SecurityFocus Microsoft Newsletter #92

From: Marc Fossi (mfossi@securityfocus.com)
Date: 06/25/02


Date: Tue, 25 Jun 2002 07:36:21 -0600
From: "Marc Fossi" <mfossi@securityfocus.com>
To: <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #92
--------------------------------------

This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - September 30th, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Secure Coding
     2. Implementing Network Taps with Network Intrusion Detection...
     3. Alexis de Tocqueville Serves Up a Red Herring
     4. Black Hat Briefings & Training
     5. Cutting-Edge High Tech Crime Fighting
II. MICROSOFT VULNERABILITY SUMMARY
     1. AnalogX SimpleServer:WWW Web Server Denial of Service...
     2. Microsoft Visual Studio .NET Korean Version Nimda Infected File...
     3. Lumigent Log Explorer XP_LogAttach Buffer Overflow Vulnerability
     4. Multiple Vendor Spoofed IGMP Report Denial Of Service...
     5. Lumigent Log Explorer XP_LogAttach_SetPort Buffer Overflow...
     6. Digi-Net Technologies DigiChat User IP Information Disclosure...
     7. PHPEventCalendar Remote Command Execution Vulnerability
     8. Mewsoft NetAuction Cross Site Scripting Vulnerability
     9. Xitami GSL Template Vulnerabilities
     10. Cisco Secure ACS Cross-site Scripting Vulnerability
     11. Microsoft Internet Explorer CSSText Bold Font Denial Of...
     12. Caucho Technology Resin Server View_Source.JSP Arbitrary File...
     13. Caucho Technology Resin Server Denial Of Service Vulnerability
     14. OSCommerce Remote File Include Vulnerability
     15. Apache Chunked-Encoding Memory Corruption Vulnerability
     16. PHPBB2 Install.PHP Remote File Include Vulnerability
     17. MetaLinks MetaCart2.SQL Database Disclosure Vulnerability
     18. 4D WebServer Long HTTP Request Buffer Overflow Vulnerability
     19. DeepMetrix LiveStats HTML Report Script Injection Vulnerability
     20. Apache Tomcat Web Root Path Disclosure Vulnerability
     21. Microsoft SQL MS Jet Engine Unicode Buffer Overflow Vulnerability
     22. Microsoft SQL Server 2000 PWDEncrypt Buffer Overflow...
     23. Lumigent Log Explorer XP_LogAttach_StartProf Buffer Overflow...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Null session and Exchange2K (Thread)
     2. MS02-29 breaks PPTP connections for non-Admin users? (Thread)
     3. SecurityFocus Microsoft Newsletter #91 (Thread)
     4. backing up IE config (Thread)
     5. xcacls and a service account (Thread)
IV. MICROSOFT PRODUCTS
     1. Defender
     2. Bifrost Firewall
     3. i.Secure Store
V. MICROSOFT TOOLS
     1. DreamSys Server Monitor v3.1
     2. EGADS v0.9
     3. DSCMD - DataSAFE Command Line Encryptor v2.0
     4. Bouncer v1.0.RC6
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Secure Coding
By David Wong

It's virtually impossible to build bug-free, vulnerability-free software.
This article will provide a brief overview of some of the key issues of
secure coding, including some common software development mistakes, a list
of best practices for secure coding, and a list of resources that will aid
in your quest to build more secure software.

http://online.securityfocus.com/infocus/1596

2. Implementing Network Taps with Network Intrusion Detection Systems
by Nathan Einwechter, Senior Research Scientist Fate Research Labs

Over the past decade or so, the use of switches to replace hubs has
increased substantially. This is largely due to the increased size of
networks, and the requirement for increasingly faster and more efficient
networks. On most networks, the data must now be dependable and timely.
This transition from hubs to switches, however, has generated a conflict
with already deployed and designed network intrusion detection systems.

http://online.securityfocus.com/infocus/1594

3. Alexis de Tocqueville Serves Up a Red Herring
By Richard Forno

The press release announcing the Alexis de Tocqueville Institution's
recent white paper proclaims that open source software is a threat to
national security. However, there is much in the document that the press
release conveniently overlooks.

http://online.securityfocus.com/columnists/89

4. Black Hat Briefings & Training

Attend Black Hat Briefings & Training, July 29 - August 1, Las Vegas, the
world's premier technical security event! 8 tracks, 12 training sessions,
Richard Clarke keynote, 500 delegates from 30 nations, with a near cult
following of both CSOs and "underground" security experts. See for
yourself what the buzz is all about.

Please visit www.blackhat.com for more information.

5. Tech Crime Fighting: Best Practices in Computer Forensics
June 17-18, 2002
American Management Association, Washington, DC

Walk away able to perform computer forensic examinations that will not
only yield sound evidence but will also hold up in a court of law! Learn
to find, collect and preserve digital evidence, and present the evidence
in court. Also learn to successfully combine private and public computer
forensics forces to investigate computer crimes. Keynote speech by
Microsoft's Chief Security Strategist Scott Charney. Public sector
employee discounts available.

For more information, call 800-280-8440, or visit www.frallc.com (see
InfoTech events).

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. AnalogX SimpleServer:WWW Web Server Denial of Service Vulnerability
BugTraq ID: 5006
Remote: Yes
Date Published: Jun 13 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5006
Summary:

AnalogX SimpleServer:WWW is designed to be a simple web server for use
with Microsoft Windows operating environments.

Reportedly, version 1.16 of SimpleServer:WWW is prone to a denial of
service vulnerability.

A remote attacker can connect to SimpleServer via telnet and make an
invalid request to the server. This causes the web server to crash and
leads to a denial of service condition.

Making a request consisting of about 640 '@' characters will cause the web
server to crash.

This may be the result of a buffer overflow condition.

It is not known whether earlier versions of SimpleServer are prone to this
vulnerability.

2. Microsoft Visual Studio .NET Korean Version Nimda Infected File Vulnerability
BugTraq ID: 5012
Remote: No
Date Published: Jun 13 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5012
Summary:

Visual Studio .Net is the enhanced development environment distributed by
Microsoft.

A problem with the Korean version of the software could make it possible
to cause an outbreak of dangerous malicious code.

It has been discovered that the Korean version of the .Net framework
includes a Nimda-infected file. A user with sufficient privileges who
executes this file could potentially infect the host with Nimda. This may
result in the host becoming susceptible to the problems associated with
the W32/Nimda malicious code.

This could lead to an outbreak of Nimda on a network, and potentially
result in the spread of the malicious code to other hosts on the network.

While the infection is believed to be inert, there is some possibility
that the worm could be triggered.

3. Lumigent Log Explorer XP_LogAttach Buffer Overflow Vulnerability
BugTraq ID: 5018
Remote: No
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5018
Summary:

Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
Server 7/2000.

A buffer overflow vulnerability in xp_logattach.dll has been reported for
Lumigent Log Explorer 3.01. The DLL, xp_logattach.dll, contains extended
stored procedures (XPs). XPs are procedures written in a language such as
C that perform high level functions in SQL Server. Specifically, this
issue is known to affect the xp_logattach stored procedure.

If this condition is successfully exploited, it is possible for locations
in memory to be overwritten with attacker-supplied instructions, allowing
for code execution as the SQL server process. By default, SQL Server runs
as a non-privileged user.

It should be noted that extended stored procedures can be run only by the
dbo user by default.

4. Multiple Vendor Spoofed IGMP Report Denial Of Service Vulnerability
BugTraq ID: 5020
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5020
Summary:

Internet Group Management Protocol (IGMP) is the set of specified
guidelines for the management of Internet multicast routing.

A problem with the implementation of the protocol in some operating
systems could lead to a denial of service.

It is possible for an arbitrary host to deny service to a system on the
same segment of network. In a situation where a multicast router sends a
membership report request, a host sending a unicast membership report
response to the primary responder can prevent the responder from sending a
message to the multicast router. In doing so, the router will not receive
a response from any host, and thus the transmission will time out and
cease.

This problem could result in an attacker launching a denial of service
against an affected host, and could additionally be used to deny service
to a range of vulnerable hosts on a subnet.

This vulnerability may additionally affect other operating systems, though
it is currently unknown which implementations may be vulnerable.

5. Lumigent Log Explorer XP_LogAttach_SetPort Buffer Overflow Vulnerability
BugTraq ID: 5017
Remote: No
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5017
Summary:

Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
Server 7/2000.

A buffer overflow vulnerability in xp_logattach.dll has been reported for
Lumigent Log Explorer 3.01. The DLL, xp_logattach.dll, contains extended
stored procedures (XPs). XPs are procedures written in a language such as
C that perform high level functions in SQL Server. Specifically, this
issue is known to affect the xp_logattach_setport stored procedure.

If this condition is successfully exploited, it is possible for locations
in memory to be overwritten with attacker-supplied instructions, allowing
for code execution as the SQL server process. By default, SQL Server runs
as a non-privileged user.

It should be noted that extended stored procedures can be run only by the
dbo user by default.

6. Digi-Net Technologies DigiChat User IP Information Disclosure Vulnerability
BugTraq ID: 5019
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5019
Summary:

DigiChat is a web based chat application maintained by Digi-Net. DigiChat
runs on most Microsoft Windows and UNIX platforms.

It is possible for chat users to obtain sensitive information about other
chat visitors.

By design, only ChatMasters are able to resolve the IP address of visiting
chat users. However, it is reportedly possible for users to obtain the IP
address of chat visitors by including '<Param Name="Showip" Value="True">'
in the chat applet. As a result, IP address information is disclosed when
viewing the information details of visitors.

An attacker may exploit this flaw to gain unauthorized access to sensitive
information about site users.

This issue has been reported in DigiChat 3.5, however other versions may
also be affected by this.

7. PHPEventCalendar Remote Command Execution Vulnerability
BugTraq ID: 5021
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5021
Summary:

PHPEventCalendar is a web based calendar. It is implemented in PHP and
should be supported on UNIX and Linux variants as well as Microsoft
Windows operating environments.

A vulnerability has been reported in phpEventCalendar that may allow a
user of phpEventCalendar to execute commands on a vulnerable host.

The vulnerability exists in the 'index.php' file. The user supplied value
to the 'userfile' parameter is not properly sanitized.

Commands executed via this method will be executed with the privileges of
the user running the web server process. This could potentially lead to a
denial of service, or a remote attacker gaining elevated privileges.

8. Mewsoft NetAuction Cross Site Scripting Vulnerability
BugTraq ID: 5023
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5023
Summary:

Mewsoft NetAuction is designed for users to create auction sites. It is
developed for use with Microsoft Windows and Linux operating environments.

NetAuction does not filter script code from URI parameters, making it
prone to cross-site scripting attacks. Attacker-supplied HTML code may be
included in a malicious link to 'auction.cgi' via the 'terms' parameter.

The supplied HTML code will be executed in the browser of a web user who
visits this link, in the security context of the host running NetAuction.
Such a link might be included in a HTML e-mail or on a malicious webpage.

This may enable a remote attacker to steal cookie-based authentication
credentials from legitimate users of a host running NetAuction.

This issue has been reported in version 3.0, other versions may also be
vulnerable.

9. Xitami GSL Template Vulnerabilities
BugTraq ID: 5025
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5025
Summary:

Xitami is a webserver for Microsoft Windows operating systems.

A number of vulnerabilities have been reported in Xitami 2.5 Beta versions
GSL Templates. GSL is a server-side scripting language. These issues
appear to be present in an error script. The exact nature of these issues
is not known at this time.

Further technical details will be added as they become available.

Reports indicate that non-beta versions of the software may also be
affected by these issues.

10. Cisco Secure ACS Cross-site Scripting Vulnerability
BugTraq ID: 5026
Remote: Yes
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5026
Summary:

Cisco Secure ACS is an access control and accounting server system. It is
distributed and maintained by Cisco; this vulnerability affects
implementations on the Microsoft Windows NT platform.

A problem has been discovered in the Secure ACS server that could lead to
the circumvention of browser security.

It has been discovered that the web server component of the Cisco Secure
ACS package allows an attacker to execute cross-site scripting attacks.
A malicious link could be crafted including the specific port of the
Secure ACS web server and arbitrary HTML or script code. When this link
is visited, the attacker-supplied HTML or script code could be executed in
the browser of a user, provided the user has authenticated to the Secure
ACS server.

The attacker-supplied code will be executed in the context of the Secure
ACS server.

11. Microsoft Internet Explorer CSSText Bold Font Denial Of Service Vulnerability
BugTraq ID: 5027
Remote: Yes
Date Published: Jun 15 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5027
Summary:

A problem with Microsoft Internet Explorer may make it possible to deny
service to users of the browser. The problem is in the handling of
certain types of stylesheet input.

Under some circumstances, it may be possible to crash IE. When IE
encounters a style sheet with the p{cssText} element declared, and a font
weight of bold is specified, the browser becomes unstable, and reacts
unpredictably. This problem has been reported to cause a browser crash in
both IE 5.5 and IE 6.0.

This problem could allow an attacker to crash a vulnerable browser. This
vulnerability is known to affect the 5.5 browser on Windows 98, and 6.0
browser on Windows XP.

12. Caucho Technology Resin Server View_Source.JSP Arbitrary File Disclosure Vulnerability
BugTraq ID: 5031
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5031
Summary:

Caucho Technology Resin is a servlet and JSP (Java Server Pages) engine
that supports Java and JavaScript. It is built for Unix and Linux variants
as well as Microsoft Windows operating environments.

A vulnerability has been reported in Resin Server 2.1.2, deployed on a
Microsoft Windows platform, that may allow remote attackers to view
contents of arbitrary files.

The 'view_source.jsp' script, found in an example folder as part of the
Resin Server installation, may allow remote attackers access to files
readable by the web server.

The vulnerability occurs when parsing requests for directory traversal.
The 'view_source.jsp' script prevents directory traversal via '/../'
sequences. However, an attacker attempting directory traversal via '\..\'
sequences will succeed. This may allow an attacker to request any files on
the vulnerable system readable by the web server.

This problem could lead to a remote user gaining access to sensitive
information on a system. This could include information such as access
control passwords, or other information stored on the server not meant for
public access.

13. Caucho Technology Resin Server Denial Of Service Vulnerability
BugTraq ID: 5032
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5032
Summary:

Caucho Technology Resin is a servlet and JSP (Java Server Pages) engine
that supports Java and JavaScript. It is built for Unix and Linux variants
as well as Microsoft Windows operating environments.

A vulnerability has been reported in Resin Server 2.1.1, deployed on a
Microsoft Windows platform, that may cause Resin Server to cease
functioning properly leading to a denial of service condition.

The vulnerability occurs when a client accesses non-existent resources.
If large variables are defined for such requests, parts (if not all) of
Resin will cease to be fully operational. A denial of service condition
may result.

An attacker may take advantage of this vulnerability to deny service to
legitimate users.

14. OSCommerce Remote File Include Vulnerability
BugTraq ID: 5037
Remote: Yes
Date Published: Jun 16 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5037
Summary:

osCommerce is open-source e-commerce software written in PHP. osCommerce
will run on most Unix and Linux variants as well as Microsoft Windows
operating systems.

osCommerce is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in the 'include_once.php' script. An attacker may exploit this by
supplying a path to a file on a remote host as a value for the
'include_file' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may gain the attacker local access on the affected
host.

15. Apache Chunked-Encoding Memory Corruption Vulnerability
BugTraq ID: 5033
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5033
Summary:

Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.

The HTTP protocol specifies a method of data coding called 'Chunked
Encoding', designed to facilitate fragmentation of HTTP requests in
transit. A vulnerability has been discovered in the Apache implementation
of 'Chunked Encoding'.

When processing requests coded with the 'Chunked Encoding' mechanism,
Apache fails to properly calculate required buffer sizes. This may be due
to improper (signed) interpretation of an unsigned integer value.

Consequently, several conditions may occur that have security
implications. It has been reported that a buffer overrun and signal race
condition occur. Exploitation of these conditions may result in the
execution of arbitrary code.

On Windows and Netware platforms, Apache uses threads within a single
server process to handle concurrent connections. Causing the server
process to crash on these platforms may result in a denial of service.

It has been confirmed that this vulnerability may be exploited to execute
arbitrary code on both Win32 and UNIX platforms.

Note: Products which use or bundle Apache such as Oracle 9iAS or IBM
Websphere may also be affected.
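The summary above attributes the chunked-encoding flaw to a chunk size being read as an unsigned value but bounds-checked as a signed one. The following added example (written for this newsletter entry, not Apache's code) emulates that check in Python beside a strict parser that bounds the digit count, compares unsigned, and enforces a total body limit; the 8192-byte buffer size and the sample body are constructed for the example.

```python
import re

# Constructed per-chunk buffer limit, standing in for a server's request buffer.
CHUNK_BUFFER = 8192
# Chunk-size line: 1 to 8 hex digits plus an optional ";ext" chunk extension.
# Capping the digit count at 8 keeps the value inside 32 bits, so the
# signed/unsigned confusion emulated below cannot arise in the first place.
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")


def as_int32(value: int) -> int:
    """Reinterpret a 32-bit unsigned value as a C `int` (two's complement)."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def vulnerable_chunk_check(size_line: bytes, buf_len: int = CHUNK_BUFFER) -> int:
    """Emulates the flaw described in the summary: the hex size is parsed as an
    unsigned value, but the 'does it fit?' test treats it as a signed int.
    A size with the top bit set (0xFFFFFFF0 is -16 as an int32) passes the
    test, and the copy that follows would use the huge unsigned length.
    Returns the length such a copy would use."""
    size = int(size_line.split(b";")[0].strip(), 16) & 0xFFFFFFFF
    if as_int32(size) > buf_len:
        raise ValueError("chunk too large")
    return size  # a C caller would now copy `size` bytes into a buf_len buffer


def safe_chunk_size(size_line: bytes, buf_len: int = CHUNK_BUFFER) -> int:
    """Strict parse: bounded digit count, unsigned comparison, no stray bytes."""
    match = CHUNK_SIZE_LINE.match(size_line)
    if not match:
        raise ValueError("malformed chunk-size line")
    size = int(match.group(1), 16)
    if size > buf_len:
        raise ValueError("chunk exceeds buffer")
    return size


def decode_chunked(body: bytes, buf_len: int = CHUNK_BUFFER,
                   max_total: int = 1 << 20) -> bytes:
    """Reassemble a chunked message body, enforcing per-chunk and total limits."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = safe_chunk_size(body[pos:eol], buf_len)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailer headers are ignored here
        if len(out) + size > max_total:
            raise ValueError("body exceeds total limit")
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size + 2


def is_rejected(size_line: bytes, checker=safe_chunk_size) -> bool:
    """True if the given checker refuses the chunk-size line."""
    try:
        checker(size_line)
    except ValueError:
        return True
    return False


# Constructed sample body for the decoder; not taken from any real capture.
SAMPLE_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(SAMPLE_BODY))
    print("signed check accepts FFFFFFF0:", not is_rejected(b"FFFFFFF0", vulnerable_chunk_check))
    print("strict check accepts FFFFFFF0:", not is_rejected(b"FFFFFFF0"))
```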

16. PHPBB2 Install.PHP Remote File Include Vulnerability
BugTraq ID: 5038
Remote: Yes
Date Published: Jun 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5038
Summary:

phpBB2 is an open-source web forum application that is written in PHP and
backended by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

A problem has been discovered in phpBB2 which may enable an attacker to
include an arbitrary attacker-supplied file which is located on a remote
host.

The problem is that an arbitrary path can be specified as a value for the
'phpbb_root_path' URL parameter. This issue exists in the 'install.php'
script. An attacker may exploit this vulnerability by supplying the
location of a remote file as the value for the 'phpbb_root_path' URL
parameter.

In the case that the remote file is a PHP script, this may allow commands
to be executed remotely with the privileges of the webserver. Successful
exploitation will allow a remote attacker to gain local, interactive
access to a host running the vulnerable software. This is especially a
concern for hosts running Microsoft Windows operating systems, as
webservers are generally run with SYSTEM privileges on these platforms.

17. MetaLinks MetaCart2.SQL Database Disclosure Vulnerability
BugTraq ID: 5042
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5042
Summary:

MetaLinks MetaCart2.sql is a shopping cart application written using ASP
(Active Server Pages). It is intended for use with a Microsoft Windows
operating environment.

A vulnerability has been reported in MetaCart2.sql that will allow remote
attackers to obtain the contents of the user database being used by
MetaCart2.sql.

The vulnerability is a result of MetaCart2.sql storing its user database
in a web accessible directory without any access prevention controls. As
such, a remote attacker is able to request the user database via URL.

This problem could lead to a remote user gaining access to sensitive
information on a system. This could include information such as passwords,
credit card information, or other information stored on the server not
meant for public access.

18. 4D WebServer Long HTTP Request Buffer Overflow Vulnerability
BugTraq ID: 5045
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5045
Summary:

4D WebServer is a client/server database management system with integrated
web development and serving. It runs on Microsoft Windows and MacOS
operating systems.

Due to insufficient bounds checking of HTTP requests, 4D WebServer is
prone to a buffer overflow condition. It is possible to overwrite stack
variables such as the return address by supplying an overly long value in
an HTTP request. This may enable a remote attacker to cause a denial of
service or execute attacker-supplied instructions.

It should be noted that the software will run in the SYSTEM context on
multi-user Windows operating systems, so successful exploitation may
result in a full compromise of the host.

This issue may be similar to the vulnerability discussed in BID 4665, 4D
WebServer Authentication Buffer Overflow.

This issue was reported for 4D WebServer version 6.7.3, earlier versions
may also be affected.

19. DeepMetrix LiveStats HTML Report Script Injection Vulnerability
BugTraq ID: 5047
Remote: Yes
Date Published: Jun 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5047
Summary:

LiveStats parses web server log files into an SQL database, enabling a
user to generate reports defining site traffic. The HTML generated reports
are viewed through the LiveStats web browser interface. LiveStats runs on
Microsoft Windows and is maintained by DeepMetrix, formerly known as
MediaHouse Software.

LiveStats does not filter HTML tags when generating reports. As a result,
it is possible for an attacker to cause arbitrary script code to be
included in HTML reports generated by LiveStats. When a user views the
report page via the browser interface, the script code will be executed in
their browser, in the context of the LiveStats host.

Reportedly, LiveStats displays the browser-tag and referer strings in the
HTML generated reports. Therefore, including script code in the
HTTP_Referer header when submitting a web request for a page being
monitored by LiveStats, will result in the execution of the embedded
script code.

This issue might be exploited to steal cookie-based authentication
credentials from a legitimate user of the software.

This issue has been reported in 6.2, prior versions may also be affected
by this issue.

20. Apache Tomcat Web Root Path Disclosure Vulnerability
BugTraq ID: 5054
Remote: Yes
Date Published: Jun 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5054
Summary:

Apache Tomcat is a freely available, open source web server maintained by
the Apache Foundation. It is available for use on Unix and Linux variants
as well as Microsoft Windows operating environments.

A vulnerability has been reported for Apache Tomcat 4.0.3 on a Microsoft
Windows platform. Reportedly, it is possible for a remote attacker to make
requests that will result in Apache Tomcat returning an error page
containing information that includes the absolute path to the server's web
root.

For example, submitting a request for LPT9 to Tomcat will result in the
following error message: "java.io.FileNotFoundException: C:\Program
Files\Apache Tomcat 4.0\webapps\ROOT\lpt9 (The system cannot find the file
specified)"

Gaining knowledge of path information could assist an attacker in further
attacks against the host.
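The Resin view_source.jsp entry (a traversal filter that only refuses '/../') and the Tomcat entry above (an error page that echoes the absolute path when a reserved device name such as LPT9 is requested) share one root cause: request paths reaching a Windows filesystem without being normalised first. The following added example, not code from either project, shows the weak check beside a path resolver that treats both separators alike, refuses parent segments, drive letters and reserved device names, and never puts the server's root in its error text; the web root and the sample requests are constructed.

```python
import posixpath
import re

# Windows reserved device names: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
# The match is case-insensitive and ignores any extension ("lpt9.txt" still
# names the device), which is how Windows itself treats them.
RESERVED_DEVICE = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$",
                             re.IGNORECASE)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def weak_is_safe(requested: str) -> bool:
    """The kind of check the view_source.jsp summary describes: it refuses
    '/../' but never looks at backslashes, so a '\\..\\' sequence passes."""
    return "/../" not in requested


def resolve_under_root(web_root: str, requested: str) -> str:
    """Map a request path onto a file under web_root, or raise ValueError.

    Assumes `requested` is already URL-decoded (so '%5c' is already a
    backslash) and that web_root is an absolute directory on the server.
    Error messages name only the offending segment, never the resolved
    absolute path, so a refused request does not disclose the server layout.
    """
    if "\0" in requested:
        raise ValueError("NUL byte in path")
    # On Windows both '/' and '\' separate components; normalise first so the
    # traversal check cannot be sidestepped by switching separator.
    path = requested.replace("\\", "/")
    segments = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue  # leading/doubled slash or current directory
        if segment == "..":
            raise ValueError("parent-directory segment refused")
        if DRIVE_PREFIX.match(segment):
            raise ValueError("drive letter refused")
        if RESERVED_DEVICE.match(segment):
            raise ValueError("reserved device name refused: " + segment)
        segments.append(segment)
    return posixpath.join(web_root, *segments)


def is_refused(web_root: str, requested: str) -> bool:
    """True if resolve_under_root refuses the request."""
    try:
        resolve_under_root(web_root, requested)
    except ValueError:
        return True
    return False


# Constructed web root and requests; not taken from a real deployment.
WEB_ROOT = "C:/resin/webapps/ROOT"
TRAVERSAL_WITH_BACKSLASHES = "\\..\\..\\WEB-INF\\web.xml"

if __name__ == "__main__":
    print("weak check passes backslash traversal:",
          weak_is_safe(TRAVERSAL_WITH_BACKSLASHES))
    print("hardened check refuses it:",
          is_refused(WEB_ROOT, TRAVERSAL_WITH_BACKSLASHES))
    print(resolve_under_root(WEB_ROOT, "/examples/hello.jsp"))
```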

21. Microsoft SQL MS Jet Engine Unicode Buffer Overflow Vulnerability
BugTraq ID: 5057
Remote: Yes
Date Published: Jun 19 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5057
Summary:

Microsoft SQL Server is prone to a remotely exploitable Unicode-based
buffer overflow condition. This condition occurs when the OpenDataSource
function is used with MS Jet Engine.

The OpenDataSource function is used for referencing heterogeneous OLE DB
data sources in Transact-SQL statements. Microsoft Jet Engine is the
database engine for Microsoft SQL Server.

An overly long string passed to the Microsoft Jet Engine component via the
OpenDataSource function will trigger this condition. This issue may be
exploited to execute attacker-supplied instructions with the privileges of
the SQL Server process. If the SQL Server process is running in the
SYSTEM context, this may lead to a full compromise.

This issue requires that the attacker is capable of passing maliciously
crafted data to the OpenDataSource function. Under normal circumstances,
this would require the attacker to have access to the database server.
However, this may be exploitable remotely via SQL injection
vulnerabilities in any web-based software that accesses a vulnerable
database.

Due to this being an issue in the MS Jet Engine component itself, other
products which rely on Jet Engine may also be affected by this
vulnerability.

We previously alerted on this issue in Bugtraq ID 4847 "Microsoft SQL
Server 2000 Multiple Vulnerabilities". This issue was originally
publicized as a VNA by NGSSoftware. Separate entries will be created as
more information about the individual vulnerabilities described in BID
4847 becomes available.

22. Microsoft SQL Server 2000 PWDEncrypt Buffer Overflow Vulnerability
BugTraq ID: 5014
Remote: No
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5014
Summary:

SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.

A buffer overflow has been discovered in Microsoft SQL Server 2000. This
vulnerability is due to insufficient bounds checking of data supplied to
the built-in pwdencrypt() hashing function. This issue is reported to be
a heap overflow and may be exploited to execute arbitrary
attacker-supplied instructions as the SQL Server.

The attacker must be able to execute a database query using the
pwdencrypt() function to exploit this vulnerability, which implies that
the attacker must either have legitimate access to the database server or
obtain unauthorized access through some other means. For example, it may
be possible to exploit this issue via a SQL injection attack in another
application.

This issue may be related to the vulnerabilities reported in Bugtraq ID
4847.

23. Lumigent Log Explorer XP_LogAttach_StartProf Buffer Overflow Vulnerability
BugTraq ID: 5016
Remote: No
Date Published: Jun 14 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/5016
Summary:

Lumigent Log Explorer is a transaction log explorer for Microsoft SQL
Server 7/2000.

A buffer overflow vulnerability in xp_logattach.dll has been reported for
Lumigent Log Explorer 3.01. The DLL, xp_logattach.dll, contains extended
stored procedures (XPs). XPs are procedures written in a language such as
C that perform high level functions in SQL Server. Specifically, this
issue is known to affect the xp_logattach_StartProf stored procedure.

If this condition is successfully exploited, it is possible for locations
in memory to be overwritten with attacker-supplied instructions, allowing
for code execution as the SQL server process. By default, SQL Server runs
as a non-privileged user.

It should be noted that extended stored procedures can be run only by the
dbo user by default.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Null session and Exchange2K (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/D503BBD92FE9D2118A010008C75F644814FB9C35@usnssexc20.us.kworld.kpmg.com

2. MS02-29 breaks PPTP connections for non-Admin users? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/E00ECDED326C0B4288A0B4F7F02DE2DD39E90B@mickey.quest.fl.com

3. SecurityFocus Microsoft Newsletter #91 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/DAEAJFEIFOBBPLJKBAONMEANCAAA.mfossi@securityfocus.com

4. backing up IE config (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/94BE36C72683404F84258BBFEE6A826004668621@dua-msg-01.middleeast.corp.microsoft.c

5. xcacls and a service account (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/20020617132526.70952.qmail@web13402.mail.yahoo.com

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Defender
by PassGo Technologies
Platforms: Solaris, Windows 2000, Windows NT
Relevant URL:
http://www.passgo.com/products/defender/
Summary:

Defender uses standards-based challenge/response technology to create a
one-time password that is far more secure than a static password. Its
easy-to-use tokens compute this one-time password when challenged by the
Defender Security Server. Without the authorized user's unique token and the
PIN that activates it, an intruder cannot compute the one-time password, and
even a captured password poses no threat because it is never valid again.

2. Bifrost Firewall
by Heimdall's Limited
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://bifrost.heimdalls.com/
Summary:

Bifrost is a firewall management interface to iptables (iptables GUI). The
system is inspired by Checkpoint and Watchguard firewall management. We
looked at the way Checkpoint works with source, destination, action and
logging. At the same time, we work with incoming and outgoing traffic in a
similar way as Watchguard and PIX Firewalls.

3. i.Secure Store
by Archisoft Security Solutions Limited
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.archisoft.com.hk/prod02.htm
Summary:

i.Secure Store is a plug-in security module for Microsoft Windows. It uses
current PKI technology together with a personal smart token to ensure that
all information reaching its users is uniquely identified, confidential and
intact. i.Secure Store works transparently with Microsoft Windows to provide
strong security.

V. MICROSOFT TOOLS
-------------------
1. DreamSys Server Monitor v3.1
by DreamSys Software
Relevant URL:
http://www.mikersoft.com/servermonitor/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

Monitors servers over a network or the Internet: connect, receive, or
send-and-receive tests on TCP connections; simple ping tests; and tests of
services on remote machines, restarting them if necessary. Quick and easy-to-use
Windows interface. Host lists can be saved and loaded as separate documents.

2. EGADS v0.9
by Secure Software Solutions
Relevant URL:
http://www.securesw.com/egads/
Platforms: UNIX, Windows 2000
Summary:

EGADS is a system service and library for providing secure random numbers.
It contains an implementation of the Tiny pseudo-random number generator
and the Tiny entropy gateway. Tiny is an evolution of Yarrow, and was
designed by John Kelsey (an original designer of Yarrow) and John Viega.
We are currently preparing a white paper on the Tiny algorithm.

EGADS provides the same kind of functionality as /dev/random and
/dev/urandom on Linux systems, but works on Windows, and as a portable
Unix program.

EGADS is available as a portable user-level daemon for Unix systems, and
as a service for Windows 2000 machines. An XP-compatible version will be
available shortly.
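As an added example (it is not EGADS code and is not part of the original
newsletter), the following C program shows the kind of portable
secure-random read that a library like EGADS wraps for applications:
CryptoAPI's CryptGenRandom on Windows and /dev/urandom on Unix. The function
names are my own, and the code assumes only those two platform sources. It
handles the failure modes a careless implementation gets wrong: a short or
interrupted read() is retried until the buffer is full, and when no secure
source is available the caller gets an error rather than a silent fallback to
rand().

```c
/* Added example: portable CSPRNG read of the kind EGADS's library provides.
   Not EGADS code. Assumed platform sources: CryptGenRandom (Windows) and
   /dev/urandom (Unix). Never falls back to rand(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "advapi32.lib")
#else
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#endif

/* Fill buf[0..len) with CSPRNG output. Returns 0 on success, -1 on failure.
   On failure the buffer contents are unspecified and must not be used. */
int secure_random_bytes(unsigned char *buf, size_t len)
{
    if (buf == NULL) return -1;
    if (len == 0) return 0;
#ifdef _WIN32
    HCRYPTPROV prov;
    BOOL ok;
    /* CRYPT_VERIFYCONTEXT: no persistent key container is needed for RNG use */
    if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL,
                             CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
        return -1;
    ok = CryptGenRandom(prov, (DWORD)len, buf);
    CryptReleaseContext(prov, 0);
    return ok ? 0 : -1;
#else
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;             /* no kernel RNG: hard failure, no fallback */
    while (got < len) {                /* read() may return fewer bytes than asked */
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted by a signal: retry */
            close(fd);
            return -1;
        }
        if (n == 0) { close(fd); return -1; }   /* EOF must never happen here */
        got += (size_t)n;
    }
    close(fd);
    return 0;
#endif
}

/* Example use: a 128-bit session token rendered as 32 hex characters.
   Returns 0 on success, -1 if no secure randomness was available. */
int make_session_token(char out[33])
{
    unsigned char raw[16];
    size_t i;
    if (secure_random_bytes(raw, sizeof raw) != 0) return -1;
    for (i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    out[32] = '\0';
    return 0;
}

int main(void)
{
    char tok[33];
    if (make_session_token(tok) != 0) {
        fprintf(stderr, "no secure random source available; refusing to continue\n");
        return 1;
    }
    printf("session token: %s\n", tok);
    return 0;
}
```

The design point is the error path: an application that needs unpredictable
tokens or keys should stop when the secure source fails, because a fallback
to a non-cryptographic generator turns an outage into a silent weakness.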

3. DSCMD - DataSAFE Command Line Encryptor v2.0
by Regnoc Software
Relevant URL:
http://www.regnoc.com
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

DSCMD allows you to encrypt source files for secure storage, transmission
via the Internet, and e-mail attachments. Only someone who knows the
eight-character locking combination can recover the contents of the
encrypted file. DSCMD is completely command-line driven, and simple to
integrate into your programs and scripts on both Windows NT and Linux
servers.

4. Bouncer v1.0.RC6
by Chris Mason chris@r00t3d.org.uk
Relevant URL:
http://www.r00t3d.org.uk/bin/
Platforms: FreeBSD, Linux, OpenBSD, Solaris, Windows 2000, Windows NT
Summary:

Bouncer is a network tool that lets you bypass proxy restrictions and obtain
outside connections from an internal LAN. It uses SSL tunneling, which gives
you a persistent streaming connection out through the proxy: if you are
restricted behind a proxy but can still reach secure (HTTPS) online ordering
sites, you can get out to any host on any port. It also supports SOCKS 5,
basic authentication, access control lists and Web-based administration, and
runs on Windows, Linux and FreeBSD.

VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------