SecurityFocus Microsoft Newsletter #103

From: Marc Fossi (mfossi@securityfocus.com)
Date: 09/10/02


Date: Mon, 9 Sep 2002 16:53:44 -0600 (MDT)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>


SecurityFocus Microsoft Newsletter #103
--------------------------------

This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Win2K First Responder's Guide
     2. Who Goes There? An Introduction to On-Access Virus Scanning...
     3. Cheap Thrills on the Cyberterror Beat
     4. SecurityFocus DPP Program
     5. IIR's 3G Fraud & Security Forum
II. MICROSOFT VULNERABILITY SUMMARY
     1. Alan Ward A-Cart Web Accessable Database File Vulnerability
     2. Microsoft ActiveX Certificate Enrollment Control Certificate...
     3. Computalynx CMail POP3 Server DELE Function Denial Of Service...
     4. FactoSystem Weblog Multiple SQL Injection Vulnerabilities
     5. Cerulean Studios Trillian Skins Colors File Name Buffer...
     6. Microsoft SQL Server Stored Procedure Low Privilege Weakness
     7. Microsoft Internet Explorer HTML Same Origin Policy Violation...
     8. Multiple Cisco VPN 3000 Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
     1. SMBdie exploit testing (Thread)
     2. Does W2K hold user's email, EFS etc private key securely ?...
     3. SecurityFocus Microsoft Newsletter #102 (Thread)
     4. Anyone know what "piiserviceO" is? (Thread)
     5. IUSR_machinename (Thread)
     6. SecureIIS - protecting IIS (Thread)
     7. Windows 2000 Application log corruption (Thread)
     8. IIS and Frontpage Extensions Vulnerability. (Thread)
IV. MICROSOFT PRODUCTS
     1. Anti-Virus Toolkit for Microsoft Exchange
     2. Exceleration PolicyWare
     3. Storage Management
V. MICROSOFT TOOLS
     1. Mailscanner for Postfix v0.0.6pl1
     2. File::Scan v0.24
     3. DreamSys Server Monitor v3.1
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Win2K First Responder's Guide
By H. Carvey

This article will offer a brief overview of some of the steps security
administrators and incident handlers should take as part of the first
response to security incidents. This article will focus on incidents in
Microsoft Windows 2000, due to its popularity in both the corporate and
server environments.

http://online.securityfocus.com/infocus/1624

2. Who Goes There: An Introduction to On-Access Virus Scanning, Part One
by Bill Hayes

By now, most savvy computer users have anti-virus software (AV) installed
on their machines and use it as part of their regular computing routine.
However, most average users do not know how anti-virus software works.
This two-part series will offer a brief overview of a particular type of
anti-virus mechanism known as the on-access virus scanner. These programs
are loaded during operating system start-up and interact with programs
in the background until the system is shut down. In the Microsoft Windows
world, which this article will focus on, they must function reliably and
speedily across a range of Windows flavors. They must also be able to
correctly identify and disinfect thousands of viruses -- known and
unknown. On-access scanners must stand in the gap, ensuring that nothing
passes the ground they defend.

http://online.securityfocus.com/infocus/1622

3. Cheap Thrills on the Cyberterror Beat
By George Smith

Are computer viruses really on the verge of becoming instruments of
bloodshed, or is the press just addicted to disaster journalism?

http://online.securityfocus.com/

4. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. IIR's 3G Fraud & Security Forum (21-23 October, London)

A specialized conference designed specifically for Fraud and Security
Managers in the 3G and mobile commerce space. This year's agenda focuses
on technical strategies for detecting and minimizing the fraud risks in 3G
services: what will be the key vulnerabilities in 3G and how can you
manage the increased risks of content partner fraud, transaction-based
roaming and m-commerce fraud? We will also be devoting a whole day to 3G
network security - penetration testing, third party access risks, IDS,
with even a live hack demonstration of Internet fraud.

Key speakers include Radicchio, Orange, Optimus, Vodafone, Visa, BTexact,
CFCA, with a keynote from security guru Charles Brookson, Chair of the GSM
Association Security Group.

For more details please visit http://www.iir-conferences.com/3GFraud

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Alan Ward A-Cart Web Accessable Database File Vulnerability
BugTraq ID: 5597
Remote: Yes
Date Published: Aug 30 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5597
Summary:

Alan Ward's A-Cart is a web based shopping cart application. It is
implemented in ASP, and designed for use with Microsoft Access under
Microsoft Windows based servers.

A vulnerability has been reported in some versions of A-Cart. By default,
the database file 'acart2_0.mdb' is stored within the web directory. If
the web server is not configured to deny access to this file or the .mdb
extension, the database may be available to any remote user.

Exploitation of this issue could result in the contents of the A-Cart
system being exposed to remote attackers. It is possible that this data
includes sensitive information on orders and customers, although this has
not been confirmed.

This issue has been reported in A-Cart 2.0. Other versions may share this
vulnerability, this has not however been confirmed.
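The check a practitioner would run against an A-Cart install, and the
server-side fix, as an added example (it is not A-Cart code and not IIS
configuration; the web server here is Python's own static file server,
the web root is a constructed temporary directory, and the list of
denied extensions is an assumption):

```python
"""Probe whether a database file left under the web root is served over
HTTP, and the server-side deny rule that closes the hole.

Added example for this newsletter item; not A-Cart code. It starts
Python's static file server on a constructed temporary web root holding
a stand-in 'acart2_0.mdb' (the file name is the advisory's, the bytes
are dummy), then runs the same probe against a handler that refuses
database extensions, the equivalent of the deny rule the advisory
recommends for the web server."""
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

DB_FILE = "acart2_0.mdb"
# Assumption: extensions an operator would refuse to serve. .ldb is the
# Access lock file that appears next to an open .mdb.
DENIED_EXTENSIONS = {".mdb", ".ldb"}


class QuietHandler(SimpleHTTPRequestHandler):
    """Stock static file server, minus request logging on stderr."""

    def log_message(self, format, *args):
        pass


class DenyDatabaseFilesHandler(QuietHandler):
    """Hardened handler: 403 for any request that resolves to a denied extension.

    The check runs on the translated local path, so query strings,
    fragments and percent-encoding in the URL cannot sidestep it."""

    def _denied(self):
        local_path = self.translate_path(self.path)
        if os.path.splitext(local_path)[1].lower() in DENIED_EXTENSIONS:
            self.send_error(403, "Forbidden")
            return True
        return False

    def do_GET(self):
        if not self._denied():
            super().do_GET()

    def do_HEAD(self):
        if not self._denied():
            super().do_HEAD()


def serve(root, handler_cls):
    """Serve ROOT on a free loopback port in a background thread; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, path):
    """Return the HTTP status code of a HEAD request to http://127.0.0.1:PORT/PATH."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status
    finally:
        conn.close()


# The plain path and an encoded variant with a query string; both name the same file.
PROBE_PATHS = ("/" + DB_FILE, "/acart2_0%2Emdb?download=1")


def demo():
    """Probe the database file under the default and the hardened handler.

    Returns {'default': (status, status), 'hardened': (status, status)};
    200 means anyone who can guess the file name can download the database."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, DB_FILE), "wb") as fh:
            fh.write(b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 48)  # constructed dummy bytes
        for label, handler in (("default", QuietHandler), ("hardened", DenyDatabaseFilesHandler)):
            server, port = serve(root, handler)
            try:
                results[label] = tuple(probe(port, p) for p in PROBE_PATHS)
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # prints {'default': (200, 200), 'hardened': (403, 403)}
```

The stock server hands the database file to anyone who asks for it by
name, encoded or not; the handler that checks the translated local path
refuses both forms. Those are the two outcomes a curl -I against a real
install shows before and after the deny rule is in place. The more
robust fix is to move the .mdb outside the web root entirely, so that no
server rule has to be right for the data to stay private.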

2. Microsoft ActiveX Certificate Enrollment Control Certificate Destruction Vulnerability
BugTraq ID: 5593
Remote: Yes
Date Published: Aug 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5593
Summary:

A flaw has been discovered in the Certificate Enrollment Control, an
ActiveX control used to generate Public Key Cryptography Standards (PKCS)
#10 certificate requests.

The flaw may allow maliciously designed HTML content to delete
certificates on a vulnerable system. The control could delete all stored
certificates on the system, including trusted root certificates,
Encrypting File System (EFS) certificates, and email signing
certificates. The loss of this data could result in a range of problems,
such as the inability to communicate over a cryptographically secure
channel, or the inability to decrypt locally stored data.

It should be noted that this attack may be carried out via HTML. While it
is likely an attack would come in the form of a maliciously crafted
webpage, it is also possible that an attack could come in the form of HTML
email.

3. Computalynx CMail POP3 Server DELE Function Denial Of Service Vulnerability
BugTraq ID: 5595
Remote: Yes
Date Published: Aug 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5595
Summary:

CMail is a commercially available email server distributed by Computalynx.
It is available for Microsoft Windows operating systems.

A problem with CMail could make it possible for an attacker to deny
service to the mail server.

It has been reported that a memory corruption vulnerability exists in
CMail. The POP3 server included with CMail does not properly handle some
types of requests. By submitting a maliciously crafted request to the
POP3 server, an attacker could crash the server, resulting in a denial of
service.

The problem is reported to be in the POP3 server's handling of command
arguments. As specified in RFC 1939, the DELE command instructs the
server to mark a message for deletion on the basis of its message number
in the mail spool. When letters are supplied in place of the number,
CMail does not reject the argument and behaves unpredictably. This can
cause the server to become unstable and crash.
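The argument validation RFC 1939 implies for DELE, as an added example
(not CMail code; the mailbox model and the upper bound on message numbers
are assumptions, and the malformed inputs are constructed):

```python
"""RFC 1939 DELE handling with proper argument validation.

Added example, not CMail code. A mailbox is modelled as a list of
message sizes; DELE must name an existing, not-yet-deleted message by
its 1-based number, and every other argument gets a -ERR reply instead
of reaching int() or a list index."""

# Assumption: a bound on the message number so absurdly long digit
# strings are rejected before conversion. RFC 1939 sets no maximum.
MAX_MESSAGE_NUMBER = 2**31 - 1


class Mailbox:
    def __init__(self, sizes):
        self.sizes = list(sizes)   # octet size of each message; POP3 numbers them from 1
        self.deleted = set()       # message numbers marked for deletion until QUIT/RSET

    def dele(self, argument):
        """Handle the argument of 'DELE <msg>' and return the one-line reply."""
        if not argument:
            return "-ERR DELE requires a message number"
        # isascii() first: str.isdigit() is also true for non-ASCII digits,
        # and POP3 command arguments are ASCII.
        if not argument.isascii() or not argument.isdigit():
            return "-ERR message number must be a positive integer"
        if len(argument) > len(str(MAX_MESSAGE_NUMBER)) or int(argument) > MAX_MESSAGE_NUMBER:
            return "-ERR message number out of range"
        number = int(argument)
        if number < 1 or number > len(self.sizes):
            return "-ERR no such message"
        if number in self.deleted:
            return f"-ERR message {number} already deleted"
        self.deleted.add(number)
        return f"+OK message {number} deleted"


def handle_line(mailbox, line):
    """Dispatch one TRANSACTION-state command line. Only DELE is implemented here."""
    parts = line.rstrip("\r\n").split(" ")
    if parts[0].upper() != "DELE":
        return "-ERR unknown command"
    if len(parts) != 2:
        return "-ERR DELE takes exactly one argument"
    return mailbox.dele(parts[1])


# Constructed inputs a hostile client might send. None may crash the
# handler, change the mailbox, or produce anything but -ERR.
MALFORMED_DELE_LINES = [
    "DELE abc",            # letters, the case the advisory describes
    "DELE",                # no argument
    "DELE 0",              # message numbers start at 1
    "DELE -1",
    "DELE 1.5",
    "DELE 99",             # beyond the last message
    "DELE " + "9" * 40,    # huge digit string
    "DELE 1 2",            # two arguments
    "DELE \u0661",         # Arabic-Indic digit one: isdigit() but not ASCII
    "DELE 1\x00",          # embedded NUL
]


def fuzz(mailbox):
    """Return the reply to each malformed line so the caller can confirm they are all -ERR."""
    return [handle_line(mailbox, line) for line in MALFORMED_DELE_LINES]


if __name__ == "__main__":
    box = Mailbox([120, 340, 56])
    print(handle_line(box, "DELE 2"))
    for reply in fuzz(box):
        print(reply)
```

The point of the fuzz list is that the handler is exercised on every
way an argument can fail to be a message number, not only on the
letters case from the advisory, and that it answers each with a reply
the client can read rather than with undefined behaviour.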

4. FactoSystem Weblog Multiple SQL Injection Vulnerabilities
BugTraq ID: 5600
Remote: Yes
Date Published: Aug 31 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5600
Summary:

FactoSystem Weblog is a freely available, open source software package for
weblogging and managing content. It is available for Microsoft Windows
operating systems.

A problem with FactoSystem could lead to a possible SQL injection attack.

FactoSystem does not adequately filter special characters from requests.
Because of this, it may be possible for a remote user to submit a request
containing hex-encoded special characters and SQL, and have that SQL
executed by the backend database. Such statements run in the security
context of the database account used by the web application.

By passing custom requests through the authornumber, discussblurbid, name,
and email parameters of the author.asp, discuss.asp, and holdcomment.asp
pages, an attacker could potentially execute SQL commands on the database
backing the weblog. Special characters can be passed through the Weblog by
sending them as their hex (URL-encoded) values.

It should be noted that this problem affects systems that run IIS with ASP
enabled. It may allow an attacker to perform various operations on a
vulnerable server, and could potentially lead to the retrieval of
sensitive information.
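The two query styles side by side, as an added example (not FactoSystem
code; sqlite3 stands in for the real backend, and the 'author' table and
its columns are assumed, since the advisory names request parameters but
not the schema):

```python
"""String-built versus parameterised queries, with a filter that looks
at the still-encoded request and therefore never sees %27.

Added example, not FactoSystem code. sqlite3 stands in for the Access or
SQL Server backend; the 'author' table and its columns are assumed for
illustration."""
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """In-memory database with two constructed author rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (authornumber INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.invalid"),
        (2, "bob", "bob@example.invalid"),
    ])
    return conn


def naive_filter(raw_value):
    """Reject a literal quote in the encoded request value.

    This is the kind of check a hex-encoded request slips past: the
    quote arrives as %27 and the filter never sees it."""
    if "'" in raw_value:
        raise ValueError("request rejected by filter")
    return raw_value


def lookup_vulnerable(conn, raw_name):
    """Filter the encoded value, decode it, then splice the text into the SQL."""
    name = unquote_plus(naive_filter(raw_name))
    sql = "SELECT authornumber, name, email FROM author WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, raw_name):
    """Decode, then bind the value as a parameter; it can never become SQL syntax."""
    name = unquote_plus(raw_name)
    sql = "SELECT authornumber, name, email FROM author WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run the advisory's attack shape against both lookups.

    The constructed payload decodes to:  alice' OR '1'='1
    Returns row counts for the vulnerable query, the fixed query, and an
    honest request for comparison."""
    conn = make_db()
    payload = "alice%27+OR+%271%27%3D%271"   # every special character sent as hex
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "fixed_rows": len(lookup_fixed(conn, payload)),
        "honest_rows": len(lookup_fixed(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())  # prints {'vulnerable_rows': 2, 'fixed_rows': 0, 'honest_rows': 1}
```

The filter passes the payload because it inspects the encoded value, the
server decodes it, and the concatenated query becomes
WHERE name = 'alice' OR '1'='1', which returns every row. Binding the
same decoded value as a parameter returns nothing, because the quote and
the OR are data, not syntax. Filtering is not the fix; parameterisation
is.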

5. Cerulean Studios Trillian Skins Colors File Name Buffer Overflow Vulnerability
BugTraq ID: 5601
Remote: No
Date Published: Aug 31 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5601
Summary:

Trillian is a freely available instant message software package. It is
designed for use on the Microsoft Windows operating system.

A problem with the handling of a variable in the skin file may make it
possible to execute arbitrary code.

Trillian skin files are XML files designed to allow the easy creation of
custom interfaces, or "skins", for the Trillian client. When a colors file
name of excessive length is supplied in a skin, a buffer overflow occurs.
This could make it possible to deny service to a Trillian client, and
possibly to execute arbitrary code through a malicious skin.

The overflow occurs when the colors file field contains 4096 or more
characters, so a skin can be screened before installation by checking the
length of that field. Exploitation of this overflow to execute code would
result in code running in the security context of the Trillian user.
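A pre-installation audit of a skin file, as an added example (not
Trillian code; the page does not give the skin schema, so the element and
attribute names in the constructed samples are assumed and the audit
walks every attribute and text node instead of looking for one named
field):

```python
"""Schema-agnostic pre-installation audit of an XML skin: report every
attribute value or text node whose length reaches a limit.

Added example, not Trillian code. Only the 4096-character threshold
comes from the advisory; the element and attribute names in the samples
below are assumed."""
import xml.etree.ElementTree as ET

LIMIT = 4096  # the advisory's reported trigger length for the colors file field


def oversized_values(xml_text, limit=LIMIT):
    """Return [(location, length), ...] for each attribute or text value of >= limit characters.

    Locations are XPath-like so a finding can be traced back into the
    file. ElementTree expands internal entities, so audit skins from
    untrusted sources through defusedxml instead."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        for name, value in elem.attrib.items():
            if len(value) >= limit:
                findings.append((f"{path}/@{name}", len(value)))
        text = (elem.text or "").strip()
        if len(text) >= limit:
            findings.append((f"{path}/text()", len(text)))
        seen = {}
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    walk(root, f"/{root.tag}")
    return findings


def is_safe_skin(xml_text, limit=LIMIT):
    """True when no value in the skin reaches the limit."""
    return not oversized_values(xml_text, limit)


# Constructed samples; element and attribute names are assumed, not Trillian's schema.
BENIGN_SKIN = '<skin name="demo"><colors file="colors.xml"/><font face="Tahoma"/></skin>'
MALICIOUS_SKIN = '<skin name="demo"><colors file="' + "A" * 4096 + '"/></skin>'


if __name__ == "__main__":
    print(oversized_values(BENIGN_SKIN))     # []
    print(oversized_values(MALICIOUS_SKIN))  # [('/skin/colors[1]/@file', 4096)]
```

Checking every value rather than one field costs nothing and catches the
same class of bug in any other field the parser copies into a fixed
buffer; the location string tells the reviewer exactly where the
oversized value sits.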

6. Microsoft SQL Server Stored Procedure Low Privilege Weakness
BugTraq ID: 5604
Remote: Yes
Date Published: Sep 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5604
Summary:

Microsoft SQL Server 2000 uses various stored procedures to allow database
administrators to perform simplified administration.

Two of the stored procedures supplied by Microsoft have weak permissions
and can be executed by an unprivileged user:

- sp_MSSetServerProperties
- sp_MSsetalertinfo

sp_MSSetServerProperties can be used by the administrator to configure
whether the SQL server starts manually or automatically at startup.
sp_MSsetalertinfo can be used to configure the email address that alerts
should be sent to.

Neither of these stored procedures can be used to compromise the server or
its data, however, they may be combined with other SQL vulnerabilities to
allow system compromise.

7. Microsoft Internet Explorer HTML Same Origin Policy Violation Vulnerability
BugTraq ID: 5610
Remote: Yes
Date Published: Sep 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5610
Summary:

A vulnerability exists in Microsoft Internet Explorer that can allow for a
violation of the same origin policy.

In modern browsers, script code executing in the context of one website
should not be able to access the properties of another. This is a
security feature known as the 'same origin policy', and it is put in place
to prevent malicious websites from interacting with and possibly stealing
sensitive information from others in different windows.

When MSIE is evaluating whether access across windows should be permitted,
the domain of the parent window is compared to the child. A vulnerability
in this process has been reported that is related to the handling of HTTP
usernames included in the URL. If the username value is suffixed with
"%2f", MSIE will not remove the username when performing the same-origin
check. Therefore it is possible to bypass the check if a username is
included in a URL that matches the domain of the parent window and is
appended with "%2f". For example, the URL:

www.childdomain.ooo%2f@otherdomain will match 'www.childdomain.ooo' when
the same origin check is carried out.

Attackers can construct websites that, for example:

- Steal cookies associated with arbitrary websites.
- Perform actions on different websites through script code (for example, may be possible to delete mail on a webmail system).
- Transmit the contents of local files (parseable as type text/html) to attacker-controlled webservers.
- Write to windows containing different websites, effectively 'spoofing' the content. This is probably the most serious consequence, as trusted websites can be replaced with entirely attacker-created HTML.
- Access other objects through MSIE, such as MSN contacts.
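The host comparison done both ways, as an added example (not Internet
Explorer code; 'flawed_host' is a model of the failure the advisory
describes, built as "decode first, then cut the host at the first
slash", which reproduces the reported outcome but is an assumption about
MSIE's actual code path; the URLs are the advisory's placeholders with a
scheme added):

```python
"""Same-origin host comparison done on decoded URL text versus on a
parsed authority.

Added example, not Internet Explorer code. The advisory says MSIE kept
the username when it ended in %2f; flawed_host models that failure as
'percent-decode, then cut at the first slash'. That reproduces the
advisory's outcome but is an assumption about the real code path."""
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def flawed_host(url):
    """Model of the vulnerable check: decode first, then take the text between '://' and the first '/'.

    With 'user%2f@host', the decoded '/' ends the host early, and the
    username is what gets compared."""
    decoded = unquote(url)
    after_scheme = decoded.split("://", 1)[1]
    return after_scheme.split("/", 1)[0].lower()


def parsed_host(url):
    """Correct check: split the authority before any decoding, then drop userinfo and port."""
    return (urlsplit(url).hostname or "").lower()


def same_origin(parent_url, child_url, host_fn=parsed_host):
    """Scheme, host and port must all agree; host_fn selects the host extraction under test."""
    p, c = urlsplit(parent_url), urlsplit(child_url)
    p_port = p.port or DEFAULT_PORTS.get(p.scheme.lower())
    c_port = c.port or DEFAULT_PORTS.get(c.scheme.lower())
    return (p.scheme.lower() == c.scheme.lower()
            and host_fn(parent_url) == host_fn(child_url)
            and p_port == c_port)


PARENT = "http://www.childdomain.ooo/"
CHILD = "http://www.childdomain.ooo%2f@otherdomain/"   # the advisory's example URL, scheme added


def demo():
    """Return both host extractions and both verdicts for the advisory's URL pair."""
    return {
        "flawed_host": flawed_host(CHILD),
        "parsed_host": parsed_host(CHILD),
        "flawed_same_origin": same_origin(PARENT, CHILD, flawed_host),
        "correct_same_origin": same_origin(PARENT, CHILD, parsed_host),
    }


if __name__ == "__main__":
    print(demo())
```

The general rule for anyone writing an origin check: split the authority
at the first unencoded '/' before decoding anything, strip userinfo at
the last '@', and only then compare scheme, host and port. Decoding
before splitting lets an attacker-chosen '%2f' or '%40' move the
boundaries.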

8. Multiple Cisco VPN 3000 Vulnerabilities
BugTraq ID: 5609
Remote: Yes
Date Published: Sep 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5609
Summary:

Cisco has reported a number of vulnerabilities in the VPN 3000 series
concentrators. These issues affect models 3005, 3015, 3030, 3060, 3080
and the Cisco VPN 3002 Hardware Client.

The first issue affects PPTP and IPSec internal authentication. It is
possible for a user to log in to the VPN from the external network using
group authentication credentials intended for the internal network. This
can occur when the concentrator is configured for group accounts but no
user accounts have been created, and may allow a malicious user to
violate the security policy. The Cisco VPN 3002 Hardware Client is not
affected by this issue.

The second issue is a denial of service condition in the HTML interface of
the concentrators. An overly long request may cause the IP stack of the
device to stop responding, due to resource exhaustion. The device is said
to recover approximately 5 minutes after the overly long request is
processed.

The third issue is an information disclosure problem with the affected
devices. Sensitive information is disclosed in the SSH and FTP banners.
HTTP error pages also give out sensitive information about the device.
An attacker may use this sensitive information to assist in mounting
further attacks against the device.

The fourth issue is a buffer overflow in the telnet daemon included with
the device. It is reported that this may be exploited to cause a denial
of service. It should be noted that the telnetd interface is not enabled
by default in the affected concentrators, nor can it be enabled on Cisco
VPN 3002 Hardware Client.

The fifth issue could result in a denial of service attack against a
vulnerable device. A native Microsoft Windows PPTP client connecting with
the "No Encryption" option set can cause a VPN 3000 series concentrator
to reload arbitrarily, resulting in a denial of service.

The sixth issue has the potential to disclose user credentials to remote
attackers. Any administrative HTML pages which contain user credentials
will disclose the plaintext password in the page source code. This may
allow restricted access administrative users to gain access to the
credentials.

The seventh issue also has the potential to disclose sensitive
authentication credentials. Certificate credentials are contained in
plaintext in the source code of Certificate Management HTML pages and will
be viewable by administrative users.

The eighth issue may potentially allow traffic for any protocol to be sent
across an arbitrary port on the concentrator. This issue occurs when the
XML filter is enabled on the public interface, causing a misconfigured
rule to be added to the device.

The ninth issue is that users may access a limited number of HTML pages
for the device without authentication being required. This has the
potential to disclose some amount of sensitive information.

The tenth issue is a denial of service condition related to handling of
overly long username and password strings submitted via a modified HTML
page. If the attacker posts overly long values for these strings, the
device will reportedly reload.

The eleventh issue is also a denial of service condition related to the
handling of an overly long username string. The malformed string may be
submitted with a VPN client and may cause the device to reload when it is
processed.

The twelfth issue is a failure to drop a new incoming LAN-to-LAN
connection in circumstances when the connection already has a security
association with the same remote network on another device. The previous
connection will be dropped and a connection will be made with the new,
possibly untrusted device on the remote network. This may potentially
allow unauthorized access by untrusted devices on a supposedly trusted
network. The device also reportedly does not verify the data coming
across the connection to determine if it is coming from the correct
network.

The final issue is a denial of service condition which may be caused by
malformed ISAKMP packets. Various types of malformed packets may cause
the device to reload, under different settings.

** These issues will be separated into individual Bugtraq IDs when
further analysis is completed. A new alert with more detailed information
will be sent out for each individual record.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SMBdie exploit testing (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290595

2. Does W2K hold user's email, EFS etc private key securely ? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290596

3. SecurityFocus Microsoft Newsletter #102 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290385

4. Anyone know what "piiserviceO" is? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290405

5. IUSR_machinename (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290407

6. SecureIIS - protecting IIS (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290213

7. Windows 2000 Application log corruption (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289994

8. IIS and Frontpage Extensions Vulnerability. (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/289941

IV. MICROSOFT PRODUCTS
-----------------------
1. Anti-Virus Toolkit for Microsoft Exchange
by Dr Solomon
Platforms: Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=73
Summary:

Complete anti-virus protection for Microsoft Exchange, Server and Client.
Dr Solomon's Anti-Virus Toolkit automatically scans each e-mail message
and attachment, leaving virus-free files undisturbed. All infected files
are immediately isolated or disinfected and forwarded using Dr Solomon's
award winning anti-virus engine.

2. Exceleration PolicyWare
by NetBoost
Platforms: Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=897
Summary:

NetBoost's PolicyWare provides a new platform for building and deploying
an emerging breed of network policy enforcement applications that address
the complexities of today's corporate networks. Network policy enforcement
applications translate business policies into network behavior and include
firewall, intrusion detection, VPN, RMON probe, rate shaping, and web
caching systems.

NetBoost partners with leading vendors of policy enforcement applications
and platforms to create flexible, scalable solutions that make today's
high-speed corporate networks more efficient, controllable and
intelligent. NetBoost provides significant time to market and performance
advantages for ISVs and network equipment manufacturers, offering the
flexibility of software development with the high-speed performance of
custom silicon.

In implementation, NetBoost PolicyWare solutions allow CIOs, network
security managers, and network administrators to deploy, update, and
enforce network policies more efficiently, as well as, maximize the
performance of policy enforcement applications and platforms.

3. Storage Management
by St. Bernard Software
Platforms: Windows 2000 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1407
Summary:

Open File Manager is a utility that enables your existing backup software
to successfully capture open files - even if they are changing during the
backup. There is no need to close applications or lock out users. With
Open File Manager you can run your backup at anytime - all without any
interruption to users.

V. MICROSOFT TOOLS
-------------------
1. Mailscanner for Postfix v0.0.6pl1
by Peter Turczak p_turczak@gmx.de
Relevant URL:
http://online.securityfocus.com/tools/2069
Platforms: Windows 95/98, Windows NT
Summary:

This program is invoked from the .forward file of a user and scans the
incoming mails for .vbs .exe .com .bat, and similar attachments. If a
message is clean, it is inserted into the users qmail-style Maildir.
Otherwise, it is bounced.

2. File::Scan v0.24 by Henrique Dias
hdias@aeiou.pt http://www.cpan.org/authors/id/H/HD/HDIAS/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

File::Scan allows users to write multiplatform virus scanners which can
detect Windows/DOS/Mac viruses. It includes a virus scanner and a
signature database.

3. DreamSys Server Monitor v3.1
by DreamSys Software
Relevant URL:
http://www.mikersoft.com/servermonitor/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

Monitor servers over a network or the Internet. Connect, Receive, or Send
& Receive tests on TCP connections. Simple Ping tests. Test services on
remote machines, and restart services if necessary. Quick and Easy to use
Windows interface. Save/Load host lists as separate documents.

VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by the SecurityFocus DeepSight Threat
Management System. The free two-week trial announcement appears in full
at the top of this issue.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml

-------------------------------------------------------------------------------
