SecurityFocus Microsoft Newsletter #67

From: Marc Fossi (mfossi@securityfocus.com)
Date: 01/03/02


Date: Thu, 3 Jan 2002 09:11:04 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #67
--------------------------------------

This Issue is sponsored by: Surfcontrol, Inc.

WHAT'S THE BIGGEST SECURITY PROBLEM FOR IT MANAGERS?

"Users opening up infected email attachments." Unfortunately, anti-virus
software alone is only half the solution. SuperScout Email Filter allows
you to set up rules to effectively block the "Goners" and "BadTrans" of
the cyber world. FREE 30-Day Trial: http://www.surfcontrol.com/offer/zsfms1231

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Advertising Information
     2. Chasing the Wind, Episode Thirteen: Cabbages and Kings
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft UPnP NOTIFY Buffer Overflow Vulnerability
     2. Microsoft Internet Explorer Refresh Denial of Service...
     3. Microsoft IE for Solaris X Server Denial of Service Vulnerability
     4. Microsoft SQL-Server Buffer Overflow Vulnerability
     5. Microsoft Universal Plug and Play Simple Service Discovery...
     6. Microsoft Windows C Runtime Library Format String Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Taking control of ones machine (Thread)
     2. sshd configuration on windows (Thread)
     3. Recent Mac/Win interop threads (Thread)
     4. domain authentication (Thread)
     5. SecurityFocus Microsoft Newsletter #66 (Thread)
     6. Re : Microsoft IIS False Content-Length Field DoS Vulnerability...
     7. IE headers w patch level (Thread)
     8. Posting sensitive info, was => Re: Taking control of one...
     9. Microsoft MS01-059, Universal Plug-n-Play vulnerability...
     10. NTLM v2 implementation (Thread)
     11. mac client password changes (Thread)
     12. Pocket PC based password safes (Thread)
     13. question regarding SAM file / l0phtcrack / pwdump2 (Thread)
     14. Windows XP Update possible BUG [ Was: RE: RE: MS01-058...
     15. MS01-058 patch (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. Transcend Secure VPN Manager
     2. Security Analyzer
     3. ActiveSentry
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Stunnel v3.22
     2. Big Brother 1.8d2
     3. Anubis v1.1.0
     4. NTLM Authorization Proxy Server v0.9.7
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Advertising Information

Reach the LARGEST audience of security professionals with SecurityFocus
direct e-marketing NOW!

SecurityFocus is the Web's most successful security intelligence site,
with more than 200,000 unique monthly visitors (September 2001), and
growing rapidly each week. Leverage the security portal of unrivaled
credibility and influence in your next direct marketing campaign.

To find out how SecurityFocus Web marketing and opt-in email newsletter
sponsorships can drive your company's success, contact us at
adsales@securityfocus.com, or download the Advertising Kit at
http://www.securityfocus.com/about/press/adverts.shtml. To speak directly
with a customer service representative, please call +1(650) 655-6350.

2. Chasing the Wind, Episode Thirteen: Cabbages and Kings
by Robert G. Ferrell

Jake sat at the incarcerated Merv's terminal and scratched his head. The
military security people had told him that this box was sending bursts of
(presumed) classified data to an undisclosed location in another country.
Okay, except that this segment of the network had no physical attachment
to the secured net. In fact, the segment into which this box was plugged
wasn't even on his network map. That was a little disturbing, but not
entirely surprising, since the data telecomm documentation he'd inherited
from his predecessor was a little on the skimpy side.

http://www.securityfocus.com/infocus/1529

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Microsoft UPnP NOTIFY Buffer Overflow Vulnerability
BugTraq ID: 3723
Remote: Yes
Date Published: Dec 20 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3723
Summary:

Universal Plug and Play, or UPnP, is a service that allows for hosts to
locate and use devices on the local network. UPnP support ships with
Windows XP and ME. For Windows 98 and 98SE, it is available with Windows
XP's Internet Connection Sharing client.

When a new device is installed, it will broadcast a UDP NOTIFY packet to
all devices on the UPnP network specifying the address and port for all
other devices to download its description from. This information is
stored in the location field, one of several comprising the NOTIFY
message.

When processing the location field in a NOTIFY directive, UPnP server
process memory can be overwritten by data that originated in the packet.
If the IP address, port and filename components are of excessive length,
access violations will occur when the server attempts to dereference
pointers overwritten with data from the packet.

This condition may be exploitable in a number of different ways, depending
on what is overwritten by attackers. An attacker may be able to overwrite
a function pointer with a pointer to shellcode also supplied in the
request. An attacker may also be able to replace a pointer that is
written to, and the value that is written. This could allow for code
execution through replacement of return addresses, function pointers, etc.

It should be noted that the service listens on broadcast and multicast
interfaces. This could permit an attacker to exploit a number of systems
without knowing their individual IP addresses.

The UPnP service runs in the SYSTEM security context. An attacker who
successfully exploits this vulnerability could gain control over the
target host.

2. Microsoft Internet Explorer Refresh Denial of Service Vulnerability
BugTraq ID: 3730
Remote: Yes
Date Published: Dec 20 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3730
Summary:

A malicious web site operator could design a web page that, when visited
by an IE user, will cause IE to crash.

If a webpage containing Javascript designed to cause a continuous refresh
via 'self.location = self.location' is viewed, IE will crash.

A restart of the application is required in order to gain normal
functionality.

3. Microsoft IE for Solaris X Server Denial of Service Vulnerability
BugTraq ID: 3729
Remote: No
Date Published: Dec 20 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3729
Summary:

It has been reported that in some situations, Internet Explorer 5.0 SP1
for Solaris is able to crash the X server. In particular, this has been
reported with Chinese versions of the software.

If a Chinese-language web page is displayed and the IE window is rapidly
scrolled up and down, it is possible to end the user session, returning
the CDE session to dtlogin. This may also happen if the IE window is
maximized.

If this procedure is repeated several times, the X server may crash
altogether. At this point, the local user is simply presented with a text
login prompt, and the following message:

can not start x server

This problem can result in a denial of service to all X users.

4. Microsoft SQL-Server Buffer Overflow Vulnerability
BugTraq ID: 3733
Remote: Yes
Date Published: Dec 20 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3733
Summary:

Microsoft SQL Server contains buffer overflows in several built-in text
formatting and printing functions. Two of the affected functions
are 'raiserror()' and 'xp_sprintf()', both vulnerable to overflows due to
inadequate bounds checking of externally supplied data prior to memory
copy operations. If the amount of data supplied exceeds the size of the
buffer where it is to be copied, the excessive data will overwrite
neighbouring memory. If critical data such as the function return address
on the stack is overwritten, the flow of program execution can be
altered.

If an attacker can invoke the affected procedures with
custom arguments, or insert/modify arguments for legitimate invocations,
arbitrary code can be executed. This can be accomplished by replacing the
affected function return address with a pointer to supplied shellcode.

It may be possible for malicious users to exploit this
vulnerability through applications that interact with the database, such
as CGI scripts or Java programs. Public domain CGI scripts are
notoriously ridden with input validation vulnerabilities that may allow
for attacker insertion of exploit code into SQL queries.

This vulnerability makes it possible for an attacker to execute arbitrary
code in the security context of the server process. An attacker can also
exploit this vulnerability to crash the server.

5. Microsoft Universal Plug and Play Simple Service Discovery Protocol
Denial of Service Vulnerability
BugTraq ID: 3724
Remote: Yes
Date Published: Dec 20 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3724
Summary:

Universal Plug and Play, or UPnP, is a service that allows for hosts to
locate and use devices on the local network. UPnP support ships with
Windows XP and ME. For Windows 98 and 98SE, it is available with Windows
XP's Internet Connection Sharing client.

The Simple Service Discovery Protocol (SSDP) is a component of UPnP that
allows a system to enumerate the resources of a newly installed network
device on a UPnP network. When a new device is installed, it will
broadcast a UDP NOTIFY packet to all devices on the UPnP network
specifying the address and port for all other devices to download its
description from.

It is possible to construct a UDP NOTIFY packet that directs UPnP devices
to download the description from a port on a system that echoes requests
back to the sender; the requesting UPnP systems could then enter an
endless download cycle. The system must be manually restarted to exit
this condition.

It could also be possible to use this technique to initiate a distributed
denial of service attack on a third party. By constructing a NOTIFY
packet which directs a large number of UPnP devices to the address of a
third party server, the responding UPnP devices could flood the server
with requests.

For both scenarios, the NOTIFY packet could be directed to a broadcast or
multicast domain which would affect all the UPnP systems within earshot
with a single packet.
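The two UPnP advisories above (BID 3723 and BID 3724) both come down to a
receiver trusting whatever the NOTIFY packet puts in its LOCATION header. The
following is an added, illustrative Python receiver-side check, not Microsoft's
or SecurityFocus's code: it parses a raw SSDP NOTIFY datagram, rejects LOCATION
values whose host or path components exceed a length limit before they reach any
fixed-size buffer, and only follows a LOCATION whose host is a literal IP inside
the local network, so a NOTIFY cannot redirect description downloads to an echo
port or to a third party's server. The length limits, the local subnet and the
sample datagrams are constructed assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed limits and local subnet for this example; a real deployment would
# derive the allowed networks from the interface the datagram arrived on.
MAX_HOST = 64
MAX_PATH = 256
MAX_HEADER_LINE = 1024
MAX_DATAGRAM = 4096
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_notify(datagram):
    """Parse the header block of an SSDP NOTIFY into a dict (lower-cased names).

    Raises ValueError on anything that is not a well-formed NOTIFY.
    """
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram too large")
    lines = datagram.decode("ascii").split("\r\n")  # strict: non-ASCII raises
    if lines[0] != "NOTIFY * HTTP/1.1":
        raise ValueError("not an SSDP NOTIFY")
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line terminates the header block
            break
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("header line too long")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return headers


def validate_location(location):
    """Return (host, port, path) for a LOCATION we are willing to fetch from."""
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname is None:
        raise ValueError("LOCATION must be an http URL with a host")
    host, path = parts.hostname, parts.path or "/"
    if len(host) > MAX_HOST or len(path) > MAX_PATH:
        raise ValueError("LOCATION component exceeds length limit")
    port = parts.port if parts.port is not None else 80  # .port raises if out of range
    addr = ipaddress.ip_address(host)  # require an IP literal; DNS names raise here
    if not any(addr in net for net in LOCAL_NETS):
        raise ValueError("LOCATION host is outside the local network")
    return host, port, path


def check_notify(datagram):
    """Validated (host, port, path) to fetch the description from, else None (drop)."""
    try:
        return validate_location(parse_notify(datagram)["location"])
    except (ValueError, KeyError, UnicodeDecodeError):
        return None


# Constructed sample datagrams: one benign, three that must be dropped.
GOOD = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
        b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:5000/desc.xml\r\n\r\n")
OVERSIZE_LINE = b"NOTIFY * HTTP/1.1\r\nLOCATION: http://192.168.1.20/" + b"A" * 2000 + b"\r\n\r\n"
LONG_PATH = b"NOTIFY * HTTP/1.1\r\nLOCATION: http://192.168.1.20/" + b"A" * 300 + b"\r\n\r\n"
THIRD_PARTY = b"NOTIFY * HTTP/1.1\r\nLOCATION: http://203.0.113.5:7/desc.xml\r\n\r\n"
```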

6. Microsoft Windows C Runtime Library Format String Vulnerability
BugTraq ID: 3732
Remote: Unknown
Date Published: Dec 20 2001 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3732
Summary:

The Windows C Runtime Library is a shared library containing instructions
for the standard C library functions. It is used by almost all Windows
programs compiled from C or C++ source code.

There exists a format string vulnerability in the Windows C Runtime
Library that may be exploitable through programs that use the affected
functions.

Format string vulnerabilities typically occur in applications that pass
user input to library functions supporting *printf string formatting as
the format string argument. When users can control the format string,
special format specifiers such as '%n' can be used to write almost
arbitrary values to attacker-supplied locations in memory.

In existing format string vulnerabilities, the problem is that the
application fails to properly sanitize data before passing it to the
*printf function. This vulnerability is different, and lies in the
library code rather than in a specific application.

It is reportedly possible for attackers who can pass data to the affected
functions in programs using them to exploit this vulnerability.

It has been confirmed that this vulnerability is exploitable through SQL
Server, however the only possible consequence of a successful attack is a
denial of service (code execution is reportedly not possible).

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Taking control of ones machine (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000b01c18f3e$9baa5420$fdfea8c0@dellydoo&threads=1

2. sshd configuration on windows (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=243C47087E9A9E4A86A2650B4E454EC1990D@globalsis1.globalsis.com.ar&threads=1

3. Recent Mac/Win interop threads (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C2B862C.4050709@yahoo.com&threads=1

4. domain authentication (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E00ECDED326C0B4288A0B4F7F02DE2DD276B@mickey&threads=1

5. SecurityFocus Microsoft Newsletter #66 (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.GSO.4.30.0112261746430.26047-100000@mail.securityfocus.com&threads=1

6. Re : Microsoft IIS False Content-Length Field DoS Vulnerability (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=421320D23C15B749B12A0A54CC203C04080139@df-toto.dogfood&threads=1

7. IE headers w patch level (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAWCgHqRA%2b%2f0S4RTIdGDuMgcKAAAAQAAA&threads=1

8. Posting sensitive info, was => Re: Taking control of ones machine (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C240E2A.F5C9246C@mor-lan-d.com&threads=1

9. Microsoft MS01-059, Universal Plug-n-Play vulnerability. (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C23C05B.6020208@yahoo.com&threads=1

10. NTLM v2 implementation (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=028501c18a41$75a10a00$488cea9e@lbe462&threads=1

11. mac client password changes (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OF5524A90E.2A1D4398-ON85256B29.0076144D@frb.gov&threads=1

12. Pocket PC based password safes (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=51F912F2A6CDD111810A00600811BA42024D82A8@TEA05&threads=1

13. question regarding SAM file / l0phtcrack / pwdump2 (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E0390A21F9C3D41191FC00A0C95FF4B982B5CC@titan.asizip.com&threads=1

14. Windows XP Update possible BUG [ Was: RE: RE: MS01-058 patch ] (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAWCgHqRA%2b%2f0S4RTIdGDuMgcKAAAAQAAA&threads=1

15. MS01-058 patch (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=7400546A8E39414EB4AA7A8193047E840834AA@MOC2.midnightoil.local&threads=1

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Transcend Secure VPN Manager
by 3com
Platforms: Windows NT
Relevant URL:
http://www.3com.com/products/dsheets/400506.html
Summary:

Designed for simple, real-time VPN monitoring, Transcend Secure VPN
Manager software Version 2.2 for Windows NT software provides a Web-based
client-server system with an easy-to-read graphical interface. This robust
monitoring and diagnostic tool lets you collect and display information on
tunnel and session utilization, as well as security associations and
violations on VPN tunnels terminated by 3Com VPN devices such as
NETBuilder® routers or PathBuilder™ tunnel switches. Monitoring
capabilities include industry-standard Point-to-Point Tunneling Protocol
(PPTP) and Layer 2 Tunneling Protocol (L2TP).

2. Security Analyzer
by NetIQ
Platforms: Linux, Solaris, Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.netiq.com/products/sa/default.asp
Summary:

NetIQ's Security Analyzer helps you secure your corporate systems and
networks by automatically detecting the latest known security
vulnerabilities and providing extensive reports and guidance on how to
address them.

3. ActiveSentry
by Intranode
Platforms: N/A
Relevant URL:
https://activesentry.intranode.com/
Summary:

ActiveSentry, published by Intranode, is an extremely powerful proactive
Internet security management solution based on automatic recurrent
security audits launched from a remote platform. Each audit generates an
exhaustive executive analysis report specifying the vulnerabilities
detected and the counter measures to implement.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Stunnel v3.22
by Michal Trojnara, Michal.Trojnara@centertel.pl
Relevant URL:
http://stunnel.mirt.net/
Platforms: FreeBSD, Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

The stunnel program is designed to work as an SSL encryption wrapper
between remote client and local (inetd-startable) or remote server. It can
be used to add SSL functionality to commonly used inetd daemons like POP2,
POP3, and IMAP servers without any changes in the programs' code. It will
negotiate an SSL connection using the OpenSSL or SSLeay libraries. It
calls the underlying crypto libraries, so stunnel supports whatever
cryptographic algorithms you compiled into your crypto package. This
release includes a timeout for the transfer() function, and a fix for a
coredump on exit with active threads.

2. Big Brother 1.8d2
by Sean MacGuire, sean@iti.qc.ca
Relevant URL:
http://bb4.com/download.html
Platforms: AIX, BSDI, DG-UX, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX,
Linux, MacOS, NetBSD, Netware, SCO, SINIX, Solaris, SunOS, Tru64 UNIX,
Ultrix, UNICOS, UNIX, Unixware, Windows NT
Summary:

Big Brother is a combination of monitoring methods. Unlike SNMP where
information is just collected and devices polled, Big Brother is designed
in such a way that each local system broadcasts its own information to a
central location. Simultaneously, Big Brother also polls all networked
systems from a central location. This creates a highly efficient and
redundant method for proactive network monitoring.

3. Anubis v1.1.0
by The Anubis Team ghostface@lodz.pdi.net
Relevant URL:
http://anubis.sourceforge.net/
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

Anubis is an anonymous email sender for Unix, BeOS, Win32, and AmigaOS. It
supports WinGates, encrypted TLS/SSL connections, remailers, anonymous
news posting, and more.

4. NTLM Authorization Proxy Server v0.9.7
by Dmitry Rozmanov
Relevant URL:
http://www.geocities.com/rozmanov/ntlm/
Platforms: Windows 95/98, Windows NT
Summary:

'NTLM Authorization Proxy Server' is proxy software that allows you to
authenticate via an MS Proxy Server using the proprietary NTLM protocol.
It can change arbitrary values in your client's request headers so that
those requests look as if they were created by MS IE. It is written in
Python 1.5.2.

VI. SPONSORSHIP INFORMATION
---------------------------
-------------------------------------------------------------------------------