SecurityFocus Microsoft Newsletter #99

From: Marc Fossi (mfossi@securityfocus.com)
Date: 08/12/02


Date: Mon, 12 Aug 2002 15:07:48 -0600
From: "Marc Fossi" <mfossi@securityfocus.com>
To: <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #99
--------------------------------------

This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Malware Infection Vectors: Past, Present, and Future
     2. Post to Bugtraq -- Go to Jail
     3. InforwarCon 2002
     4. SecurityFocus DPP Program
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Windows Window Message Subsystem Design Error...
     2. Multiple Microsoft Content Management Server 2001 Vulnerabilities
     3. Microsoft Exchange 2000 Multiple MSRPC Denial Of Service...
     4. Microsoft Content Management Server 2001 Arbitrary Upload...
     5. Google Toolbar Unauthorized JavaScript Configuration...
     6. Microsoft Windows 2000 Insecure Default File Permissions...
     7. ArGoSoft Mail Server Pro Mail Loop Denial of Service Vulnerability
     8. Multiple Vendor calloc() Implementation Integer Overflow...
     9. Nullsoft WinAmp HTML Playlist Script Injection Vulnerability
     10. Microsoft Internet Explorer Invalid SSL Certificate Chain...
     11. Microsoft SQL Server Remote Buffer Overflow Vulnerability
     12. Microsoft Exchange 2000 Post Authorization License Exhaustion...
     13. Nullsoft SHOUTCast Insecure Permissions Information Disclosure...
     14. Ensim Webppliance Unauthorized Email Access Vulnerability
     15. Microsoft Content Management Server 2001 SQL Injection...
     16. Google Toolbar Keypress Monitoring Information Disclosure...
     17. Ipswitch WS_FTP Server CPWD Remote Buffer Overflow Vulnerability
     18. Microsoft Content Management Server 2001 User Authentication...
     19. BlueFace Falcon Web Server Error Message Cross-Site Scripting...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Password change utility (Thread)
     2. SP3 Problems? (Thread)
     3. Another SUS / Autoupdate question (Thread)
     4. Risks posed by Windows XP Scheduled Tasks? (Thread)
     5. Looking for a recent IE SSL bug.. (Thread)
     6. Closed thread --> windows update reporting info back to MS?...
     7. windows update reporting info back to MS? (and .NET fw SP1)...
     8. Re[2]: windows update reporting info back to MS? (and .NET fw...
     9. local admin passwords (Thread)
     10. Using LDAP Authentication (Thread)
     11. FW: White paper: Exploiting the Win32 API. (Thread)
     12. windows update reporting info back to MS? (and .NET fwSP1)...
     13. SecurityFocus Microsoft Newsletter #98 (Thread)
     14. QChain obsolete? (Thread)
     15. Synchronising NT User Accounts with a database. (Thread)
     16. Windows 2000 special folder restrictions (Thread)
IV. MICROSOFT PRODUCTS
     1. SecureStack
     2. AppDetective for Oracle
     3. DbEncrypt for Oracle
V. MICROSOFT TOOLS
     1. single-honeypot v0.1
     2. myNetMon v1.0.3
     3. Secure Cryptographic Instant Messaging v1.04
     4. IDScenter v1.09 b2
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Malware Infection Vectors: Past, Present, and Future
By Paul Schmehl

The vectors that malicious software uses to invade systems are constantly
evolving: adapting to new technologies, changing to avoid defense
mechanisms and adding on to attack new weaknesses. This article will look
at what infection vectors have been historically effective, how they've
changed over time and what they probably will do in the future.

http://online.securityfocus.com/infocus/1615

2. Post to Bugtraq -- Go to Jail
By Mark Rasch

Imagine discovering a flaw in an operating system that would permit you to
obtain root privileges. Imagine then posting information about this
vulnerability to a message board dedicated to information security, along
with a link to an exploit that could be assembled to take advantage of the
vulnerability. Does the vendor of the OS congratulate you?

http://online.securityfocus.com/columnists/100

3. InforwarCon 2002

InforwarCon 2002: Homeland Defense and Cyber-Terrorism, Washington, DC
September 4-5, 2002, optional workshops September 3 & 6. Presented by MIS
Training Institute and Interpact, Inc. Proven strategies for protecting
against threats to critical infrastructures and government systems.

Go to: http://www.misti.com/08/iw02nl26inf.html

4. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Windows Window Message Subsystem Design Error Vulnerability
BugTraq ID: 5408
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5408
Summary:

A serious design error in the Win32 API has been reported. The issue is
related to the inter-window message passing system.

In the Win32 model, all windows on the desktop are considered peers. As
such, windows may pass messages to each other without respect to the
access level of the controlling processes.

This is a fundamental design flaw, as certain messages may adversely
affect the operation of the receiving process. Win32 messages are fairly
powerful. For example, messages may manipulate the properties of window
components (such as the length limit of a text input field). Altering
these properties may create exploitable conditions. The obvious example is
exposing a buffer overflow condition by changing the length limit of an
input field.

Furthermore, the message 'WM_TIMER' can be used to execute arbitrary code
if instructions can be placed in executable memory of the victim process.
The 'WM_TIMER' message can include the address of a callback function in
process memory. If the address parameter is set to the location of
instructions placed in memory of the target process (through an input
field or some other method), the code will be executed by the target
process. The message 'EM_GETLINE' may also be used to write the
instructions to any location in process memory.

This flaw is wide-ranging, likely affecting almost every Win32
window-based application. Attackers with local access may exploit this
vulnerability to elevate privileges if a window belonging to another
process with higher privileges is present. One example of such a process
is antivirus software, which often must run with LocalSystem privileges.

2. Multiple Microsoft Content Management Server 2001 Vulnerabilities
BugTraq ID: 5419
Remote: Yes
Date Published: Aug 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5419
Summary:

Microsoft has reported three vulnerabilities in Microsoft Content
Management Server (MCMS) 2001. Microsoft Content Management Server 2001
is a .NET Enterprise Server product for development and management of
e-business websites.

The first issue is reported to be a buffer overflow condition in a
low-level function that facilitates user-authentication. At least one
webpage that ships with the product contains an exposure to the vulnerable
function, and may allow attackers to exploit the condition. This may be
exploited by a remote attacker to execute arbitrary instructions in the
Local System context or potentially create a denial of service condition.
Malformed authentication information may trigger this condition in a
webpage which provides authentication and calls the vulnerable function.

The second issue is reported to be the result of two flaws in a particular
function (MCMS Authoring) and may potentially allow remote attackers to
upload files to arbitrary locations on a vulnerable system. The first
flaw is in the user authentication aspect of the vulnerable function, and
may allow arbitrary users to submit upload requests to the server.
Additionally, a flaw exists which may allow files to be uploaded to an
arbitrary location. Normally, uploaded files are stored in a directory
without execute permissions. However, the existence of this second flaw
in the affected function may allow for files to be uploaded to an
attacker-specified location, where they will reside for a short period of
time. This may allow for execution of arbitrary attacker-supplied files.
Successful exploitation would cause the file to be executed in the context
of the Web Application Manager.

The third issue is reported to be an SQL injection vulnerability in the
MCMS Resource Request function. This function is used to handle requests
for image files and other types of resources on the server. This issue
could effectively be exploited to execute commands in the context of the
SQL Server 2000 service, which amounts to the privileges of the Domain
user.

** This vulnerability record will be divided into separate entries for
each individual vulnerability.

3. Microsoft Exchange 2000 Multiple MSRPC Denial Of Service Vulnerabilities
BugTraq ID: 5412
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5412
Summary:

Microsoft Exchange makes use of MSRPC, the Microsoft Remote Procedure
Call framework. Several potential issues have been reported in MSRPC, as
used in conjunction with Microsoft Exchange.

Reportedly, it is possible to cause the Exchange process to crash with an
Access Violation error. This may occur if malicious MSRPC messages are
received. It has been reported that authentication is not required. If
this condition is exploited, the Exchange service may have to be restarted
in order to regain normal functionality.

Additionally, it may be possible to consume all available system memory
through a malformed MSRPC call. This can lead to the system halting with a
blue screen error. In either case, a system restart will be required in
order to regain normal functionality.

The nature of these issues suggests that memory corruption may be
occurring. If that is the case, it is possible that these issues may be
remotely exploitable to execute arbitrary code as a system process,
possibly leading to local access to the vulnerable system. This
possibility has not, however, been confirmed.

4. Microsoft Content Management Server 2001 Arbitrary Upload Location Vulnerability
BugTraq ID: 5421
Remote: Yes
Date Published: Aug 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5421
Summary:

Microsoft Content Management Server (MCMS) 2001 is a .NET Enterprise
Server product for development and management of e-business websites. A
vulnerability has been reported in some versions of MCMS which may allow
the remote execution of arbitrary code.

MCMS provides functionality for authenticated users to upload additional
content to the server. Normally, this content is forced into a safe
location, where it can not be remotely executed. However, the flaw allows
the remote user to specify an arbitrary location on the server.

A malicious user may place executable content such as ASP files in a
public directory. If then requested, the supplied code will execute on the
local machine. By default, code will run as the non-privileged
IWAM_machinename account. Exploitation may, however, provide local access
to the vulnerable system.

Reportedly uploaded files will reside in the specified location for a
short time before being deleted. Some degree of timing may be required in
order to implement a successful attack.

An additional flaw in some versions of MCMS may allow an arbitrary remote
user to upload content without authentication. In conjunction, this may
allow any attacker able to connect to the vulnerable service to exploit
this vulnerability.

** This issue was originally described in Bugtraq ID 4519 "Multiple
Microsoft Content Management Server 2001 Vulnerabilities" and has been
divided into this individual record.

5. Google Toolbar Unauthorized JavaScript Configuration Modification Vulnerability
BugTraq ID: 5424
Remote: Yes
Date Published: Aug 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5424
Summary:

The Google Toolbar is an ActiveX control for Microsoft Internet Explorer,
which provides functionality related to the Google search engine. An error
has been reported in the method in which the Google Toolbar updates
configuration options.

It is possible to modify configuration settings by visiting a specific URL
that accepts commands as CGI parameters. While any page may reference this
URL, requests are only honored if they are received from within the
google.com domain, or URLs using the local res:// protocol.

It is possible, however, for malicious scripts to open a new page in
either of the allowed domains, and then reset the location to a URL that
will modify toolbar settings. It is possible to change most options of the
toolbar configuration.

It is also possible to pass arbitrary JavaScript to the configuration URL.
This script code will execute within the context of the referencing site.
If local files referenced with the res:// protocol are used, attacker
supplied script code may execute within the Local Computer security zone.

6. Microsoft Windows 2000 Insecure Default File Permissions Vulnerability
BugTraq ID: 5415
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5415
Summary:

Microsoft Windows 2000 sets the default file permissions on a number of
sensitive system files to prevent modification by unprivileged users.
Files such as boot.ini, autoexec.bat and ntldr are only readable by
non-privileged users. Administrative or 'Power User' access is required to
modify such files.

By default, however, the main system directory which contains these files
is world read and writable. As a result, a non-privileged user may delete
these sensitive files. Once deleted, the files may be replaced with
malicious versions owned by the non-privileged user. If accessed by
automatic system processes, such as during bootup, privileged access may
be trivial to obtain.

7. ArGoSoft Mail Server Pro Mail Loop Denial of Service Vulnerability
BugTraq ID: 5395
Remote: Yes
Date Published: Aug 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5395
Summary:

ArGoSoft Mail Server is an SMTP, POP3 and Finger server for Microsoft
Windows environments. ArGoSoft has a built-in web server to enable remote
access to mail.

A remotely exploitable denial of service vulnerability in ArGoSoft Mail
Server Pro has been reported. It is possible for remote attackers with
regular user privileges to create a mail-loop condition that will consume
all available system resources.

ArGoSoft Mail Server Pro implements mail-loop protection that will prevent
loops when a user account is forwarding mail to itself. When autoreplies
are enabled, however, this protection is not put into place. It is
possible for a user to create a loop condition that is not detected or
stopped by forwarding mail to themselves with autoreplies enabled.

An attacker may consume resources by creating loop conditions with
multiple accounts.

In addition to a denial of mail service, degradation of overall system
performance may result. Furthermore, disk space may be consumed when the
messages are stored.

8. Multiple Vendor calloc() Implementation Integer Overflow Vulnerability
BugTraq ID: 5398
Remote: Unknown
Date Published: Aug 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5398
Summary:

The calloc() C library call is used to dynamically allocate memory. It
differs from malloc() in that it facilitates allocation of a number of
elements of a specified size in one call. In various programming
languages there exist similar language-specific operations. For example,
instantiating an array of objects in C++:

pointer = new SomeClass[n];

When calculating the total amount of memory to allocate, several of these
implementations do not check for integer overflow conditions. If the
amount of memory requested exceeds the greatest value that can be
represented by a machine word, a buffer that is too small may be
allocated. As this is not caught, the procedure will return successfully
and the invoking application will operate as though the requested buffer
has been allocated.

This condition may have security implications. A heap overrun condition
may result if the invoking application attempts to write into the buffer
at a location beyond the boundary of what was actually allocated. This
vulnerability is of particular importance if the attacker has full or
limited control over the arguments to the vulnerable operation.
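The following is an added example, not code from the advisory or from any of the affected vendors. It reproduces the arithmetic the advisory describes (the element count multiplied by the element size wrapping around in a machine word) and places beside it the overflow check that a checked allocator performs before calling malloc(). The names wrapped_product, mul_overflows and safe_calloc are this example's own; the sample element count is constructed so that the product wraps to zero on any word size.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* The product as an unchecked implementation computes it: size_t arithmetic
 * wraps modulo SIZE_MAX + 1, so an enormous request can come back as a small
 * (here even zero) byte count, and the allocation "succeeds". */
size_t wrapped_product(size_t n, size_t size)
{
    return n * size;   /* wraps silently; this is the defect the advisory describes */
}

/* Returns 1 if n * size cannot be represented in a size_t, 0 otherwise.
 * On success the exact product is stored in *out. The division form avoids
 * performing the multiplication that could wrap. */
int mul_overflows(size_t n, size_t size, size_t *out)
{
    if (n != 0 && size > SIZE_MAX / n)
        return 1;
    *out = n * size;
    return 0;
}

/* Overflow-checked counterpart of calloc(): refuses the request instead of
 * handing back an undersized, zero-filled buffer. Modern C runtimes perform
 * this check inside calloc() itself; the advisory concerns ones that did not. */
void *safe_calloc(size_t n, size_t size)
{
    size_t total;
    if (mul_overflows(n, size, &total))
        return NULL;                 /* caller sees a failure, not a tiny buffer */
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    size_t n = SIZE_MAX / 2 + 1;     /* constructed: 2^(bits-1) elements */
    size_t elem = 4;                 /* constructed: 4-byte elements */

    printf("unchecked byte count for %zu x %zu: %zu\n",
           n, elem, wrapped_product(n, elem));      /* prints 0 */

    void *p = safe_calloc(n, elem);
    printf("safe_calloc: %s\n", p == NULL ? "rejected (overflow)" : "allocated");
    free(p);
    return 0;
}
```

The same division-based test applies to the C++ `new SomeClass[n]` case in the text: the byte count to check is n multiplied by sizeof(SomeClass), and the comparison must be made before the multiplication is performed, since the wrapped product itself carries no trace of the overflow.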

9. Nullsoft WinAmp HTML Playlist Script Injection Vulnerability
BugTraq ID: 5407
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5407
Summary:

Nullsoft Winamp is a skinnable media player for Microsoft Windows
supporting MP3 and other filetypes.

A script injection vulnerability has been reported for WinAmp. Reportedly,
WinAmp does not properly sanitize user supplied input before being
included when generating HTML playlists. It is possible for an attacker to
include malicious HTML code using certain fields of the ID3v2 file tags.

The vulnerability occurs when malicious HTML code is included as part of
the 'Title' and 'Artist' fields.

An attacker may construct a malicious ID3v2 tag containing dangerous HTML
code and entice a vulnerable user to download the media file. If the
victim user downloads the media file and chooses to create an HTML
playlist, the script code will be rendered, and execute within the context
of the vulnerable system.

It is likely that the script code will execute within the context of the
local system. In this case, it may be possible for the malicious script to
take arbitrary local actions, with the permissions granted by the web
browser software.

This vulnerability was reported for Nullsoft WinAmp 2.76 and 2.79 on
Microsoft Windows 98.

It has been reported that WinAmp 2.80 is not vulnerable to this issue.
This information has not been confirmed by the vendor.

10. Microsoft Internet Explorer Invalid SSL Certificate Chain Vulnerability
BugTraq ID: 5410
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5410
Summary:

A flaw has been reported in the handling of SSL certificates by
Microsoft's Internet Explorer web browser. It may be possible for a
malicious party to create SSL certificates for arbitrary domains, which
will be treated as trusted by the vulnerable browser.

SSL certificates are normally granted and signed by a trusted root
authority, several of which are defined by default in most major web
browsers. It is possible, however, to create a chain of certificates. In
this case, the root certificate must be trusted, and intermediate
certificates should possess a Basic Constraints field which states the
certificate may be used as a signing authority.

Reportedly, Microsoft Internet Explorer does not require the Basic
Constraints field be properly defined. As a result, arbitrary certificates
may be used as intermediate authorities in a certificate chain. A
malicious party with one valid certificate may sign a new certificate for
an arbitrary domain.

The attacker may use the new certificate in order to impersonate a domain.
If the attacker is in a position to spoof the domain, or to implement a
man-in-the-middle attack, the malicious certificate may allow the attack
to go undetected.

Reportedly, Internet Explorer 6.0 will honor a Basic Constraints field
which is explicitly set to False. However, certificates without an
explicitly defined value for this field are still accepted as valid
intermediate authorities.
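The following is an added example, not code from the advisory or from Microsoft. It models only the rule the advisory is about: every certificate that signs another one in the chain must carry an explicit Basic Constraints CA=TRUE, and an absent field must be treated the same way as CA=FALSE, which is exactly the distinction the vulnerable browser did not make. Signatures, validity dates, key usage and revocation are assumed to have been checked already and are not modelled; the cert_t structure, the chain_is_valid function and the two sample chains are this example's own constructions, with made-up names under the .test domain.

```c
#include <stdio.h>
#include <string.h>

/* How a certificate's Basic Constraints extension was found. BC_ABSENT is
 * the case the advisory describes: the browser accepted it as a signer. */
typedef enum { BC_ABSENT, BC_CA_FALSE, BC_CA_TRUE } basic_constraints_t;

typedef struct {
    const char *subject;
    const char *issuer;
    basic_constraints_t bc;
    int path_len;   /* pathLenConstraint; -1 when the extension does not set one */
} cert_t;

/* chain[0] is the end-entity (leaf) certificate, chain[n-1] the trust anchor.
 * Returns 1 if the chain links up by name and every issuing certificate is
 * explicitly marked CA=TRUE (within its path length), 0 otherwise.
 * *reason names the first failure found. */
int chain_is_valid(const cert_t *chain, size_t n, const char **reason)
{
    if (n < 2) { *reason = "chain must end in a trust anchor"; return 0; }
    for (size_t i = 0; i + 1 < n; i++) {
        const cert_t *child  = &chain[i];
        const cert_t *issuer = &chain[i + 1];

        if (strcmp(child->issuer, issuer->subject) != 0) {
            *reason = "issuer name does not match the next certificate";
            return 0;
        }
        /* The check the advisory says was missing: only an explicit CA=TRUE
         * qualifies. BC_ABSENT and BC_CA_FALSE are both refused. */
        if (issuer->bc != BC_CA_TRUE) {
            *reason = "issuing certificate lacks basicConstraints CA=TRUE";
            return 0;
        }
        /* pathLenConstraint limits how many intermediates may sit below this
         * CA; the intermediates below chain[i+1] are chain[1..i], i of them. */
        if (issuer->path_len >= 0 && (int)i > issuer->path_len) {
            *reason = "pathLenConstraint exceeded";
            return 0;
        }
    }
    *reason = "ok";
    return 1;
}

/* Constructed sample chains; no real certificates or domains are involved. */
static const cert_t good_chain[] = {
    { "www.example.test",        "Example Intermediate CA", BC_CA_FALSE, -1 },
    { "Example Intermediate CA", "Example Root CA",         BC_CA_TRUE,   0 },
    { "Example Root CA",         "Example Root CA",         BC_CA_TRUE,  -1 },
};

/* The scenario from the advisory: an ordinary server certificate, issued
 * with no Basic Constraints at all, used to sign a certificate for another
 * domain. A correct validator stops at the middle certificate. */
static const cert_t bad_chain[] = {
    { "www.victim.test",  "other-site.test", BC_ABSENT,  -1 },
    { "other-site.test",  "Example Root CA", BC_ABSENT,  -1 },
    { "Example Root CA",  "Example Root CA", BC_CA_TRUE, -1 },
};

int good_chain_ok(void) { const char *r; return chain_is_valid(good_chain, 3, &r); }
int bad_chain_ok(void)  { const char *r; return chain_is_valid(bad_chain, 3, &r); }

int main(void)
{
    const char *r;
    printf("legitimate chain: %d (%s)\n", chain_is_valid(good_chain, 3, &r), r);
    printf("unconstrained chain: %d (%s)\n", chain_is_valid(bad_chain, 3, &r), r);
    return 0;
}
```

The design point is that the three-valued enum forces the caller to decide what an absent extension means; collapsing it into a boolean that defaults to "true" is the shortcut that produces the behaviour described above.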

11. Microsoft SQL Server Remote Buffer Overflow Vulnerability
BugTraq ID: 5411
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5411
Summary:

A vulnerability has been discovered in Microsoft SQL Server that could
make it possible for remote attackers to gain access to target hosts.

It is possible for an attacker to cause a buffer overflow condition on the
vulnerable SQL server.

This vulnerability reportedly occurs even before authentication can
proceed. Reportedly, this is due to a default system configuration.
Microsoft SQL Server listens for connections on TCP port 1433.

An attacker can exploit this vulnerability by sending specially crafted
packets to TCP port 1433 which causes SQL Server to crash and possibly
execute attacker supplied code.

It is not known which versions of SQL Server are vulnerable. This BID will
be updated as further information becomes available.

It is possible that this issue may be remotely exploitable to execute
arbitrary code as a system process, possibly leading to local access to
the vulnerable system.

12. Microsoft Exchange 2000 Post Authorization License Exhaustion Denial Of Service Vulnerability
BugTraq ID: 5413
Remote: Yes
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5413
Summary:

A vulnerability has been reported for Microsoft Exchange 2000.

Allegedly, Exchange 2000 will experience a denial of service condition
when an authenticated user makes many requests. The vulnerability is due
to IIS incorrectly allocating licenses to Exchange. Making numerous, rapid
requests will exhaust available licenses granted to Exchange by IIS.

Successful exploitation of this vulnerability will result in Exchange not
responding to further, legitimate requests for service.

This vulnerability has been reported for Microsoft Exchange 2000. It is not
known whether other versions are affected. This BID will be updated as
further information becomes available.

13. Nullsoft SHOUTCast Insecure Permissions Information Disclosure Vulnerability
BugTraq ID: 5414
Remote: No
Date Published: Aug 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5414
Summary:

Nullsoft SHOUTCast Server is used to broadcast Shoutcast music. It is
available for Unix and Linux operating systems, as well as Microsoft
Windows.

Nullsoft SHOUTCast may, under some circumstances, leave administrative
credentials stored in a world-readable logfile.

When failed authentication requests (specifically a GET / request) are
made to the SHOUTCast server via TCP port 8001, the real authentication
credentials will be logged to a SHOUTCast server logfile (sc_serv.log),
which is located in the SHOUTCast directory. Local attackers may
trivially gain access to these credentials since the logfile by default
has world-readable permissions.

This issue was reported for versions of the software running on Unix and
Linux platforms. Other versions may also be affected.

14. Ensim Webppliance Unauthorized Email Access Vulnerability
BugTraq ID: 5418
Remote: Yes
Date Published: Aug 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5418
Summary:

Webppliance is a webhosting solution provided by Ensim. It is developed
for use with Linux and Unix variants as well as Microsoft Windows operating
environments.

A vulnerability has been reported for Ensim Webppliance. Reportedly, it is
possible for malicious users of Webppliance to receive other users'
emails.

The vulnerability is the result of Webppliance incorrectly processing an
existing user's email alias. Reportedly, users that are allocated email
and user accounts can intercept another user's email.

An attacker can exploit this vulnerability by selecting to add a valid
email account as an alias. Once this alias has been established, any
emails that arrive for the victim user will be intercepted by the attacker
and arrive in the attacker's inbox.

This vulnerability was reported for Ensim Webppliance 3.0 and 3.1. It is
not known whether other versions are affected.

15. Microsoft Content Management Server 2001 SQL Injection Vulnerability
BugTraq ID: 5422
Remote: Yes
Date Published: Aug 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5422
Summary:

Microsoft Content Management Server (MCMS) 2001 is a .NET Enterprise
Server product for development and management of e-business websites.

MCMS allows users and web pages to request files such as images, from a
database residing on a Microsoft SQL 2000 Server.

The function that accepts these requests does not properly sanitize data
that is accepted from the interface. SQL code may be inserted into the
requests and executed by the server. These requests could include adding,
deleting, and modifying data.

It is also possible for the user to execute operating system commands
through this vulnerability. The commands would be executed with the
privileges of the SQL Server service.

By default, SQL Server has full access to the databases, but only domain
user privileges on the operating system.

** This issue was originally described in Bugtraq ID 4519 "Multiple
Microsoft Content Management Server 2001 Vulnerabilities" and has been
divided into this individual record.

16. Google Toolbar Keypress Monitoring Information Disclosure Vulnerability
BugTraq ID: 5426
Remote: Yes
Date Published: Aug 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5426
Summary:

The Google Toolbar is an ActiveX control for Microsoft Internet Explorer,
which provides functionality related to the Google search engine.

It has been reported that keypress events in some versions of the Google
Toolbar are also sent to the underlying browser window. A malicious script
executing in the current browser window may monitor keypress events, and
access whatever is typed into the toolbar.

Under some circumstances, this may lead to the disclosure of potentially
sensitive information.

17. Ipswitch WS_FTP Server CPWD Remote Buffer Overflow Vulnerability
BugTraq ID: 5427
Remote: Yes
Date Published: Aug 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5427
Summary:

Ipswitch WS_FTP Server is an FTP server for Microsoft Windows platforms.
WS_FTP Server is vulnerable to a buffer overflow condition when a user
submits a specially crafted FTP command.

The buffer overflow is related to the handling of the CPWD command, used
to modify an authenticated user's password. Reportedly, oversized
parameters to this command allow an attacker to corrupt sensitive process
memory, including stack frame information.

Exploitation may lead to the remote execution of arbitrary code, possibly
with SYSTEM privileges. It may also be possible to crash the server
process by sending arbitrary oversized data, leading to a denial of
service condition.

This issue has been reported in WS_FTP Server 3.1.1. Earlier versions may
share this vulnerability; this has not, however, been confirmed.

18. Microsoft Content Management Server 2001 User Authentication Buffer Overflow Vulnerability
BugTraq ID: 5420
Remote: Yes
Date Published: Aug 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5420
Summary:

Microsoft Content Management Server (MCMS) 2001 is a .NET Enterprise
Server product for development and management of e-business websites. A
remotely exploitable buffer overflow condition was reported in the
low-level MCMS Authentication Operation function.

At least one webpage that ships with the product contains an exposure to
the vulnerable user authentication function, and may allow attackers to
exploit the condition. Any created webpages which include authentication
and a call to the vulnerable function may also be prone to this
vulnerability.

An attacker must supply malformed authentication information to trigger
this condition in a webpage which calls the vulnerable function. By
providing appropriately malformed authentication information, it is
possible to corrupt memory with attacker-supplied values. This may be
exploited by a remote attacker to execute arbitrary instructions in the
Local System context or potentially create a denial of service condition.

** This issue was originally described in Bugtraq ID 4519 "Multiple
Microsoft Content Management Server 2001 Vulnerabilities" and has been
divided into this individual record.

19. BlueFace Falcon Web Server Error Message Cross-Site Scripting Vulnerability
BugTraq ID: 5435
Remote: Yes
Date Published: Aug 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5435
Summary:

Falcon Web Server is a small web server that runs on several Microsoft
Windows platforms. It is mainly intended for small to medium sized
businesses.

Falcon Web Server does not sufficiently sanitize HTML tags from error
message output. In particular, attackers may inject HTML into 301 and 404
error pages. It is possible to cause the server to generate a 301 error
page by making a request for a non-existent file and then not terminating
the request with a slash (/). 404 error messages are displayed by the
server when a request for a non-existent file is made and is terminated
with a slash. When a 301 error message is generated, the server will add
a slash to the request and a 404 error message will be generated in turn,
which may cause the attacker's script code or HTML to be rendered twice.

It is possible to create a malicious link to the server which will
generate an error page with attacker-supplied HTML and script code when
visited. Arbitrary HTML and script code will be executed by the web
client of the user visiting the server, in the security context of the
server.
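Both the WinAmp playlist issue (entry 9) and the Falcon error-page issue above have the same root cause: untrusted text (an ID3 'Title' or 'Artist' field in one case, the unmatched request path in the other) is copied into generated HTML without being encoded. The following is an added example, not code from either vendor, showing the encoding step that is missing and two small renderers that apply it. html_escape, playlist_entry and not_found_page are this example's own names, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly allocated copy of s with the five HTML-significant
 * characters replaced by entity references, so that tag data or a request
 * path is displayed as text rather than parsed as markup. The caller frees
 * the result. Returns NULL on allocation failure. */
char *html_escape(const char *s)
{
    size_t out_len = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break;   /* &amp;  */
        case '<':  out_len += 4; break;   /* &lt;   */
        case '>':  out_len += 4; break;   /* &gt;   */
        case '"':  out_len += 6; break;   /* &quot; */
        case '\'': out_len += 5; break;   /* &#39;  */
        default:   out_len += 1; break;
        }
    }
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    char *w = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(w, rep, l); w += l; }
        else      *w++ = *p;
    }
    *w = '\0';
    return out;
}

/* One HTML playlist line built the way a generator should build it: each
 * tag field goes through html_escape() first. Returns a malloc'd string. */
char *playlist_entry(const char *artist, const char *title)
{
    char *a = html_escape(artist);
    char *t = html_escape(title);
    char *line = NULL;
    if (a && t) {
        size_t len = strlen(a) + strlen(t) + sizeof("<li></li> - ");
        line = malloc(len);
        if (line) snprintf(line, len, "<li>%s - %s</li>", a, t);
    }
    free(a);
    free(t);
    return line;
}

/* The same rule for a server's 404 page: the request path is attacker-
 * controlled and must be encoded before being echoed. Returns a malloc'd string. */
char *not_found_page(const char *path)
{
    char *p = html_escape(path);
    if (!p) return NULL;
    const char *fmt = "<html><body>404 Not Found: %s</body></html>";
    size_t len = strlen(fmt) + strlen(p) + 1;
    char *page = malloc(len);
    if (page) snprintf(page, len, fmt, p);
    free(p);
    return page;
}

int main(void)
{
    /* constructed sample: an ID3 'Artist' field that carries markup */
    char *line = playlist_entry("<b>Not Bold</b>", "Track \"One\" & Two");
    puts(line ? line : "(allocation failed)");
    free(line);

    /* constructed sample: a request path containing markup */
    char *page = not_found_page("/missing/<i>file</i>");
    puts(page ? page : "(allocation failed)");
    free(page);
    return 0;
}
```

Encoding at the point of output, rather than trying to strip "dangerous" tags on input, is what makes the second rendering pass in the Falcon 301-then-404 sequence harmless as well: already-encoded text stays text however many times it is inserted into a page.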

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Password change utility (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286700

2. SP3 Problems? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286702

3. Another SUS / Autoupdate question (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286617

4. Risks posed by Windows XP Scheduled Tasks? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286505

5. Looking for a recent IE SSL bug.. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286504

6. Closed thread --> windows update reporting info back to MS? (and .NET fw SP1) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286434

7. windows update reporting info back to MS? (and .NET fw SP1) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286390

8. Re[2]: windows update reporting info back to MS? (and .NET fw SP1) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286331

9. local admin passwords (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286317

10. Using LDAP Authentication (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286333

11. FW: White paper: Exploiting the Win32 API. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286214

12. windows update reporting info back to MS? (and .NET fwSP1) (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286211

13. SecurityFocus Microsoft Newsletter #98 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286198

14. QChain obsolete? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286173

15. Synchronising NT User Accounts with a database. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286184

16. Windows 2000 special folder restrictions (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286188

IV. MICROSOFT PRODUCTS
----------------------
1. SecureStack
by SecureWave
Platforms: Windows 2000, Windows NT
Relevant URL:
http://www.securewave.com/products/securestack/secure_stack.html
Summary:

SecureStack is a definitive solution that will protect mission critical
Windows NT4/2000 servers from all types of Buffer Overflow attacks.

2. AppDetective for Oracle
by Application Security, Inc. (ASI)
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.appsecinc.com/products/appdetective/oracle/
Summary:

AppDetective for Oracle is a network-based, penetration
testing/vulnerability assessment scanner that locates and assesses the
security strength of database and groupware applications within your
network. Armed with a revolutionary security methodology together with an
extensive knowledgebase of vulnerabilities, AppDetective for Oracle will
locate, examine, report, and help fix your security holes and
misconfigurations at your command.

3. DbEncrypt for Oracle
by Application Security, Inc. (ASI)
Platforms: HP-UX, Linux, Solaris, SunOS, Windows 2000, Windows NT, Windows
XP
Relevant URL:
http://www.appsecinc.com/products/dbencrypt/oracle/
Summary:

DbEncrypt for Oracle is a flexible solution providing a means of
encrypting rows and columns in a database. DbEncrypt for Oracle provides
you a complete database encryption solution including a variety of strong
encryption algorithms to pick from, templates to build your own encryption
procedures from, as well as a point-and-click user interface for
installing and managing the encryption, all at an affordable price.
DbEncrypt for Oracle provides protection for your most valuable assets -
the information in your database.

V. MICROSOFT TOOLS
-------------------
1. single-honeypot v0.1
by Luis Wong lwong@mpsnet.net.mx
Relevant URL:
http://sourceforge.net/projects/single-honeypot/
Platforms: POSIX
Summary:

single-honeypot simulates many services such as SMTP, HTTP, shell, and FTP.
It can present many different faces, including those of Windows FTP systems,
Windows SMTP systems, different Linux distributions, and some POSIX
distributions.

2. myNetMon v1.0.3
by Ekrem ORAL
Relevant URL:
http://www.trsecurity.net/mynetmon/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

myNetMon is a Windows-based network monitor and packet analysis (sniffer)
tool. myNetMon uses WinPcap, a Windows port of libpcap, the packet capture
library.

3. Secure Cryptographic Instant Messaging v1.04
by The Project SCIM team
Relevant URL:
http://www.projectscim.com/
Platforms: AIX, AS/400, BeOS, BSDI, DG-UX, Digital UNIX/Alpha, FreeBSD,
HP-UX, IRIX, Java, Linux, MacOS, NetBSD, OpenBSD, OpenVMS, OS Independent,
SCO, SecureBSD, Solaris, SunOS, Tru64 UNIX, UNIX, UnixWare, VMS, Windows
2000, Windows 3.x, Windows 95/98, Windows CE, Windows NT, Windows XP
Summary:

The Project SCIM application allows you to send Encrypted Instant Messages
to your friends and other contacts. The software is free for
non-commercial users and contains a load of cool features.

4. IDScenter v1.09 b2
by Ueli Kistler
Relevant URL:
http://www.packx.net/packx/html/en/idscenter/index-idscenter.htm
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

Snort IDScenter is a GUI for Snort IDS on Windows platforms. Configuration
and management of the IDS can be done using IDScenter. Main features are:
- Snort configuration wizard (variables, preprocessor plugins, output
plugins, rulesets)
- Alert notification via e-mail, sound or only visual notification
- Alert file monitoring (up to 10 files)
- MySQL alert detection
- Log rotation (compressed archiving of log files)
- AutoBlock (using NetworkICE BlackICE Defender, you can block the attacker
IPs that Snort logged)
- Integrated log viewer (supports text files, XML and HTML/webpages)
- Program execution if an attack was detected
- Test configuration feature: fast testing of your IDS configuration, and
more.

VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------