users to regenerate the aliases database. An upgrade is recommended.
Htdig has a problem with calling external programs to handle non-HTML documents: it calls the external program with the document as a parameter, but does not check for shell escapes. This can be exploited by creating files with filenames that include shell escapes to run arbitrary commands on the machine that runs htdig.
Which patches should be installed is pointed out in the advisories.

System: Microsoft IIS
Topic: Attacks against IIS web servers involving MDAC: IN-99-08
US-CERT has received reports of IIS web servers compromised via a vulnerability in Microsoft Data Access Components (MDAC) discussed in 1998. In the reported incidents, attacks can be identified by looking through the IIS log files for POST access to the file "/msadc/msadcs.dll". For example:
1999-10-24 20:38:12 - WWW POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
If you use Microsoft Remote Data Services (RDS), these POST operations may be legitimate. CERT encourages all sites using IIS to carefully follow the steps listed in Microsoft Advisory MS99-025 to secure or disable RDS.

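As an added example (not from the original item or from CERT), the Python below scans W3C extended log lines for POST requests to /msadc/msadcs.dll. The sample log is constructed around the line quoted above; the assumption that the request method token is immediately followed by the URI stem is taken from that line, and the method is located by value because the column order depends on the server's #Fields directive.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}
RDS_ENDPOINT = "/msadc/msadcs.dll"


@dataclass
class RdsHit:
    timestamp: str
    method: str
    path: str
    line: str


def parse_log_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, method, uri-stem) from a W3C extended log line, or
    None for directives, blank lines and lines without a recognisable request.
    Assumption: date and time are the first two fields and the method token is
    followed directly by the URI stem, as in the sample line in the item."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    for idx in range(2, len(fields) - 1):
        if fields[idx].upper() in HTTP_METHODS and fields[idx + 1].startswith("/"):
            return f"{fields[0]} {fields[1]}", fields[idx].upper(), fields[idx + 1]
    return None


def find_rds_posts(lines: Iterable[str]) -> List[RdsHit]:
    """Every POST to msadcs.dll. Case is folded because IIS virtual paths are
    case-insensitive, so /MSADC/msadcs.dll reaches the same DLL."""
    hits = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        timestamp, method, path = parsed
        if method == "POST" and path.lower() == RDS_ENDPOINT:
            hits.append(RdsHit(timestamp, method, path, line))
    return hits


# Constructed sample log: the item's example line plus ordinary traffic, a GET
# to the same DLL (not flagged) and a second POST written in different case.
# The #Fields order is guessed to match the sample line and is not authoritative.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip s-sitename cs-method cs-uri-stem sc-status sc-bytes cs-bytes time-taken cs(User-Agent) cs(Cookie) cs(Referer)
1999-10-24 20:37:58 - WWW GET /default.htm 200 3042 300 15 Mozilla/4.0 - -
1999-10-24 20:38:12 - WWW POST /msadc/msadcs.dll 200 1409 664 782 ACTIVEDATA - -
1999-10-24 20:38:13 - WWW GET /msadc/msadcs.dll 403 0 210 2 Mozilla/4.0 - -
1999-10-24 20:39:01 - WWW POST /MSADC/msadcs.dll 200 1410 670 790 ACTIVEDATA - -
"""

if __name__ == "__main__":
    for hit in find_rds_posts(SAMPLE_LOG.splitlines()):
        print(hit.timestamp, hit.method, hit.path)
```

The hits still have to be checked against legitimate RDS use, as the item says; the function only narrows a large log to the requests worth reviewing, and on a site that does not use RDS at all every hit is suspicious.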
System: HP-UX 11.00
Topic: Multiple vulnerabilities in wu-ftp: HP Security Bulletin #00106, ERS-1999.189
Starting with HP-UX release 11.00, Hewlett-Packard has made the ported wu-ftp code available. There are buffer overruns in wu-ftpd, plus corrections to other client functionality. It is recommended to install patch PHNE_18377, which is available here.

System: IBM AIX 4.3.x
Topic: Remote buffer overflow in ftpd daemon: ERS-1999.004i.2
A buffer overflow vulnerability has been found in the AIX 4.3.x ftpd daemon that allows remote attackers to gain root access. The official fix IY04477 has now been published and can be downloaded here.

System: Microsoft Internet Explorer 4.01, 5 and 5.01
Topic: Vulnerability caused by Server-side Page Reference Redirect: MS99-050, ERS-1999.187
When a web server performs a server-side redirect, the IE security model checks the server's permissions on the new page. However, under favorable timing conditions it is possible for a web server to create a reference to a client window that the server is permitted to view, then use a server-side redirect to a client-local file, and bypass the security restrictions. The result is that a malicious web site operator could view files on the computer of a visiting user. The web site operator would need to know (or guess) the name and location of the file. Microsoft has published a hotfix for the US version of IE.

System: Microsoft Windows NT 4.0
Topic: Vulnerability by Malformed Resource Enumeration Argument: MS99-055, ERS-1999.186
When a specific type of malformed argument is supplied to a resource enumeration request, the Windows NT Service Control Manager can fail. The primary effect of the failure is that named pipes fail, which prevents many other system services from operating. The failure does not cause the machine to crash, so it might not be obvious to the operator that the machine is no longer in service. An affected computer can be put back into service by rebooting. The resource enumeration request involved in the vulnerability must be made via IPC, so customers can protect against remote attacks by blocking NetBIOS requests at the firewall. Microsoft has published a hotfix for the US versions of Windows NT Workstation, Windows NT Server, and Windows NT Server, Enterprise Edition (x86 and alpha). A fix for Windows NT Server, Terminal Server Edition will be released shortly.

This buffer overflow allows a remote attacker to gain privileged access to machines running the Solaris operating system while they are using snoop. The vulnerability also allows an attacker to bypass security measures put in place by Solaris-based firewall machines. It is not recommended to use a sniffing tool such as snoop from a firewall to diagnose network problems. It is strongly recommended to install the relevant patches:
| System | Patch-ID |
| SunOS 5.7 | 108482-01 |
| SunOS 5.7_x86 | 108483-01 |
| SunOS 5.6 | 108492-01 |
| SunOS 5.6_x86 | 108493-01 |
| SunOS 5.5.1 | 104960-02 |
| SunOS 5.5.1_x86 | 104961-02 |
| SunOS 5.5 | 108501-01 |
| SunOS 5.5_x86 | 108502-01 |
| SunOS 5.4 | 108490-01 |
| SunOS 5.4_x86 | 108491-01 |
| SunOS 5.3 | 108489-01 |

System: all
Topic: Denial-of-Service by trin00 and Tribe Flood Network programs: ISS-040, ERS-1999.184
A denial-of-service attack is designed to bring a network down by flooding it with large amounts of traffic. Attackers install the mentioned tools on compromised systems and start a concentrated and effective denial-of-service attack against a single target. It is recommended to check machines for these tools. Commercial tools like the Internet Scanner Security SAFEsuite can support the administrator here.

The qpopper program is Unix server software that supports the POP3 protocol for downloading Internet e-mail with client software. Some versions of qpopper (older than 2.5, and 3.0 beta older than b22) are vulnerable to a remotely exploitable buffer overflow which may allow remote users to gain root access, so it is strongly recommended to upgrade the systems. Further information can also be found in the QPopper FAQ list.

In these routines holes were found that allow unauthorized persons more privileges than normal. Several security holes were found in the "su" program of UnixWare 2.1.3 and UnixWare 7.0.0 through 7.1.1, along with the iaf library. It is recommended to install the System Security Enhancement (SSE) package SSE039 (ltr). Another package (SSE041, ltr) resolves the problems caused by libnsl and tcpip.so. In UnixWare 7.0.0 through 7.1.1 security problems were found in xlock, which can be solved by installing SSE042 (ltr). Patch SSE046 (ltr) fixes the uidadmin program in UnixWare 7.0 through 7.1.1. Without this patch, systems are vulnerable to local users gaining unauthorized privileges.

The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering to the hostname or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.
The vulnerability is eliminated by IE 5.01, which is also available here.

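As an added example (not part of the original item or of IE), the Python below reproduces the candidate list the WPAD algorithm described above would query, and goes one step further than the item by flagging the candidates whose domain lies outside the organisation's own suffix. That is exactly what turns a constructed two-label country-code domain such as example.co.uk into the trust problem described: the last candidate, wpad.co.uk, is a name anybody in that country-code space could register. Function names and the second domain are assumptions.

```python
from typing import List


def wpad_candidates(domain: str, min_labels: int = 2) -> List[str]:
    """Candidate WPAD host names in the order the item describes: 'wpad.' is
    prepended to the client's domain, then the leftmost label is dropped until
    only min_labels labels remain. With the default of 2 the last candidate is a
    third-level name such as wpad.microsoft.com."""
    labels = domain.strip(".").lower().split(".")
    out = []
    while len(labels) >= min_labels:
        out.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return out


def candidates_outside(domain: str, org_suffix: str) -> List[str]:
    """Candidates whose domain part is not the organisation's own suffix or a
    subdomain of it. Such names can be registered by an outside party, which is
    the trust problem the advisory describes for international domains."""
    org = org_suffix.strip(".").lower()
    outside = []
    for name in wpad_candidates(domain):
        dom = name[len("wpad."):]
        if dom != org and not dom.endswith("." + org):
            outside.append(name)
    return outside


if __name__ == "__main__":
    # The item's own example, then a constructed country-code domain.
    print(wpad_candidates("a.b.microsoft.com"))
    print(candidates_outside("a.b.microsoft.com", "microsoft.com"))
    print(candidates_outside("sales.example.co.uk", "example.co.uk"))
```

A defensive use of the same list is to make sure each candidate inside the organisation's suffix either resolves to the intended proxy server or does not resolve at all, so that no stale or unregistered name can be claimed.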
System: Microsoft IIS 4.0 and Site Server 3.0
Topic: Vulnerability by Multi-threaded SSL ISAPI Filter: MS99-053, ERS-183.182
This vulnerability only affects the SSL ISAPI filter. The SSL ISAPI filter of IIS supports concurrent use. When used in this mode, a synchronization problem could induce a race condition and cause a single buffer of plaintext to be leaked. The conditions under which this could happen are very rare and could only occur when a single user's session was multi-threaded and traffic volumes were extremely high. It is recommended to install the patches for Intel and Alpha published by Microsoft.

System: Windows platforms
Topic: New variant of ExploreZIP: K-008, S-99-47
A variant of the ExploreZip worm (see also J-047) is spreading rapidly. The worm runs on all Windows platforms, but Outlook or Exchange is needed for it to spread. The new variant is a packed version of the original worm and is not detected by existing antivirus programs. The worm spreads by sending itself as an e-mail attachment. The worm is destructive, zeroing the contents of files and making them unrecoverable. Do not execute an e-mail attachment named zipped_files.exe, as this is the worm program. Update your antivirus software as soon as updates are available.

System: Netscape Enterprise and FastTrack Server
Topic: Buffer Overflow in Authentication Procedure: ISS-039, ERS-1999.181
This vulnerability affects all supported platforms of the Enterprise and FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01 were found to be vulnerable. The buffer overflow is present in the HTTP Basic Authentication portion of the server. When accessing a password-protected portion of the Administration or Web server, a username or password that is longer than 508 characters will cause the server to crash with an access violation error. An attacker could utilize the Base64-encoded Authorization string to execute arbitrary code as SYSTEM on Windows NT, or as root on Unix. Attackers can use these privileges to gain full access to the server.
An upgrade of the system is strongly recommended. If this is not possible, it is recommended to block the Administration Server port with a firewall. Netscape has stated that FastTrack will not be patched. Although Netscape released service pack 3 for Enterprise Server 3.6, which fixes the vulnerability in the web server, the Administration Server remains vulnerable. ISS recommends installing iPlanet Web Server 4.0sp2, which is not vulnerable.
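As an added example (not from ISS or Netscape), the Python below shows the kind of check a reverse proxy or request filter can apply to Basic Authorization headers in front of a server that cannot be upgraded: it rejects malformed Base64 and any user name or password longer than a fixed limit, before the header reaches the vulnerable code. The 255-character default and the helper names are assumptions; the 508-character figure from the item is only the reference point the limit has to stay under.

```python
import base64
import binascii
from typing import NamedTuple, Optional


class AuthCheck(NamedTuple):
    ok: bool
    reason: str
    username: Optional[str]


def check_basic_authorization(header: str, max_len: int = 255) -> AuthCheck:
    """Validate an HTTP Basic Authorization header value. max_len bounds the
    decoded user name and the decoded password separately; the default is an
    assumption chosen well below the 508 characters named in the advisory."""
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return AuthCheck(False, "not a Basic credential", None)
    token = parts[1].strip()
    # Longest acceptable decoded form is max_len + ':' + max_len bytes; refuse
    # anything whose encoded size already exceeds that before decoding.
    max_decoded = max_len * 2 + 1
    if len(token) > (max_decoded + 2) // 3 * 4:
        return AuthCheck(False, "encoded credential too long", None)
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return AuthCheck(False, "invalid base64", None)
    user, sep, password = raw.partition(b":")
    if not sep:
        return AuthCheck(False, "missing ':' separator", None)
    if len(user) > max_len or len(password) > max_len:
        return AuthCheck(False, "user name or password exceeds limit", None)
    return AuthCheck(True, "ok", user.decode("latin-1"))


def encode_basic(username: str, password: str) -> str:
    """Build a Basic header value; used here only to construct sample inputs."""
    raw = f"{username}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample headers: a normal login, two oversized ones, one malformed.
    samples = (
        encode_basic("alice", "s3cret"),
        encode_basic("A" * 300, "x"),
        encode_basic("A" * 600, "x"),
        "Basic not-base64!",
    )
    for hdr in samples:
        print(check_basic_authorization(hdr))
```

A filter that returns 400 for every rejected header keeps oversized credentials away from the vulnerable server, but it is a stopgap for the Administration Server only; the item's recommendation to upgrade or to firewall that port still stands.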
