SecurityFocus Microsoft Newsletter #104

From: Marc Fossi (mfossi@securityfocus.com)
Date: 09/18/02


Date: Wed, 18 Sep 2002 07:45:17 -0600 (MDT)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>


SecurityFocus Microsoft Newsletter #104
---------------------------------------

I. FRONT AND CENTER
     1. Evaluating Network Intrusion Detection Signatures, Part 1
     2. SecurityFocus DPP Program
     3. IIR's 3G Fraud & Security Forum
II. MICROSOFT VULNERABILITY SUMMARY
     1. Cisco VPN Client NETBIOS TCP Packet Denial Of Service...
     2. Cisco VPN Client Password Disclosure Vulnerability
     3. Cisco VPN Client TCP Filter Information Leakage Vulnerability
     4. Cisco VPN Client Distinguished Name Validation Vulnerability
     5. Cisco VPN Client Predictable Sequence Number Vulnerability
     6. Ultimate PHP Board Unauthorized Administrative Access...
     7. Netscreen-Remote VPN Client IKE Packet Excessive Payloads...
     8. PHP Header Function Script Injection Vulnerability
     9. Multiple Microsoft JVM Vulnerabilities
     10. Microsoft Internet Explorer IFrame/Frame Cross-Site/Zone...
     11. phpGB SQL Injection Vulnerability
     12. Trillian Instant Messaging Credential Encryption Weakness
     13. phpGB PHP Code Injection Vulnerability
     14. PHP Function CRLF Injection Vulnerability
     15. Alleged Outlook Express Link Denial of Service Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Authentication problems using VPN on MS ISA (Thread)
     2. Suspicious URLScan.log (Thread)
     3. Windows XP file deletion (Thread)
     4. AW: ASP Dot Net Security Guidelines (Thread)
     5. ASP Dot Net Security Guidelines (Thread)
     6. new unknown ms problem... (Thread)
     7. Thanks and a follow-up question on private keys (Thread)
     8. track acount activity in W2K (Thread)
     9. Administrivia: Spamarrest (Thread)
     10. SecurityFocus Microsoft Newsletter #103 (Thread)
     11. Does W2K hold user's email, EFS etc private key securely ?...
     12. SMBdie exploit testing (Thread)
IV. MICROSOFT PRODUCTS
     1. NetMAX Professional Suite
     2. NetMAX VPN Server Suite
     3. Kerio MailServer
V. MICROSOFT TOOLS
     1. Simp (Secway's Instant Messenger Privacy) v1.1.0
     2. SQL Server Password Auditing Tool v1.0.1
     3. Demarc PureSecure v1.6

I. FRONT AND CENTER
-------------------
1. Evaluating Network Intrusion Detection Signatures, Part 1
By Karen Kent Frederick

This article is the first in a series that will help readers to evaluate
NID signatures. Properly testing NID signatures is a surprisingly complex
topic. This installment will discuss some of the basics of evaluating NID
signature quality, and then look at issues relating to selecting attacks
to be used in testing.

http://online.securityfocus.com/infocus/1623

2. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

3. IIR's 3G Fraud & Security Forum (21-23 October, London)

A specialized conference designed specifically for Fraud and Security
Managers in the 3G and mobile commerce space. This year's agenda focuses
on technical strategies for detecting and minimizing the fraud risks in 3G
services: what will be the key vulnerabilities in 3G and how can you
manage the increased risks of content partner fraud, transaction-based
roaming and m-commerce fraud? We will also be devoting a whole day to 3G
network security - penetration testing, third party access risks, IDS,
with even a live hack demonstration of Internet fraud.

Key speakers include Radicchio, Orange, Optimus, Vodafone, Visa, BTexact,
CFCA, with a keynote from security guru Charles Brookson, Chair of the GSM
Association Security Group.

For more details please visit http://www.iir-conferences.com/3GFraud

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Cisco VPN Client NETBIOS TCP Packet Denial Of Service Vulnerability
BugTraq ID: 5649
Remote: Yes
Date Published: Sep 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5649
Summary:

The Cisco VPN Client is software for communicating securely via VPN
(Virtual Private Networks). It is available for a number of platforms,
including Microsoft Windows, MacOS X, Solaris and Linux.

Cisco VPN Client is reported to be prone to a denial of service condition
upon receipt of NETBIOS TCP packets. It is possible for a remote attacker
to exploit this condition to shut down a connection that the client has
initiated by sending a NETBIOS packet to port 137 of the host running the
client.

Exploitation of this issue will cause the client to crash. An attacker
may potentially make a prolonged attack, which will effectively restrict
the ability of the user to make a VPN connection using the client.

2. Cisco VPN Client Password Disclosure Vulnerability
BugTraq ID: 5650
Remote: No
Date Published: Sep 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5650
Summary:

The Cisco VPN Client is software for communicating securely via VPN
(Virtual Private Networks). It is available for a number of platforms,
including Microsoft Windows, MacOS X, Solaris and Linux.

Cisco has reported that a vulnerability exists in the Windows VPN client
that may result in unintended disclosure of the password. It is possible
to extract the plaintext password value from a "shaded" (replaced with
asterisks) field in the authentication property page using a utility.
This utility may be the publicly available "Revelation" tool, however this
is unconfirmed.

Exploitation requires local access to the desktop.

3. Cisco VPN Client TCP Filter Information Leakage Vulnerability
BugTraq ID: 5651
Remote: Yes
Date Published: Sep 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5651
Summary:

The Cisco VPN Client is software for communicating securely via VPN
(Virtual Private Networks). It is available for a number of platforms,
including Microsoft Windows, MacOS X, Solaris and Linux.

Cisco VPN Client, when running in "all tunnel" mode, will acknowledge
packets that originate from outside the tunnel, via the tunnel-assigned IP
address. This has the potential to leak information about the client
system to attackers.

This issue does not occur if "split tunneling" mode is enabled.
Furthermore, 3.5.x releases of the client are not prone to this issue if
the firewall is configured to run in "always on" mode. The 3.6(Rel)
version of the client is prone to this issue even under circumstances
where the firewall is run in "always on" mode.

4. Cisco VPN Client Distinguished Name Validation Vulnerability
BugTraq ID: 5652
Remote: Yes
Date Published: Sep 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5652
Summary:

The Cisco VPN Client is software for communicating securely via VPN
(Virtual Private Networks). It is available for a number of platforms,
including Microsoft Windows, MacOS X, Solaris and Linux.

A problem has been discovered that may allow a man-in-the-middle attack.

A flaw in the Cisco VPN Client prevents the client from sufficiently
validating credentials supplied in a certificate used for VPN privacy.
The client does not properly validate Distinguished Names (DN) contained
in some certificates, and may trust certificates supplied by a third party
that represent a malicious host. This could result in a third party
gaining a man-in-the-middle position between a VPN client and concentrator
with the ability to monitor traffic in an unencrypted state between the
two entities.
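
An added example, not Cisco's code: the advisory above does not say how the
client's Distinguished Name check goes wrong, so this shows the general class
of bug rather than the specific defect. A peer is accepted because the expected
DN text appears somewhere inside the presented DN (a substring check) instead
of being compared attribute by attribute. All DN strings below are constructed;
parse_dn, loose_dn_match and strict_dn_match are names chosen here.

```python
# Added example, not Cisco's code. Illustrates loose (substring) versus strict
# (attribute-by-attribute) matching of a certificate Distinguished Name.


def parse_dn(dn):
    """Split an RFC 2253 style DN string into ordered (attribute, value)
    pairs, honouring backslash-escaped commas inside values."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def loose_dn_match(expected, presented):
    """The weak check: substring containment. A longer CN, or extra RDNs
    appended by whoever controls the certificate, still passes."""
    return expected in presented


def strict_dn_match(expected, presented):
    """Same attributes, same values, same order, nothing extra. Attribute
    types compare case-insensitively, values exactly. Malformed input is a
    mismatch, never an exception that a caller might swallow."""
    try:
        return parse_dn(expected) == parse_dn(presented)
    except ValueError:
        return False


if __name__ == "__main__":
    expected = "CN=vpn.example.net"
    for presented in ("CN=vpn.example.net,O=Example Corp",
                      "CN=vpn.example.net.attacker.test,O=Example Corp",
                      "CN=vpn.example.net,OU=issued by attacker"):
        print(loose_dn_match(expected, presented),
              strict_dn_match(expected, presented), presented)
```

Note that strict_dn_match compares the whole DN, so the expected value has to
name every RDN the concentrator's certificate carries; in a real deployment the
comparison also belongs after chain validation against a trusted CA, not in
place of it.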

5. Cisco VPN Client Predictable Sequence Number Vulnerability
BugTraq ID: 5653
Remote: Yes
Date Published: Sep 05 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5653
Summary:

The Cisco VPN Client is software for communicating securely via VPN
(Virtual Private Networks). It is available for a number of platforms,
including Microsoft Windows, MacOS X, Solaris and Linux.

Cisco has reported that random number generation has been improved in
Cisco VPN Client. Weak random number generation may present a security
vulnerability to users of the client software, since these random numbers
will be used when VPN sessions are negotiated.

It has not been confirmed, but it may be possible under some circumstances
for attackers to anticipate numbers that are generated by the software.

If an attacker can anticipate sequence numbers for VPN sessions, it may be
possible to mount man-in-the-middle attacks against a connection or
possibly inject packets into a connection. The attacker may need to be
within the VPN to exploit this issue.

6. Ultimate PHP Board Unauthorized Administrative Access Vulnerability
BugTraq ID: 5666
Remote: Yes
Date Published: Sep 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5666
Summary:

Ultimate PHP Board is a freely available, open source PHP bulletin board.
It is available for Unix, Linux, and Microsoft Operating Systems.

Ultimate PHP Board does not sufficiently validate whether authenticated
users possess administrative privileges before granting access to some
administrative facilities.

Access is not sufficiently validated for the following administrative
scripts:

admin_members.php, admin_config.php, admin_cat.php, admin_forum.php

Ultimate PHP Board checks that the scripts are being accessed by a user
who is currently logged in, but does not validate the permissions of the
user before allowing access.

Authenticated users may exploit this issue to perform administrative
actions.

7. Netscreen-Remote VPN Client IKE Packet Excessive Payloads Vulnerability
BugTraq ID: 5668
Remote: Yes
Date Published: Sep 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5668
Summary:

The Netscreen-Remote VPN Client is Virtual Private Network software. It is
available for the Microsoft Windows platform. The Netscreen-Remote Client
is prone to a remotely exploitable buffer overflow condition. It is
possible to trigger this condition by sending malformed IKE packets to the
client. The overflow is known to occur when the client attempts to process
an IKE packet with several valid payloads. When the malformed packet is
handled by the client, memory can be corrupted with attacker-supplied
values.

An attacker would most likely exploit this vulnerability with a malicious
server. It may also be possible to exploit this issue by injecting a
malicious packet into a legitimate VPN connection. The ability to inject
data will depend on network proximity of the attacker, however VPN
connections are commonly made when traffic must pass through untrusted
network space.

It may be possible to exploit this condition to execute arbitrary code
with the privileges of the client, though this has not been confirmed. It
has been confirmed that this issue can result in a denial of service to
the client system, causing a consumption of resources, and making the
client system unresponsive.

This issue is reported to be exploitable when the client software is
operating in Aggressive Mode during a phase 1 IKE exchange.
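
An added example, not NetScreen's or Cisco's code, of the kind of parsing the
advisory above implies is missing: a bounds-checked walk over an ISAKMP (IKEv1)
payload chain that refuses a message carrying an excessive number of payloads
or a payload length that runs past the datagram. The header and generic payload
layouts follow RFC 2408; MAX_PAYLOADS, the sample messages and the function
names are assumptions made for this demonstration.

```python
import struct

# Added example, not vendor code: bounds-checked ISAKMP payload-chain parser.
# Layouts from RFC 2408; the cap and the test messages are assumptions.

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, ver, exch, flags, msgid, len
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
EXCHANGE_AGGRESSIVE = 4                    # RFC 2409 aggressive mode exchange type
MAX_PAYLOADS = 16                          # assumed policy cap on payloads per message
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}


def parse_isakmp(msg, max_payloads=MAX_PAYLOADS):
    """Return (exchange_type, [payload types]) or raise ValueError.
    Every length field is checked against the buffer before it is used, and
    the chain is capped, so a message with hundreds of valid-looking payloads
    is refused up front instead of being processed one by one."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    (_ic, _rc, next_pl, version, exch, _flags,
     _msg_id, length) = ISAKMP_HDR.unpack_from(msg, 0)
    if version >> 4 != 1:
        raise ValueError("unsupported ISAKMP major version %d" % (version >> 4))
    if length != len(msg):
        raise ValueError("header length %d != datagram length %d" % (length, len(msg)))
    payloads, off = [], ISAKMP_HDR.size
    while next_pl != 0:
        if len(payloads) >= max_payloads:
            raise ValueError("more than %d payloads in one message" % max_payloads)
        if off + GENERIC_HDR.size > len(msg):
            raise ValueError("truncated payload header at offset %d" % off)
        cur_type = next_pl
        next_pl, _reserved, plen = GENERIC_HDR.unpack_from(msg, off)
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append(cur_type)
        off += plen
    if off != len(msg):
        raise ValueError("%d trailing bytes after last payload" % (len(msg) - off))
    return exch, payloads


def is_well_formed(msg, max_payloads=MAX_PAYLOADS):
    """True if parse_isakmp accepts the message under the given cap."""
    try:
        parse_isakmp(msg, max_payloads)
        return True
    except ValueError:
        return False


def build_isakmp(exch, payload_types, body=b"\x00" * 8):
    """Build a syntactically valid message with one fixed-size body per
    payload. Constructed test data only; bodies are not real SA/KE/ID content."""
    chain = b""
    for i in range(len(payload_types)):
        nxt = payload_types[i + 1] if i + 1 < len(payload_types) else 0
        chain += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    first = payload_types[0] if payload_types else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, 0, 0,
                          ISAKMP_HDR.size + len(chain))
    return hdr + chain


if __name__ == "__main__":
    normal = build_isakmp(EXCHANGE_AGGRESSIVE, [1, 4, 10, 5])   # SA, KE, NONCE, ID
    flood = build_isakmp(EXCHANGE_AGGRESSIVE, [13] * 200)      # 200 VID payloads
    overlong = normal[:30] + b"\xff\xff" + normal[32:]         # first payload length
    for name, m in (("normal", normal), ("flood", flood), ("overlong", overlong)):
        print(name, is_well_formed(m))
```

The cap is the design decision worth arguing about: a legitimate aggressive
mode message carries a handful of payloads (SA, KE, NONCE, ID, perhaps a few
VIDs), so a limit in the low tens loses nothing and turns the "several valid
payloads" case from a memory-corruption path into a logged rejection.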

8. PHP Header Function Script Injection Vulnerability
BugTraq ID: 5669
Remote: Yes
Date Published: Sep 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5669
Summary:

PHP is a freely available, open source web scripting language package.
It is available for Microsoft Windows, Linux, and Unix operating systems.

A problem with PHP may make it possible to execute arbitrary script code.

It has been reported that a vulnerability in the PHP header function
exists. It may be possible for a user to supply arbitrary script code in
a URL that would allow the injection of script code into the HTTP header.

In such a scenario, a piece of code using the header function as in the
following example would be vulnerable:

<?php header("Location: " . $_GET['url']); ?>

This problem could lead to the execution of arbitrary script code in the
security context of the redirected site.

9. Multiple Microsoft JVM Vulnerabilities
BugTraq ID: 5670
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5670
Summary:

A reliable source has reported multiple vulnerabilities in Microsoft's
implementation of the Java Virtual Machine (JVM). According to the
report, the vulnerabilities are related to Microsoft-specific native
methods used within the various classes.

There are numerous input validation and memory corruption issues in these
methods. It is possible to invoke them through other, public methods that
are accessible by Applets. Attackers may write applets designed to
exploit the vulnerabilities and place them on websites or embed them in
HTML mail. Exploitation occurs when the applets are run.

It may be possible for attackers to exploit these vulnerabilities to
access the file system or execute hostile code on the target system
outside of the sandbox restrictions. The individual who reported this
issue has stated that the Sun JVM was tested and found not vulnerable.

10. Microsoft Internet Explorer IFrame/Frame Cross-Site/Zone Script Execution Vulnerability
BugTraq ID: 5672
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5672
Summary:

When a Microsoft Internet Explorer (MSIE) window opens another window,
security checks should prevent the parent from accessing the child if the
latter is of another domain or Security Zone. Several vulnerabilities
have been reported in the past related to this process.

It has been reported that such checks fail to occur against attempts to
access the frames of child window documents. It is possible for a parent
window to set the URL of frames or iframes within a child window
regardless of the domain or Security Zone. This has serious security
implications as the parent can cause script code to be executed within the
context of the child domain by setting the URL to the "javascript"
protocol, followed by the desired code.

Attackers may exploit this vulnerability to obtain cookie values for other
domains/websites, modify content, and perform other similar attacks.
Attackers may also execute script code within the "My Computer" Zone.
This may have more severe consequences. This is possible if an HTML file
exists on the client filesystem that contains frames. For users of MSIE6,
the file "res://shdoclc.dll/privacypolicy.dlg" may be used. There may
exist similar files for users of earlier versions of MSIE.

11. phpGB SQL Injection Vulnerability
BugTraq ID: 5673
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5673
Summary:

phpGB is a PHP/MySQL based guestbook. It is available for all operating
systems that support PHP, including Unix, Linux, and Microsoft Windows.

The cause of the issue is that the guestbook relies on the PHP
magic_quotes_gpc directive to sanitize variables that are used in SQL
queries.

If magic_quotes_gpc is not enabled, then it will be possible for attackers
to mount SQL injection attacks through the guestbook. Variables will not
be properly sanitized of potentially malicious input, which may allow an
attacker to inject SQL code into variables which will be used to construct
database queries.

It is possible to exploit this issue to modify the logic of SQL queries,
which may allow attackers to corrupt the database. It is also possible to
exploit this issue to gain administrative guestbook privileges.
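
An added example, not phpGB's code, of the failure mode described above: a
guestbook admin check that concatenates request data into its SQL, which only
works while magic_quotes_gpc happens to be on, next to the same check with
bound parameters. The table, the credentials and the two payloads are
constructed, and an in-memory SQLite database stands in for phpGB's MySQL
backend; the injection itself is the same because the bug is in the string
building, not the database.

```python
import sqlite3

# Added example, not phpGB's code. Constructed schema and data in SQLite.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gb_admin (username TEXT, password TEXT)")
    # Constructed sample row. Plaintext storage is a simplification for the demo.
    db.execute("INSERT INTO gb_admin VALUES ('admin', 'correct-horse')")
    return db


def render_vulnerable_sql(username, password):
    """The query text as the script builds it when request data arrives
    unescaped, i.e. when it trusted magic_quotes_gpc and the directive is off."""
    return ("SELECT COUNT(*) FROM gb_admin WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def admin_login_vulnerable(db, username, password):
    return db.execute(render_vulnerable_sql(username, password)).fetchone()[0] > 0


def admin_login_safe(db, username, password):
    """Bound parameters: the driver hands values to the engine separately
    from the query text, so quotes in the input can never change its logic.
    This holds whether or not magic_quotes_gpc is on."""
    sql = "SELECT COUNT(*) FROM gb_admin WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic bypasses an attacker would submit to the admin login form.
PAYLOAD_TAUTOLOGY = ("admin", "x' OR '1'='1")   # ... password = 'x' OR '1'='1'
PAYLOAD_COMMENT = ("admin' --", "anything")     # ... username = 'admin' --' AND ...


if __name__ == "__main__":
    db = make_db()
    for user, pw in (PAYLOAD_TAUTOLOGY, PAYLOAD_COMMENT):
        print(render_vulnerable_sql(user, pw))
        print("  vulnerable:", admin_login_vulnerable(db, user, pw),
              " safe:", admin_login_safe(db, user, pw))
```

Escaping (what magic_quotes_gpc did, and what a script can do explicitly with
the database's own quoting function) closes the quoted-string case but is a
weaker fix than parameters: it has to be applied to every input on every code
path, and it does nothing for values used unquoted, such as numeric IDs.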

12. Trillian Instant Messaging Credential Encryption Weakness
BugTraq ID: 5677
Remote: No
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5677
Summary:

Trillian is an instant messaging client that supports a number of
protocols (including IRC, ICQ, MSN). It is available for Microsoft
Windows systems.

Users of the software may opt to save their credentials for instant
messaging services to allow automatic access.

Trillian uses weak encryption to store saved authentication credentials
for instant messaging services. The credentials are encrypted by using
XOR with a static key that is used with every installation of the
software. The encryption may be trivially reversed, yielding
authentication credentials for instant messaging services.

Exploit code has been released which will allow local attackers to decrypt
the instant messaging credentials of other users on the system.
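
An added example, not Trillian's code and not its real key, showing why XOR
with a fixed key is obfuscation rather than encryption: the same function
encrypts and decrypts, and one saved credential whose plaintext the attacker
knows (their own account) recovers the key for every other user's file.
STATIC_KEY is a made-up four-byte value standing in for whatever fixed key the
product shipped with; the account strings are constructed.

```python
# Added example, not Trillian's code. STATIC_KEY is hypothetical.

STATIC_KEY = b"\x13\x37\xc0\xde"   # assumed: identical in every installation


def xor_with_key(data, key):
    """XOR each byte with the repeating key. XOR is its own inverse, so this
    one function both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_credential(plaintext):
    """What the client does when saving an account for automatic login."""
    return xor_with_key(plaintext, STATIC_KEY)


def recover_keystream(ciphertext, known_plaintext):
    """Known-plaintext attack: ciphertext XOR plaintext is the key stream.
    The attacker only needs a saved credential they chose themselves."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_with_key(ciphertext[:n], known_plaintext[:n])


def find_period(keystream):
    """Smallest repeat length consistent with the recovered stream, i.e. the
    key length, provided the known plaintext was longer than the key."""
    for p in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i % p] for i in range(len(keystream))):
            return p
    return len(keystream)


def recover_key(ciphertext, known_plaintext):
    ks = recover_keystream(ciphertext, known_plaintext)
    return ks[:find_period(ks)]


if __name__ == "__main__":
    own = b"mallory:letmein1"                      # attacker's own account
    key = recover_key(store_credential(own), own)   # learned without the binary
    victim = store_credential(b"alice:s3cret!")     # another user's saved blob
    print(key == STATIC_KEY, xor_with_key(victim, key))
```

The fix is not a better static key: anything the client can decrypt without
user input, a local attacker can decrypt too. Credentials saved for auto-login
need a secret tied to the user (on Windows, a per-user protected store) so that
another account on the same machine gets nothing from the file.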

13. phpGB PHP Code Injection Vulnerability
BugTraq ID: 5679
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5679
Summary:

phpGB is a PHP/MySQL based guestbook. phpGB is available on all platforms
that support PHP, including Unix, Linux, and Microsoft Windows.

phpGB is subject to a PHP code injection vulnerability.

It is possible to inject code into the guestbook configuration file
(config.php) by supplying malicious parameters for the savesettings.php
script. The configuration file is referenced in most of the other
guestbook scripts, so each time one of the scripts is accessed the
attacker-supplied PHP code will be executed.

It should be noted that normally authentication is required to access the
savesettings.php script; however, the script "authenticates" only by
checking that it was requested via an HTTP POST request and does not
further authenticate users.

Injection of improper syntax will result in a denial of service on the
entire guestbook, since this will cause an error to occur when the
configuration file is interpreted.

It is also possible for an attacker to exploit this condition to execute
operating system commands with the privileges of the webserver via PHP
code injection.

14. PHP Function CRLF Injection Vulnerability
BugTraq ID: 5681
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5681
Summary:

PHP is a freely available, open source web scripting language package. It
is available for Microsoft Windows, Linux, and Unix operating systems.

PHP includes a number of functions, such as fopen() and file(), which are
used to reference external resources, such as other PHP files. If the
allow_url_fopen PHP directive is enabled, these functions may be used to
access resources that exist on remote hosts by supplying a URL as an
argument to the function. When these functions are used to reference a
remote resource, PHP constructs a request for the resource using the
appropriate protocol.

A vulnerability has been discovered in PHP which may allow an attacker to
add arbitrary data to headers constructed by PHP when remote resources are
retrieved using these functions. This may be accomplished by embedding
CRLF (carriage return/line feed) pairs in variables included in the URL.
For example, if fopen() is called with a URL pointing at a remote web
server, an HTTP GET request will be constructed to access the remote
resource. It is possible, by injecting CRLFs into parameters of a
vulnerable script, to add arbitrary header information (such as the Host:
field, cookies, etc.) to the request that is constructed by PHP.

This input validation issue may allow for a number of attacks. For
example, attackers may modify the Host: field. This may theoretically
result in a file other than that expected being included in a PHP script.
Furthermore, under some circumstances it is possible to trick the PHP
interpreter into connecting to an arbitrary port and transmitting
commands. This was demonstrated by the individual who reported this
issue.
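
An added example, written in Python rather than PHP and not code from the PHP
project or either advisory, that covers both item 8 (the header("Location: "
. $_GET['url']) pattern) and item 14 (CRLF reaching the request PHP builds
for a URL-aware fopen()). Both are the same bug seen from two sides: a string
with CR/LF in it is concatenated into an HTTP message, and whatever parses
that message on the other end treats the injected text as more headers or a
body. The HTTP builders are deliberately simplified stand-ins for what PHP and
a web server emit; host names, payloads and the allow-list are constructed.

```python
# Added example, not PHP's code. Simplified HTTP message builders and parser.

CRLF = "\r\n"


def build_redirect(location):
    """Mirrors header("Location: " . $_GET['url']): raw concatenation."""
    return "HTTP/1.0 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def build_fetch_request(url):
    """Roughly what fopen("http://...") does under allow_url_fopen: split the
    URL and emit a GET with a Host: header derived from it."""
    _scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    return "GET /" + path + " HTTP/1.0" + CRLF + "Host: " + host + CRLF + CRLF


def parse_head(raw):
    """Split an HTTP head into (start line, [(name, value), ...], body), the
    way the browser or server on the other end will see it. Headers are kept
    as an ordered list so duplicated Host: lines stay visible."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def reject_crlf(value):
    """The minimal fix for both bugs: a header value never contains CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value


def safe_redirect(location, allowed_hosts=("www.example.net",)):
    """Reject CR/LF, then allow only a local path or an allow-listed host, so
    the redirect cannot be pointed at an attacker's site either."""
    reject_crlf(location)
    if location.startswith("/") and not location.startswith("//"):
        return build_redirect(location)
    scheme, _, rest = location.partition("://")
    host = rest.partition("/")[0].lower()
    if scheme.lower() in ("http", "https") and host in allowed_hosts:
        return build_redirect(location)
    raise ValueError("redirect target not allowed")


def safe_fetch_request(url):
    return build_fetch_request(reject_crlf(url))


def is_rejected(fn, value):
    """True if fn refuses the value with ValueError."""
    try:
        fn(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    split = build_redirect("/home" + CRLF + "Set-Cookie: session=attacker"
                           + CRLF + CRLF + "<script>alert(1)</script>")
    print(parse_head(split))
    smuggled = build_fetch_request("http://example.net/page?id=1 HTTP/1.0"
                                   + CRLF + "Host: evil.test" + CRLF + "X: ")
    print(parse_head(smuggled))
```

The response case is what later became known as HTTP response splitting: the
injected blank line ends the real response and everything after it is a body
the browser renders in the origin of the redirecting site, which is the
"execution of arbitrary script code" the advisory describes. PHP itself later
added a newline check to header(); the host allow-list is still the
application's job, because a CR/LF-free but attacker-chosen absolute URL is an
open redirect.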

15. Alleged Outlook Express Link Denial of Service Vulnerability
BugTraq ID: 5682
Remote: Yes
Date Published: Sep 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5682
Summary:

A denial of service issue has been reported in Microsoft Outlook Express.

Reportedly, when decoding an HTML email, Outlook Express will stop
responding upon encountering an <A HREF> link longer than 4095 characters.
It is not confirmed why this behaviour occurs, or clear whether the
vulnerability is in Outlook Express or Internet Explorer. Though the
reported issue cannot always be reproduced, Microsoft has confirmed its
existence. It may affect only certain localized versions.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Authentication problems using VPN on MS ISA (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291565

2. Suspicious URLScan.log (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291571

3. Windows XP file deletion (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291570

4. AW: ASP Dot Net Security Guidelines (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291564

5. ASP Dot Net Security Guidelines (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291436

6. new unknown ms problem... (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291404

7. Thanks and a follow-up question on private keys (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291389

8. track acount activity in W2K (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291320

9. Administrivia: Spamarrest (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291314

10. SecurityFocus Microsoft Newsletter #103 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291094

11. Does W2K hold user's email, EFS etc private key securely ? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291083

12. SMBdie exploit testing (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/290787

IV. MICROSOFT PRODUCTS
----------------------
1. NetMAX Professional Suite
by Cybernet Systems
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Score: Not scored yet
Relevant URL:
http://www.netmax.com/products/pro_prods.html
Summary:

NetMAX Professional Suite provides a complete set of networking tools,
integrating NetMAX's FireWall ProSuite, Internet Server ProSuite, and
FileServer Suite (Linux) or FireWall, WebServer, and FileServer (FreeBSD)
into one comprehensive Internet appliance package. Our Professional Suite
enables you to use the power and reliability of either Linux or FreeBSD as
well as popular applications such as Apache, Sendmail, and Samba which are
integrated into this product. The browser-based interface helps you to
quickly and easily configure and manage the required network services,
freeing network administrators from routine tasks.

2. NetMAX VPN Server Suite
by Cybernet Systems
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Score: Not scored yet
Relevant URL:
http://www.netmax.com/products/vpn_prods.html
Summary:

The NetMAX VPN Server Suite simplifies Linux servers by installing a
ready-to-configure network security solution consisting of a Virtual
Private Network (VPN) server, firewall, router, and proxy/cache server,
along with the Linux operating system. NetMAX Internet Appliance Software
provides small/medium sized businesses and enterprise workgroups easy use
of a browser-based administration and pre-configured suite of
applications, along with the strength and reliability of Linux.

3. Kerio MailServer
by Kerio Technologies Inc.
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT, Windows XP
Score: Not scored yet
Relevant URL:
http://www.kerio.com/us/kms_home.html
Summary:

Kerio MailServer represents a new generation of mail servers designed for
corporate networks. To help combat increasing security threats, Kerio
MailServer offers a wide range of features to keep email from being
intercepted, infected by computer viruses, or sent as spam.

V. MICROSOFT TOOLS
-------------------
1. Simp (Secway's Instant Messenger Privacy) v1.1.0
by Secway
Relevant URL:
http://www.secway.com/lab/simp.php?PARAM=us,ie#download
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

Simp (Secway's Instant Messenger Privacy) is a tool developed by Secway to
secure your online MSN Messenger conversations. Simp works by encrypting
messages before they are sent over the Internet and decrypting them when
they arrive at your contacts. Once installed on your computer and your
friends' computers, Simp will prevent anyone else from reading your
conversations.

2. SQL Server Password Auditing Tool v1.0.1
by Patrik Karlsson
Relevant URL:
http://www.cqure.net/tools10.html
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:

This tool is used to audit the strength of Microsoft SQL Server passwords
offline. It can be run either in brute-force mode or in dictionary attack
mode. The performance on a 1 GHz Pentium (256 MB) is around 750 000
guesses/sec.

To be able to perform an audit one needs the password hashes that are
stored in the sysxlogins table in the master database. The program needs
to have them formatted in a text file accordingly (look at the included
file hashes.txt).
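
An added example, not Patrik Karlsson's tool, of what such an offline audit
computes. It reproduces the publicly documented SQL Server 2000 pwdencrypt()
layout (a 0x0100 version word, a four-byte salt, SHA-1 over the UTF-16LE
password plus salt, then SHA-1 over the upper-cased password plus salt) and
uses the second digest to test candidates case-insensitively before resolving
the exact case against the first. The salt, wordlist and login below are
constructed; the tool's own hashes.txt format is not described on this page,
so the loader here simply accepts the 0x-prefixed hex that a query against
sysxlogins displays, which is an assumption.

```python
import hashlib
import itertools

# Added example, not the tool's code. SQL Server 2000 pwdencrypt() layout.


def mssql2000_hash(password, salt):
    """Build a 46-byte pwdencrypt()-style value from a password and salt."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    mixed = hashlib.sha1(password.encode("utf-16le") + salt).digest()
    upper = hashlib.sha1(password.upper().encode("utf-16le") + salt).digest()
    return b"\x01\x00" + salt + mixed + upper


def parse_hash(blob):
    """Accept raw bytes or 0x-prefixed hex; return (salt, mixed, upper)."""
    if isinstance(blob, str):
        blob = bytes.fromhex(blob[2:] if blob.lower().startswith("0x") else blob)
    if len(blob) != 46 or blob[:2] != b"\x01\x00":
        raise ValueError("not a 46-byte SQL Server 2000 pwdencrypt() value")
    return blob[2:6], blob[6:26], blob[26:46]


def case_variants(word):
    """Every upper/lower spelling of word (2**letters of them)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def audit(blob, wordlist):
    """Dictionary audit. Returns (case-insensitive match, exact password).
    Stage 1 costs one SHA-1 per guess against the upper-case digest, which
    is why the second digest makes this cheap; stage 2 only runs on a hit."""
    salt, mixed, upper = parse_hash(blob)
    for cand in wordlist:
        if hashlib.sha1(cand.upper().encode("utf-16le") + salt).digest() != upper:
            continue
        for variant in case_variants(cand):
            if hashlib.sha1(variant.encode("utf-16le") + salt).digest() == mixed:
                return cand.upper(), variant
        return cand.upper(), None   # unreachable for a genuine pwdencrypt() value
    return None, None


if __name__ == "__main__":
    salt = b"\x0a\x0b\x0c\x0d"                      # constructed; real salts are random
    sample = "0x" + mssql2000_hash("Secret1", salt).hex()   # as sysxlogins would show it
    print(audit(sample, ["letmein", "password", "secret1"]))
```

The upper-case digest is the audit's real lever: it collapses every case
variant of a password into one guess, so a policy that relies on mixed case
for strength buys nothing against an attacker holding sysxlogins. Later SQL
Server releases dropped that second digest.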

3. Demarc PureSecure v1.6
by DEMARC Security
Relevant URL:
http://www.demarc.com/
Platforms: BSDI, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Perl (any system
supporting perl), UNIX, Windows 2000, Windows NT, Windows XP
Summary:

Instead of having one program perform file integrity checks, another
program monitoring the connectivity and health of your network, and yet
another monitoring your network for intrusion detection attempts, Demarc
PureSecure combines all these services into one powerful client/server
program. Not only can you monitor the status of the different machines in
your network, but you can also respond to changes in your network all from
one centralized location.

Security is already a full time job in any network, and the burden of
monitoring the reports from multiple programs across dozens of servers can
result in information overload. The human mind can only process so much
data at any given time before it simply becomes too much to analyze.
Demarc PureSecure centralizes the reporting and analysis for the entire
network which allows you to more easily weed out the important data from
the superfluous background noise, thereby targeting your efforts where
they really belong.

