SecurityFocus Microsoft Newsletter #112
---------------------------------------

From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>
Date: Mon, 11 Nov 2002 13:26:16 -0700 (MST)

I. FRONT AND CENTER
     1. Complete Snort-based IDS Architecture, Part One
     2. Polymorphic Macro Viruses, Part Two
     3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
     1. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
     2. Heysoft EventSave Event Log Notification Weakness
     3. Northern Solutions Xeneo Web Server Denial Of Service Vulnerability
     4. Jason Orcutt Prometheus Remote File Include Vulnerability
     5. ION Script Remote File Disclosure Vulnerability
     6. Iomega NAS A300U Plaintext NAS Administration Credentials Vulnerability
     7. Iomega NAS A300U CIFS/SMB Mounts Plaintext Authentication Vulnerability
     8. Microsoft SQL Server Login Weak Authentication Mechanism
     9. Pablo Software Solutions FTP Server Format String Vulnerability
     10. RhinoSoft Serv-U FTP Server Denial Of Service Vulnerability
     11. Pine From: Field Heap Corruption Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Win 2000 passsword Complexity Requirements (Thread)
     2. IIS 5 and client certificates (Thread)
     3. Any way to remove ADMIN$ only? (Thread)
     4. Certification for Win2k Web Servers (Thread)
     5. Win2k IPSec -Default behavior (Thread)
     6. Win2K IPSec -Default behavior - XP has same problem (Thread)
     7. was - RE: Access to well-known ports on Win2K -now [IPSec -Default behavior] (Thread)
     8. Win2k IPSec -Default behavior (Thread)
     9. Access to well-known ports on Win2K (Thread)
     10. Active Directory network security (Thread)
     11. EFS in WinXP - how good is it? (Thread)
     12. SecurityFocus Microsoft Newsletter #111 (Thread)
     13. [RE: Access to well-known ports on Win2K] (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. iPassConnect Service
     2. BlackBerry (RIM)
     3. ServerCluster
     4. NetPilot Plus
     5. AccessMaster NetWall
     6. CipherPack Pro
     7. Preventon Web Protect (Beta)
     8. Preventon Desktop Security
     9. Preventon Personal Firewall Pro 1.1
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. MAILMILL
     2. Annoyance Filter
     3. Tnefclean
     4. IP Blocker
     5. MailStripper
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Complete Snort-based IDS Architecture, Part One

Many companies find it hard to justify acquiring IDS systems because of
their perceived high cost of ownership. However, not all IDS systems are
prohibitively expensive. This two-part article provides a set of
detailed directions for building an affordable intrusion detection
architecture from commodity hardware and freely available software.

http://online.securityfocus.com/infocus/1640

2. Polymorphic Macro Viruses, Part Two

This article is the second of a two-part series that will offer a brief
overview of polymorphic strategies in macro viruses. This installment will
look at the first serious polymorphic macro viruses, as well as the
evolution of viruses into true polymorphic and, ultimately, metamorphic
viruses.

http://online.securityfocus.com/infocus/1638

3. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14
Vendor Expo March 10 & 11

Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all! Go to:
http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------

1. PHP-Nuke 5.6 Modules.PHP SQL Injection Vulnerability
BugTraq ID: 6088
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6088
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Microsoft Windows and Linux.

A SQL injection vulnerability has been reported for PHP-Nuke 5.6.

The vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'modules.php' script. It is possible to
modify the logic of SQL queries through malformed query strings in
requests for the vulnerable script.

By injecting SQL code into variables, it may be possible for an attacker
to corrupt database information.

This issue was reported in PHPNuke version 5.6. Other versions may also be
affected.

2. Heysoft EventSave Event Log Notification Weakness
BugTraq ID: 6095
Remote: No
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6095
Summary:

EventSave is a utility that allows administrators to easily back up
Microsoft Windows NT event logs.

EventSave creates files based on the month for which the event took place.
If EventSave is executed more than once a month, it will append any new
data to the backup log file for the current month.

EventSave may not properly back up event logs if the Microsoft Windows
Event Viewer is used to view the event log for the current month. This
weakness occurs because when the Windows Event Viewer opens an event log,
it does not permit other applications to write to the opened file. Thus
EventSave is not able to update the backup event log and events may not be
adequately backed up.

EventSave 5.3 is not vulnerable to this issue.

3. Northern Solutions Xeneo Web Server Denial Of Service Vulnerability
BugTraq ID: 6098
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6098
Summary:

Northern Solutions Xeneo is a web server designed for use with the
Microsoft Windows operating system.

A denial of service vulnerability has been reported for Xeneo web server.
The vulnerability occurs when Xeneo attempts to process malformed HTTP
requests.

An attacker can exploit this vulnerability by issuing an HTTP request that
begins with a '%' character. When the web server processes this request,
it will crash, leading to the denial of service condition.

4. Jason Orcutt Prometheus Remote File Include Vulnerability
BugTraq ID: 6087
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6087
Summary:

Jason Orcutt Prometheus is a collection of tools to facilitate the design
and implementation of active content Web sites. It is implemented in PHP
and is available for Unix and Linux variants as well as Microsoft Windows
operating systems.

Prometheus is prone to an issue which may allow remote attackers to
include arbitrary files located on remote servers. This issue is present
in the following PHP script files provided with Prometheus:
index.php
install.php
test_*.php

An attacker may exploit this by supplying a path to a maliciously created
'autoload.lib' file, located on an attacker-controlled host as a value for
the 'PROMETHEUS_LIBRARY_BASE' parameter.

If the remote file is a PHP script, this may allow for execution of
attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.

5. ION Script Remote File Disclosure Vulnerability
BugTraq ID: 6091
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6091
Summary:

ION Script is a language that is used to create IDL-driven Web documents.
It is available for the Microsoft Windows and Unix operating systems.

A vulnerability has been discovered in the 'ion-p' script included with
ION Script.

It is possible to disclose known sensitive resources by entering malicious
values into the 'page' variable, used by 'ion-p'.

By sending a maliciously constructed HTTP request to a vulnerable
webserver, it is possible for a remote attacker to disclose arbitrary
webserver readable files. As webservers are often run with high
privileges, it may be possible to disclose sensitive system files.

Exploiting this issue may allow an attacker to gain information required to
launch further attacks against the target system.

ION Script for UNIX has also been confirmed vulnerable to this issue.

It is not yet known exactly which ION Script versions are vulnerable to
this issue.

6. Iomega NAS A300U Plaintext NAS Administration Credentials Vulnerability
BugTraq ID: 6092
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6092
Summary:

Iomega NAS A300U (Network Attached Storage) is a network storage device
that supports Unix variants and Microsoft Windows operating systems.

Iomega NAS A300U devices provide a web interface for remote
administration.

Iomega NAS A300U is reported to send NAS administrative interface
authentication credentials in plaintext across the network. The
credentials may be disclosed to attackers with the ability to intercept
network traffic, which may enable them to gain unauthorized access to the
NAS administrative interface.

It has also been reported that the documentation for the device claims
that authentication credentials will be sent encrypted. Users of the
device may be led to believe that credentials are sent encrypted, creating
a false sense of security.

This issue was reported for Iomega NAS A300U on Unix platforms. Other
platforms and Iomega devices may also be affected.

7. Iomega NAS A300U CIFS/SMB Mounts Plaintext Authentication Vulnerability
BugTraq ID: 6093
Remote: Yes
Date Published: Nov 01 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6093
Summary:

Iomega NAS A300U (Network Attached Storage) is a network storage device
that supports Unix variants and Microsoft Windows operating systems.

Iomega NAS A300U devices provide support for drive mounts using CIFS/SMB.

Iomega NAS A300U devices are reported to use LANMAN authentication for
access to CIFS/SMB mounts.

LANMAN authentication credentials are sent across the network in plaintext
and may be intercepted by attackers with the ability to sniff network
traffic. It has also been reported that this may allow session hijacking
attacks to occur. Exploitation of this issue will allow attackers to gain
unauthorized access to CIFS/SMB mounts.

This issue was reported for Iomega NAS A300U on Unix platforms. Other
platforms and Iomega devices may also be affected.

8. Microsoft SQL Server Login Weak Authentication Mechanism
BugTraq ID: 6097
Remote: Yes
Date Published: Nov 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6097
Summary:

Microsoft SQL Server Logins employ a weak method of password obfuscation.

One method of authentication against a SQL Server is to use Windows
Authentication and the other is to use SQL Server Logins. Reportedly,
passwords used for SQL Server Logins are sent across the network using a
weak password obfuscation algorithm.

An attacker can exploit this weakness to sniff network traffic to obtain
SQL Server user and related password authentication credentials.

The weakness is due to the weak obfuscation algorithm which simply
converts information to UNICODE format. Then, the four MSBs (most
significant bits) are swapped with the four LSBs (least significant bits)
of every byte and XOR-ed with a fixed value of 0xA5. This will result in a
predictable sequence of network traffic that can be easily deciphered by
an attacker.

This weakness may give users a false sense of security and should not be
used as the primary means of authentication in critical and sensitive
systems.
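As an added illustration (not part of the BugTraq report or of any Microsoft code), the obfuscation described above written out in Python, both forward and in reverse; it assumes that "UNICODE format" means UTF-16LE, and the sample password is a constructed value. It also shows why the result is a predictable byte pattern rather than anything resembling encryption.

```python
# Added example, not from the BugTraq report: the SQL Server Login password
# "obfuscation" described above. Assumption: "UNICODE format" means UTF-16LE.
#
# Each step (encode, nibble swap, XOR with 0xA5) is a keyless, invertible
# transform, so the scheme hides nothing from anyone who holds the bytes.

XOR_KEY = 0xA5


def swap_nibbles(b: int) -> int:
    """Exchange the four most and four least significant bits of a byte."""
    return ((b & 0x0F) << 4) | (b >> 4)


def obfuscate(password: str) -> bytes:
    """Apply the scheme: UTF-16LE, swap nibbles, XOR 0xA5 on every byte."""
    return bytes(swap_nibbles(b) ^ XOR_KEY for b in password.encode("utf-16-le"))


def deobfuscate(blob: bytes) -> str:
    """Undo the scheme in reverse order; no key or secret is required."""
    return bytes(swap_nibbles(b ^ XOR_KEY) for b in blob).decode("utf-16-le")


def looks_like_obfuscated_ascii(blob: bytes) -> bool:
    """Every ASCII character becomes <char> 0x00 in UTF-16LE, and 0x00 always
    maps to 0xA5. A field whose every odd byte is 0xA5 is therefore the
    'predictable sequence' the summary refers to, which is also what makes
    such a field easy to recognise in a capture."""
    return len(blob) > 0 and len(blob) % 2 == 0 and all(
        blob[i] == XOR_KEY for i in range(1, len(blob), 2))


if __name__ == "__main__":
    sample = "P@ssw0rd"  # constructed sample value, not from the report
    wire = obfuscate(sample)
    print(wire.hex())
    print(deobfuscate(wire))  # -> P@ssw0rd
    print(looks_like_obfuscated_ascii(wire))  # -> True
```

Because the transform is keyless and length-preserving, the same SQL Server Login password always produces the same bytes on the wire, which is why the summary recommends Windows Authentication for sensitive systems.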

9. Pablo Software Solutions FTP Server Format String Vulnerability
BugTraq ID: 6099
Remote: Yes
Date Published: Nov 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6099
Summary:

Pablo Software Solutions FTP Server is freely available software for
Microsoft Windows operating systems.

A format string vulnerability has been reported in Pablo Software
Solutions FTP Server. The vulnerability occurs due to inadequate checking
of user-supplied input for the login credentials.

An attacker can exploit this vulnerability by logging into the FTP server
with a username that includes malicious format specifiers. This may result
in memory being overwritten by remote attackers, possibly leading to
execution of arbitrary code. Any attacker-supplied code will be executed
with the privileges of the FTP server.

This vulnerability was reported for FTP server versions earlier than 1.51.

10. RhinoSoft Serv-U FTP Server Denial Of Service Vulnerability
BugTraq ID: 6112
Remote: Yes
Date Published: Nov 06 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6112
Summary:

RhinoSoft Serv-U FTP Server is designed for use with Microsoft Windows
operating systems.

A denial of service vulnerability has been reported for Serv-U FTP server.
The vulnerability is a result of Serv-U FTP Server processing certain
commands. When the Serv-U server receives a MKD command it attempts to
verify whether the user that issued the command has sufficient rights.
When performing this verification, it will not accept any more
connections.

An attacker is able to exploit this vulnerability by connecting to the
vulnerable server and issuing many MKD commands. As the server will not
accept any connections when validating the user's permissions, potential
clients will not be able to connect. This will result in a denial of
service to legitimate clients.

This vulnerability was reported for Serv-U FTP Server 4.0.0.4 and earlier.

11. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:

Pine is an open source mail user agent distributed by the University of
Washington. It is freely available for Unix, Linux, and Microsoft
operating systems.

It is possible to cause a denial of service in Pine by sending an email
message with a specially crafted "From:" address. According to the
report, the crash can be reproduced by setting the "From:" address to a
value such as:

"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.tld

A stack trace suggests that this behaviour may be due to corruption of
data in the heap. If that is the case, execution of arbitrary code may be
possible.

Note that the user does not have to view the message in order for the
denial of service to take place; the message simply has to be present in
the user's Inbox. While a message with this address is present in the
Pine Inbox, it is not possible to start Pine again. The message
containing this address must be removed manually from the spool or by
using another MUA.

It is important to note that this specially crafted "From:" address is RFC
legal.

This issue will reportedly be fixed in Pine 4.50.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------

1. Win 2000 passsword Complexity Requirements (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298907

2. IIS 5 and client certificates (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298899

3. Any way to remove ADMIN$ only? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299058

4. Certification for Win2k Web Servers (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298895

5. Win2k IPSec -Default behavior (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298825

6. Win2K IPSec -Default behavior - XP has same problem (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298758

7. was - RE: Access to well-known ports on Win2K -now [IPSec -Default behavior]
Relevant URL:

http://online.securityfocus.com/archive/88/298756

8. Win2k IPSec -Default behavior (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298755

9. Access to well-known ports on Win2K (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299059

10. Active Directory network security (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/299078

11. EFS in WinXP - how good is it? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298537

12. SecurityFocus Microsoft Newsletter #111 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298514

13. [RE: Access to well-known ports on Win2K] (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/298500

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------

1. iPassConnect Service
by iPass Inc.
Platforms: MacOS, PalmOS, Windows 2000, Windows 95/98, Windows NT, Windows XP

Connect to the Internet anywhere in the world quickly and securely with
the award-winning iPassConnect client software. With support for multiple
platforms including Windows, Mac OS, Palm OS and Windows CE/Pocket PC,
iPassConnect ensures that the Internet is always accessible for the
mobile, connected professional. iPassConnect gives users access to the
iPass global network of 14,000+ access points in 150 countries via
dial-up, ISDN, PHS and high speed broadband connections.

2. BlackBerry (RIM)
by Research In Motion
Platforms: N/A

BlackBerry™ is an end-to-end wireless email solution that provides quick,
easy access to your email, contacts, calendar and task list wherever you
go. With BlackBerry, mobile professionals get effortless access to email
while on the road and IT departments get centralized administration in a
secure solution.

3. ServerCluster
by Stonesoft
Platforms: Linux, Solaris

ServerCluster is a High Availability software solution that:
 • clusters up to 32 servers and applications such as databases, web, mail
   etc.
 • provides continuous 24x7 monitoring with comprehensive fault detection
   and automated failover to secondary nodes in the cluster, and therefore
   service continuity in the event of a failure, without the need for
   immediate on-site manual intervention.

4. NetPilot Plus
by Equiinet
Platforms: N/A

NetPilot Plus is an enhanced version of the market-leading NetPilot. This
product enables organisations to easily and securely deploy secure
Internet based IPSec-based VPNs, Internet access and email facilities,
while integrating key communications, networking and server elements into
a single secure appliance.

5. AccessMaster NetWall
by Evidian Inc.
Platforms: IRIX, Solaris, Windows 2000, Windows 95/98, Windows NT

Intranets and extranets are now key resources for growing your business.
The ultimate Internet security and firewall software, AccessMaster NetWall
is the first truly manageable solution for opening your networks to the
world while protecting them against threat by:
 • Enforcing network protection from internal and external threats
 • Allowing easy deployment of e-business
 • Reducing internet security management costs

6. CipherPack Pro
by PentaSafe
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

CipherPack Pro quickly and simply compresses and encrypts files or folders
producing a stand-alone Windows executable file. This file contains the
decompression and decryption code as well as the encrypted file contents.
All that is required is for the correct key to be entered for the data to
be recreated. Without the correct key, there is no way that the original
contents can ever be viewed.

7. Preventon Web Protect (Beta)
by Preventon
Platforms: Windows 2000, Windows 95/98, Windows XP

Preventon™ Web Protect is an advanced defence system for protecting your
website against attack! This exceptional security software provides
control over the communications between the Internet and your web server
by filtering out malicious attacks that it recognises, including: worm
attacks, buffer overflows attacks, unauthorised page uploads, and many
others!

8. Preventon Desktop Security
by Preventon
Platforms: Windows 2000, Windows 95/98, Windows XP

Preventon™ Veto gives you back control of your PC! With its user-friendly
interface you can control exactly what Windows® programs may be run on
your computer - and more importantly - those that can't! Preventon Veto
can be used to prevent unauthorised software by providing a complete
'lockdown' of your machine, and can even help fight against Trojans and
viruses.

9. Preventon Personal Firewall Pro 1.1
by Preventon
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP

Preventon Personal Firewall Pro beats back Internet hacking attacks trying
to get into your computer and even has enhanced protection against
advanced Trojan attack programs. Preventon uses a patent pending intuitive
interface that enables you to take the guesswork out of configuring your
personal firewall in order to maximise the security.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------

1. MAILMILL v0.1
by less random
Relevant URL: http://www.metamagix.net/mailmill.html
Platforms: UNIX

MAILMILL is a lightweight mail-receiving component built in Java. It
listens on the SMTP port for incoming messages, and once they arrive it
looks in its XML-based ruleset for corresponding filters to apply. It is
intended for Java developers who need mailserver functionality and want to
build their own Java classes for processing incoming mail. Standard
filters include forwarding, SMS, SMTP/HTTP conversion (e.g., send a google
request by mail) and more.

2. Annoyance Filter v1.0-RC1
by John Walker (kelvin@fourmilab.ch)
Relevant URL: http://www.fourmilab.ch/annoyance-filter/
Platforms: OS Independent

Annoyance Filter sifts mail you wish to read from junk arriving in your
mailbox by an adaptive process which gives priority to mail you're
interested in reading, and evolves to block cleverly disguised junk mail.

3. Tnefclean v1.0
by The Midnite Marauder
Relevant URL: http://www.dread.net/~striker/tnefclean/
Platforms: UNIX

tnefclean is a Perl script to convert attachments from Microsoft Outlook
to a readable format. Previously, people would have to find a way to
decipher the winmail.dat attachments that came from Outlook users. This
tool will either remove the attachment if there is nothing in it, or
change it to represent the proper attachment if it actually exists.

4. IP Blocker v1.0.20021107
by Rob Patrick (freshmeat.net@NOSPAMrpatrick.com)
Relevant URL: http://www.ipblocker.org/
Platforms: UNIX

IP Blocker is an incident response tool for network admins that
automatically updates access control lists (ACL) on Cisco routers and
other devices. Web and CLI are both supported. Logging, email
notification, and automatic expiration of blocks using policy-based TTL
values are all supported.

5. MailStripper v0.62
by Michael McConnell
Relevant URL: http://www.eridani.co.uk/MailStripper/
Platforms: Linux, OS Independent, POSIX

MailStripper is a mail scanner that aims to remove spam and viruses from
incoming mail. AV capability is provided by a hook to an external virus
scanner. Written from the ground up in Tcl, it aims to be MTA-independent,
by working on the SMTP transaction.

VI. SPONSOR INFORMATION
-----------------------

This issue sponsored by: SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml