SecurityFocus Microsoft Newsletter #96
From: Marc Fossi (mfossi@securityfocus.com) Date: 07/22/02
Date: Mon, 22 Jul 2002 12:13:15 -0600
From: "Marc Fossi" <mfossi@securityfocus.com>
To: <focus-ms@securityfocus.com>
SecurityFocus Microsoft Newsletter #96
--------------------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System
From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.
With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.
Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Justifying the Expense of IDS, Part One: An Overview of ROIs...
2. Assessing Internet Security Risk, Part Two: an Internet...
3. The Devil And The Deep Blue Sea
4. Crypto Controls are Spreading Internationally
5. The Realities of Disclosure
6. Black Hat Briefings & Training
7. SecurityFocus DPP Program
8. Meeting IT Security Benchmarks Through IT Audits
II. MICROSOFT VULNERABILITY SUMMARY
1. Mirabilis ICQ Sound Scheme Remote Configuration Modification...
2. Macromedia Sitespring Default Error Page Cross Site Scripting...
3. W3C Jigsaw Device Name Path Disclosure Vulnerability
4. PGP Outlook Plug-In Heap Corruption Vulnerability
5. Microsoft SQL Server 2000 Incorrect Registry Key Permissions...
6. Entercept Agent Password Disclosure Vulnerability
7. Microsoft MS-SQL Server Installation Password Caching...
8. Microsoft SQL Server 2000 Password Encrypt Procedure Buffer...
9. Microsoft IIS SMTP Service Encapsulated SMTP Address Vulnerability
10. Real Networks RealJukebox/RealOne Player Gold Skinfile Buffer...
11. Ultrafunk Popcorn Multiple Denial of Service Vulnerabilities
12. Working Resources BadBlue Null Byte File Disclosure Vulnerability
13. Hosting Controller Hidden Field Password Changing Vulnerability
14. Novell NetMail ModWeb Buffer Overflow Vulnerability
15. Symantec Norton Personal Firewall/Internet Security 2001...
16. IMHO Webmail Account Hijacking Vulnerability
17. Real Networks RealJukebox Predictable File Extraction...
18. Novell NetMail IMAP Agent Denial Of Service Vulnerability
19. Fastlink Software TheServer Plain Text Password Storage...
20. Microsoft Windows 2000 Narrator Password Disclosure Vulnerability
21. Working Resources BadBlue Plain Text Password Storage...
22. Novell NetMail WebAdmin Buffer Overflow Vulnerability
23. Thorsten Korner 123tkShop Arbitrary File Include Vulnerability
24. Thorsten Korner 123tkShop SQL Injection Vulnerability
25. Mirabilis ICQ Sound Scheme Predictable File Location...
26. Caucho Technology Resin Server Device Name Path Disclosure...
27. AOL Instant Messenger Unauthorized Actions Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Exchange Information Store Replication (Thread)
2. write permissions for IIS (Thread)
3. Need security proposal for Win2K upgrade... (Thread)
4. Announcement (Thread)
5. Win32 Apache service not run as System... (Thread)
6. Exchange 2000 ms02-025 hotfix Q320436 caused SA to hang on
7. SecurityFocus Microsoft Newsletter #95 (Thread)
8. Exchange 2000 ms02-025 hotfix Q320436 caused SA to hang on restart
9. Exchange2K/DMZ (Thread)
IV. MICROSOFT PRODUCTS
1. TermiNET
2. SecureNT
3. SoftClan Security Suite
V. MICROSOFT TOOLS
1. SQL Server Password Auditing Tool v1.0.1
2. Inzider 1.2
3. Simp (Secway's Instant Messenger Privacy) v1.1.0
VI. SPONSORSHIP INFORMATION
I. FRONT AND CENTER
-------------------
1. Justifying the Expense of IDS, Part One: An Overview of ROIs for IDS
By Kevin Timm
A positive return on investment (ROI) of intrusion detection systems (IDS)
is dependent upon an organization's deployment strategy and how well the
successful implementation and management of the technology helps the
organization achieve the tactical and strategic objectives it has
established. For organizations interested in quantifying the IDS's value
prior to deploying it, their investment decision will hinge on their
ability to demonstrate a positive ROI.
http://online.securityfocus.com/infocus/1608
2. Assessing Internet Security Risk, Part Two: an Internet Assessment
Methodology
by Charl van der Walt
This article is the second in a series that is designed to help readers to
assess the risk that their Internet-connected systems are exposed to. In
the first installment, we established the reasons for doing a technical
risk assessment. In this installment, we'll start discussing the
methodology that we follow in performing this kind of assessment.
http://online.securityfocus.com/infocus/1607
3. The Devil And The Deep Blue Sea
By Jon Lasser
Why Microsoft's Palladium project threatens to send Linux and open-source
into exile.
http://online.securityfocus.com/columnists/96
4. Crypto Controls are Spreading Internationally
By David Banisar
Five years ago, when the Organization for Economic Cooperation and
Development (OECD) released their guidelines for cryptography policy,
crypto advocates cheered and declared victory. After a hard fought battle,
we had forced the OECD to back away from the U.S. government's efforts to
restrict encryption worldwide. After the guidelines, countries around the
world issued crypto policies that called for the free and unfettered use
of encryption products to promote e-commerce and protect privacy.
Eventually, even the U.S. gave up and dropped most export controls. In the
last EPIC Cryptography and Privacy survey, written in 2000, there were
only a handful of nations that still restricted crypto, like Burma,
Belarus, and Russia -- countries you really didn't want to go to anyway.
http://online.securityfocus.com/columnists/95
5. The Realities of Disclosure
by Michael Morgenstern, Tom Parker
Four months ago, we published a SecurityFocus guest feature entitled It's
Time to be Responsible (March 1, 2002) calling for greater consensus in
the computer security arena on policies of vulnerability disclosure. Since
that time little positive movement has occurred, to the detriment of all
involved parties. Microsoft's consortium remains a black hole;
vulnerabilities (and exploits) continue to be released without control;
and everyone suffers - vendors and users included. Thankfully, not all
movement has been entirely negative. Unfortunately, Steve Christey and
Chris Wysopal's RFC of February 2002 was only tepidly received, despite
calling for positive and proactive measures. We surmise that no concrete
movement has occurred due mostly to the segregated computer communities
and the lack of any consensus on these matters. It is high time the
computer cognoscenti finally comes together and advocates responsible
disclosure practices.
http://online.securityfocus.com/guest/14155
6. Black Hat Briefings & Training
Attend Black Hat Briefings & Training, July 29 - August 1, Las Vegas, the
world's premier technical security event! 8 tracks, 12 training sessions,
Richard Clarke keynote, 1500 delegates from 30 nations, with a near cult
following of both CSOs and "underground" security experts. See for
yourself what the buzz is all about.
Visit us at: http://www.blackhat.com
7. SecurityFocus DPP Program
Attention Non-profit Organizations and Universities!!
Sign-up now for preferred pricing on the only global early-warning system
for cyber attacks - SecurityFocus DeepSight Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
8. Meeting IT Security Benchmarks Through IT Audits
August 8-9, 2002, Washington, DC.
By Information Technology Research Associates
Agenda: www.frallc.com (see InfoTech Events)
Have your IT security solutions kept pace with evolving threats? Until
you conduct a thorough IT security audit, you won't know until after a
breach has occurred. To help you achieve the most ROI on your security
investment, ITRA is proud to present a step-by-step practical guide to
auditing your enterprise's IT security. For more information, call
800-280-8440.
II. BUGTRAQ SUMMARY
-------------------
1. Mirabilis ICQ Sound Scheme Remote Configuration Modification Vulnerability
BugTraq ID: 5239
Remote: Yes
Date Published: Jul 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5239
Summary:
ICQ is an instant messenger client for Microsoft Windows systems. ICQ
includes support for sound schemes. ICQ sound scheme files are generally
given the .scm extension.
It is possible for a remote user to make some modifications to the
configuration of some versions of ICQ. Reportedly, it is possible to
modify sounds by forcing a vulnerable user to access a .scm file. This may
be accomplished by sending the vulnerable user an HTML formatted email or
enticing the user into viewing a malicious HTML page.
The HTML content must reference an available .scm file within an IFRAME
tag. If the HTML is then viewed, the sound scheme will be automatically
loaded, modifying the ICQ configuration.
It is not currently known if any other ICQ configuration settings can be
modified in this fashion.
2. Macromedia Sitespring Default Error Page Cross Site Scripting Vulnerability
BugTraq ID: 5249
Remote: Yes
Date Published: Jul 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5249
Summary:
Macromedia Sitespring is a J2EE compliant website production management
solution. The Macromedia Sitespring server runs on Microsoft Windows
operating systems.
A cross site scripting issue has been reported in the default error page
used by Sitespring. When an HTTP 500 error is returned, some user supplied
data is included in the generated HTML. This data is not properly
sanitized, and it is possible to include arbitrary HTML, including
JavaScript.
An attacker may create a malicious link to a vulnerable site, including
arbitrary JavaScript commands. If a user of the site is enticed into
following this link, the malicious script code will execute within the
context of the Sitespring site. Script code may take actions as an
authenticated user, or disclose sensitive information to an attacker,
including cookie data.
3. W3C Jigsaw Device Name Path Disclosure Vulnerability
BugTraq ID: 5251
Remote: Yes
Date Published: Jul 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5251
Summary:
Jigsaw is an HTTP server produced by W3C. It is implemented in Java, and
will run on a wide range of systems, including Microsoft Windows, Linux
and other Unix based systems.
A vulnerability has been reported in some versions of Jigsaw running under
Microsoft Windows. Requesting '/aux' will result in an error condition.
Requesting '/aux' a second time will result in an error page which
includes the full path of the webroot.
It may also be possible to trigger this condition by requesting other
MS-DOS devices.
Exploitation of this vulnerability may aid an attacker in gathering
information about the vulnerable system. This data may, in turn, be of
value in exploiting further vulnerabilities.
4. PGP Outlook Plug-In Heap Corruption Vulnerability
BugTraq ID: 5202
Remote: Yes
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5202
Summary:
NAI PGP tools provide privacy and data confidentiality for secure
communications. The Outlook Plug-in allows users to send and receive
encrypted mail via Microsoft Outlook mail clients. A vulnerability has
been reported for some versions of PGP that may allow a remote attacker to
execute arbitrary code on the vulnerable system. It is possible for an
attacker to craft a specially formatted email such that the message
decoding functionality of the Outlook Plug-in can be manipulated to
overwrite various structures existing on the heap.
When an attack is performed against a vulnerable system, any attacker
supplied code will be executed in the context of the user receiving the
email. This can lead to the compromise of the user's PGP communication
mechanisms as well as the user's operating environment.
5. Microsoft SQL Server 2000 Incorrect Registry Key Permissions Vulnerability
BugTraq ID: 5205
Remote: Yes
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5205
Summary:
SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.
A vulnerability has been reported for SQL Server 2000 that may allow an
attacker to execute SQL Server with elevated privileges. This is a result
of incorrect permissions placed upon the SQL Server Service Account
Registry Key.
An attacker who is able to load and execute queries on SQL Server may be
able to cause SQL Server to change permissions for its associated registry
key.
By default, the permissions of the registry key used to specify the
account used by the SQL server process are insecure. Through SQL queries,
the key may be modified without administrative privileges. If the server
has been configured to run with non-administrative privileges, an attacker
may exploit this vulnerability to configure the server so that it runs
with higher privileges when it is next started.
This may result in elevation of privileges through exploitation of other
vulnerabilities (BugTraq ID 4857, Microsoft SQL Server 2000 Bulk Insert
Procedure Buffer Overflow Vulnerability and BugTraq ID 5204, Microsoft SQL
Server 2000 Password Encrypt Procedure Buffer Overflow Vulnerability).
** This vulnerability was first issued as BugTraq ID 5204, Multiple
Microsoft SQLServer 2000 Vulnerabilities and is now assigned a separate
BugTraq ID.
6. Entercept Agent Password Disclosure Vulnerability
BugTraq ID: 5206
Remote: Yes
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5206
Summary:
Entercept Agent is designed by Entercept Security Technologies to
intercept system calls to the operating system and block calls that would
result in malicious behavior. Entercept Agent is designed for use with
Microsoft Windows and Sun Solaris operating environments.
A vulnerability has been reported that affects the Microsoft Windows
version of Entercept Agent. The vulnerability allows a local administrator
to obtain the password of the entercept_agent account. This account is
part of the Local Administrators group.
Once a malicious administrative user gains the account password, they are
able to use the entercept_agent account to engage in malicious activities
on the vulnerable system while concealing their true identity. This may
present a violation of security policy if other administrative users are
not intended to access the entercept_agent.
The vendor has reported that Entercept Agent for Sun Solaris is not
affected by this vulnerability. The vulnerability only affects Entercept
Agent for Microsoft Windows downloaded prior to May 21, 2002.
7. Microsoft MS-SQL Server Installation Password Caching Vulnerability
BugTraq ID: 5203
Remote: No
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5203
Summary:
During the initial installation of Microsoft SQL Server 7 (including MSDE
1.0) or 2000, or when applying service packs, information is gathered and
stored in a special file that can later be used to automate other MS-SQL
Server installations. This file, setup.iss, may contain passwords supplied
during the installation process. In addition, the log file documenting the
installation process will also contain any passwords entered.
Prior to SQL Server 7.0 SP4, these passwords were stored in clear text in
the file. After SQL Server 7.0 SP4, and SQL Server 2000, the passwords are
encrypted and then stored. The Microsoft bulletin does note that the
encryption is potentially weak.
During the installation, two copies of setup.iss are created depending on
the version of SQL Server. The files are stored in '%windir%\setup.iss' or
'%sqlserverinstance%\install\'.
The file '%windir%\setup.iss' is created with "Full Control" permissions
granted to the "Everyone" group.
* If the SQL Server is being set up in "Mixed Mode", a password for the
SQL Server administrator (the 'sa' account) must be supplied and is stored
in setup.iss.
* Whether in Mixed Mode or Windows Authentication Mode, a User ID and
password can optionally be supplied for the purpose of starting up SQL
Server service accounts.
Contributing to the vulnerability, in versions of SQL Server 7.0, this
file is stored on the server in a location that can be viewed by anyone
with rights to log on interactively. Thus an attacker with access to the
setup.iss file could decode the password and gain unauthorized access to
SQL Server.
Microsoft has provided a utility, killpwd.exe, that will remove the
setup.iss files.
8. Microsoft SQL Server 2000 Password Encrypt Procedure Buffer Overflow Vulnerability
BugTraq ID: 5204
Remote: Yes
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5204
Summary:
SQL Server 2000 is a commercially available enterprise level database
product from Microsoft.
A buffer overflow vulnerability has been reported in SQL Server 2000. The
vulnerability is a result of an unchecked buffer when using the password
encrypt procedure. This procedure is used by administrators to provide
support for the storage of SQL Server Authentication credentials.
The overrun condition is due to an unbounded data copy operation that
occurs when processing the procedure arguments. Attackers may exploit this
vulnerability by invoking the password encrypt procedure with excessive
input.
An attacker may be able to exploit this vulnerability by calling the
function and providing it with excessive input such that the buffer is
overrun and the memory within the SQL Server process is overwritten,
possibly to execute arbitrary code.
** This BugTraq ID has been reissued as an individual vulnerability. See
BugTraq IDs 4847, Microsoft SQL Server 2000 Bulk Insert Procedure Buffer
Overflow Vulnerability and BugTraq ID 5205, Microsoft SQL Server 2000
Incorrect Registry Key Permissions Vulnerability, for details of the other
related vulnerabilities.
9. Microsoft IIS SMTP Service Encapsulated SMTP Address Vulnerability
BugTraq ID: 5213
Remote: Yes
Date Published: Jul 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5213
Summary:
Microsoft Exchange 5.5 and the SMTP (Simple Mail Transfer Protocol)
service included with IIS (Internet Information Services) 4.0 and 5.0 are
vulnerable to an encapsulated SMTP address vulnerability.
The vulnerability was originally announced in Microsoft Security Bulletin
MS99-027 and reported to affect Exchange Server 5.5. Microsoft released a
patch to fix the vulnerability for Exchange Server 5.5 only. It has been
recently reported that this vulnerability also affects the SMTP service
included with Microsoft IIS 4.0 and 5.0. There exists no patch for the
IIS SMTP service.
It is possible for a remote attacker to perform mail relaying via an
Exchange server that is configured to act as a gateway for other Exchange
sites, using the Internet Messaging Service. Mail-relaying is a practice
where remote attackers cause an email server to forward email from the
attacker, as though the server were the sender of the mail. Open mail
relays are used primarily by "spammers" to obscure the origin of
unsolicited email.
Microsoft Exchange Server implements security features designed to defeat
email relaying. However, a vulnerability exists in this feature that would
allow an attacker to circumvent the anti-relaying features of the Exchange
Server.
The vulnerability is a result of the way that site-to-site relaying is
performed via SMTP. Any SMTP addresses that are encapsulated can be used
to send mail to any desired e-mail address.
10. Real Networks RealJukebox/RealOne Player Gold Skinfile Buffer Overflow
BugTraq ID: 5217
Remote: Yes
Date Published: Jul 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5217
Summary:
RealJukebox and RealOne Player Gold are multimedia applications for
Microsoft Windows operating systems.
Real Software has announced a vulnerability in RealJukebox2 and Real
Player Gold.
A buffer overflow condition exists due to insufficient bounds checking of
fields in skinfiles. Skinfiles are archives comprised of a number of
files containing skin data. One of the files, "skin.ini", contains
information about how the skin is to be displayed. There is an unchecked
buffer for the "CONTROLnImage" field of this file. By supplying an overly
long filename as a value for this field, it is possible to overwrite stack
variables. An attacker may exploit this condition to overwrite the return
address with a pointer to embedded attacker-supplied instructions.
To exploit this issue the attacker must transmit the maliciously
constructed skinfile to a victim of the attack. This may be done via a
webpage or HTML e-mail. Exploitation of this issue may result in
execution of attacker-supplied instructions with the privileges of the
user opening the malicious skinfile.
11. Ultrafunk Popcorn Multiple Denial of Service Vulnerabilities
BugTraq ID: 5212
Remote: Yes
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5212
Summary:
Ultrafunk Popcorn email client is designed for Microsoft Windows systems
and is no longer being maintained.
Due to the handling of malformed email messages, Popcorn email client
could stop responding.
If a message contains an unusual string of characters or an unusual amount
of data (approx 490 bytes) in the subject field, upon opening the message,
Popcorn will stop responding.
Popcorn has also been reported to fail if the date field of an email
message has the year specified higher than 2037.
A restart of the client may be required in order to regain normal
functionality.
It is possible that the issue with oversized subject lines is the result
of a buffer overflow. If this is the case, it may be possible to exploit
this issue to execute arbitrary code as the user process. This possibility
has not, however, been confirmed.
12. Working Resources BadBlue Null Byte File Disclosure Vulnerability
BugTraq ID: 5226
Remote: Yes
Date Published: Jul 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5226
Summary:
BadBlue is a P2P file sharing application distributed by Working
Resources. It is available for Microsoft Windows operating systems.
Working Resources BadBlue may disclose the contents of restricted files.
Under some circumstances, it may be possible to pass a null byte request
to a BadBlue server. By creating a request that contains a null byte at
the end of a file name, and including white space between certain elements
of the file name, it is possible to bypass the filtering imposed by the
server.
It has been discovered that a request passed to a BadBlue server
containing a null byte at the end of a file name will return the contents
of the file. This type of request can be applied to gain access to
sensitive information, such as the BadBlue configuration file.
This problem can allow a user to gain access to sensitive files, including
the BadBlue configuration file.
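A request-path filter covering both the MS-DOS device name disclosure of item 3 (Jigsaw, '/aux' and other devices) and the null byte and whitespace bypass of item 12 (BadBlue). This is an added example, not code from either product; the protected file name "config.ini", the segment allowlist and the sample requests are assumptions constructed for the illustration.

```python
import re
from urllib.parse import unquote

# MS-DOS device names that Windows resolves regardless of directory or
# extension: "aux", "AUX.txt" and "/docs/aux" all name the AUX device.
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {"COM%d" % i for i in range(1, 10)}
    | {"LPT%d" % i for i in range(1, 10)}
)

# Conservative allowlist for one path segment: letters, digits, dot,
# underscore, hyphen. It excludes whitespace, control bytes and '%', so a
# double-encoded "%2500" is still rejected after the single decode below.
SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


def check_request_path(raw_path, protected=frozenset()):
    """Return (allowed, reason) for a request path.

    raw_path  -- the path as it arrived on the wire (may be URL-encoded)
    protected -- lower-cased file names the server must never serve, such as
                 its own configuration file (assumed names supplied by caller)
    """
    # Decode percent-encoding exactly once so "%00" is seen as a NUL byte.
    path = unquote(raw_path)

    # A NUL terminates the string in C-based file APIs: the filesystem opens
    # "config.ini" while an access check written in a higher-level language
    # still sees "config.ini\x00.html" and lets it through.
    if "\x00" in path:
        return False, "null byte in path"

    if not path.startswith("/"):
        return False, "path must be absolute within the web root"

    # Backslashes are directory separators on Windows; treat them the same.
    segments = [s for s in path.replace("\\", "/").split("/") if s != ""]

    for seg in segments:
        if seg in (".", ".."):
            return False, "directory traversal segment"
        # Rejects leading, trailing and embedded whitespace, which Windows
        # strips when opening a file and which defeats naive name comparisons.
        if not SEGMENT_RE.fullmatch(seg):
            return False, "disallowed character in segment %r" % seg
        # Only the part before the first dot matters to Windows, and it also
        # strips trailing dots, so "aux." and "aux.txt" are still the device.
        stem = seg.split(".", 1)[0].upper()
        if stem in RESERVED_DEVICE_NAMES:
            return False, "reserved device name in segment %r" % seg
        if seg.endswith("."):
            return False, "trailing dot in segment %r" % seg

    if segments and segments[-1].lower() in protected:
        return False, "protected file %r" % segments[-1]

    return True, "ok"


def triage(requests, protected=frozenset()):
    """Run the filter over captured request paths and return the rejected
    ones with their reasons, the form a defender would feed into logging."""
    rejected = []
    for raw in requests:
        allowed, reason = check_request_path(raw, protected)
        if not allowed:
            rejected.append((raw, reason))
    return rejected


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic. "config.ini" is an
    # assumed name for the server's configuration file.
    SAMPLE = [
        "/index.html",
        "/aux",                  # item 3: MS-DOS device name
        "/docs/Aux.txt",         # same device, hidden behind an extension
        "/config.ini%00.html",   # item 12: null byte after the file name
        "/config .ini",          # item 12: whitespace inside the name
        "/%2e%2e/config.ini",    # encoded traversal
    ]
    for raw, reason in triage(SAMPLE, protected=frozenset({"config.ini"})):
        print("REJECT %-24r %s" % (raw, reason))
```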
13. Hosting Controller Hidden Field Password Changing Vulnerability
BugTraq ID: 5229
Remote: Yes
Date Published: Jul 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5229
Summary:
Hosting Controller is an application which consolidates all hosting tasks
into one interface. Hosting Controller runs on Microsoft Windows operating
systems.
A problem with Hosting Controller may make it possible for a user to
change arbitrary passwords.
A problem has been discovered that could allow users with valid accounts
via Hosting Controller to change arbitrary passwords. Hosting Controller
uses a hidden field to specify the username when a password change is
performed. By changing the name of the user specified in the hidden
field, it is possible to change the password for that respective user.
This function is performed with the /accounts/updateuserdesc.asp script.
This problem could make it possible for an attacker to change a password
for any user. This includes Administrator, and could allow a remote user
to gain administrative access to a vulnerable Hosting Controller system.
14. Novell NetMail ModWeb Buffer Overflow Vulnerability
BugTraq ID: 5230
Remote: Yes
Date Published: Jul 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5230
Summary:
Novell NetMail is an e-mail and calendaring system for use with Microsoft
Windows and Linux and Unix variant operating systems.
A vulnerability has been reported for Novell Netmail versions 3.1 and
3.0.3. A buffer overflow condition exists in the vulnerable versions of
the software that may allow a remote attacker to obtain root privileges.
The vulnerability exists in the ModWeb module of Netmail. When certain data
is received by the ModWeb module, the buffer overflow condition is
triggered. This may allow, under certain circumstances, for an attacker to
supply malicious code that may be executed by the vulnerable process.
In situations like this, it is possible for a remote attacker to obtain
root privileges.
15. Symantec Norton Personal Firewall/Internet Security 2001 Buffer Overflow Vulnerability
BugTraq ID: 5237
Remote: Yes
Date Published: Jul 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5237
Summary:
Symantec Norton Personal Firewall 2001 is a firewall for home and small
office machines based on some versions of the Microsoft Windows operating
systems. Norton Internet Security 2001 is a suite of Norton security
utilities including Norton Personal Firewall and Norton Antivirus.
It has been reported that Norton Personal Firewall and Norton Internet
Security are vulnerable to a buffer overflow condition in the HTTP proxy.
The condition is reportedly due to an inability to handle large requests.
When such a request is processed, 3 bytes of a 32-bit word stored in the
EDI register are overwritten by client-supplied data. Control over this
value may result in the ability to execute code within the kernel.
The vulnerability may be exploited by malicious users behind the proxy
server. Attackers outside of the proxy server may also be able to exploit
this vulnerability by placing a maliciously constructed link on a website.
If the victim user behind the proxy server is enticed into clicking on the
link, the overflow will be triggered.
The overflow occurs in kernel memory. It may be possible to execute
arbitrary code in this context to compromise the system.
16. IMHO Webmail Account Hijacking Vulnerability
BugTraq ID: 5238
Remote: Yes
Date Published: Jul 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5238
Summary:
IMHO is a webmail module for Roxen webserver. It will run on any
operating system Roxen is compatible with, including Linux and Unix
variants as well as Microsoft Windows.
A vulnerability has been reported in the IMHO Roxen webmail module which
may enable a malicious user of the webmail system to gain access to the
account of another user. This issue is in part due to a Roxen
configuration error which may cause potentially sensitive information to
be leaked in error pages. In this instance, the REFERER may be leaked to
an attacker, which the attacker may use to access another webmail account.
17. Real Networks RealJukebox Predictable File Extraction Vulnerability
BugTraq ID: 5210
Remote: Yes
Date Published: Jul 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5210
Summary:
RealJukebox is a multimedia application for Microsoft Windows operating
systems.
Real Software has announced a vulnerability in RealJukebox2 and Real
Player Gold. When skin files are opened, the files comprising the skin
are extracted to a known location on client filesystems.
This may provide a remote attacker with the ability to plant a file on a
victim filesystem by transmitting a seemingly benign skin. The presence
of a file in a specific location may provide the attacker the ability to
carry out more complex attacks.
For example: the attacker may embed malicious HTML content, including
script code inside of a skin. When it is opened by the victim, the
embedded HTML will be stored in a file in a directory known by the
attacker. The attacker may then provide a 'file://' link to this file in
an HTML email or on a website. If the link is followed by the victim, the
malicious file may be interpreted as HTML content, and the script code
executed within the Local Security Zone. This Security Zone has relaxed
restrictions. Malicious script code executed in this Security Zone may
compromise the host.
The ability to plant a file on the victim filesystem may also be leveraged
in conjunction with other vulnerabilities such as that described by
Bugtraq ID 3867.
The vendor has addressed this issue in affected products by making the
location of skinfile extractions less predictable.
18. Novell NetMail IMAP Agent Denial Of Service Vulnerability
BugTraq ID: 5232
Remote: Yes
Date Published: Jul 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5232
Summary:
Novell NetMail is an e-mail and calendaring system for use with Microsoft
Windows and Linux and Unix variant operating systems.
A vulnerability has been reported for Novell Netmail versions 3.1 and
3.0.3. The IMAP (Internet Message Access Protocol) Agent is prone to a
denial of service condition when certain malformed data is received.
When certain data is received by the IMAP Agent, the Agent may crash. This
leads to a denial of service condition. Repeated attacks against a
vulnerable system will cause the server to reboot in a Novell NetWare
environment.
A manual restart of the IMAP Agent is required for services to resume.
It has been reported that this issue is the result of a buffer overflow
condition. If that is the case, it may prove possible to exploit this
vulnerability to execute arbitrary code as the IMAP Agent process. This
possibility has not, however, been confirmed.
19. Fastlink Software TheServer Plain Text Password Storage Vulnerability
BugTraq ID: 5250
Remote: Yes
Date Published: Jul 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5250
Summary:
Fastlink Software TheServer is a small webserver designed for use with
Microsoft Windows operating systems.
A problem with TheServer 1.75 may make it possible for remote attackers to
gain access to sensitive information.
TheServer does not cryptographically protect stored passwords. Passwords
contained in the configuration file, server.ini, are stored in plain text.
They may be read by simply viewing the file. The file, server.ini, is
stored in a web accessible location and is, itself, accessible for
retrieval. Thus it is trivial for an attacker to obtain the password
necessary to view logfiles.
This problem could allow an attacker to request TheServer's configuration
file to gain access to the passwords to protected resources.
20. Microsoft Windows 2000 Narrator Password Disclosure Vulnerability
BugTraq ID: 5253
Remote: No
Date Published: Jul 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5253
Summary:
Microsoft Windows 2000 contains an accessibility feature for visually
impaired users called Narrator. This utility is a synthesized
text-to-speech utility that reads on screen text for the user.
When logging into a Terminal Services session, Narrator will read the
username, domain name, and password out loud. This is because the
Terminal Services login dialog is simply displayed as a bitmap image.
The image does not send any information describing the fields to the
system requesting the session. Therefore, Narrator is unaware that it
should mask the password field keystrokes.
21. Working Resources BadBlue Plain Text Password Storage Vulnerability
BugTraq ID: 5228
Remote: No
Date Published: Jul 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5228
Summary:
BadBlue is a P2P file sharing application distributed by Working
Resources. It is available for Microsoft Windows operating systems.
A problem with BadBlue may make it possible for local users to gain access
to sensitive information.
BadBlue does not cryptographically protect stored passwords. Passwords
contained in the configuration file are stored in plain text. They may be
read by simply viewing the file.
This problem could allow a local user with read access to the BadBlue
configuration file to gain access to user passwords, and the passwords to
protected resources. This problem is compounded by the vulnerability
described in Bugtraq ID 5226.
22. Novell NetMail WebAdmin Buffer Overflow Vulnerability
BugTraq ID: 5231
Remote: Yes
Date Published: Jul 15 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5231
Summary:
Novell NetMail is an e-mail and calendaring system for use with Microsoft
Windows and Linux and Unix variant operating systems.
A vulnerability has been reported for Novell Netmail versions 3.1 and
3.0.3. A buffer overflow condition exists in the vulnerable versions of
the software that may allow a remote attacker to obtain root privileges.
The vulnerability exists in the WebAdmin module of Netmail. WebAdmin is
used by administrators of Netmail to configure and change parameters
necessary for operation. When certain data is received by the WebAdmin
module, the buffer overflow condition is triggered. This may allow, under
certain circumstances, for an attacker to supply malicious code that may
be executed by the vulnerable process.
In situations like this, it is possible for a remote attacker to obtain
root privileges.
23. Thorsten Korner 123tkShop Arbitrary File Include Vulnerability
BugTraq ID: 5243
Remote: Yes
Date Published: Jul 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5243
Summary:
123tkShop is a freely available, open source e-business application
written using PHP. It will run on most Linux and Unix variants, in
addition to Microsoft Windows operating systems.
A vulnerability has been reported for 123tkShop for versions prior to
0.3.1. Reportedly, an attacker may be able to read arbitrary files on the
vulnerable system with the privilege level of the 123tkShop process.
Almost all PHP files distributed with 123tkShop include other files
dynamically. Most of them are included with a statement like:
include("path/$var/file.inc.php");
If 'register_globals' is enabled in the local PHP configuration file, a
remote attacker may be able to subvert the contents of the variable
interpolated into the include statement. Through the usage of '../'
character sequences, an arbitrary file location may be specified.
If the 'magic_quotes_gpc' configuration parameter is disabled, the
attacker may additionally include a null character in this variable,
terminating the string and allowing an arbitrary system file to be
specified. This file will then be disclosed to the remote user.
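The include pattern described above next to a hardened replacement, as an added example that is not 123tkShop's code; the "path/" layout, the module_path() and is_module_name() helpers and the sample inputs are assumptions.

```php
<?php
// Added example, not code from 123tkShop; the "path/" layout, function names
// and sample inputs are hypothetical.

// The pattern the advisory describes: with register_globals on, $var arrives
// from the request, so "../" (and, with magic_quotes_gpc off, a NUL byte)
// steer the include outside the intended directory.
function load_module_unsafe(string $var): void
{
    include("path/$var/file.inc.php");
}

// A module name is a short alphanumeric/underscore token; this one check
// rejects traversal, separators and NUL bytes before any file access.
function is_module_name(string $var): bool
{
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $var) === 1;
}

// Resolve the module's include file (realpath() collapses any "../") and
// confirm the canonical path still lies under $root; null means do not include.
function module_path(string $var, string $root): ?string
{
    $base = realpath($root);
    if ($base === false || !is_module_name($var)) {
        return null;
    }
    $target = realpath("$base/$var/file.inc.php");
    $prefix = $base . DIRECTORY_SEPARATOR;
    return ($target !== false && strncmp($target, $prefix, strlen($prefix)) === 0)
        ? $target : null;
}

// Hardened replacement: the value is read explicitly (register_globals no
// longer matters) and only a validated, canonical path reaches include.
function load_module_safe(string $root): void
{
    $target = module_path($_GET['var'] ?? '', $root);
    if ($target === null) {
        http_response_code(400);
        exit('invalid module');
    }
    include $target;
}

// Constructed inputs: only the first passes the token check.
foreach (['catalog', '../../../../etc/passwd', "../../config.php\0"] as $input) {
    printf("%-26s -> %s\n", addcslashes($input, "\0"),
           is_module_name($input) ? 'accepted' : 'rejected');
}
```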
24. Thorsten Korner 123tkShop SQL Injection Vulnerability
BugTraq ID: 5244
Remote: Yes
Date Published: Jul 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5244
Summary:
123tkShop is a freely available, open source e-business application
written using PHP. It will run on most Linux and Unix variants, in
addition to Microsoft Windows operating systems.
A vulnerability has been reported for 123tkShop. Reportedly, 123tkShop
suffers from a SQL injection vulnerability. User supplied data is used to
construct SQL statements, and special characters such as the single quote
(') and double quote (") are not properly escaped. An attacker may be able
to pass malicious data to the system which modifies SQL queries.
If 'magic_quotes_gpc' is disabled in the PHP configuration file, php.ini,
it is possible for an intruder to inject malicious SQL code into queries to
123tkShop.
This may be exploited by the attacker to view or modify the contents of
sensitive database files.
25. Mirabilis ICQ Sound Scheme Predictable File Location Vulnerability
BugTraq ID: 5247
Remote: Yes
Date Published: Jul 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5247
Summary:
ICQ is an instant messenger client for Microsoft Windows systems. ICQ
includes support for sound schemes. ICQ sound scheme files are generally
given the .scm extension.
When installed, a sound scheme places a number of wav sound files in a
predictable location within the installation directory of ICQ. An attacker
may exploit this vulnerability to place malicious content in a known
location. A URL reference to the file may then cause malicious content or
code to be executed within local context.
It has been demonstrated that a .mht file may be renamed as a .wav file
and deposited in this way. If referenced through some browsers with the
protocol specified as mhtml, attached executable content may be
automatically dropped to a defined directory on the local system, and then
referenced in turn.
The ability to plant a file on the victim filesystem may also be leveraged
in conjunction with other vulnerabilities such as that described by
Bugtraq ID 3867.
26. Caucho Technology Resin Server Device Name Path Disclosure Vulnerability
BugTraq ID: 5252
Remote: Yes
Date Published: Jul 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5252
Summary:
Resin is an XML-based application server. It is available for Microsoft
Windows operating systems, in addition to Linux and Unix variants.
Resin discloses sensitive information when handling malformed web
requests. When a request for certain MS-DOS device names is made, the
server will respond with an error page that contains the absolute path to
the webroot directory.
This type of sensitive information may be used in further attacks on the
host.
This issue has been reported in Resin running on Microsoft Windows
platforms.
27. AOL Instant Messenger Unauthorized Actions Vulnerability
BugTraq ID: 5246
Remote: Yes
Date Published: Jul 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5246
Summary:
AIM (AOL Instant Messenger) is an instant messaging client for Microsoft
Windows, MacOS, and other platforms.
AIM is prone to an issue which may allow maliciously crafted HTML to
perform unauthorized actions on behalf of a user of the vulnerable client.
AIM installs a handler for "aim:" URIs. The "aim:" URIs can be used to
perform configuration changes and other actions specific to the AIM
client. Actions that may be performed include adding entries to the buddy
list, adding a new group, etc. Once the handler is invoked, the specified
action will be carried out without prompting or notifying the user.
The attacker may exploit this vulnerability by obscuring an "aim:" link and
enticing the victim to click on it. More dangerously, it has been
reported that this can be exploited automatically once a victim visits a
website if the attacker uses HTTP REFRESH to reload pages as "aim:" URIs.
This issue was reported for versions of AIM running on Microsoft Windows
and MacOS. The Linux version of the client is not affected by this
vulnerability.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Exchange Information Store Replication (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/4D5D8A4276CCD411BEB400A0C9E105C402D6AC75@chaka.orthodon.com
2. write permissions for IIS (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/8BD7226E07DDFF49AF5EF4030ACE0B7E0613E8A5@red-msg-06.redmond.corp.microsoft.com
3. Need security proposal for Win2K upgrade... (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/20020718204342.83411.qmail@web12305.mail.yahoo.com
4. Announcement (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/Pine.LNX.4.43.0207171447160.23053-100000@mail.securityfocus.com
5. Win32 Apache service not run as System... (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/BFCC17728801D311A6A90001FA7EA13610881B58@xcem-aztem-04.wellsfargo.com
6. Exchange 2000 ms02-025 hotfix Q320436 caused SA to hang on restart[Scanned] (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/D93407A0B187D411AED100D0B77222B6088C0926@xau02.aus.hp.com
7. SecurityFocus Microsoft Newsletter #95 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/6AA3020BB6C49E4EBDB05588474253321B63F9@dieppe.calgary.securityfocus.com
8. Exchange 2000 ms02-025 hotfix Q320436 caused SA to hang on restart (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/D93407A0B187D411AED100D0B77222B6088C0916@xau02.aus.hp.com
9. Exchange2K/DMZ (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/010801c22b5b$9750fa00$32f4450a@deth
IV. MICROSOFT PRODUCTS
----------------------
1. TermiNET
by CenturionSoft
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.centurionsoft.com/Danu/terminet.htm
Summary:
TermiNET is a "Personal Firewall" which protects your PC from outside
attack while you browse the web or connect to other networks. It is an
ideal low cost solution for SMEs, SOHO and home users who wish to connect
to the Internet but do not have the resources or support of a large
security infrastructure. Simply install TermiNET on each machine, and
using the simple interface, apply access rights to the Internet in a
controlled manner.
2. SecureNT
by SecureWave
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.securewave.com/products/securent/secure_nt.html
Summary:
SecureNT is a powerful desktop security enhancer that allows system
administrators to implement strict security policies by controlling
end-user access to I/O devices such as the floppy drive, CD-ROM, serial
and parallel ports, as well as other devices. SecureNT also allows you to
track files being copied to the floppy drive and to removable devices such
as Zip and Jaz drives.
3. SoftClan Security Suite
by CenturionSoft
Platforms: Windows 95/98
Relevant URL:
http://www.centurionsoft.com/SoftClan/securitysuite.htm
Summary:
SoftClan SecuritySuite is a new Security and Auditing program able to
provide Windows 95/98/Me with protection levels similar to those of
Windows NT on NTFS, and it even adds a rich set of security features not
present on it.
V. MICROSOFT TOOLS
-------------------
1. SQL Server Password Auditing Tool v1.0.1
by Patrik Karlsson
Relevant URL:
http://www.cqure.net/tools10.html
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
This tool should be used to audit the strength of Microsoft SQL Server
passwords offline. The tool can be used either in BruteForce mode or in
Dictionary attack mode. The performance on a 1 GHz Pentium (256 MB) is
around 750,000 guesses/sec.
To be able to perform an audit one needs the password hashes that are
stored in the sysxlogins table in the master database. The program needs
to have them formatted in a text file accordingly (look at the included
file hashes.txt).
2. Inzider 1.2
by Arne Vidstrom
Relevant URL:
http://ntsecurity.nu/toolbox/inzider/
Platforms: Windows 95/98, Windows NT
Summary:
This is a very useful tool that lists the current processes in your
Windows system and which ports they listen on. It is written to work on
Windows NT and Windows 9x. There have been some stability problems on
Windows 9x, but they seem to have been solved now. On Windows NT, inzider
is unable to check processes that are started as services.
3. Simp (Secway's Instant Messenger Privacy) v1.1.0
by Secway
Relevant URL:
http://www.secway.com/lab/simp.php?PARAM=us,ie#download
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Simp (Secway's Instant Messenger Privacy) is a tool developed by Secway to
secure your online MSN Messenger conversations. Simp works by encrypting
messages before they are sent over the Internet and decrypting them when
they arrive at your contacts. Once installed on your computer and your
friends' computers, Simp will prevent anyone from reading your conversations.
VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------