SecurityFocus Microsoft Newsletter # 87

From: Marc Fossi (mfossi@securityfocus.com)
Date: 05/21/02


Date: Tue, 21 May 2002 07:50:49 -0600 (MDT)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #87
--------------------------------------
This issue is sponsored by Qualys, Inc.

Bulletproof Your Network: FREE White Paper

Existing security products -- firewalls, anti-virus and IDS -- are simply
no longer enough to ensure your servers are safe against latest
sophisticated attacks and worms such as Code Red and Nimda.
FREE White Paper shows you how to ensure TOTAL security for your
Internet perimeter with the most current and most complete PROACTIVE
Vulnerability Assessment solution. Get your FREE White Paper now. Click
here! https://www.qualys.com/forms/techwhite_133.php
----------------------------------------------------------------------

I. FRONT AND CENTER
     1. Bad Company
     2. Securing Privacy Part Three: E-Mail Issues
     3. Cutting-Edge High Tech Crime Fighting: Best Practices in Computer Forensics
     4. Meeting IT Security Benchmarks Through IT Audits
II. MICROSOFT VULNERABILITY SUMMARY
     1. Hosting Controller DSNManager Directory Traversal Vulnerability
     2. LevCGI NetPad Unauthorized File Access Vulnerability
     3. Hosting Controller Import Root Directory Command Execution Vuln
     4. Microsoft Internet Explorer Zone Spoofing Vulnerability
     5. Microsoft Internet Explorer Cookie Content Disclosure Vuln
     6. Phorum Remote Command Execution Vulnerability
     7. Xerox DocuTech Scanner Insecure Default Configuration Vuln
     8. NetWin DNews Remote Access Vulnerability
     9. Microsoft Internet Explorer Content-Disposition Handling...
III. MICROSOFT FOCUS LIST SUMMARY
     1. About ping request? (Thread)
     2. Hotfixes overwritten? (Thread)
     3. XP or not XP - enterprise desktop? (Thread)
     4. Hotfixes overwritten? (Thread)
     5. XP or not XP - enterprise desktop? (Thread)
     6. Bypassing Windows 2000 Domain Password settings (Thread)
     7. renaming the IIS metabase (Thread)
     8. setting "List" (RX-unspecified) with xcacls.exe (Thread)
     9. setting "List" (RX-unspecified) with xcacls.exe (Thread)
     10. renaming the IIS metabase (Thread)
     11. Bypassing Windows 2000 Domain Password settings (Thread)
     12. SecurityFocus Microsoft Newsletter #86 (Thread)
     13. using SecEdit across different NT installations (Thread)
IV. MICROSOFT PRODUCTS
     1. InTether Desktop
     2. PoliVec Builder
     3. SecureScan NX
     4. ZDelete
     5. SafeIT E-Mail Encryption
     6. securiQ Suite
V. MICROSOFT TOOLS
     1. Poor Man's IDS v1.2
     2. Enigma Mailer v0.2.3
     3. j-chkmail v1.01
     4. GrabItAll

I. FRONT AND CENTER
-------------------
1. Bad Company
By George Smith

You don't have much choice in anti-virus products if you make your
purchasing decisions based on Consumer Reports.

http://online.securityfocus.com/columnists/83

2. Securing Privacy Part Three: E-Mail Issues
By Scott Granneman

This is the third article in a four-part series that will examine
privacy concerns as they relate to security. The first installment in the
series examined hardware-based privacy issues. The second part discussed
software-based issues. This article will discuss privacy issues that are
particularly relevant to e-mail.

http://online.securityfocus.com/infocus/1579

3. Cutting-Edge High Tech Crime Fighting: Best Practices in Computer Forensics
June 17-18, 2002
American Management Association, Washington, DC

Walk away able to perform computer forensic examinations that will not
only yield sound evidence but will also hold up in a court of law! Learn
to find, collect and preserve digital evidence, and present the evidence
in court. Also learn to successfully combine private and public computer
forensics forces to investigate computer crimes. Keynote speech by
Microsoft's Chief Security Strategist Scott Charney. Public sector
employee discounts available.

For more information, call 800-280-8440, or visit http://www.frallc.com
(see InfoTech events).

4. Meeting IT Security Benchmarks Through IT Audits
August 8-9, 2002, Washington, DC.
By Information Technology Research Associates

Agenda: http://www.frallc.com (see InfoTech Events)

Have your IT security solutions kept pace with evolving threats? Unless
you conduct a thorough IT security audit, you won't know until after a
breach has occurred. To help you achieve the most ROI on your security
investment, ITRA is proud to present a step-by-step practical guide to
auditing your enterprise's IT security. For more information, call
800-280-8440.

II. BUGTRAQ SUMMARY
-------------------

1. Hosting Controller DSNManager Directory Traversal Vulnerability
BugTraq ID: 4759
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4759
Summary:

Hosting Controller is an application which centralizes all hosting tasks
to one interface. Hosting Controller runs on Microsoft Windows operating
systems.

The DSNManager script is bundled with Hosting Controller and enables users
to view and manage DSN (Data Source Number) information for an underlying
database.

The DSNManager script does not sufficiently filter dot-dot-slash (../)
sequences from URL parameters, making it prone to directory traversal
attacks. The attacker may submit a web request which is capable of
breaking out of the webroot directory, effectively allowing the attacker
to browse the filesystem at large. An attacker can exploit this condition
to disclose the contents of arbitrary web-readable files or potentially
add a DSN (Data Source Number) to an arbitrary directory.

2. LevCGI NetPad Unauthorized File Access Vulnerability
BugTraq ID: 4741
Remote: Yes
Date Published: May 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4741
Summary:

LevCGI NetPad is a web-based text editor. It is available for Linux and
Unix variants as well as Microsoft Windows operating systems.

Write access to NetPad documents is password-protected. However,
authentication is not required to read the contents of NetPad documents.

Arbitrary web users may request existing documents and view their
contents, causing sensitive information in the documents to be disclosed.

3. Hosting Controller Import Root Directory Command Execution Vulnerability
BugTraq ID: 4761
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4761
Summary:

Hosting Controller is an application which centralizes all hosting tasks
to one interface. Hosting Controller runs on Microsoft Windows operating
systems.

The Import Root Directory (imp_rootdir.asp) script does not force an
authentication challenge when accessed. This script allows users to
perform actions on files and directories on the host, but under normal
circumstances only to those files and directories below the administrative
root directory for the Hosting Controller. However, it is possible to
manipulate URL parameters to change the root directory to another
arbitrary directory on the system (such as C:).

This may enable a remote attacker to execute arbitrary commands on the
underlying system, eventually leading to a full compromise.

4. Microsoft Internet Explorer Zone Spoofing Vulnerability
BugTraq ID: 4753
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4753
Summary:

A privilege escalation issue has been discovered in Microsoft Internet
Explorer. It is possible for malicious web pages to bypass the Security
Zone settings in IE.

Due to a flaw in the way IE handles sites accessed using the NetBIOS
protocol, a maliciously crafted web page could trick IE into opening the
page as a trusted site. As a result, arbitrary web pages can be viewed in
the Local Intranet Zone. Under certain circumstances web pages can be
viewed in the Trusted Site Zone.

Exploitation of this issue will lead to arbitrary web pages being handled
with fewer security restrictions.

5. Microsoft Internet Explorer Cookie Content Disclosure Vulnerability
BugTraq ID: 4754
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4754
Summary:

A flaw exists in the way that Microsoft Internet Explorer handles scripts
embedded within cookies. Since cookies are essentially an extension of
the website from which they were received, they should be treated as
though they are in the Internet zone, and allowed access only to contents
of their domain of origin.

However, some versions of Internet Explorer treat all cookie content as
originating from the same domain. As a result, script code embedded in a
cookie will have access to the contents of all cookies on the local
machine.

In order to execute scripts embedded in cookie contents, the cookie file
must normally be referenced as a file on the local system. The ability of
a remote attacker to reference the file depends on their ability to
predict the file location of a known cookie.

Exploitation of this vulnerability may require that an attacker know the
exact name and original domain of additional cookies.

New information suggests that Internet Explorer may still be vulnerable to
this issue. It has been suggested that when requesting a cookie file
after applying the patch for MS02-023, simply appending a space followed
by a dot " ." will allow the cookie to be read. For example, the
following request would allow a cookie to read the contents of another
cookie named test.txt: about:<a href="file:///c:/test.txt .">test.txt
.</a>

6. Phorum Remote Command Execution Vulnerability
BugTraq ID: 4763
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4763
Summary:

Phorum is a PHP based web forums package designed for most UNIX variants,
Linux, and Microsoft Windows operating systems.

A vulnerability has been reported in Phorum that will allow remote
attackers to specify external PHP scripts and potentially execute
commands.

The vulnerability exists in 'plugin.php', 'admin.php' and 'del.php' files
found in the distribution of Phorum version 3.3.2a. It is possible for a
malicious attacker to specify the location of a parameter to the
vulnerable PHP files by passing an argument via URL to the PHP files. As
a consequence, the vulnerable system will interpret the arbitrary
attacker-supplied remote file (such as a PHP script). The remote file may
potentially contain destructive commands that will be executed by the
vulnerable system.
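Items 1, 3, 5 and 6 above share one root cause: a URL parameter is used as a file location without being normalised the way the operating system and web server will normalise it. The following is an added example, written for this newsletter and not code from Hosting Controller, Phorum or Microsoft, of the server-side check each of those products lacked. It assumes a Windows/IIS host (both slashes are separators, trailing spaces and dots are silently dropped, so "test.txt ." opens "test.txt") and treats any scheme-prefixed value as a remote include; all sample inputs are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed example, not Hosting Controller's, Phorum's or Microsoft's code:
# a server-side validator for a user-supplied path or include parameter that
# rejects the patterns described in the advisories above. Windows silently
# drops trailing spaces and dots from a file name, so "test.txt ." names
# "test.txt"; a filter that only compares the literal string misses it.

_DRIVE_RE = re.compile(r"^[A-Za-z]:")                    # C:, c:\..., d:/...
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]+:")   # http:, file:, ftp: (two or more chars)
_SEPARATOR_RE = re.compile(r"[\\/]")                     # IIS accepts either slash


def reject_reason(param: str) -> Optional[str]:
    """Return None if `param` is an acceptable relative path, otherwise why it is not."""
    decoded = unquote(param)          # one decode layer, as the web server applies
    if not decoded.strip():
        return "empty parameter"
    if "\x00" in decoded:
        return "embedded NUL byte"
    if decoded.startswith(("/", "\\")) or _DRIVE_RE.match(decoded):
        return "absolute path or drive letter"
    if _SCHEME_RE.match(decoded):
        return "remote or scheme-prefixed location"
    segments = [s for s in _SEPARATOR_RE.split(decoded) if s not in ("", ".")]
    for seg in segments:
        if seg == "..":
            return "directory traversal"
        if seg != seg.rstrip(" ."):
            return "trailing space or dot (Windows name normalisation)"
    return None


def check_all(params):
    """Map each candidate parameter to its verdict (None means accepted)."""
    return {p: reject_reason(p) for p in params}


if __name__ == "__main__":
    # Constructed inputs modelled on the advisories above; no real host involved.
    for p, verdict in check_all([
        "docs/readme.txt",
        "../../../outside.txt",
        "..%2F..%2Foutside.txt",
        "http://attacker.example/include.txt",
        "C:\\",
        "test.txt .",
    ]).items():
        print(f"{p!r:40} -> {verdict or 'accepted'}")
```

The check is deliberately an allow-list on structure rather than a search for "../": a single rejected segment is enough, and the decode happens before the comparison so that percent-encoded separators are seen as separators. The empty-parameter case matters for imp_rootdir.asp-style handlers, where an absent value must not fall back to a wider root.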

7. Xerox DocuTech Scanner Insecure Default Configuration Vulnerability
BugTraq ID: 4766
Remote: Yes
Date Published: May 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4766
Summary:

DocuTech is a printer and scanner combination system distributed and
maintained by Xerox.

A problem with the scanner could make it possible for a user to gain
access to the system. The problem is in the default configuration.

The scanner portion of the DocuTech system is a Microsoft Windows system
running Windows NT. By default, the Windows NT system is implemented
insecurely, with the entire C drive shared and copies of all jobs run on
the system archived and available via a web interface.

The archived copies of jobs on the system could allow a remote user to
view all previously run jobs on the system, and the names of the users
that have run them. This problem is further complicated by the fact that
Xerox uses the same password for all NT scanner stations ("administ"), and
makes a web interface available for remote users to anonymously submit
jobs.

This configuration could make it possible for a remote attacker to gain
local access, and administrative privileges on a vulnerable system.

8. NetWin DNews Remote Access Vulnerability
BugTraq ID: 4737
Remote: Yes
Date Published: May 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4737
Summary:

DNews is a commercially available NNTP server. It is available for
various operating systems, including Linux, Unix, and Microsoft Windows.

A vulnerability has been announced by the distributors of DNews.
Information concerning this vulnerability is not readily available. It
is, however, possible that this vulnerability is remotely exploitable, as
the distributors of DNews recommend the placement of access control
entries in the dnews.conf configuration file.

Successful exploitation may allow for remote attackers to gain access to
target servers. It has been suggested that this vulnerability affects the
management interface on port 7119, and could result in DNews system
reconfiguration. This is yet unconfirmed.

9. Microsoft Internet Explorer Content-Disposition Handling File Execution Vulnerability
BugTraq ID: 4752
Remote: Yes
Date Published: May 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/4752
Summary:

This vulnerability is a variant of Bugtraq ID 3578.

An HTTP header may include the fields 'content-type' and
'content-disposition'. These fields are normally used to define the type
of data being returned, and how it is expected to be handled by the
client.

An error exists with the way Microsoft Internet Explorer handles conflicts
between this information and the filename of an attached file. IE may,
under some circumstances, make a decision to trust a file based on these
HTTP header values, and a decision on how to launch the file based on the
file name.

A malicious web site owner may exploit this vulnerability. By providing
executable content with specially crafted HTTP headers, it is possible to
convince IE that the provided content is of a benign type (such as a
Windows Media file). Once downloaded, the file will be passed, without any
warning to the user, to the application that Explorer believes should
handle it. An executable file may be executed if that application, upon
not being able to interpret the content, passes it back to the operating
system.

It has been demonstrated that variants of this vulnerability can be
exploited when Windows Media Player 6.4 or 7.1 is installed on the system.

If a vulnerable user viewed content that returned HTTP headers similar
to:

  Content-Type: audio/x-ms-wma
  Content-disposition: inline; filename="foo.exe"

Windows Media Player would return "foo.exe" to the operating system
instead of returning an error flag.
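The disagreement that triggers this bug, a declared media type that does not match the extension of the declared file name, is visible in the headers alone, so a proxy or mail gateway can flag it before the client decides anything. The following is an added example, not Microsoft's or Windows Media Player's code, of such a check; the extension tables are hand-written for the demo, and the header blocks are constructed, the first mirroring the one quoted above.

```python
import os
from email.parser import Parser

# Constructed example, not Microsoft's or Windows Media Player's code: a
# gateway-side check that parses Content-Type and Content-Disposition and
# flags a download whose file name is executable, or whose extension does
# not fit the declared media type.

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}

# Extensions a client can reasonably expect for a declared media type.
# A small hand-written table for the demo; extend it for real deployments.
EXPECTED_EXTENSIONS = {
    "audio/x-ms-wma": {".wma"},
    "audio/mpeg": {".mp3"},
    "video/x-ms-asf": {".asf", ".wmv"},
    "image/jpeg": {".jpg", ".jpeg"},
    "text/plain": {".txt"},
}


def classify(raw_headers: str) -> dict:
    """Parse an HTTP header block and return declared type, file name, extension and verdict."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    content_type = msg.get_content_type()      # lower-cased; text/plain if absent
    filename = msg.get_filename()              # from Content-Disposition, or None
    # Windows drops trailing spaces and dots, so normalise before reading the extension.
    ext = os.path.splitext(filename.rstrip(" ."))[1].lower() if filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        verdict = "executable extension"
    elif filename and content_type in EXPECTED_EXTENSIONS \
            and ext not in EXPECTED_EXTENSIONS[content_type]:
        verdict = "type/name mismatch"
    else:
        verdict = "ok"
    return {"content_type": content_type, "filename": filename,
            "extension": ext, "verdict": verdict}


# Constructed header blocks; SPOOFED mirrors the headers quoted in the advisory.
SPOOFED = ('Content-Type: audio/x-ms-wma\r\n'
           'Content-Disposition: inline; filename="foo.exe"\r\n\r\n')
BENIGN = ('Content-Type: audio/x-ms-wma\r\n'
          'Content-Disposition: attachment; filename="song.wma"\r\n\r\n')
MISLABELLED = ('Content-Type: audio/x-ms-wma\r\n'
               'Content-Disposition: attachment; filename="song.mp3"\r\n\r\n')

if __name__ == "__main__":
    for label, block in (("spoofed", SPOOFED), ("benign", BENIGN), ("mislabelled", MISLABELLED)):
        print(label, classify(block))
```

The executable-extension rule fires first on purpose: whatever the declared type says, a name ending in .exe reaching the shell is the outcome the advisory describes, and the mismatch rule is only a weaker signal for the cases where the extension is not itself dangerous.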

An alert user may be able to cancel the download process, as a progress
dialog box is presented. This ability is highly dependent on the download
time of the file. For small files or fast network conditions, there may
not be sufficient time for manual intervention.

It is also possible to exploit this vulnerability through HTML formatted
email, which may contain external references. Files may be downloaded and
executed through reading or previewing email.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

1. About ping request? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/Pine.LNX.4.44.0205172131100.25357-100000@lodos.ieee.metu.edu.tr

2. Hotfixes overwritten? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/E00ECDED326C0B4288A0B4F7F02DE2DD131B87@mickey.quest.fl.com

3. XP or not XP - enterprise desktop? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/0GW900H23GWHGT@emroute3.ornl.gov

4. Hotfixes overwritten? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/200205171441.g4HEfgb04210@mail.phg.com

5. XP or not XP - enterprise desktop? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/000c01c1fd7a$daeee010$9d00a8c0@pxs.se

6. Bypassing Windows 2000 Domain Password settings (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/EDEJKJKNOIPKHHIEIADCEEPDCDAA.mail226518@pop.net

7. renaming the IIS metabase (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020515220631.10030.qmail@securityfocus.com

8. setting "List" (RX-unspecified) with xcacls.exe (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/EKOJAODLNNJKGAAA@mailcity.com

9. setting "List" (RX-unspecified) with xcacls.exe (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020515181624.47025.qmail@web14704.mail.yahoo.com

10. renaming the IIS metabase (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/F09AE4CA8CCD6A4DA1C2A17F50E27F0A05B761@des.avet.com.pl

11. Bypassing Windows 2000 Domain Password settings (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/EDEJKJKNOIPKHHIEIADCOEOICDAA.mail226518@pop.net

12. SecurityFocus Microsoft Newsletter #86 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/Pine.LNX.4.43.0205131136520.24028-100000@mail.securityfocus.com

13. using SecEdit across different NT installations (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020513160439.80229.qmail@web20105.mail.yahoo.com

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. InTether Desktop
by Infraworks, Corp.
Platforms: Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.infraworks.com/p2p.html

Infraworks' InTether technology safeguards digital property from
unauthorized use and redistribution by preventing copying, printing,
saving, screen capturing and forwarding. InTether Desktop product is a
desktop application that allows the owner or sender of digital information
to control the recipient's use of the file. InTether Desktop allows you to
control exactly who has access to a file, the length of time they have to
view it, and when the file will self-destruct. It's simple to use and
works with virtually any file type. For the first time, you have complete
control over what happens to digital information after you send it to
someone else.

2. PoliVec Builder
by PoliVec Inc.
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.polivec.com/polivecbuilder.html

PoliVec Builder gives IT professionals the ability to design, develop, and
implement a comprehensive IT security policy. It also generates operating
system-specific implementation standards that provide the IT staff with
step-by-step instructions to ensure systems are configured in compliance
with the policy. A "best practice" policy template, complete with
rationale text, is provided to guide users through the policy development
process.

3. SecureScan NX
by VIGILANTe
Platforms: Windows 2000, Windows NT
Relevant URL:
http://www.vigilante.com/securescan/nx/product_description.htm

SecureScan NX provides a distributed console-agent architecture which
allows multi-level, multi-segment scanning of all subnets behind the
firewall and a complete evaluation of the firewall filtering rules in
place between the scanning agent and the console. This multi-level, multi-
segment scanning enables assessments of any size networks.

4. ZDelete
by LSoft Technologies Inc.
Platforms: Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.zdelete.com/

ZDelete is designed to permanently erase computer files, temporary
Internet files, cookies, Internet history, and recently used files and
documents. An integrated disk wiper included can also clear out all
available/free disk space. It makes the recovery of files previously
removed from the drive impossible.

5. SafeIT E-Mail Encryption
by Softnet Security Ltd.
Platforms: Windows 2000, Windows NT

SafeIT E-Mail Encryption gives you point-to-point e-mail security. SafeIT
is extremely easy to use and operates automatically in the background. You
use your normal POP3/SMTP e-mail program to send and receive e-mails.
Automatic installation and establishment of secure contacts.

6. securiQ Suite
by GROUP Technologies
Platforms: Windows 2000, Windows NT
Relevant URL: http://www.group-technologies.com/en/home.nsf/id/securiq

securiQ stands for rule-based content checking of images and text,
comfortable and automatic encryption, auditproof filing, personalized
legal disclaimer and modular virus protection - all in one optimally
coordinated program package. Included in the suite are: .Crypt Encryption,
.Watchdog Antivirus, .Wall Content Control, .Xblock Image Control,
.Trailer Legal Disclaimer, and also .Safe mail Archiving.

V. NEW TOOLS FOR MICROSOFT PRODUCTS
-----------------------------------
1. Poor Man's IDS v1.2
by red0x
Relevant URL: http://online.securityfocus.com/tools/2667

Poor Man's IDS is a couple of scripts which check certain files on your
host (any you like) for changes in content, ownership, and mode. Instead
of only mailing if something is wrong (like other IDSs), this lean IDS
will send you a daily (or weekly or hourly, depending on how you set up
your cron job) security audit, containing details of what it found (if
anything).
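The comparison such a script performs is small enough to show whole. The following is an added example, not red0x's scripts, of the same idea: record a content hash, owner and permission bits for a list of files, then report every field that differs between two snapshots. The demo builds its own files in a temporary directory, tampers with one and deletes the other; the paths and contents are constructed.

```python
import hashlib
import os
import stat
import tempfile

# Constructed example, not red0x's scripts: the check a "poor man's IDS"
# performs. snapshot() records content hash, owner and permission bits for a
# list of files; compare() reports what differs between two snapshots, so a
# cron job can mail the result on a schedule whether or not anything changed.

FIELDS = ("sha256", "uid", "gid", "mode")


def snapshot(paths):
    """Record hash, owner, group and permission bits for every path that exists."""
    result = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue                      # compare() reports it as missing
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        result[path] = {
            "sha256": digest,
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode),   # permission bits only, e.g. 0o644
        }
    return result


def compare(baseline, current):
    """Return (path, what_changed) pairs in a stable order, so reports can be diffed."""
    changes = []
    for path in sorted(baseline):
        if path not in current:
            changes.append((path, "missing"))
            continue
        for field in FIELDS:
            if baseline[path][field] != current[path][field]:
                changes.append((path, field))
    for path in sorted(current):
        if path not in baseline:
            changes.append((path, "new"))
    return changes


def demo():
    """Create two watched files, tamper with one and delete the other; return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "a.txt")
        b = os.path.join(tmp, "b.txt")
        for path in (a, b):
            with open(path, "w") as fh:
                fh.write("baseline\n")
            os.chmod(path, 0o644)
        baseline = snapshot([a, b])
        with open(a, "a") as fh:          # content change
            fh.write("tampered\n")
        os.chmod(a, 0o600)                # mode change
        os.remove(b)                      # deletion
        report = compare(baseline, snapshot([a, b]))
        return [(os.path.basename(p), what) for p, what in report]


if __name__ == "__main__":
    for name, what in demo():
        print(f"{name}: {what} changed" if what in FIELDS else f"{name}: {what}")
```

The baseline is only as trustworthy as where it is stored: keep it off the monitored host, or at least outside the set of files an intruder can rewrite, since a baseline regenerated after a compromise reports nothing.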

2. Enigma Mailer v0.2.3
by Fang
Relevant URL: http://www.enigmail.org.uk/

Enigmailer allows you to send enciphered email with an optional password
hint. The recipient receives a mail message with a link to the script to
facilitate deciphering. Unlike other secure mail systems, it allows you to
use your existing email address rather than forcing you to setup and use
yet another one.

3. j-chkmail v1.01
by Jose Marcio Martins da Cruz (martins@ensmp.fr)
Relevant URL: http://j-chkmail.ensmp.fr

j-chkmail is a Sendmail filter written completely in C. It is able to
filter mail containing executable attached files, based on file extensions
or regular expressions. It is also possible to filter on local destination
addresses, domains or IP addresses. For example, the root user could be
allowed to receive mail only from the local network. It conforms to RFC
header guidelines.

4. GrabItAll
by Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
Relevant URL: http://ntsecurity.nu/toolbox/grabitall/

GrabItAll performs traffic redirection by sending spoofed ARP replies. It
can redirect traffic from one computer to the attacker's computer, or
redirect traffic between two other computers through the attacker's
computer. In the last case you need to enable IP Forwarding, which can be
done with GrabItAll too.
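The redirection described above leaves a trace on the wire: an IP address that was answered for by one MAC is suddenly answered for by another, and one MAC starts claiming several addresses. The following is an added example, not Arne Vidstrom's tool, of a passive check over observed ARP replies that raises an alert on either symptom. Each record is (timestamp, sender IP, sender MAC) as a sniffer would report it; the sample list is constructed, and the `known_multi_ip_macs` parameter is an assumed allow-list for routers or failover pairs that legitimately answer for more than one address.

```python
from collections import defaultdict

# Constructed example, not Arne Vidstrom's tool: a passive detector for the
# two symptoms ARP-reply redirection produces. Records are (timestamp,
# sender IP, sender MAC); the sample below is made up for the demo.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    ("10:00:02", "192.168.1.20", "00:11:22:33:44:20"),   # workstation
    ("10:00:03", "192.168.1.30", "00:11:22:33:44:30"),   # another workstation
    ("10:00:10", "192.168.1.1",  "00:11:22:33:44:30"),   # .30's MAC now answers for the gateway
    ("10:00:11", "192.168.1.20", "00:11:22:33:44:30"),   # ...and for .20: both sides now go via .30
]


def detect_arp_spoofing(replies, known_multi_ip_macs=frozenset()):
    """Return alert tuples. known_multi_ip_macs (assumed allow-list) suppresses the
    multi-address alert for hosts that legitimately answer for several IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "ip-remapped", ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in known_multi_ip_macs:
            alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(*alert)
```

The remapping alert is the stronger signal; the multi-address alert needs the allow-list in practice, and a DHCP lease change will also trip the first rule once, so a real deployment would compare against the lease table or a static inventory before paging anyone.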

VI. SPONSOR INFORMATION:
------------------------
This issue is sponsored by Qualys, Inc.



