SecurityFocus Microsoft Newsletter #115
From: Marc Fossi (mfossi@securityfocus.com)
Date: 12/02/02
Date: Mon, 2 Dec 2002 13:41:50 -0700 (MST) From: Marc Fossi <mfossi@securityfocus.com> To: Focus-MS <focus-ms@securityfocus.com>
SecurityFocus Microsoft Newsletter #115
---------------------------------------
This issue is sponsored by: St. Bernard Software
Double Security In One Investment
Reinforce your network security policy with the Retina®/UpdateEXPERT(tm)
bundle from eEye and St. Bernard Software. Award-winning Retina scans
networks for early detection of vulnerabilities, while UpdateEXPERT
provides critical patch management assistance. Reliably identify and
remediate your network with this security combo.
Free trial: http://www.eeye.com/ctrack.asp?ref=STBJOINT1
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Secure Programming with .NET
2. When Washington Mimics Sci Fi
3. SecurityFocus DPP Program
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. SSH Communications SSH Server Privilege Escalation Vulnerability
2. acFTP Invalid Password Weak Authentication Vulnerability
3. acFreeProxy Cross Site Scripting Vulnerability
4. Working Resources BadBlue Information Disclosure Vulnerability
5. PHP-Nuke Multiple Cross Site Scripting Vulnerabilities
6. NetScreen Malicious URL Filter Bypassing Vulnerability
7. VBulletin members2.php Cross Site Scripting Vulnerability
8. NetScreen H.323 Control Session Denial Of Service Vulnerability
9. Working Resources BadBlue Search Page Cross Site Scripting...
10. Netscape/Mozilla POP3 Mail Handler Integer Overflow Vulnerability
11. AOL Instant Messenger Forced File Download Vulnerability
12. phpBB Script Injection Vulnerability
13. Bugzilla quips Feature Cross Site Scripting Vulnerability
14. Sybase Adaptive Server DBCC CHECKVERIFY Buffer Overflow...
15. YaBB YaBB.pl Cross Site Scripting Vulnerability
16. NetScreen ScreenOS Predictable Initial TCP Sequence Number...
17. SSH Communications Secure Shell Windows Client URL Catcher...
18. Moby NetSuite POST Handler Buffer Overflow Vulnerability
19. Netscape Java canConvert() Buffer Overflow Vulnerability
20. PortailPHP SQL Injection Vulnerability
21. Sybase Adaptive Server xp_freedll Buffer Overrun Vulnerability
22. pWins Web Server Directory Traversal Vulnerability
23. Sybase Adaptive Server DROP DATABASE Buffer Overflow...
24. Microsoft Windows XP Fast User Switching Process Viewing Weakness
III. MICROSOFT FOCUS LIST SUMMARY
1. Secure / Encrypt Terminal Services (Thread)
2. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
3. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
4. Odd entries in Win XP Pro Certificate MMC snap-in (Thread)
5. Embedded NT/XP security (Thread)
6. IIS Log exactly 65.536 bytes ??? (Thread)
7. Exchange in the DMZ (Thread)
8. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
9. SecurityFocus Microsoft Newsletter #114 (Thread)
10. ASP, BizTalk server SQL DB and Firewall architecture. (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. ScanDo Vulnerability Assessment Scanner
2. ArcSight Enterprise Security Management Software
3. WebMarshal
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. GPG-Ezmlm encrypted mailing list v0.3
2. Sysload server monitor v4.5
3. ABC CHAOS v2.1
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Secure Programming with .NET
by Rohyt Belani and David Wong
At the core of Microsoft's .NET initiative is the goal of interconnecting
businesses, users, applications, and data. However, with all the concerns
regarding security and privacy of data, many individuals and companies are
reluctant to connect their business systems and place their data in reach
of hackers thousands of miles away. Microsoft understands the challenges
and concerns facing early adopters of their technology, and has made
security one of their top priorities. The fundamental pillar for building
applications is the security surrounding the .NET framework and the
security services it provides. In this article, we will provide an
overview of .NET framework security features and provide practical tips on
how to write secure code in the .NET framework. More importantly, we will
discuss which pitfalls to avoid.
http://online.securityfocus.com/infocus/1645
2. When Washington Mimics Sci Fi
By George Smith
John Poindexter's evil design for an all-seeing God Machine seems torn
from the pages of visionary science fiction, where such schemes rarely end
well.
http://online.securityfocus.com/columnists/126
3. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. MICROSOFT VULNERABILITY SUMMARY
----------------------------------
1. SSH Communications SSH Server Privilege Escalation Vulnerability
BugTraq ID: 6247
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6247
Summary:
Secure Shell is the commercial SSH implementation distributed and
maintained by SSH Communications. It is available for the Unix, Linux, and
Microsoft Windows platforms.
SSH Communications has reported a vulnerability in the SSH Secure Shell
server that could result in local privilege escalation.
setsid() places a forked child in a new session and process group. The SSH
server reportedly fails to call setsid() for non-interactive sessions, so
the user's processes remain in the server's own process group and the
login name associated with that session stays 'root'.
Programs that check privileges against the login name rather than the real
or effective user ID (for example, those that rely on the BSD getlogin()
function) may therefore allow such a user to perform actions reserved for
root.
Exploiting this issue has varied results depending on the operating
system.
For this issue to be exploitable an attacker must have a local account on
the target system.
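To make the mechanism concrete, here is a small added example written for this summary (it is not code from the SSH Communications server, and the function names are invented). The first function forks a child the way a server does for a non-interactive session, with or without setsid(), and reports whether the child landed in its own session; the two checks after it contrast an authorisation decision made on the session's login name with one made on the effective UID.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fork a child the way a server does for a non-interactive session.
 * With call_setsid != 0 the child detaches into a fresh session and
 * process group (the expected behaviour); with 0 it stays in the
 * parent's session (the reported defect).  Returns 1 if the child's
 * session differs from the parent's, 0 if it inherited the parent's
 * session, -1 on error. */
int child_gets_new_session(int call_setsid)
{
    int fds[2];
    pid_t pid, child_sid = -1;
    int status;

    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* child */
        pid_t sid;
        close(fds[0]);
        if (call_setsid && setsid() == (pid_t)-1)
            _exit(2);
        sid = getsid(0);
        if (write(fds[1], &sid, sizeof sid) != (ssize_t)sizeof sid)
            _exit(3);
        _exit(0);
    }
    close(fds[1]);                          /* parent */
    if (read(fds[0], &child_sid, sizeof child_sid) != (ssize_t)sizeof child_sid)
        child_sid = -1;
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (child_sid == -1)
        return -1;
    return child_sid != getsid(0);
}

/* Fragile: trusts the login name attached to the session, which is
 * exactly what stays "root" when the server skips setsid().
 * getlogin() returns NULL when there is no controlling terminal or
 * utmp entry, so callers must be ready for that as well. */
int is_root_by_login_name(void)
{
    const char *name = getlogin();
    return name != NULL && strcmp(name, "root") == 0;
}

/* Robust: asks the kernel which identity the process really carries. */
int is_root_by_uid(void)
{
    return geteuid() == 0;
}

int main(void)
{
    printf("without setsid(): new session? %d\n", child_gets_new_session(0));
    printf("with    setsid(): new session? %d\n", child_gets_new_session(1));
    printf("root by login name: %d, root by uid: %d\n",
           is_root_by_login_name(), is_root_by_uid());
    return 0;
}
```

Run as an ordinary user, the first call reports 0 (the child inherited the parent's session, the state the advisory describes) and the second reports 1. is_root_by_login_name() is the pattern to avoid: getlogin() answers from the session's utmp record, not from the credentials the kernel actually enforces.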
2. acFTP Invalid Password Weak Authentication Vulnerability
BugTraq ID: 6235
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6235
Summary:
acFTP is a freely available FTP server designed for use with Microsoft
Windows operating systems.
A vulnerability has been reported for acFTP. Reportedly, acFTP allows
users to authenticate with an invalid password.
An attacker can exploit this vulnerability and log on to the vulnerable
FTP server using any string as a password. When an invalid password is
entered, acFTP will reportedly reject the password but will treat the
attacker as a valid user.
This vulnerability has been reported for acFTP 1.4. It is not known
whether other versions are affected.
3. acFreeProxy Cross Site Scripting Vulnerability
BugTraq ID: 6236
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6236
Summary:
acFreeProxy is a freely available proxy server designed for use with
Microsoft Windows operating systems.
It has been reported that acFreeProxy is prone to cross site scripting
attacks. Specifically, acFreeProxy does not sanitize user-supplied input
before echoing it into the error pages it generates.
Because the proxy serves its error page on behalf of whatever host was
requested, a remote attacker can craft a link containing script code that
will execute in the browser of a legitimate user in the context of the
requested domain, whichever domain that is.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the vulnerable software. Cookie-based
authentication credentials may be used by the attacker to hijack the
session of the legitimate user.
4. Working Resources BadBlue Information Disclosure Vulnerability
BugTraq ID: 6243
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6243
Summary:
BadBlue is a P2P file sharing application distributed by Working
Resources. It is available for Microsoft Windows operating systems.
A problem with BadBlue could make it possible for a remote user to
disclose sensitive server information.
An information disclosure bug has been discovered in a PHP script shipped
by default with BadBlue. The 'soinfo.php' script calls the 'phpinfo()'
function. By requesting 'soinfo.php', a remote attacker can read everything
'phpinfo()' returns, which may include sensitive data such as ODBC
passwords.
Information disclosed in this manner may aid an attacker in launching
further attacks against the target system.
It should be noted that PHP must be enabled on the target BadBlue server
for this issue to be exploitable.
5. PHP-Nuke Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6244
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6244
Summary:
PHP-Nuke is a web based Portal system. Implemented in PHP, it is available
for a range of systems, including Microsoft Windows and Linux.
Several cross site scripting vulnerabilities have been reported for
PHP-Nuke. Affected modules include the Discussion module, News module, and
PM module, among others. These vulnerabilities are due to insufficient
sanitization of HTML tags in user-supplied input.
An attacker may exploit this vulnerability by enticing a victim user to
follow a malicious link. Attacker-supplied HTML and script code may be
executed on a web client in the context of the site hosting the web-based
forum.
Attackers may potentially exploit this issue to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to
take arbitrary actions as the victim user.
These vulnerabilities have been reported for PHP-Nuke 6.5b1 and earlier.
6. NetScreen Malicious URL Filter Bypassing Vulnerability
BugTraq ID: 6245
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6245
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients. A vulnerability has been reported for
NetScreen.
An administrator is able to restrict access to certain URLs by defining a
malicious URL pattern. Reportedly, it is possible to circumvent rules for
malicious URLs by fragmenting the request.
An attacker can exploit this vulnerability to access URLs that are
normally inaccessible to hosts behind the NetScreen appliance.
This vulnerability was reported for NetScreen appliances using ScreenOS
v3.0.1r2.0. Older versions of ScreenOS are likely to be affected as well.
7. VBulletin members2.php Cross Site Scripting Vulnerability
BugTraq ID: 6246
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6246
Summary:
vBulletin is commercial web forum software written in PHP and back-ended
by a MySQL database. It will run on most Linux and Unix variants, as well
as Microsoft operating systems.
The $perpage variable controls how many subscribed threads are listed per
page. It is later added to a query that is used to fetch database records.
If an invalid value is passed in $perpage, an error page is generated.
Because data passed in $perpage is insufficiently sanitized, script code
injected into the variable is included in that error page.
As a result, it is possible for a remote attacker to create a malicious
link containing script code which will be executed in the browser of a
legitimate user, in the context of the website running vBulletin.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may use cookie-based authentication credentials to
hijack the session of the legitimate user.
8. NetScreen H.323 Control Session Denial Of Service Vulnerability
BugTraq ID: 6250
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6250
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.
H.323 is an ITU-T standard for the signalling and control of audio and
video conferencing sessions over packet networks.
A denial of service vulnerability has been reported for all NetScreen
appliances related to the processing of H.323 control sessions. The
vulnerability is due to inadequate clean up of existing, half-open H.323
control sessions that can eventually result in the consumption of all
firewall session table entries.
This vulnerability has been reported to only affect NetScreen appliance
configurations that explicitly permit the forwarding of H.323 or
Netmeeting traffic.
This vulnerability only affects ScreenOS versions 2.8 and later.
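The session-table exhaustion described here is easy to reproduce in miniature. The following is an added example written for this summary, not ScreenOS code; the table layout, the session states, the idle timeout and the function names are assumptions, and the table is deliberately tiny. simulate_flood() models a peer that starts H.323 control sessions on TCP port 1720 and never completes them, once with no reaping of half-open entries (the reported behaviour) and once with an idle timeout applied before each new session is admitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deliberately tiny so the exhaustion is visible; a real appliance has
 * thousands of entries but the arithmetic is the same. */
#define TABLE_SIZE 8

enum sess_state { FREE = 0, HALF_OPEN, ESTABLISHED };

struct session {
    enum sess_state state;
    uint32_t peer;        /* hypothetical peer address, host byte order */
    uint16_t port;
    uint32_t last_seen;   /* seconds since start */
};

struct session_table {
    struct session slot[TABLE_SIZE];
};

void table_init(struct session_table *t)
{
    memset(t, 0, sizeof *t);
}

int table_used(const struct session_table *t)
{
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->slot[i].state != FREE)
            n++;
    return n;
}

/* The missing housekeeping: drop control sessions that never finished
 * setup within `timeout` seconds.  Established calls are left alone.
 * Returns the number of entries freed. */
int reap_half_open(struct session_table *t, uint32_t now, uint32_t timeout)
{
    int freed = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct session *s = &t->slot[i];
        if (s->state == HALF_OPEN && now - s->last_seen > timeout) {
            s->state = FREE;
            freed++;
        }
    }
    return freed;
}

/* Record a new control session on its first packet.  Returns the slot
 * index, or -1 when the table is full and the session must be refused. */
int open_session(struct session_table *t, uint32_t peer, uint16_t port, uint32_t now)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (t->slot[i].state == FREE) {
            t->slot[i].state = HALF_OPEN;
            t->slot[i].peer = peer;
            t->slot[i].port = port;
            t->slot[i].last_seen = now;
            return i;
        }
    }
    return -1;
}

void complete_session(struct session_table *t, int slot)
{
    if (slot >= 0 && slot < TABLE_SIZE)
        t->slot[slot].state = ESTABLISHED;
}

/* A peer opens `attempts` control sessions, one every `spacing` seconds,
 * and never completes any.  Returns how many opens were refused. */
int simulate_flood(int reap, int attempts, uint32_t spacing, uint32_t timeout)
{
    struct session_table t;
    int refused = 0;
    table_init(&t);
    for (int i = 0; i < attempts; i++) {
        uint32_t now = (uint32_t)i * spacing;
        if (reap)
            reap_half_open(&t, now, timeout);
        if (open_session(&t, 0x0a000001u + (uint32_t)i, 1720, now) < 0)
            refused++;
    }
    return refused;
}

/* Reaping must only touch half-open entries, never a live call. */
int established_survives_reap(void)
{
    struct session_table t;
    table_init(&t);
    int call = open_session(&t, 0x0a000002u, 1720, 0);
    complete_session(&t, call);
    open_session(&t, 0x0a000003u, 1720, 0);   /* never completes */
    reap_half_open(&t, 100, 30);
    return t.slot[call].state == ESTABLISHED && table_used(&t) == 1;
}

int main(void)
{
    printf("refused opens, no reaping:   %d\n", simulate_flood(0, 20, 1, 5));
    printf("refused opens, with reaping: %d\n", simulate_flood(1, 20, 1, 5));
    return 0;
}
```

With eight slots, twenty attempts one second apart and a five-second timeout, the unreaped table refuses twelve opens and the reaped one refuses none. The timeout has to be generous enough for a legitimate endpoint to finish call setup, otherwise the fix reaps real calls instead of the attacker's.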
9. Working Resources BadBlue Search Page Cross Site Scripting Vulnerability
BugTraq ID: 6253
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6253
Summary:
BadBlue is a P2P file sharing application distributed by Working
Resources. It is designed for use on Microsoft Windows operating systems.
A problem with the application could make it possible to launch a
cross-site scripting attack.
When started, BadBlue launches a web server on a client system. When a
user executes a search using the search interface provided with BadBlue,
the ext.dll ISAPI is used by BadBlue to handle the request. Users of the
local system, as well as remote users may reach this interface.
The ext.dll ISAPI does not sufficiently sanitize user-supplied input in
the 'style' parameter, when processing search queries. This may allow an
attacker to create a custom URL containing script code that, when viewed
in a browser by a legitimate user, will result in the execution of
arbitrary script code.
This problem makes it possible to execute script code within the context
of an arbitrary BadBlue server.
10. Netscape/Mozilla POP3 Mail Handler Integer Overflow Vulnerability
BugTraq ID: 6254
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6254
Summary:
The Netscape Communicator and Mozilla browsers include support for email,
and the ability to fetch mail through a POP3 server. Both products are
available for a range of platforms, including Microsoft Windows and Linux.
An integer overflow vulnerability has been reported for the
Netscape/Mozilla POP3 mail handler routines. These routines are found in
'mozilla/mailnews/local/src/nsPop3Protocol.cpp'. Reportedly, insufficient
checks are performed on some server-supplied values. Specifically, the
value for m_pop3ConData->number_of_messages is not sufficiently checked
for large values.
An attacker may exploit this vulnerability through an attacker-controlled
POP3 server. By issuing a very large integer value that is used by the
Netscape/Mozilla POP3 mail handler, it may be possible to cause the
integer overflow condition and allocate a buffer that is too small. A
buffer overflow condition may result if the malicious attacker-controlled
server attempts to write into the buffer at a location beyond the boundary
of what was actually allocated.
Successful exploitation of this vulnerability may allow an attacker to
obtain control over the execution of the vulnerable Netscape/Mozilla
process.
11. AOL Instant Messenger Forced File Download Vulnerability
BugTraq ID: 6259
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6259
Summary:
AOL Instant Messenger (AIM) is an instant messaging client. It is
available for various platforms including MacOS and Microsoft Windows
operating systems.
AIM contains an option which will allow remote users to download shared
files without prompting the owner. It has been reported that enabling this
option may contain a vulnerability which would allow a remote attacker to
force a target user to download a malicious file without prompting for
authorization.
If an attacker were to download a target user's 'USER.lst' file, it may
be possible to rename an arbitrary file to 'USER.lst' and force the target
to download it. If this were to occur, the download would begin without
first prompting for authorization.
Exploiting this issue may allow an attacker to fill a victim's hard drive
with a file of excessive length.
12. phpBB Script Injection Vulnerability
BugTraq ID: 6248
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6248
Summary:
phpBB2 is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
phpBB does not properly sanitize script code from HTML tags embedded in a
forum posting. This vulnerability could allow a user to inject malicious
script code into forum postings that would in turn be executed when the
page is viewed by a legitimate user of the forum. The attacker-supplied
code would be executed in the security context of the phpBB site.
The attacker supplied code would be able to access cookie data, including
authentication credentials, and to take actions on the vulnerable site as
the currently authenticated user.
13. Bugzilla quips Feature Cross Site Scripting Vulnerability
BugTraq ID: 6257
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6257
Summary:
Bugzilla is a freely available, open source bug tracking software package.
It is available for Linux, Unix, and Microsoft Operating Systems.
A cross site scripting vulnerability has been reported for Bugzilla. This
vulnerability only affects users who have the 'quips' feature enabled.
The quips feature is designed to put short, user-supplied comments at the
top of bug lists. Reportedly, Bugzilla does not properly sanitize any
input submitted by users.
As a result, it is possible for a remote attacker to create a malicious
link containing script code which will be executed in the browser of a
legitimate user, in the context of the website running Bugzilla.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software.
14. Sybase Adaptive Server DBCC CHECKVERIFY Buffer Overflow Vulnerability
BugTraq ID: 6269
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6269
Summary:
Sybase Adaptive Server is a full SQL relational database management
system. It is available for a variety of platforms including Microsoft
Windows operating systems.
A buffer overflow vulnerability has been reported for the Sybase Adaptive
Server. The vulnerability exists in the DBCC CHECKVERIFY function. This
function is used to verify the results of the most recent run of DBCC
CHECKSTORAGE.
The DBCC CHECKVERIFY function accepts a single parameter for the name of
the database to verify. This function does not perform sufficient checks
on the length of the string that is supplied as the value for the
parameter.
An attacker may exploit this vulnerability to cause the database process
to execute malicious attacker-supplied code.
This vulnerability was reported for Sybase Adaptive Server 12.0 and 12.5.
15. YaBB YaBB.pl Cross Site Scripting Vulnerability
BugTraq ID: 6272
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6272
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl. YaBB will run on most Unix/Linux variants, MacOS,
and Microsoft Windows 9x/ME/NT/2000/XP platforms.
A cross-site scripting vulnerability has been reported in the YaBB forum
'YaBB.pl' script. This vulnerability is due to insufficient sanitization
of URI parameters.
As a result, it is possible for a remote attacker to create a malicious
link to the login page of a site hosting the web forum. The malicious link
may contain arbitrary HTML code in URI parameters. When this link is
visited by an unsuspecting web user, the attacker-supplied code will be
executed in their browser in the security context of the vulnerable
website.
It has been demonstrated that this vulnerability may be exploited to steal
cookie-based authentication credentials.
This vulnerability has been reported for YaBB 1 Gold - SP 1. It is not
known if other versions are affected.
16. NetScreen ScreenOS Predictable Initial TCP Sequence Number Vulnerability
BugTraq ID: 6249
Remote: Yes
Date Published: Nov 25 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6249
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.
NetScreen has discovered a vulnerability in the algorithms used by
ScreenOS to generate initial TCP sequence numbers. The ability to predict
TCP sequence numbers may allow a remote attacker to inject packets into a
vulnerable data stream.
It may also be possible for an attacker to launch man-in-the-middle
attacks or hijack network sessions which would allow her to bypass any
necessary authentication procedures.
For this issue to be exploitable the attacker must be able to observe
network session traffic, which will usually require access to the local
network.
17. SSH Communications Secure Shell Windows Client URL Catcher Buffer Overflow Vulnerability
BugTraq ID: 6263
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6263
Summary:
Secure Shell is the commercial SSH implementation distributed and
maintained by SSH Communications. It is available for the Unix, Linux, and
Microsoft Windows platforms.
A buffer overflow vulnerability has been reported for the Secure Shell
Windows client. The vulnerability is due to an error in the URL handling
of the Secure Shell client. Reportedly, it is possible for a buffer
overflow condition to be triggered when a user clicks on a very long URL.
An attacker can exploit this vulnerability by crafting a malicious link,
containing at least 480 characters, and enticing a victim user to click
it. This will result in the buffer overflow condition being triggered and
causing sensitive areas in memory to be overwritten with attacker-supplied
values. Any malicious attacker-supplied code embedded in the URL will be
executed on the victim system.
This vulnerability affects the Secure Shell client for Microsoft Windows.
18. Moby NetSuite POST Handler Buffer Overflow Vulnerability
BugTraq ID: 6277
Remote: Yes
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6277
Summary:
Moby NetSuite is a small SMTP and HTTP/CGI server designed for use with
the Microsoft Windows operating system.
A buffer overflow vulnerability has been reported for Moby NetSuite that
may result in a denial of service condition. Reportedly, it is possible to
cause NetSuite to crash when a malformed POST request is received.
Specifically, the denial of service condition is triggered when a POST
request is received that has an overly large integer value as the value
for the 'Content-Length' header field.
An attacker can exploit this vulnerability by issuing a POST request with
a 'Content-Length' value that is a very large integer. When NetSuite
attempts to service the malformed POST request, it will crash resulting in
a denial of service. Restarting the service is necessary to restore
functionality.
Although unconfirmed, this may be a remotely exploitable buffer overflow
condition and code execution may be possible.
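Both of these bugs (the POP3 message count in item 10 and the Content-Length value in item 18) are the same mistake: a number chosen by the remote side is used as a size without being bounded first. The following is an added example written for this summary, not Mozilla or Moby code; the msg_entry layout, the ceilings and the function names are assumptions, and the sample responses are constructed. It shows the wrapped 32-bit product an unchecked count produces, then a bounded parser that rejects hostile values before they reach an allocator.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-message bookkeeping record; the layout is an assumption, only
 * its size (16 bytes) matters for the arithmetic below. */
struct msg_entry {
    uint32_t octets;
    uint32_t uidl_offset;
    uint32_t flags;
    uint32_t reserved;
};

/* How a 32-bit build sizes the table when it trusts the count: the
 * product wraps silently, so a huge count buys a tiny buffer that the
 * per-message loop then overruns. */
uint32_t table_bytes_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(struct msg_entry);
}

/* Hardened form: bound the count to what the client is prepared to
 * track and refuse any product that would not fit.  Returns the byte
 * count, or -1 when the request must be rejected. */
long long table_bytes_checked(uint32_t count, uint32_t max_count)
{
    if (count > max_count)
        return -1;
    if (count > UINT32_MAX / sizeof(struct msg_entry))
        return -1;
    return (long long)count * (long long)sizeof(struct msg_entry);
}

/* Parse a decimal field supplied by the remote side.  Rejects signs,
 * leading blanks, trailing junk other than a field or line terminator,
 * values that overflow strtoull, and anything above `max`.  Returns
 * the value or -1. */
long long parse_bounded_u32(const char *s, uint32_t max)
{
    char *end;
    unsigned long long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || end == s)
        return -1;
    if (*end != '\0' && *end != ' ' && *end != '\r' && *end != '\n')
        return -1;
    if (v > max)
        return -1;
    return (long long)v;
}

/* POP3 STAT reply "+OK <messages> <octets>": the message count is what
 * the client uses to size its table. */
long long stat_message_count(const char *line, uint32_t max_count)
{
    if (strncmp(line, "+OK ", 4) != 0)
        return -1;
    return parse_bounded_u32(line + 4, max_count);
}

/* HTTP Content-Length value, same discipline, with a ceiling on the
 * body a small server is willing to buffer. */
long long content_length(const char *value, uint32_t max_body)
{
    while (*value == ' ' || *value == '\t')
        value++;
    return parse_bounded_u32(value, max_body);
}

int main(void)
{
    /* Constructed responses, not captured traffic. */
    const char *hostile_stat = "+OK 268435457 12345\r\n";   /* 0x10000001 */
    uint32_t n = (uint32_t)parse_bounded_u32(hostile_stat + 4, UINT32_MAX);
    printf("unchecked table size for %u messages: %u bytes\n",
           n, table_bytes_unchecked(n));
    printf("checked (1,000,000 cap): %lld\n", table_bytes_checked(n, 1000000u));
    printf("STAT count, bounded:     %lld\n", stat_message_count(hostile_stat, 1000000u));
    printf("Content-Length 4294967295 under a 1 MiB cap: %lld\n",
           content_length(" 4294967295", 1u << 20));
    return 0;
}
```

A count of 268435457 (0x10000001) times a 16-byte entry wraps to exactly 16 bytes in 32-bit arithmetic, which is the "buffer that is too small" the summary describes. The bounded parser refuses the value on two independent grounds, the application ceiling and the overflow check, so removing either one still leaves the other.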
19. Netscape Java canConvert() Buffer Overflow Vulnerability
BugTraq ID: 6256
Remote: Yes
Date Published: Nov 26 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6256
Summary:
Netscape Communications Corp.'s Communicator is a popular package that
includes a web browser (Navigator), e-mail client, news client, and
address book.
The Java implementation in Netscape 4 contains an unchecked buffer in the
canConvert() method of the sun.awt.windows.WDefaultFontCharset class.
A malicious Java applet could trigger the overflow by passing a long
string to the class constructor and invoking the canConvert() method on
the newly created instance:
new WDefaultFontCharset(long_string).canConvert('x');
Arbitrary code execution is possible in the security context of the web
browser.
This vulnerability is only reported to affect Netscape 4 browsers running
on Microsoft Windows platforms.
20. PortailPHP SQL Injection Vulnerability
BugTraq ID: 6273
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6273
Summary:
Portail PHP is a Web portal project based on PHP and MySQL. It is
available for the Linux, Unix, and Microsoft Windows operating systems.
A vulnerability exists in the mod_search module included with PortailPHP.
The vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'index.php' script. Specifically, the 'rech'
variable is not sanitized of malicious SQL input. It is possible to modify
the logic of SQL queries through malformed query strings in requests for
the vulnerable script.
By injecting SQL code into the 'rech' variable, it may be possible for an
attacker to corrupt database information.
21. Sybase Adaptive Server xp_freedll Buffer Overrun Vulnerability
BugTraq ID: 6266
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6266
Summary:
Sybase Adaptive Server is a full SQL relational database management
system. It is available for a variety of platforms including Microsoft
Windows operating systems.
The Sybase Adaptive Server provides an extended stored procedure (ESP)
called xp_freedll in the database. This ESP is used to release a loaded
library file.
It is possible to overrun a buffer in xp_freedll by providing a 57 byte
string as the name parameter. This may result in the corruption of
sensitive memory. By overwriting memory with attacker-supplied values, it
may be possible to direct program flow to execute malicious instructions.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary system commands with the privileges of the database
server.
22. pWins Web Server Directory Traversal Vulnerability
BugTraq ID: 6271
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6271
Summary:
pWins is a Web server implemented in Ruby and Perl. It is designed for
use on Linux variants and Microsoft Windows operating environments.
It has been reported that pWins fails to properly sanitize web requests.
By sending a malicious web request to the vulnerable server, using
directory traversal sequences, it is possible for a remote attacker to
access sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability has been reported for pWins 0.2.5 for the Microsoft
Windows platform.
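Rejecting traversal sequences correctly means decoding the request first and then normalising it lexically, rather than scanning the raw string for "../". The following is an added example written for this summary, not pWins code; the function names, limits and sample requests are assumptions. It percent-decodes the path, treats backslashes as separators because the affected build runs on Windows, drops "." and empty segments, pops on ".." and refuses any request whose ".." would climb above the document root.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024
#define MAX_SEGMENTS 64

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of percent-decoding, done BEFORE the traversal check so that
 * %2e%2e is seen as "..".  Refuses truncated escapes, a decoded NUL
 * (which would end the C string early) and output that does not fit. */
static int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return 0;
            c = hi * 16 + lo;
            src += 2;
        }
        if (c == '\0' || n + 1 >= dstlen) return 0;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 1;
}

/* Lexically normalise a request path under a virtual root "/".  '\\' is
 * treated like '/', "." and empty segments are dropped, ".." pops the
 * previous segment, and a ".." with nothing left to pop rejects the
 * request.  Returns 1 and writes the clean path to out, or 0 to refuse. */
int safe_web_path(const char *request, char *out, size_t outlen)
{
    char raw[MAX_PATH_LEN], decoded[MAX_PATH_LEN];
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    int depth = 0;
    size_t rawlen = strcspn(request, "?");   /* drop any query string */
    size_t n = 0;
    char *p;

    if (rawlen >= sizeof raw) return 0;
    memcpy(raw, request, rawlen);
    raw[rawlen] = '\0';
    if (!percent_decode(raw, decoded, sizeof decoded)) return 0;

    for (p = decoded; *p; ) {
        while (*p == '/' || *p == '\\') p++;
        if (!*p) break;
        char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;      /* would leave the web root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return 0;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    if (outlen < 2) return 0;
    out[n++] = '/';
    for (int i = 0; i < depth; i++) {
        if (n + seglen[i] + 2 > outlen) return 0;
        memcpy(out + n, seg[i], seglen[i]);
        n += seglen[i];
        if (i + 1 < depth) out[n++] = '/';
    }
    out[n] = '\0';
    return 1;
}

/* Convenience wrapper: the normalised path from a static buffer, or
 * NULL if the request was refused.  Not re-entrant. */
const char *normalized_path(const char *request)
{
    static char buf[MAX_PATH_LEN];
    return safe_web_path(request, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed requests, not captured traffic. */
    const char *tests[] = { "/docs/../index.html", "/../../etc/passwd",
        "/docs/%2e%2e/%2e%2e/winnt/win.ini", "/docs\\..\\..\\winnt\\win.ini",
        "/index.html%00.txt" };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        const char *r = normalized_path(tests[i]);
        printf("%-36s -> %s\n", tests[i], r ? r : "REJECTED");
    }
    return 0;
}
```

Note the %00 rejection: a decoded NUL would let the file name end early at the C level while the check saw the full string. Lexical normalisation is only the first gate; the file should still be opened relative to a canonical root, since symbolic links or junctions under the root are a separate problem this check cannot see.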
23. Sybase Adaptive Server DROP DATABASE Buffer Overflow Vulnerability
BugTraq ID: 6267
Remote: Yes
Date Published: Nov 27 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6267
Summary:
Sybase Adaptive Server is a full SQL relational database management
system. It is available for a variety of platforms including Microsoft
Windows operating systems.
A buffer overflow vulnerability has been reported for the Sybase Adaptive
Server. The vulnerability exists in the DROP DATABASE function. This
function is used to remove a database from the server.
The DROP DATABASE function accepts a single parameter for the name of the
database to remove. This function does not perform sufficient checks on
the length of the string that is supplied as the value for the parameter.
An attacker may exploit this vulnerability to cause the database process
to execute malicious attacker-supplied code.
This vulnerability was reported for Sybase Adaptive Server 12.0 and 12.5.
24. Microsoft Windows XP Fast User Switching Process Viewing Weakness
BugTraq ID: 6280
Remote: No
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6280
Summary:
Microsoft Windows XP contains a feature called Fast User Switching (FUS).
This allows multiple users to be concurrently logged onto the system; only
one user can interact with the system at a time. FUS is enabled by
default on Windows XP Home edition, but not on Professional edition. It
cannot be enabled on systems that are members of a domain.
FUS contains a weakness that could allow unprivileged users to view other
users' process lists.
Members of the Administrators group can enable an option to view other
users' process lists. If a member of the Administrators group enables
this option and is subsequently removed from the group, they are still
able to view other users' process lists.
While this is not directly exploitable, it may violate other users'
privacy or the information obtained may potentially be used to mount
attacks on other local users.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Secure / Encrypt Terminal Services (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301663
2. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301562
3. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301573
4. Odd entries in Win XP Pro Certificate MMC snap-in (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301538
5. Embedded NT/XP security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301502
6. IIS Log exactly 65.536 bytes ??? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301490
7. Exchange in the DMZ (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301255
8. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301213
9. SecurityFocus Microsoft Newsletter #114 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301098
10. ASP, BizTalk server SQL DB and Firewall architecture. (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301041
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. ScanDo Vulnerability Assessment Scanner
by KaVaDo
Platforms: Windows 2000, Windows NT, Windows XP
http://www.kavado.com/ProductsScando.htmL
Summary:
ScanDo is a comprehensive vulnerability-assessment scanner that audits the
entire Web application environment (Web servers, application servers,
business logic etc.) and uncovers both known and unknown vulnerabilities
that create security risks.
2. ArcSight Enterprise Security Management Software
by ArcSight
Platforms: AIX, Linux, Solaris, Windows 2000, Windows NT
http://www.arcsight.com/product.htm
Summary:
ArcSight is designed to distribute agents throughout the network, which
will report events to central management stations. Administrators can then
view events, control security policies and even replay a sequence of
events to watch the attack unfold.
3. WebMarshal
by Marshal Software
Platforms: Windows 2000, Windows NT
http://www.webmarshall.com/default.asp?page=%2Fproducts%2Easp%3FREFID%3DMARSHAL&RefID=MARSHAL
Summary:
WebMarshal is an employee Internet management solution designed to promote
responsible web use while providing protection from viruses,
confidentiality breaches, and the downloading of non-business material.
WebMarshal eliminates unproductive browsing by directing users to approved
sites, while blocking offensive and unproductive sites. Detailed reporting
by user and site allows management to refine Web policy so that the
business can better take advantage of the Web. WebMarshal gives an
organization easy, practical and customized control of Web browsing.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. GPG-Ezmlm encrypted mailing list v0.3
by Todd MacDermid
Relevant URL:
http://www.synacklabs.net/projects/crypt-ml/
Platforms: Perl (any system supporting perl)
Summary:
GPG-Ezmlm contains a set of scripts which adds the ability to handle
OpenPGP-encrypted email to Ezmlm. Email encrypted to the list key is
re-encrypted to the keys of the subscribers. Key exchange during list
subscription is supported.
2. Sysload server monitor v4.5
by Good NRG
Relevant URL:
http://www.nrgglobal.com/products/sysload.php
Platforms: AS/400, Linux, Netware, UNIX, Windows 2000, Windows NT, Windows
XP
Summary:
Sysload does system performance monitoring on operating systems (Unix,
Linux, Windows 2000/XP and NT, Netware, AS/400, GCOS7), databases (Oracle,
SQL Server, DB2, Informix, Sybase), and applications (including Oracle
Applications, SAP, Exchange, and IIS). It offers robust alerting and
monitoring, and performance management solutions.
3. ABC CHAOS v2.1
by Investment Resources Group
Relevant URL:
http://www.safechaos.com/abc.htm
Platforms: Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
Summary:
Easily encrypt files into your personal data archive, where the data is
kept secure. When the built-in password and key generator is used, the
additional protection is intended to rule out guessing the password to
the encrypted information.
VI. SPONSOR INFORMATION
-----------------------