From xforce@iss.net Fri Mar 5 14:35:07 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Fri, 5 Mar 1999 15:09:44 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary v3 n6

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
March 3, 1999
Volume 3 Number 6

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

12 Reported Vulnerabilities

- linux-super-logging-bo
- cobalt-raq-history-exposure
- openbsd-link-crash
- ncftpd-port-bo
- openbsd-ping-bo
- win-resourcekit-taskpads
- arcserve-agent-passwords
- wget-permissions
- backdoor-update
- digital-networker-bo
- openbsd-ipintr-race
- zgv-privilege-leak

Risk Factor Key

_____

Date Reported: 1999-02-26
Vulnerability: linux-super-logging-bo
Platforms Affected: Linux (Debian)
Risk Factor: High

Super is a package for delegating administrative privileges to users without
giving complete root privileges. A buffer overflow exists in the logging code
of Super which could allow a local user to cause the program to execute
arbitrary code with root privileges. Exploit information for this
vulnerability has been widespread.

References:
BUGTRAQ Mailing List: "SUPER buffer overflow" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902d&L=bugtraq&F=&S=&P=9518
Sekure SDI Homepage at:
http://www.sekure.org/english/

_____

Date Reported: 1999-02-25
Vulnerability: cobalt-raq-history-exposure
Platforms Affected: Cobalt RaQ
Risk Factor: Medium

The Cobalt RaQ web server device contains a vulnerability that may allow a
user's shell command history to be remotely obtained.
By default, the Cobalt web server shares a user's entire directory, which
could include sensitive files such as command history files. Any remote user
can abuse this hole, and the nature of the Cobalt RaQ's setup allows these
servers to be identified easily through web search engines.

References:
Wired News Online: "Teenager Finds Web-Server Hole" at:
http://www.wired.com/news/news/technology/story/18109.html
Cobalt Networks, Inc.: "Cobalt Networks - Security" at:
http://www.cobaltnet.com/security.html

_____

Date Reported: 1999-02-25
Vulnerability: openbsd-link-crash
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

The OpenBSD FFS link(2) call can be used by local users to crash the system
under some circumstances. The vulnerability exists because the nlink value is
incremented without a bound.

Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.com/errata.html#nlink

_____

Date Reported: 1999-02-23
Vulnerability: ncftpd-port-bo
Platforms Affected: NCFTPd
Risk Factor: Medium

A buffer overflow has been discovered in the NCFTPd server's implementation of
the PORT command. The vulnerability allows a remote attacker to corrupt one
byte of memory, which is enough to cause the server to crash and respawn. The
bug does not take the service down permanently.

Reference:
Proof of Concept - Security Advisory: "NcFTPd remote buffer overflow" at:
http://poc.csoft.net/advs/ncftpd-of/advisory.txt

_____

Date Reported: 1999-02-23
Vulnerability: openbsd-ping-bo
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

The OpenBSD ping command contains a buffer overflow in its handling of
oversized ICMP packets. It is not known whether this could lead to
unauthorized access, but sites are advised to upgrade ping regardless.
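The openbsd-ping-bo entry above describes the general failure mode of a ping implementation: a reply larger than the receive buffer is processed as if it fit. The following is an added example, not OpenBSD's ping(8) source and not part of this summary, showing the bounds checks a reply handler needs before it touches any header field. RECV_BUF_SIZE, the function names and the constructed sample packet are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenBSD's ping(8) source): check a datagram read from a
 * raw ICMP socket against the buffer it was received into before any header
 * field is used. RECV_BUF_SIZE and the helper names are assumptions. */

#define RECV_BUF_SIZE 2048      /* assumed size of the receive buffer */
#define IPV4_MIN_HDR_LEN 20
#define ICMP_HDR_LEN 8
#define ICMP_ECHOREPLY 0
#define ICMP_ECHO 8

enum reply_status {
    REPLY_OK = 0,
    REPLY_TRUNCATED,      /* reported length exceeds the buffer that holds it */
    REPLY_SHORT,          /* shorter than an IPv4 header plus an ICMP header */
    REPLY_BAD_IPHDR,      /* IHL field points outside the received data */
    REPLY_NOT_ECHOREPLY   /* some other ICMP type; ignore it */
};

/* pkt/buflen: the receive buffer; datalen: the length recvfrom(2) reported.
 * On REPLY_OK, *payload and *payload_len describe the ICMP payload and are
 * guaranteed to lie inside the first datalen bytes of pkt. */
enum reply_status check_reply(const uint8_t *pkt, size_t buflen, size_t datalen,
                              const uint8_t **payload, size_t *payload_len)
{
    /* Never trust a reported length larger than the buffer: the excess bytes
     * of an oversized packet were never stored, so reading them runs off the
     * end of the buffer. */
    if (datalen > buflen)
        return REPLY_TRUNCATED;
    if (datalen < IPV4_MIN_HDR_LEN + ICMP_HDR_LEN)
        return REPLY_SHORT;

    /* The IHL field is in 32-bit words; the ICMP header must fit after it. */
    size_t ip_hl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ip_hl < IPV4_MIN_HDR_LEN || ip_hl + ICMP_HDR_LEN > datalen)
        return REPLY_BAD_IPHDR;

    const uint8_t *icmp = pkt + ip_hl;
    if (icmp[0] != ICMP_ECHOREPLY)
        return REPLY_NOT_ECHOREPLY;

    *payload = icmp + ICMP_HDR_LEN;
    *payload_len = datalen - ip_hl - ICMP_HDR_LEN;
    return REPLY_OK;
}

/* Constructed sample input: an IPv4 header (IHL=5, no options) followed by an
 * ICMP echo reply carrying payload_len pattern bytes. Returns the datagram
 * length, or 0 if it would not fit. Checksums stay zero; nothing checks them. */
size_t build_echo_reply(uint8_t *buf, size_t buflen, size_t payload_len)
{
    size_t total = IPV4_MIN_HDR_LEN + ICMP_HDR_LEN + payload_len;
    if (total > buflen || total > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                         /* version 4, IHL 5 words */
    buf[2] = (uint8_t)(total >> 8);        /* total length */
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                           /* TTL */
    buf[9] = 1;                            /* protocol: ICMP */
    buf[20] = ICMP_ECHOREPLY;              /* ICMP type */
    buf[24] = 0x12; buf[25] = 0x34;        /* identifier */
    buf[27] = 1;                           /* sequence number */
    for (size_t i = 0; i < payload_len; i++)
        buf[28 + i] = (uint8_t)i;
    return total;
}

/* One scenario on a fresh sample packet: datalen is what recvfrom() is
 * pretended to have reported, ihl_byte replaces the first IP header byte and
 * icmp_type the ICMP type. Returns the verdict. */
enum reply_status check_sample(size_t datalen, uint8_t ihl_byte, uint8_t icmp_type)
{
    uint8_t buf[RECV_BUF_SIZE];
    if (build_echo_reply(buf, sizeof buf, 56) == 0)
        return REPLY_SHORT;
    buf[0] = ihl_byte;
    buf[20] = icmp_type;
    const uint8_t *payload;
    size_t payload_len;
    return check_reply(buf, sizeof buf, datalen, &payload, &payload_len);
}

/* Payload length check_reply() derives for a well-formed 56-byte-payload
 * reply, or 0 if that reply is rejected. */
size_t sample_payload_len(void)
{
    uint8_t buf[RECV_BUF_SIZE];
    size_t n = build_echo_reply(buf, sizeof buf, 56);
    const uint8_t *payload;
    size_t payload_len = 0;
    if (n == 0 || check_reply(buf, sizeof buf, n, &payload, &payload_len) != REPLY_OK)
        return 0;
    return payload_len;
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "short", "bad-iphdr", "not-echoreply" };
    printf("84-byte reply:          %s\n", names[check_sample(84, 0x45, ICMP_ECHOREPLY)]);
    printf("oversized (2100 bytes): %s\n", names[check_sample(2100, 0x45, ICMP_ECHOREPLY)]);
    printf("10-byte fragment:       %s\n", names[check_sample(10, 0x45, ICMP_ECHOREPLY)]);
    printf("IHL=2:                  %s\n", names[check_sample(84, 0x42, ICMP_ECHOREPLY)]);
    printf("echo request:           %s\n", names[check_sample(84, 0x45, ICMP_ECHO)]);
    return 0;
}
```

The order of the checks matters: the length reported by the socket layer is compared against the buffer size first, so an oversized packet is rejected before the IP header length field, which comes from the wire, is even read.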
Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.com/errata.html#nlink

_____

Date Reported: 1999-02-22
Vulnerability: win-resourcekit-taskpads
Platforms Affected: Windows Resource Kit
Risk Factor: High

The Windows Resource Kit (RK), optionally installed with Windows 95, 98, or
NT, contains a feature called "Taskpads" scripting as part of the Tools
Management Console Snap-in. Certain methods of launching RK Tools are marked
"safe for scripting"; however, they could allow a malicious web site to
execute arbitrary commands on the browsing user's computer.

References:
Microsoft Knowledgebase Article ID: Q218619: "Taskpads Let Web Sites Invoke
Executables on a User's Computer" at:
http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP
Microsoft Security Bulletin MS99-007: "Patch Available for Taskpads Scripting
Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-007.asp

_____

Date Reported: 1999-02-21
Vulnerability: arcserve-agent-passwords
Platforms Affected: ARCserveIT
Risk Factor: High

The CAI ARCserve NT backup agents transmit NT username and password
combinations across the network with very weak encryption. Because of the
tasks these agents perform, these passwords generally belong to Administrator
or other highly privileged accounts.

Reference:
BUGTRAQ Mailing List: "Severe Security Hole in ARCserve NT agents (fwd)" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902d&L=bugtraq&F=&S=&P=2099

_____

Date Reported: 1999-02-20
Vulnerability: wget-permissions
Platforms Affected: Linux (Debian)
Risk Factor: Medium

Wget, a file retrieval program for Unix systems, contains a vulnerability in
how it changes permissions on symbolic links when invoked with the -N option.
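The wget-permissions entry above turns on one property of chmod(2): it follows symbolic links, so changing the mode of a name that has become a symlink changes the file the link points at. The following is an added example, not wget's own code and not part of this summary, contrasting plain chmod(2) with a symlink-refusing variant built on open(2) with O_NOFOLLOW plus fchmod(2). The function names, the /tmp fixture and the sample modes are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not wget's code. chmod(2) follows symbolic links, so a
 * program that chmods a name it believes it just wrote can change the mode of
 * whatever the link points at. safe_chmod() opens the name with O_NOFOLLOW
 * and applies fchmod(2) to the descriptor: a symlink is refused (ELOOP) and
 * there is no window between checking the name and changing the file. */

/* Sets mode on path if path is a regular file and not a symlink.
 * Returns 0 on success, -1 with errno set (ELOOP for a symlink). */
int safe_chmod(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */

    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode))
            rc = fchmod(fd, mode);       /* acts on the opened file itself */
        else
            errno = EINVAL;              /* directories, devices: out of scope */
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed fixture in a fresh temporary directory: "target" (mode 0600)
 * and "lnk" -> target. Attempts to set mode 0644 on "lnk" with plain chmod(2)
 * (use_safe == 0) or safe_chmod() (use_safe != 0) and returns the mode
 * "target" ends up with, or -1 on a setup error. */
int target_mode_after_chmod_on_link(int use_safe)
{
    char dir[] = "/tmp/symlink-chmod-XXXXXX";
    char target[64], lnk[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    close(fd);
    if (symlink(target, lnk) < 0)
        goto cleanup;

    if (use_safe)
        safe_chmod(lnk, 0644);           /* expected to fail with ELOOP */
    else
        chmod(lnk, 0644);                /* follows the link to target */

    if (stat(target, &st) == 0)
        result = (int)(st.st_mode & 07777);

cleanup:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return result;
}

/* safe_chmod() on a regular file still works: returns the resulting mode. */
int mode_after_safe_chmod_on_regular(void)
{
    char path[] = "/tmp/safe-chmod-XXXXXX";
    struct stat st;
    int result = -1;
    int fd = mkstemp(path);              /* created with mode 0600 */
    if (fd < 0)
        return -1;
    close(fd);
    if (safe_chmod(path, 0640) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 07777);
    unlink(path);
    return result;
}

int main(void)
{
    printf("target after chmod(lnk, 0644):      %04o\n", target_mode_after_chmod_on_link(0));
    printf("target after safe_chmod(lnk, 0644): %04o\n", target_mode_after_chmod_on_link(1));
    printf("regular file after safe_chmod:      %04o\n", mode_after_safe_chmod_on_regular());
    return 0;
}
```

An lstat(2) check followed by chmod(2) would close the obvious case but leaves a race between the two calls; operating on a descriptor opened with O_NOFOLLOW removes that window, which is why the descriptor-based form is preferred.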
Reference:
Debian GNU/Linux - Security Information: "wget: Improper handling of symlink
permissions" at:
http://www.debian.org/security/1999/19990220

_____

Date Reported: 1999-02-19
Vulnerability: backdoor-update
Platforms Affected: Windows 9x, Windows NT
Risk Factor: High

The final version of NetBus 2.0 Pro was released on February 19. The new
version of NetBus is distributed not as a backdoor but as a "Remote
Administration and Spy Tool." Because of the proliferation of NetBus and its
common use in attacks across the Internet, NetBus 2.0 poses a significant risk
with its new functionality and enhanced network communication obfuscation.
The version of NB2 available on the Internet notifies users upon installation;
however, attackers can easily hide the installation with slight modifications.

Reference:
ISS Vulnerability Alert: "Windows Backdoors Update II: NetBus 2.0 Pro,
Caligula, and Picture.exe" at:
http://www.iss.net/xforce/alerts/advise20.html

_____

Date Reported: 1999-02-19
Vulnerability: digital-networker-bo
Platforms Affected: Digital Unix
Risk Factor: High

The Digital NetWorker program "nsralist" for Digital Unix contains a buffer
overflow that allows local users to execute arbitrary code with root
privileges. This hole affects all known versions of NetWorker, which install
nsralist suid root.

Reference:
BUGTRAQ Mailing List: "More Buffer Overflows in Digital Unix" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902c&L=bugtraq&F=&S=&P=12530

_____

Date Reported: 1999-02-19
Vulnerability: openbsd-ipintr-race
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

The kernel function ipintr() in OpenBSD contains a race condition which could
allow a remote attacker to crash the machine.
Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.com/errata.html#nlink

_____

Date Reported: 1999-02-19
Vulnerability: zgv-privilege-leak
Platforms Affected: All operating systems running zgv
Risk Factor: High

zgv is an image file viewer that runs under SVGAlib at the Linux console.
Since it has to access graphics hardware, it has to be installed suid root. A
vulnerability exists because zgv leaks its privileges to a child process,
which gives the user access to all I/O ports and use of the cli() and sti()
instructions. This vulnerability could lead to the attacker gaining root
access.

Reference:
Bugtraq Mailing List: "Security hole: 'zgv'" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902c&L=bugtraq&F=&S=&P=13001

_____

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a
machine, gains superuser access, or bypasses a firewall.
Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to
execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of
giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder
to get the password file, which could contain an account with a guessable
password.

Low
Any vulnerability that provides information that could potentially lead to a
compromise.
Example: A finger service that allows an intruder to find out who is online
and which accounts to attempt to crack via brute-force password guessing.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection and response software that protects
the security and integrity of enterprise information systems.
By dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products provides
protection across the enterprise, including the Internet, extranets, and
internal networks, from attacks, misuse, and security policy violations. ISS
has delivered its adaptive network security solutions to organizations
worldwide, including firms in the Global 2000, nine of the ten largest U.S.
commercial banks and over 35 governmental agencies. For more information, call
ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at
http://www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNuALgzRfJiV99eG9AQEsIgP+OuiLegj2uDyLSxwGIiLDzqliV01We314
2cEHjh6kPGzb9WyJl5MwFP4GzDbUeUeNe5HjlXMmizpTARmeoKCAIGjODTZmDARN
SPEOGrKTNUXVJ7KH929LVrcMP6GOwMXyfJx9rnw+e3lTw7aB2IaKrTdH4FvaYCf0
XjOnzHYRDno=
=66lB
-----END PGP SIGNATURE-----