ISS X-Force
The Most Wanted Alert List

Alert Summaries

ISS Security Alert Summary
December 17, 1997
Volume 1 Number 9

X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list by sending an e-mail to [11]majordomo@iss.net and within the body of the message type: 'subscribe alert'.

___

Index

2 Reported New Vulnerabilities
   [13] - SNMP-config
   [14] - statd

2 Updates
   [15] - Sun-sendmail
   [16] - Sun-at

3 Reported Incidents
   [17] - Multiple Web Sites Hacked
   [18] - Fox Online Web Site Hacked
   [19] - Yahoo! Web Site Hacked

Risk Factor Key

___

Date Reported: 12/9/97
Vulnerability: SNMP-config
Platforms Affected: Check Point FireWall-1
Risk Factor: Low

The default configuration of Check Point FireWall-1 may allow remote users to access SNMP MIB information. The firewall cannot be compromised through this configuration; however, users should evaluate restricting the availability of SNMP MIB information on all SNMP-enabled devices.

For additional information and a patch go to Check Point's public Web site at [22]http://www.checkpoint.com/techsupport/snmp/cp-fw-301-0024.html

If a customer has not upgraded to FireWall-1 3.0, a description of how to change the configuration setting without the patch may be found at [23]http://www.checkpoint.com/techsupport/snmp/config/snmpindex.html

References:
   [24]ftp://ftp.secnet.com/pub/advisories/SNI-21.Firewall-1.advisory

___

Date Reported: 12/6/97
Vulnerability: Slack-crond
Platforms Affected: Linux Slackware 3.4
Risk Factor: High

A vulnerability exists in Linux Slackware version 3.4's crond.
A locally exploitable buffer overflow condition allows local users with an account to execute arbitrary code. By exploiting this vulnerability, users can obtain root access.

Reference:
   [27]http://www.dec.net/ksrt/adv5.html

___

Date Reported: 12/5/97
Vulnerability: statd
Platforms Affected: AIX (3.2, 4.1)
                    Digital UNIX (V4.0 - V4.0c)
                    Solaris (2.4, 2.5, 2.5.1)
                    SunOS (4.1.3, 4.1.4)
Risk Factor: High

statd provides network status monitoring, as well as crash and recovery functions for the locking services on NFS. Local users can exploit a vulnerability in statd that would allow them to execute commands as the user running statd, which is, in most cases, root. Remote users without an account on the system would also be able to exploit this vulnerability if statd is accessible on the network.

References:
   [30]ftp://info.cert.org/pub/cert_advisories/CA-97.26.statd
   [31]http://ciac.llnl.gov/ciac/bulletins/i-017.shtml

___

Date: 12/3/97 (CERT Advisory 96.20)
Update: Sun-sendmail
Vendor: Sun Microsystems, Inc.
Platforms: SunOS (4.1.3, 4.1.4)

Sun originally shipped SunOS 4.1.3 and 4.1.4 with Sendmail 5. Sun has released patches that contain Sendmail 8.6.9 plus extensions to upgrade Solaris 4.1.3 and 4.1.4 from Sendmail 5.

References:
   [34]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-159.txt
   [35]http://ciac.llnl.gov/ciac/bulletins/g-43a.shtml
   [36]ftp://info.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul

___

Date: 12/3/97 (CERT Advisory 97.18)
Update: Sun-at
Vendor: Sun Microsystems, Inc.
Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1)

The at program is used by local users to schedule commands to be run at a specific time. Sun has released patches that correct the problem that allows users to exploit the at command to gain root access.

References:
   [39]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-160.txt
   [40]ftp://info.cert.org/pub/cert_advisories/CA-97.18.at

___

Date Reported: 12/13/97
Incident: Multiple Web Sites Hacked

Over the weekend, dozens of web sites were hacked by the same (or apparently the same) person or group. A majority of the hacked sites depicted a picture of Jesus with the words 'Thou Art Owned!!!!' and 'BOW DOWN!'. See reference for exact sites and hacks.

Reference:
   [43]http://www.hacked.net/news.html

___

Date Reported: 12/11/97
Incident: Fox Online Web Site Hacked

The Fox television network's web site, Fox Online, was hacked in the early morning of the 11th. A message was posted making reference to an X-Files character and another by the name of 'Heike'.

Reference:
   [46]http://www.news.com/News/Item/0,4,17266,00.html

___

Date Reported: 12/9/97
Incident: Yahoo! Web Site Hacked

The Yahoo! web directory and search engine was hacked. Intruders changed the web pages that are seen by Lynx and older Netscape browsers. Their message was that they had planted a virus on Yahoo! and that anyone who had viewed their pages had it. They also made statements that Kevin Mitnick had been framed, and that they would only release the antidote to their virus if he was freed.

References:
   [49]http://www.zdnet.com/pcweek/spencer/spencer.html
   [50]http://www.infowar.com/hacker/hack_121397a.html-ssi
   [51]http://search.washingtonpost.com/wp-srv/WAPO/19971210/V000626-121097-idx.html
   [52]http://search.washingtonpost.com/wp-srv/WAPO/19971209/V000115-120997-idx.html
   [53]http://biz.yahoo.com/bw/971210/trident_data_systems_1.html
   [54]http://www.yahoo.com/headlines/971210/wired/stories/hacker_1.html
   [55]http://www.yahoo.com/headlines/971210/tech/stories/yahoo_2.html
   [56]http://www.wired.com:80/news/news/technology/story/9059.html

___

Risk Factor Key:

High
   any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
   Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on a mail server.

Medium
   any vulnerability that provides information that has a high potential of giving access to an intruder.
   Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that possibly can contain an account with a guessable password.

Low
   any vulnerability that provides information that potentially could lead to a compromise.
   Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading supplier of network security assessment and intrusion detection tools, providing comprehensive software that enables organizations to proactively manage and minimize their network security risks. For more information, contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS Web site at [59]http://www.iss.net.

________

Copyright (c) 1997 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert Summary electronically.
It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail [62]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: [63]http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X Force <xforce@iss.net> of Internet Security Systems, Inc.

Copyright ©1994-1998 Internet Security Systems, Inc. All Rights Reserved.
Sales Inquiries: [76]sales@iss.net
6600 Peachtree-Dunwoody Rd · Bldg 300 · Atlanta, GA 30328
Phone (678) 443-6000 · Fax (678) 443-6477

References

   1. http://xforce.iss.net/news.php3
   2. http://xforce.iss.net/seriousfun/
   3. http://xforce.iss.net/maillists/
   4. http://xforce.iss.net/library/
   5. http://xforce.iss.net/protoworx/
   6. http://xforce.iss.net/alerts/
   7. http://xforce.iss.net/submission.php3
   8. http://xforce.iss.net/feedback.php3
   9. http://xforce.iss.net/search.php3
  10. http://www.iss.net/xforce
  11. mailto:majordomo@iss.net
  12. http://xforce.iss.net/alerts/alerts.php3
  13. http://xforce.iss.net/alerts/vol-1_num-9.php3#SNMP-config
  14. http://xforce.iss.net/alerts/vol-1_num-9.php3#statd
  15. http://xforce.iss.net/alerts/vol-1_num-9.php3#Sun-sendmail
  16. http://xforce.iss.net/alerts/vol-1_num-9.php3#Sun-at
  17. http://xforce.iss.net/alerts/vol-1_num-9.php3#Multiple
  18. http://xforce.iss.net/alerts/vol-1_num-9.php3#Fox
  19. http://xforce.iss.net/alerts/vol-1_num-9.php3#Yahoo
  20. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  21. http://xforce.iss.net/alerts/alerts.php3
  22. http://www.checkpoint.com/techsupport/snmp/cp-fw-301-0024.html
  23. http://www.checkpoint.com/techsupport/snmp/config/snmpindex.html
  24. ftp://ftp.secnet.com/pub/advisories/SNI-21.Firewall-1.advisory
  25. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  26. http://xforce.iss.net/alerts/alerts.php3
  27. http://www.dec.net/ksrt/adv5.html
  28. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  29. http://xforce.iss.net/alerts/alerts.php3
  30. ftp://info.cert.org/pub/cert_advisories/CA-97.26.statd
  31. http://ciac.llnl.gov/ciac/bulletins/i-017.shtml
  32. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  33. http://xforce.iss.net/alerts/alerts.php3
  34. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-159.txt
  35. http://ciac.llnl.gov/ciac/bulletins/g-43a.shtml
  36. ftp://info.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul
  37. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  38. http://xforce.iss.net/alerts/alerts.php3
  39. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-160.txt
  40. ftp://info.cert.org/pub/cert_advisories/CA-97.18.at
  41. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  42. http://xforce.iss.net/alerts/alerts.php3
  43. http://www.hacked.net/news.html
  44. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  45. http://xforce.iss.net/alerts/alerts.php3
  46. http://www.news.com/News/Item/0,4,17266,00.html
  47. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  48. http://xforce.iss.net/alerts/alerts.php3
  49. http://www.zdnet.com/pcweek/spencer/spencer.html
  50. http://www.infowar.com/hacker/hack_121397a.html-ssi
  51. http://search.washingtonpost.com/wp-srv/WAPO/19971210/V000626-121097-idx.html
  52. http://search.washingtonpost.com/wp-srv/WAPO/19971209/V000115-120997-idx.html
  53. http://biz.yahoo.com/bw/971210/trident_data_systems_1.html
  54. http://www.yahoo.com/headlines/971210/wired/stories/hacker_1.html
  55. http://www.yahoo.com/headlines/971210/tech/stories/yahoo_2.html
  56. http://www.wired.com/news/news/technology/story/9059.html
  57. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  58. http://xforce.iss.net/alerts/alerts.php3
  59. http://www.iss.net/
  60. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  61. http://xforce.iss.net/alerts/alerts.php3
  62. mailto:xforce@iss.net
  63. http://www.iss.net/xforce/sensitive.html
  64. http://xforce.iss.net/alerts/vol-1_num-9.php3#list
  65. http://xforce.iss.net/alerts/alerts.php3
  66. http://xforce.iss.net/news.php3
  67. http://xforce.iss.net/seriousfun/
  68. http://xforce.iss.net/maillists/
  69. http://xforce.iss.net/library/
  70. http://xforce.iss.net/protoworx/
  71. http://xforce.iss.net/alerts/
  72. http://xforce.iss.net/submission.php3
  73. http://xforce.iss.net/feedback.php3
  74. http://xforce.iss.net/search.php3
  75. http://xforce.iss.net/about.php3
  76. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
  77. http://xforce.iss.net/privacy.php3