SecurityFocus Microsoft Newsletter #105

From: Marc Fossi (marc_fossi@symantec.com)
Date: 09/23/02


To: focus-ms@securityfocus.com
From: "Marc Fossi" <marc_fossi@symantec.com>
Date: Mon, 23 Sep 2002 14:20:21 -0600


SecurityFocus Microsoft Newsletter #105
---------------------------------------

This Issue is Sponsored by: SPI Dynamics

ALERT! - Cross-site scripting vulnerabilities in web applications allow
hackers to compromise confidential information, manipulate or steal
cookies, and create requests that can be mistaken for those of a valid
user!! All via port 80 and 443! Download this *FREE* white paper from SPI
Dynamics for a complete guide to protection!

Please visit us at: http://www.spidynamics.com/mktg/xss1/

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Detecting and Removing Trojans and Malicious Code from Win2K
     2. Who Goes There? An Introduction to On-Access Virus Scanning...
     3. Privacy Losses Around the World
     4. A Cybersecurity Sleeping Pill
     5. Hackback or the High Road? The question goes beyond Nimda
     6. SecurityFocus DPP Program
     7. IIR's 3G Fraud & Security Forum
II. MICROSOFT VULNERABILITY SUMMARY
     1. Trend Micro InterScan VirusWall Content-Encoding Bypass...
     2. PlanetWeb Long GET Request Buffer Overflow Vulnerability
     3. Microsoft Windows Encrypted RDP Packet Information Leakage...
     4. Microsoft Windows RDP Keystroke Injection Vulnerability
     5. Microsoft Windows XP Professional Remote Desktop Denial Of...
     6. Microsoft Netmeeting Local Session Hijacking Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Remote data services in IIS 5 (Thread)
     2. XP Hardening (Thread)
     3. win xp sp1 changes ICF settings/rules and/or default behavior...
     4. Hosting multiple sites/ASP.NET security (Thread)
     5. AW: XP Hardening (Thread)
     6. AW: Hosting multiple sites/ASP.NET security (Thread)
     7. Database security (Thread)
     8. Restricting access to a CD-WR drive on a Win2K Server (Thread)
     9. 3 Strikes Your Out Password Policy (Thread)
     10. win xp sp1 changes ICF settings/rules and/or default behavior...
     11. Internet Explorer using LoopBack (Thread)
     12. Authentication problems using VPN on MS ISA (Thread)
     13. Does W2K hold user's email, EFS etc private key securely ?...
     14. RRAS with PPTP connections security (Thread)
     15. SecurityFocus Microsoft Newsletter #104 (Thread)
     16. AW: Database security (Thread)
     17. Remote Shutdown (Thread)
     18. AW: Suspicious URLScan.log (Thread)
IV. MICROSOFT PRODUCTS
     1. Spybuddy Spy Software
     2. Outpost Personal Firewall
     3. Enterprise Directory Reporter (EDR)
V. MICROSOFT TOOLS
     1. Server Scan 2002
     2. NTFS Reader for DOS v1.0
     3. File::Scan v0.32
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Detecting and Removing Trojans and Malicious Code from Win2K
By H. Carvey

The amount of malicious code directed at Windows systems seems to be
increasing on a continual curve. The purpose of this article is to
recommend steps that an administrator can use to determine whether or not
a Win2K system has been infected with malicious code, or "malware", and,
if so, to remove it.

http://online.securityfocus.com/infocus/1627

2. Who Goes There? An Introduction to On-Access Virus Scanning, Part Two
by Bill Hayes

By now, most savvy computer users have anti-virus software (AV) installed
on their machines and use it as part of their regular computing routine.
However, most average users do not know how anti-virus software works.
This article is the second in a two-part series that will offer a brief
overview of a particular type of anti-virus technique known as on-access
scanning.

http://online.securityfocus.com/infocus/1626

3. Privacy Losses Around the World
By David Banisar

It has now been one year since the horrific events of September 11th,
2001. It is often said that "everything has changed." That includes
privacy, and the changes are not limited to the United States.

http://online.securityfocus.com/columnists/108

4. A Cybersecurity Sleeping Pill
By George Smith

From a White House given to dramatic warnings of electronic Pearl Harbors
comes an incongruously meek national strategy. Did industry lobbyists slip
someone a Mickey?

http://online.securityfocus.com/columnists/110

5. Hackback or the High Road? The question goes beyond Nimda

A SecurityFocus Guest Feature by Markus DeShon, PhD

http://online.securityfocus.com/guest/16531

6. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

7. IIR's 3G Fraud & Security Forum (21-23 October, London)

A specialized conference designed specifically for Fraud and Security
Managers in the 3G and mobile commerce space. This year's agenda focuses
on technical strategies for detecting and minimizing the fraud risks in 3G
services: what will be the key vulnerabilities in 3G and how can you
manage the increased risks of content partner fraud, transaction-based
roaming and m-commerce fraud? We will also be devoting a whole day to 3G
network security - penetration testing, third party access risks, IDS,
with even a live hack demonstration of Internet fraud.

Key speakers include Radicchio, Orange, Optimus, Vodafone, Visa, BTexact,
CFCA, with a keynote from security guru Charles Brookson, Chair of the GSM
Association Security Group.

For more details please visit http://www.iir-conferences.com/3GFraud

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Trend Micro InterScan VirusWall Content-Encoding Bypass Vulnerability
BugTraq ID: 5701
Remote: Yes
Date Published: Sep 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5701
Summary:

Trend Micro InterScan VirusWall is an internet gateway virus scanning
package. It is capable of scanning incoming content over HTTP, SMTP and
FTP for viruses and other malicious code.

A vulnerability has been discovered in some Microsoft Windows versions of
VirusWall that allows specially encoded data to bypass scanning
procedures.

The HTTP 1.0 protocol specifies a method of data encoding called 'Chunked
Content-Encoding', designed to facilitate fragmentation of HTTP requests in
transit. It has been reported that InterScan VirusWall does not support
'gzip content-encoding', allowing malicious files transferred using
this method to bypass scanning procedures.

It should be noted that although the gzip compression format is not a
standard, its frequent use makes it important for applications to
support it.

2. PlanetWeb Long GET Request Buffer Overflow Vulnerability
BugTraq ID: 5710
Remote: Yes
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5710
Summary:

PlanetWeb is a commercially available web server distributed by PlanetDNS.
It is available for the Microsoft Windows platform.

PlanetWeb is vulnerable to a buffer overflow condition when handling GET
requests of excessive length. Upon receiving a GET request containing a
1024 byte or greater URL, an exploitable buffer overflow occurs.

By sending a maliciously crafted GET request, it is possible for an
attacker to corrupt memory, and potentially execute arbitrary
instructions. This may result in the remote execution of arbitrary code
within the context of the web server process.

3. Microsoft Windows Encrypted RDP Packet Information Leakage Vulnerability
BugTraq ID: 5711
Remote: Yes
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5711
Summary:

Microsoft Windows Remote Desktop Protocol (RDP) allows for remote display
and input over network connections.

Microsoft Windows Terminal Services encrypted RDP is prone to a weakness
which has the potential to leak information to attackers with the ability
to intercept network traffic.

It is possible to enable encryption for RDP. RDP packets are encrypted
using the RC4 algorithm. An 8 byte HMAC checksum of the packet plaintext
is prepended to each packet. While the key for the RC4 encryption changes
every 4096 packets, the HMAC key remains static for the entire session.
The checksum is derived from packet length, contents and the HMAC key and
is 8 bytes in length. As a result, packets with identical contents will
have the same checksum. If the same packet is sent repeatedly, this has
the potential to leak potentially useful information to attackers who can
intercept the traffic. An attacker may be able to deduce certain things
about the nature of the traffic, such as when certain events occur during
the session.

Any plug-ins which use Microsoft's Terminal Services Virtual Channels are
also affected by this vulnerability.
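The weakness described above, as an added illustration that is not part of the advisory or of Microsoft's implementation: a constructed RDP-like session in which the 8-byte tag is computed over packet length and contents under a key that stays fixed for the session, so a passive observer sees the tag repeat whenever an input event repeats, even though the RC4 ciphertext does not. Beside it is a variant that binds a per-packet sequence number into the MAC. The hash (HMAC-SHA1 truncated to 8 bytes), the key values and the event strings are assumptions.

```python
import hashlib
import hmac
import struct
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns the first n keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def weak_tag(mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """As the advisory describes: length + contents under a session-static key.
    seq is ignored, so equal packets get equal tags (HMAC-SHA1/8 is assumed)."""
    msg = struct.pack("<H", len(plaintext)) + plaintext
    return hmac.new(mac_key, msg, hashlib.sha1).digest()[:8]

def fixed_tag(mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Hardened variant: a per-packet sequence number is bound into the MAC."""
    msg = struct.pack("<IH", seq, len(plaintext)) + plaintext
    return hmac.new(mac_key, msg, hashlib.sha1).digest()[:8]

def encrypt_session(packets, tag_fn, mac_key=b"constructed-mac-key",
                    enc_key=b"constructed-rc4-key"):
    """Wire packet = 8-byte tag || RC4 ciphertext. The keystream runs on across
    packets, so repeated plaintext never repeats in the ciphertext itself."""
    ks = rc4_keystream(enc_key, sum(len(p) for p in packets))
    wire, pos = [], 0
    for seq, p in enumerate(packets):
        ct = bytes(a ^ b for a, b in zip(p, ks[pos:pos + len(p)]))
        pos += len(p)
        wire.append(tag_fn(mac_key, seq, p) + ct)
    return wire

def repeated_tags(wire):
    """Passive observer's view: tag values seen more than once in the capture."""
    counts = Counter(pkt[:8] for pkt in wire)
    return {tag: n for tag, n in counts.items() if n > 1}

# Constructed input events; "KEY_DOWN:A" recurs within one RC4 key period.
EVENTS = [b"KEY_DOWN:A", b"KEY_DOWN:B", b"KEY_DOWN:A", b"KEY_UP:A"]

def demo():
    weak, fixed = encrypt_session(EVENTS, weak_tag), encrypt_session(EVENTS, fixed_tag)
    return {"ciphertexts_differ": weak[0][8:] != weak[2][8:],
            "weak_repeats": len(repeated_tags(weak)),    # 1: the repeated key event
            "fixed_repeats": len(repeated_tags(fixed))}  # 0
```

Rekeying RC4 every 4096 packets does nothing for the tag, which is why a session-static MAC key over plaintext alone leaks equality of packets; binding a counter (or the timestamp older RDP versions used) into the MAC input removes the repetition.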

4. Microsoft Windows RDP Keystroke Injection Vulnerability
BugTraq ID: 5712
Remote: Yes
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5712
Summary:

Microsoft Windows Remote Desktop Protocol (RDP) allows for remote display
and input over network connections.

Microsoft Windows Remote Desktop Protocol (RDP) version 5.0 introduced a
feature which may potentially be abused by remote attackers with the
ability to intercept network traffic.

When common commands and input events are sent during an RDP session, a
checksum is added to each packet. In older versions of RDP, the checksum
is calculated using a unique timestamp, key code and key event type.
This ensured that the checksum for each of these packets was unique.

Version 5.0 of Microsoft Windows RDP introduced support for abbreviating
packets for common commands and input events. As a result, the method
used to calculate the checksum does not use a unique timestamp. This
makes it possible to deduce particular events (such as individual
keystrokes) based on the checksum.

Given the ability to observe network traffic and deduce which events are
occurring, it is possible for an attacker to inject maliciously crafted
packets into a session which may cause certain events to occur.

5. Microsoft Windows XP Professional Remote Desktop Denial Of Service
Vulnerability
BugTraq ID: 5713
Remote: Yes
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5713
Summary:

Microsoft Windows XP Professional includes a single-user Remote Desktop
Protocol (RDP) Server, which allows for remote display and input over
network connections.

The Microsoft Windows XP Professional Remote Desktop implementation is
prone to a denial of service.

It is possible for a malicious client to trigger this condition by sending
a maliciously crafted packet to the vulnerable host during the negotiation
of client/server graphics capabilities. Graphic capabilities are
negotiated with PDU Confirm Active packets.

Clients may specify drawing commands based on what is supported. If the
Pattern BLT command is specified in the PDU Confirm Active packet,
Microsoft Windows XP Professional will crash when it tries to render the
pattern. It is possible to custom craft a packet with the Pattern BLT
command toggled, and cause this condition to occur.

The server is exposed to this issue before authentication occurs, when the
login screen is being drawn.

Microsoft Windows XP Professional is only prone to this issue when the
Remote Desktop has been enabled. This issue also exists in Microsoft
Windows .NET Standard Server Beta 3.

6. Microsoft Netmeeting Local Session Hijacking Vulnerability
BugTraq ID: 5715
Remote: No
Date Published: Sep 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5715
Summary:

Microsoft Netmeeting is a real-time collaboration and conferencing client
for Microsoft Windows. Netmeeting contains a Remote Desktop Sharing (RDS)
component that allows a remote user to take control of the client desktop
similarly to remote administration utilities.

Netmeeting can be configured to use a password-protected screensaver if
the Remote Desktop Sharing session is interrupted in any way. While the
RDS session is active, the actions being performed by the remote user can
be observed on the display of the host system.

A local user can monitor the actions during the session and wait for the
user to modify a document of some sort. If the local user enters a
CTRL-ALT-DEL sequence, the remote user will lose control of the session
and the local user will be given the option to log off or shut down the
system. If the local user chooses to log off, the system will begin the
log off process, but while closing the modified document, the system will
ask the user if they want to save changes to the document. The system
will remain in this state until the user chooses to save or abandon the
changes. During this time, the local user has access to the local system
with the privileges of the locally logged on user.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Remote data services in IIS 5 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292637

2. XP Hardening (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292585

3. win xp sp1 changes ICF settings/rules and/or default behavior for
snmp packet processing on udp 162? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292591

4. Hosting multiple sites/ASP.NET security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292588

5. AW: XP Hardening (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292583

6. AW: Hosting multiple sites/ASP.NET security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292586

7. Database security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292535

8. Restricting access to a CD-WR drive on a Win2K Server (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292536

9. 3 Strikes Your Out Password Policy (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292540

10. win xp sp1 changes ICF settings/rules and/or default behavior for snmp
packet processing on udp 162? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292544

11. Internet Explorer using LoopBack (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292415

12. Authentication problems using VPN on MS ISA (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292380

13. Does W2K hold user's email, EFS etc private key securely ? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292390

14. RRAS with PPTP connections security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292325

15. SecurityFocus Microsoft Newsletter #104 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292228

16. AW: Database security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292372

17. Remote Shutdown (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/292061

18. AW: Suspicious URLScan.log (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/291708

IV. MICROSOFT PRODUCTS
-----------------------
1. Spybuddy Spy Software
by SpyPatrol Computer Monitoring
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.spy-patrol.com/spybuddy.htm
Summary:

Spybuddy software offers a powerful keylogging utility that converts and
formats keystrokes into several formats for easy viewing.

2. Outpost Personal Firewall
by Agnitum
Platforms: Windows 2000, Windows 3.x, Windows 95/98, Windows CE, Windows
NT, Windows XP
Relevant URL:
http://www.agnitum.com/products/outpost/
Summary:

The Outpost Personal Firewall system is the world's most advanced firewall
software for Windows. It combines power and advanced features with a
remarkably easy-to-use interface. With Outpost, you'll have security,
privacy, control and ease of use.

3. Enterprise Directory Reporter (EDR)
by Aelita Software
Platforms: Windows 2000, Windows NT
Relevant URL:
http://www.aelita.com/products/EDR.htm
Summary:

Enterprise Directory Reporter (EDR) offers a comprehensive directory
reporting and security assessment solution for large-scale Windows NT/2000
networks, Active Directory, and Microsoft Exchange. For Windows 2000
migration, EDR enables you to analyze your current domains and directories
for pre-migration planning and cleanup.

V. MICROSOFT TOOLS
-------------------
1. Server Scan 2002
by Security Storm http://www.securitystorm.com
Relevant URL:
http://www.securitystorm.net/products/tools/serverscan/index.asp
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

Server Scan is a simple tool for detecting web servers on a network.
Created originally to detect unauthorized web servers on a network, server
scan can serve many purposes from detecting unauthorized web servers to
checking what types of web servers are running on your network. Server
Scan is compatible with Windows 95, Windows 98, Windows Me, Windows NT 4,
Windows 2000, and Windows XP.

2. NTFS Reader for DOS v1.0
by Active@ Data Recovery Software
Relevant URL:
http://online.securityfocus.com/tools/2823
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

NTFS Reader for DOS is a freeware tool that provides read access to NTFS
partitions within the MS-DOS environment. You can preview files on NTFS
and copy files from NTFS to FAT volumes or network drives. It can be run
from a DOS bootable floppy.

3. File::Scan v0.32
by Henrique Dias hdias@aeiou.pt
Relevant URL:
http://www.cpan.org/authors/id/H/HD/HDIAS/
Platforms: N/A
Summary:

File::Scan allows users to write multi-platform virus scanners which can
detect Windows/DOS/Mac viruses. It includes a virus scanner and a
signature database.

VI. SPONSORSHIP INFORMATION
---------------------------
This Issue is Sponsored by: SPI Dynamics

ALERT! - Cross-site scripting vulnerabilities in web applications allow
hackers to compromise confidential information, manipulate or steal
cookies, and create requests that can be mistaken for those of a valid
user!! All via port 80 and 443! Download this *FREE* white paper from SPI
Dynamics for a complete guide to protection!

Please visit us at: http://www.spidynamics.com/mktg/xss1/

-------------------------------------------------------------------------------