From xforce@iss.net Fri Sep 17 14:58:41 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 16 Sep 1999 14:53:29 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary: v4 n7

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
September 15, 1999
Volume 4 Number 7

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

22 Reported Vulnerabilities
- http-powerdynamo-dotdotslash
- inn-inews-bo
- amd-bo
- wu-ftpd-dir-name
- nt-sequence-prediction-sp4
- ibm-gina-group-add
- linux-pt-chown
- oracle-dbsnmp
- oracle-dbsnmp-trace
- jet-text-isam
- jet-vba-shell
- lotus-ldap-bo
- smtp-refuser-tmp
- ciscosecure-read-write
- linux-telnetd-term
- qms-2060-no-root-password
- trn-symlinks
- aix-pdnsd-bo
- bsdi-smp-dos
- linux-termcap-tgetent
- suse-identd-dos
- win-ie5-telnet-heap-overflow

Risk Factor Key

_____

Date Reported: 1999-09-06
Vulnerability: http-powerdynamo-dotdotslash
Platforms Affected: Sybase PowerDynamo PWS
Risk Factor: Medium
Attack Type: Network/Host Based

PowerDynamo is a personal HTTP server produced by Sybase. A vulnerability has
been found that allows a remote attacker to traverse the server's file system
outside the document root by issuing GET requests with '../' in them. This
could allow any file to be remotely read by an attacker. If directory browsing
is enabled, the attacker doesn't need prior knowledge of file names to exploit
this flaw.
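The check a server in this position needs, as an added example that is neither Sybase's nor ISS's code: it maps a request path onto a file under the document root, refusing any request that would end up outside it, and runs the same check over access-log lines to flag attempts. The document root, the function names and the log lines are constructed assumptions for this example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example (not a real PowerDynamo install).
DOCROOT = "/srv/dynamo/htdocs"


def resolve_under_docroot(docroot, request_path):
    """Map an HTTP request path onto a file under docroot.

    Returns the resolved absolute path, or None when the request would
    escape the document root. The path is percent-decoded first so that
    '%2e%2e%2f' is treated the same as '../', then normalised so that every
    '..' is applied before the prefix check.
    """
    # Drop the query string; it must not influence which file is looked up.
    path = request_path.split("?", 1)[0]
    # Decode repeatedly so double-encoded sequences cannot slip past the check.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    root = posixpath.normpath(docroot)
    # Join relative to the root, then collapse '.', '..' and repeated slashes.
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Accept only paths that are the root itself or lie below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Return the common-log-format lines whose request target would escape DOCROOT."""
    flagged = []
    for line in log_lines:
        try:
            request = line.split('"')[1]   # e.g. 'GET /index.html HTTP/1.0'
            target = request.split()[1]
        except IndexError:
            continue
        if resolve_under_docroot(DOCROOT, target) is None:
            flagged.append(line)
    return flagged


# Constructed sample access-log lines for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Sep/1999:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [06/Sep/1999:10:00:02 -0400] "GET /../../etc/passwd HTTP/1.0" 200 1024',
    '10.0.0.5 - - [06/Sep/1999:10:00:03 -0400] "GET /docs/%2e%2e/%2e%2e/etc/shadow HTTP/1.0" 403 0',
    '10.0.0.5 - - [06/Sep/1999:10:00:04 -0400] "GET /docs/../index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for entry in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", entry)
```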
Reference:
BUGTRAQ Mailing List: "[Sybase] software vendors do not think about old bugs" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.05.9909041428230.5675-100000@mx.nkm.lt

_____

Date Reported: 1999-09-02
Vulnerability: inn-inews-bo
Platforms Affected: InterNet News (INN)
Risk Factor: High
Attack Type: Host Based

The InterNet News (INN) daemon contains the program inews, which injects new
postings into the news system. It is possible for a local attacker to overflow
a buffer in the inews program shipped with INN 2.2 and below, which would give
the user the privileges of the news group. This could theoretically allow the
attacker to gain root privileges.

References:
Red Hat, Inc. Security Advisory: "Buffer overflow problem in the inews program" at:
http://www.redhat.com/corp/support/errata/RHSA1999033_01.html
SuSE Security Announcement: "Security hole in inn" at:
http://www.suse.de/security/announcements/suse-security-announce-16.txt
Caldera Systems, Inc. Security Advisory CSSA-1999:026.0: "buffer overflow in inews" at:
ftp://ftp.calderasystems.com/pub/info/security/CSSA-1999:026.0.txt

_____

Date Reported: 1999-08-30
Vulnerability: amd-bo
Platforms Affected: FreeBSD
                    Linux: Red Hat (4.2, 5.2, 6.0)
Risk Factor: High
Attack Type: Network/Host Based

The Automounter daemon has a buffer overflow in the mount code that affects
Red Hat Linux. Passing a long string to the AMQPROC_MOUNT procedure can allow
a remote intruder to obtain root credentials.

References:
Red Hat, Inc. Security Advisory: "Buffer overrun in amd" at:
http://www.redhat.com/corp/support/errata/RHSA1999032_O1.html
Caldera Systems, Inc.
Security Advisory CSSA-1999:024.0: "buffer overflow in amd" at:
ftp://ftp.calderasystems.com/pub/info/security/CSSA-1999:024.0.txt

_____

Date Reported: 1999-08-26
Vulnerability: wu-ftpd-dir-name
Platforms Affected: wu-ftpd (2.5)
Risk Factor: High
Attack Type: Network/Host Based

A vulnerability has been discovered in Washington University's wu-ftpd program.
A buffer overflow condition exists in the bounds checking of directory names
supplied by the user. It is possible for a local or remote user to overwrite
static memory space by creating directory names, which could result in
increased privileges.

Reference:
BUGTRAQ Mailing List: "WU-FTPD Security Update" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=NDBBKFDGMLFBPDALDAMOOEHFCBAA.yua@artlover.com

_____

Date Reported: 1999-08-25
Vulnerability: nt-sequence-prediction-sp4
Platforms Affected: Windows NT (4.0)
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Windows NT 4.0 SP4 introduced a new method of generating TCP
sequence numbers. The method was designed to close a hole in previous versions
of Windows NT that allowed these numbers to be easily guessed. It has been
shown that SP4 and above systems are just as vulnerable to sequence number
prediction attacks as earlier service packs.

Reference:
NTA: "Leading Security testers 'NTA Monitor' Discover Security Flaw in Microsoft NT4 SP4" at:
http://www.nta-monitor.com/news/NT4-SP4.htm

_____

Date Reported: 1999-08-23
Vulnerability: ibm-gina-group-add
Platforms Affected: IBM GINA for NT
Risk Factor: High
Attack Type: Host Based

IBM's GINA for Windows NT allows NT hosts to authenticate against OS/2
domains. A vulnerability has been discovered that would allow a local user to
add themselves or another user to the "Local Administrators" group by
modifying a registry key. Once this key is modified, the user has
administrator privileges at logon.
Reference:
NTBUGTRAQ Mailing List: "IBM Gina security warning" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534

_____

Date Reported: 1999-08-23
Vulnerability: linux-pt-chown
Platforms Affected: Linux: Red Hat (6.0)
Risk Factor: High
Attack Type: Host Based

The GNU C Library (glibc) 2.1.x ships with the setuid helper program
"pt_chown", which is used to allow safe allocation of terminals to
non-privileged applications. A lack of security checks within this program
could allow a local attacker to take control of another user's (including
root's) terminal and take ownership of that device.

Reference:
BUGTRAQ Mailing List: "[Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl

_____

Date Reported: 1999-08-23
Vulnerability: oracle-dbsnmp
Platforms Affected: Oracle (8.x)
Risk Factor: High
Attack Type: Host Based

The Oracle 8 Intelligent Agent trusts certain environment variables. The
Intelligent Agent is also installed setuid root by default. Attackers may
manipulate these environment variables to create root-owned files, and the
file creation follows symbolic links.

Reference:
ISS Security Advisory: "Root Compromise Vulnerabilities in Oracle 8" at:
http://xforce.iss.net/alerts/advise35.php3

_____

Date Reported: 1999-08-23
Vulnerability: oracle-dbsnmp-trace
Platforms Affected: Oracle (8.x)
Risk Factor: High
Attack Type: Host Based

Oracle can be tricked into reading rogue configuration files via trusted
environment variables. 'dbsnmp' then opens a 'trace' file that is owned by
root and created with mode 666. This file can be linked out. Another
vulnerability again depends on trusted environment variables: 'dbsnmp' will
execute rogue TCL scripts if environment variables are manipulated correctly.
Reference:
ISS Security Advisory: "Additional Root Compromise Vulnerabilities in Oracle 8" at:
http://xforce.iss.net/alerts/advise36.php3

_____

Date Reported: 1999-08-20
Vulnerability: jet-text-isam
Platforms Affected: Microsoft Jet (3.5, 3.5.1, 4.0)
Risk Factor: High
Attack Type: Network/Host Based

Microsoft Jet is a database engine used in programs such as Office 97 and
Office 2000. It has functionality called Text I-ISAM that allows the Jet
driver to write to a text file. A malicious user could exploit a vulnerability
in Text I-ISAM and write to system files by performing a database query.

Reference:
Microsoft Security Bulletin (MS99-030): "Patch Available for Office 'ODBC Vulnerabilities'" at:
http://www.microsoft.com/Security/Bulletins/ms99-030.asp

_____

Date Reported: 1999-08-20
Vulnerability: jet-vba-shell
Platforms Affected: Microsoft Jet (3.5, 3.5.1)
Risk Factor: High
Attack Type: Network/Host Based

Microsoft Jet is a database engine used in programs such as Office 97 and
Office 2000. Microsoft Jet contains a vulnerability that could allow an
operating system command to be executed from a database query. Once the query
is executed from a spreadsheet or program, a user could execute virtually
anything on the affected machine.

Reference:
Microsoft Security Bulletin (MS99-030): "Patch Available for Office 'ODBC Vulnerabilities'" at:
http://www.microsoft.com/Security/Bulletins/ms99-030.asp

_____

Date Reported: 1999-08-20
Vulnerability: lotus-ldap-bo
Platforms Affected: Lotus Notes
Risk Factor: Medium
Attack Type: Network/Host Based

There is a buffer overflow in the Lotus Notes LDAP Service (NLDAP), the
service that handles the LDAP protocol. This buffer overflow is related to the
way that NLDAP handles the ldap_search request. By sending a large parameter
in the ldap_search request, an attacker can cause a PANIC in the Domino
server. This allows an attacker to stop all Domino services running on the
affected machine.
Reference:
ISS Security Advisory: "Denial of Service Attack against Lotus Notes Domino Server 4.6" at:
http://xforce.iss.net/alerts/advise34.php3

_____

Date Reported: 1999-08-20
Vulnerability: smtp-refuser-tmp
Platforms Affected: Linux: Debian
Risk Factor: Medium
Attack Type: Network/Host Based

The smtp-refuser package, installed on some versions of Debian Linux systems,
creates a logging facility in the system "/tmp" directory. This facility is
insecurely created and could allow a local attacker who has write access to
"/tmp" to delete arbitrary root-owned files on the system.

Reference:
Debian Security Information: "smtp-refuser: /tmp file creation problem" at:
http://www.debian.org/security/1999/19990823b

_____

Date Reported: 1999-08-19
Vulnerability: ciscosecure-read-write
Platforms Affected: CiscoSecure
Risk Factor: High
Attack Type: Network/Host Based

A vulnerability in CiscoSecure ACS versions 1.0 through 2.3.2 for Unix allows
a remote attacker to read and write to the server database without
authentication. The attacker could modify access policies, add and delete
accounts, or elevate access privileges for accounts. CiscoSecure ACS for
Windows NT is not vulnerable to this problem.

Reference:
Cisco Field Notice: "CiscoSecure Access Control Server for UNIX Remote Administration Vulnerability" at:
http://www.cisco.com/warp/public/770/csecure-dbaccess.shtml

_____

Date Reported: 1999-08-19
Vulnerability: linux-telnetd-term
Platforms Affected: Linux: Red Hat (4.2, 5.2, 6.0)
Risk Factor: Medium
Attack Type: Network/Host Based

The telnetd server and libncurses library of some Linux systems, notably Red
Hat and Caldera, could allow a remote or local attacker to cause the system to
crash or hang. By specifying a malformed terminal type when connecting to a
vulnerable system's telnet server, the daemon can be made to read files in a
way that crashes the system, causing a denial of service.
This same attack can be exploited by local attackers by giving bad terminal
information to setuid programs linked against a vulnerable libncurses library.

References:
Red Hat, Inc. Security Advisory: "Denial of service attack in in.telnetd" at:
http://www.redhat.com/corp/support/errata/RHSA1999029_01.html
Caldera Systems, Inc. Security Advisory CSSA-1999:022.0: "Security issues with telnetd and libcurses" at:
http://www.calderasystems.com/news/security/CSSA-1999:022.0.txt

_____

Date Reported: 1999-08-19
Vulnerability: qms-2060-no-root-password
Platforms Affected: QMS CrownNet Unix Utilities for 2060
Risk Factor: High
Attack Type: Network Based

The QMS CrownNet Unix Utilities for 2060 use a file called passwd.ftp that
controls logins for users allowed to print to the QMS. This vulnerability
allows root to log on without a password, and therefore to change passwd.ftp
and other files.

Reference:
BUGTRAQ Mailing List: "QMS 2060 printer security hole" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908181402.KAA03077@alchemy.chem.utoronto.ca

_____

Date Reported: 1999-08-19
Vulnerability: trn-symlinks
Platforms Affected: Linux: Debian
Risk Factor: Medium
Attack Type: Host Based

Trn is an NNTP-compatible newsreader for Unix systems. Some versions of trn
create temporary files insecurely in the system '/tmp' directory. This could
allow a local attacker to create symbolic links to a user's files, which would
be overwritten when that user executes trn.
References:
Debian Security Information: "trn: /tmp file creation problem" at:
http://www.debian.org/security/1999/19990823c
SuSE Security Announcement: "Security hole in trn" at:
http://www.suse.de/security/announcements/suse-security-announce-14.txt

_____

Date Reported: 1999-08-17
Vulnerability: aix-pdnsd-bo
Platforms Affected: AIX
Risk Factor: High
Attack Type: Network/Host Based

The Source Code Browser's Program Database Name Server Daemon (pdnsd)
component of the C Set ++ compiler for AIX contains a remotely exploitable
buffer overflow. This vulnerability allows local or remote attackers to
compromise root privileges on vulnerable systems.

References:
IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1999:003: "The IBM C Set ++ for AIX Source Code Browser allows local and remote users to become root." at:
http://www.brs.ibm.com/services/brs/ers/brspwadv.nsf/Date/E53CE3A5F5B41D44852567D0004A250F/$file/sva003.txt
CIAC Information Bulletin J-059: "J-059: IBM AIX (pdnsd) Buffer Overflow Vulnerability" at:
http://www.ciac.org/ciac/bulletins/j-059.shtml

_____

Date Reported: 1999-08-17
Vulnerability: bsdi-smp-dos
Platforms Affected: BSDi (4.0.1)
Risk Factor: Medium
Attack Type: Host Based

A local denial of service exists with Symmetric Multiprocessing (SMP) in BSDi
4.0.1. When the CPU load average is already high, a local user can make the
system halt or stop responding by executing fstat calls.
Reference:
BUGTRAQ Mailing List: "Symmetric Multiprocessing (SMP) Vulnerability in BSDi 4.0.1" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net

_____

Date Reported: 1999-08-17
Vulnerability: linux-termcap-tgetent
Platforms Affected: Linux: Red Hat (4.2, 5.2)
Risk Factor: High
Attack Type: Host Based

A vulnerability in the libtermcap tgetent() function on Red Hat Linux 4.2 and
5.2 systems could allow a malicious local user to overflow a buffer, allowing
them to execute arbitrary code with root privileges. This hole can be
exploited on systems that allow a user to specify their own termcap file.

Reference:
Red Hat, Inc. Security Advisory RHSA-1999:028-01: "Buffer overflow in libtermcap tgetent()" at:
http://www.redhat.com/corp/support/errata/RHSA1999028_01.html

_____

Date Reported: 1999-08-16
Vulnerability: suse-identd-dos
Platforms Affected: Linux: SuSE
Risk Factor: Medium
Attack Type: Network/Host Based

In some SuSE Linux distributions, identd is started from inetd.conf with the
options -w -t120. Once an identd connection is made to the server, it waits
120 seconds before answering another connection. A remote attacker could send
a large number of identd connections to the server and use up all the memory
on the server, causing it to crash.

Reference:
BUGTRAQ Mailing List: "DOS against SuSE's identd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990814202948.26220.qmail@securityfocus.com

_____

Date Reported: 1999-08-16
Vulnerability: win-ie5-telnet-heap-overflow
Platforms Affected: Internet Explorer (4.0, 4.01, 5.0)
Risk Factor: High
Attack Type: Network/Host Based

A vulnerability exists in the Telnet.exe program shipped with Internet
Explorer 4 and some versions of Internet Explorer 5. An overflow in the
Telnet.exe application could allow arbitrary code to be remotely executed by
an attacker.
Reference:
BUGTRAQ Mailing List: "telnet.exe heap overflow - remotely exploitable" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990815220227.37285.qmail@hotmail.com

_____

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access
        into a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an intruder
        to execute commands on the mail server.

Medium  Any vulnerability that provides information that has a high
        potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows an
        intruder to get the password file, which could contain an account
        with a guessable password.

Low     Any vulnerability that provides information that potentially could
        lead to a compromise.
        Example: A finger service that allows an intruder to find out who is
        online and which accounts to attempt to crack via brute-force
        password guessing.

ISS is the pioneer and leading provider of adaptive network security software
delivering enterprise-wide information protection solutions. ISS' award-winning
SAFEsuite family of products enables information risk management within
intranet, extranet and electronic commerce environments. By combining
proactive vulnerability detection with real-time intrusion detection and
response, ISS' adaptive security approach creates a flexible cycle of
continuous security improvement, including security policy implementation and
enforcement. ISS SAFEsuite solutions strengthen the security of existing
systems and have dramatically improved the security posture for organizations
worldwide, making ISS a trusted security advisor for firms in the Global 2000,
21 of the 25 largest U.S. commercial banks and over 35 governmental agencies.
For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the
ISS Web site at www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN9+/tzRfJiV99eG9AQEokAP/Su3Ndb6NShK/H0xbEqCsQbKv+ju7XAAK
JYnzl8nBgESAxTfOoVDic4MA049YNONuKlN99bb3X9RZ7GbZq7WogA+G8BbQEbQ5
DkkbVD2ntjCwKpcuH9XcUiTFrQfGWblS9aJgYtX+tEhVqmMrSl/86cp664D1lKkn
J/j4/CsFi4A=
=AWqf
-----END PGP SIGNATURE-----