ISS Security Alert Summary
December 24, 1998
Volume 3 Number 3

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

Happy Holidays from the X-Force.
___

Contents

12 Reported Vulnerabilities
 - hp-jetdirect-tcpip
 - icmp-redirects
 - sgi-fcagent-dos
 - pcm-dos-execute
 - sol-mkcookie
 - excite-world-write
 - iparty-dos
 - netbsd-mmap-drivers-dos
 - aix-infod
 - http-netscape-fileread
 - samba-wsmbconf
 - nftp-bo

Virus Alert
 - remote-explorer

Risk Factor Key
___

Date Reported:       12-10-98
Vulnerability:       hp-jetdirect-tcpip
Platforms Affected:  HP JetDirect Print Servers
                     HP JetDirect Printer Interface Cards
Risk Level:          High

This issue regards a variety of problems with HP JetDirect printer interface cards and print servers. Older TCP/IP implementations on HP JetDirect cards and servers are vulnerable to Denial of Service (DoS) attacks. HP has addressed many of these issues with newer JetDirect print server products (Fall 98). Newer JetDirect interfaces feature a web interface for configuration, access, and control. Because the interface does not use SSL encryption, the potential exists for exposing sensitive information, such as administrative passwords and configuration information, to sniffing attacks.

Reference:
ISS Security Advisory: "HP JetDirect TCP/IP problems" at http://www.iss.net/xforce/alerts/advise15.html
___

Date Reported:       12-10-98
Vulnerability:       icmp-redirects
Platforms Affected:  OS-9
Risk Level:          Medium

One or more operating systems, popular for use in intelligent embedded controllers or PLCs (Programmed Logic Controllers), may have network protocol stacks which are vulnerable to certain classes of ICMP Redirect attacks. Vulnerable controllers are prone to hang or shut down shortly after receiving the attacking packets. The failure can extend even to their non-network functionality and can cause the controlled equipment to fail. There exists a significant possibility of the controlled equipment being left in a non-safe or inoperable condition, possibly leading to physical damage.

Reference:
ISS Security Advisory: "ICMP Redirects Against Embedded Controllers" at http://www.iss.net/xforce/alerts/advise14.html
___

Date Reported:       12-10-98
Vulnerability:       sgi-fcagent-dos
Platforms Affected:  IRIX (6.4, 6.5, 6.5.1)
Risk Level:          Medium

The fcagent RPC service is used to service requests about the status or configuration of a FibreVault enclosure. It is installed by default on Origin and Onyx2 platforms running IRIX 6.4 and higher. SGI has discovered a vulnerability that would allow a remote attacker to crash the FibreVault program.

Reference:
Silicon Graphics Inc. Security Advisory: "Vulnerability in IRIX fcagent daemon" at ftp://sgigate.sgi.com/security/19981201-01-PX
___

Date Reported:       12-04-98
Vulnerability:       pcm-dos-execute
Platforms Affected:  Policy Compliance Manager 7.0
Risk Level:          High

The Policy Compliance Manager (PCM) program performs security policy checks on systems, as well as a few security checks, similar to a security scanner. The smaxagent.exe listens on port 1827.
If a user connects to the PCM port and sends it a specific amount of data, the service will crash and have to be restarted. It is also possible for a remote user to execute arbitrary code using this vulnerability.

Reference:
S.A.F.E.R. Security Bulletin 981204.DOS.1.3: "Buffer Overflow in Platinum PCM 7.0" at http://www.siamrelay.com/advisories/advisory_0004.html
___

Date Reported:       12-03-98
Vulnerability:       sol-mkcookie
Platforms Affected:  Solaris (2.5x86, 2.5.1x86, 2.6x86, 2.7x86)
Risk Level:          High

mkcookie is a utility used to generate fresh 'Magic Cookies' each time the X server is run. RSI has discovered a vulnerability in mkcookie caused by insufficient bounds checking. Because mkcookie is suid root on Solaris x86 systems, this would allow attackers to execute arbitrary commands as root.

Reference:
Repent Security Incorporated, RSI: "RSI.0012.12-03-98.SOLARIS.MKCOOKIE" at http://enigma.repsec.com/advisory/0012.html
___

Date Reported:       11-30-98
Vulnerability:       excite-world-write
Platforms Affected:  Excite 1.1
Risk Level:          High

In Excite 1.1, the installation program installs many files with world-writable permissions. One of the world-writable files contains all of the users' encrypted passwords. Any user with shell or anonymous FTP access can modify any of the passwords.

Reference:
BUGTRAQ Mail Archives: "Security bugs in Excite for Web Servers 1.1" at http://www.netspace.org/cgi-bin/wa?A2=ind9811e&L=bugtraq&F=&S=&P=519
___

Date Reported:       11-30-98
Vulnerability:       iparty-dos
Platforms Affected:  iParty Servers
Risk Level:          Low

A denial of service attack exists against iParty servers. If a remote user connects to the iParty port (port 6004 is default) and sends a large amount of ^? characters, the iParty server will shut itself down and disconnect all users. No event of this activity shows up in the iParty log.

Reference:
BUGTRAQ Mail Archives: "iParty can be shut down remotely" at http://www.netspace.org/cgi-bin/wa?A2=ind9812a&L=bugtraq&F=&S=&P=68
___

Date Reported:       11-20-98
Vulnerability:       netbsd-mmap-drivers-dos
Platforms Affected:  NetBSD
Risk Level:          Medium

Many of the mmap character device drivers do not properly bounds check their arguments. This vulnerability permits access to physical or device memory, causing some systems to kernel panic and have to be rebooted.

Reference:
NetBSD Security Advisory 1998-005: "Problem with mmap(2) and many drivers." at ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-005.txt.asc
___

Date Reported:       11-19-98
Vulnerability:       aix-infod
Platforms Affected:  AIX (3.2.x, 4.1.x, 4.2.x, 4.3.x)
Risk Level:          High

The AIX infod (Information Explorer daemon) program provides information about the operating system. A malicious local user can trick the infod daemon by sending it false information to start an X display. If the attacker sends false environment variables as well as uid and gid of 0, infod will spawn an X display with root privileges.

Reference:
Repent Security Incorporated (RSI) RSI.0011.11-12-98.AIX.INFOD: "AIX infod" at http://www.repsec.com/advisory/0011.html
___

Date Reported:       11-19-98
Vulnerability:       http-netscape-fileread
Platforms Affected:  Netscape Communicator (4.05, 4.5) for Windows 95 and Windows NT
Risk Level:          Medium

A bug exists in Netscape Communicator that allows a malicious web page to read files and browse directories on the system. The contents of the file can be copied and sent to an arbitrary host. This problem exists in Netscape Communicator 4.5 for Windows 95 and 4.05 for NT.

Reference:
Georgi Guninski's Home Page: "Reading local files with Netscape Communicator 4.5" at http://www.geocities.com/ResearchTriangle/1711/b6.html
___

Date Reported:       11-19-98
Vulnerability:       samba-wsmbconf
Platforms Affected:  Samba 1.9.18
Risk Level:          High

A vulnerability exists in Samba 1.9.18 as distributed by Red Hat, Caldera, and TurboLinux. The vulnerability is in the wsmbconf binary, which is installed setgid root and executable by everyone. Normal users can exploit this vulnerability to gain read/write access as the group root.

Reference:
BUGTRAQ Mail Archives: "Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux" at http://www.netspace.org/cgi-bin/wa?A2=ind9811c&L=bugtraq&F=&S=&P=4610
___

Date Reported:       11-17-98
Vulnerability:       nftp-bo
Platforms Affected:  nftp
Risk Level:          High

nftp is a shareware ftp program that contains a buffer overflow condition in the way that it handles strings returned by the server. Once a user running nftp connects to the server, it could be possible to execute arbitrary code on the connecting system.

Reference:
BUGTRAQ Mail Archives: "nftp vulnerability" at http://www.netspace.org/cgi-bin/wa?A2=ind9811c&L=bugtraq&F=&S=&P=1799
___

Date Reported:       12/22/98
Virus Alert:         remote-explorer
Platforms Affected:  Windows NT
Risk Level:          High

A virus dubbed the Remote Explorer virus, or the RICHS virus, has been discovered at MCI WorldCom. The virus installs itself as a service on Windows NT and waits for an admin to log in. Once an admin has logged in, the virus tries to infect every other machine on the network using the admin privileges. The virus also encrypts files on the machine on which it is running, and renders them useless.

References:
Microsoft Security Advisor: "Information on the 'Remote Explorer' or 'RICHS' Virus" at http://www.microsoft.com/security/bulletins/remote.asp
Network Associates: "Remote Explorer" at http://www.nai.com/products/antivirus/remote_explorer.asp
___

Risk Factor Key

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low
Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.
___

Internet Security Systems, Inc. is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provides protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse and security policy violations. The Company has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, 9 of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.
___

Copyright (c) 1998 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.