SecurityFocus Microsoft Newsletter #125
From: Marc Fossi (mfossi@securityfocus.com)
Date: 02/17/03
Date: Mon, 17 Feb 2003 12:22:52 -0700 (MST) From: Marc Fossi <mfossi@securityfocus.com> To: Focus-MS <focus-ms@securityfocus.com>
SecurityFocus Microsoft Newsletter #125
---------------------------------------
I. FRONT AND CENTER
1. Are You Infected? Detecting Malware Infection
2. Forensics on the Windows Platform, Part Two
3. Suing Over Slammer
4. The First Honeyd Challenge
5. SecurityFocus DPP Program
6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Cedric Email Reader Skin Configuration Script Remote File...
2. GlobalScape CuteFTP Clipboard URL Buffer Overflow Vulnerability
3. Eset Software NOD32 Antivirus Local Buffer Overflow Vulnerability
4. Gupta SQLBase EXECUTE Buffer Overflow Vulnerability
5. CryptoBuddy Predictable Encrypted Passphrase Weakness
6. Opera opera.PluginContext Native Method Denial Of Service...
7. CryptoBuddy Long Passphrase Truncation Weakness
8. Alt-N MDaemon/WorldClient Form2Raw Mail Header Spoofing...
9. Microsoft Windows NT/2000 cmd.exe CD Buffer Overflow Vulnerability
10. Cedric Email Reader Global Configuration Script Remote File...
11. Celestial Software AbsoluteTelnet Title Bar Buffer Overflow...
12. Opera Username URI Warning Dialog Buffer Overflow Vulnerability
13. CryptoBuddy Unused Encryption Passphrase Vulnerability
14. RARLAB FAR File Manager Buffer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Unhappy face icon on NT 4 workstation (Thread)
2. Windows 2000 Static arp not static (Thread)
3. Ye Olde OWA Topic (Was Website inside or outside domain) (Thread)
4. Website inside or outside domain (Thread)
5. website inside or outside the domain? (Thread)
6. Secure Instant Messenger for Windows? (Thread)
7. SecurityFocus Microsoft Newsletter #124 (Thread)
8. L0phtCrack and Windows 2000 LM Hashes (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. RegRun 3 Security Suite
2. Steganos Internet Security
3. Symantec's Norton Internet Security 2003
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Intrusion Detection Exchange Architecture v1.0.1
2. CVS-SSH2 Plug-in for Eclipse v0.0.3
3. StatFreak v0.5.3 beta
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Are You Infected? Detecting Malware Infection
By Jong Purisima
Once executed, malware can perform its intended malicious function on a
system. Unfortunately, it may not always be apparent to users that their
system is indeed infected. This article discusses how to determine
whether or not a system has been infected and offers some tips on how to
manually disinfect it.
http://online.securityfocus.com/infocus/1666
2. Forensics on the Windows Platform, Part Two
by Jamie Morris
This is the second of a two-part series of articles discussing the use of
computer forensics in the examination of Windows-based computers. In Part
One we discussed the wider legal issues raised by computer forensics and
the benefits of pre-investigation preparation. In this article we will
concentrate on the areas of a Windows file system that are likely to be of
most interest to forensic investigators and the software tools that can be
used to carry out an investigation.
http://online.securityfocus.com/infocus/1665
3. Suing Over Slammer
By Mark Rasch
In the aftermath of the SQL Slammer worm, companies have once again
claimed massive financial losses as a result of malicious code. As with
the Code Red and Nimda worms, the Melissa virus and the Mafiaboy
distributed denial of service attack, the press has reported widespread
system disruption with "losses" in the hundreds of millions -- if not
billions -- of dollars worldwide.
http://online.securityfocus.com/columnists/141
4. The First Honeyd Challenge
With the release of Honeyd 0.5 over the weekend, Niels Provos is
pleased to also announce the first Honeyd challenge!
Honeyd is a virtual honeypot running as a small daemon to create
virtual hosts on a network. The hosts can be configured to run
arbitrary services, and their personality can be adapted so that they
appear to be running certain operating systems.
The goal of this challenge is to develop interesting feature additions
to Honeyd. Possible improvements are forensic analysis tools for
Honeyd log files, passive fingerprinting of connections, realistic
routing topologies, etc. Your submissions will be judged by a panel
of experienced volunteers, rated, and shared with the security
community.
We are able to award prizes to the best submissions. Top prizes
include a free pass to CanSecWest/core03 including a free hotel room
for up to four days, a $200 and a $100 Amazon gift certificate.
Furthermore, the top ten entries receive a copy of Lance Spitzner's
new book "Honeypots: Tracking Hackers," signed by Lance and Niels. Judges
include:
- Mike Clark
- Job de Haas
- Niels Provos
- Rain Forest Puppy
- Lance Spitzner
The challenge officially begins on Monday the 17th of February. You
have four weeks to complete your submissions. Please, send your
results no later than 24:00 GMT, Friday, March 14th. Submissions will
be judged and released on Friday the 21st of March. More information
on the challenge and submission requirements can be found at
http://www.citi.umich.edu/u/provos/honeyd/challenge.html
All questions, concerns, and submissions should be sent with a subject
including "Honeyd Challenge" to provos-honeyd@citi.umich.edu.
5. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
6. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops: March 8, 9, 12, 13 & 14. Vendor Expo: March 10 & 11.
Solutions to today’s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Cedric Email Reader Skin Configuration Script Remote File Include Vulnerability
BugTraq ID: 6818
Remote: Yes
Date Published: Feb 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6818
Summary:
Cedric Email Reader is a web mail application. It is implemented in PHP
and available for Unix and Linux variants as well as Microsoft Windows
operating systems.
It has been reported that Cedric Email Reader is prone to an issue that
may allow remote attackers to include files located on remote servers.
This issue is present in the 'email.php' script.
Under some circumstances, it is possible for remote attackers to influence
the include path for a configuration file to point to an external file on
a remote server. The attacker may cause this to occur by submitting a
path to an external file as the '$cer_skin' URI parameter.
If the remote file is a PHP script, this may be exploited to execute
arbitrary system commands in the context of the web server.
It has also been reported that it is possible to cause local files to be
included, resulting in disclosure of webserver readable files to the
attacker. This has not been confirmed.
2. GlobalScape CuteFTP Clipboard URL Buffer Overflow Vulnerability
BugTraq ID: 6786
Remote: No
Date Published: Feb 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6786
Summary:
CuteFTP is a commercially available FTP client distributed by GlobalScape.
It is available for the Microsoft Windows platform.
A buffer overflow condition has been reported for the CuteFTP application.
This is due to insufficient bounds checking that is performed on URLs
passed to CuteFTP from the clipboard.
When an 'ftp:' URL is present in the clipboard and CuteFTP is running, it
will automatically attempt to open the URL. If the URL in the clipboard
is unusually long, CuteFTP will fail immediately upon attempting to open
the URL. It is not currently known if this vulnerability could lead to
code execution.
3. Eset Software NOD32 Antivirus Local Buffer Overflow Vulnerability
BugTraq ID: 6803
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6803
Summary:
Eset Software's NOD32 Antivirus System is a cross-platform anti-virus
application. It is available for a variety of platforms including the
Microsoft Windows, Linux, and BSD-derived operating systems.
A vulnerability has been discovered in NOD32 for the Linux and Unix
platforms. Due to insufficient bounds checking a buffer overflow occurs
when NOD32 processes file system paths of excessive length. Specifically,
a path name containing 500, or more, bytes of data will trigger memory
corruption.
This vulnerability could be exploited by coaxing a user to scan a
malicious location with the NOD32 Antivirus software. When the path of
excessive length is processed by NOD32, sensitive memory will be
corrupted. If this issue can be exploited to execute code, it would be
possible to run arbitrary commands with the privileges of the user
running NOD32.
This issue affects NOD32 versions 1.012 and earlier.
4. Gupta SQLBase EXECUTE Buffer Overflow Vulnerability
BugTraq ID: 6808
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6808
Summary:
Gupta SQLBase is an embedded SQL Database designed for use with Microsoft
Windows and Novell Netware environments.
A buffer overflow vulnerability has been reported for SQLBase when using
the EXECUTE command. This command is used by the database to execute a
stored command or procedure.
An attacker can exploit this vulnerability by issuing an EXECUTE command
with an overly large value, consisting of at least 700 characters, as a
parameter. This will cause SQLBase to crash and may result in the
execution of attacker-supplied code with elevated privileges.
This vulnerability is exacerbated by the fact that the SYSADM account
allows access with a blank password for the default ISLAND database.
This vulnerability was reported for SQLBase 8.1.0. It is not known whether
earlier versions are affected.
5. CryptoBuddy Predictable Encrypted Passphrase Weakness
BugTraq ID: 6810
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6810
Summary:
CryptoBuddy is security software designed to encrypt files. It is designed
for use on Microsoft Windows operating systems.
It has been reported that the passphrase encryption algorithm employed by
CryptoBuddy is weak. Specifically, the passphrase is broken into 4-byte
blocks, each of which is then encrypted. Furthermore, the encryption
algorithm used generates predictable ciphertext for a given 4-byte
sequence of characters.
An attacker can exploit this weakness to build a dictionary of encrypted
passphrases and use this to decrypt stolen files.
This vulnerability was reported for CryptoBuddy 1.2 and earlier.
6. Opera opera.PluginContext Native Method Denial Of Service Vulnerability
BugTraq ID: 6814
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6814
Summary:
Opera is a web client available for a number of platforms including Unix
and Linux variants, and Microsoft Windows operating systems.
Opera ships with a trusted Java class ('opera.PluginContext') that
includes a native method that is reportedly vulnerable to denial of
service attacks. This issue exists in the 'showDocument' method of the
'opera.PluginContext' class. If a URL object containing a URL String of
excessive length is passed to the method, the JVM and browser will crash.
Other malformed data may also trigger this condition.
The issue is apparently caused when the PluginContext constructor handles
unacceptable data.
This issue was reported in versions of Opera for Microsoft Windows
operating systems. It is not known if other platforms are also affected.
Java support must be enabled for this issue to be present; disabling it
prevents attacks.
7. CryptoBuddy Long Passphrase Truncation Weakness
BugTraq ID: 6815
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6815
Summary:
CryptoBuddy is security software designed to encrypt files. It is designed
for use on Microsoft Windows operating systems.
It has been reported that CryptoBuddy truncates passphrases longer than 55
characters. Furthermore, bytes 53 to 55 of the passphrase are stored in
plain text. This weakness in the passphrase handling of CryptoBuddy's
encryption algorithm may give users a false sense of security.
This vulnerability was reported for CryptoBuddy 1.2 and earlier.
8. Alt-N MDaemon/WorldClient Form2Raw Mail Header Spoofing Vulnerability
BugTraq ID: 6816
Remote: Yes
Date Published: Feb 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6816
Summary:
MDaemon is a mail server for Microsoft Windows operating systems. It
includes WorldClient, which is a web-based email client.
Alt-N MDaemon/Worldclient is prone to a vulnerability which may enable a
remote user to send mail with spoofed headers.
The WorldClient component of MDaemon contains a utility, 'Form2Raw.exe',
which may be used to construct email from data submitted in a form.
Remote users may submit a malicious form through the 'Form2Raw.exe'
utility (accessible from the web through the 'Form2Raw.cgi' alias), which
will cause mail with attacker-supplied headers to be sent via the mail
server. Access to this utility is enabled in the default configuration.
As a result, the software may be abused by unauthorized users to send
email to arbitrary hosts. Spammers may potentially exploit this issue to
obscure the origin of a mass mailing.
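The Form2Raw issue above is a case of web-form fields being pasted straight into mail headers. What follows is an added example, not Alt-N's code, of the shape a form-to-mail step takes when it cannot be used to spoof headers: the sender and recipient are fixed by the operator, the form controls only the subject and body, and any control byte in the subject (a CR or LF is what would start a new header line) is rejected outright. The addresses, the subject limit and the function names are assumptions made for the example; the inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Addresses are fixed by the operator, never taken from the form.
 * Both values are placeholders for the example. */
#define FIXED_FROM  "webform@example.invalid"
#define FIXED_TO    "inbox@example.invalid"
#define MAX_SUBJECT 200

/* A header value may not contain CR, LF, NUL or any other control byte:
 * a CR/LF inside a form field is what turns "Subject: hi" into
 * "Subject: hi\r\nBcc: ..." once it is pasted into the message. */
int header_value_ok(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Builds the raw message from the only two fields the form may control.
 * Returns the message length, or -1 if the input was rejected or does
 * not fit. The body sits after the blank line, so it cannot add headers. */
int build_message(const char *subject, const char *body, char *out, size_t outlen)
{
    if (!header_value_ok(subject) || strlen(subject) > MAX_SUBJECT) return -1;
    int n = snprintf(out, outlen, "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s",
                     FIXED_FROM, FIXED_TO, subject, body);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Counts header lines in a built message (up to the first blank line), so a
 * caller can confirm that exactly the three fixed headers are present. */
int count_header_lines(const char *msg)
{
    int lines = 0;
    const char *p = msg;
    while (*p && strncmp(p, "\r\n", 2) != 0) {
        const char *e = strstr(p, "\r\n");
        if (!e) return -1;          /* not a well-formed header block */
        lines++;
        p = e + 2;
    }
    return lines;
}

int main(void)
{
    char msg[1024];
    /* constructed inputs: a benign subject and one carrying an injected header */
    int ok  = build_message("Order question", "Hello,\r\nwhere is my order?", msg, sizeof msg);
    int bad = build_message("Order question\r\nBcc: everyone@example.invalid", "x", msg, sizeof msg);
    printf("benign: %d bytes, injected: %d\n", ok, bad);
    return 0;
}
```

The point of count_header_lines is that the message structure is verifiable after the fact: however the subject was crafted, a well-formed result has exactly the three headers the operator chose and nothing else.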
9. Microsoft Windows NT/2000 cmd.exe CD Buffer Overflow Vulnerability
BugTraq ID: 6829
Remote: No
Date Published: Feb 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6829
Summary:
Microsoft Windows NT 4.0 and Windows 2000 use cmd.exe as their command
interpreter.
There are reported problems in the Windows API that prevent paths
containing more than 256 characters from being handled properly. The cd
command in the command interpreter cmd.exe fails to handle these long
paths properly, resulting in a denial of service to the cmd.exe session,
or potential code execution.
On Windows NT 4.0 systems, if the cd command is issued to change to a
directory whose name contains 200 characters (i.e. C:\<200 A's>), followed
by another cd command to change to a subdirectory whose name contains 57 or
more characters (i.e. C:\<200 A's>\<57 B's>), cmd.exe fails. This is
reportedly caused by overflowing a buffer when the second cd command is
issued. EIP may be overwritten, potentially allowing for code execution.
On Windows 2000 systems, using the cd command to change to the second
directory causes cmd.exe to become 'jailed' in that directory: a further
cd command (i.e. cd..) will not change the directory.
Automated scripts that traverse and perform operations on arbitrary
directories are particularly vulnerable.
10. Cedric Email Reader Global Configuration Script Remote File Include Vulnerability
BugTraq ID: 6820
Remote: Yes
Date Published: Feb 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6820
Summary:
Cedric Email Reader is a web mail application. It is implemented in PHP
and available for Unix and Linux variants as well as Microsoft Windows
operating systems.
It has been reported that Cedric Email Reader is prone to an issue that
may allow remote attackers to include files located on remote servers.
This issue is present in the 'emailreader_execute_on_each_page.inc.php'
script.
Under some circumstances, it is possible for remote attackers to influence
the include path for a configuration file to point to an external file on
a remote server. The attacker may cause this to occur by submitting a
path to an external file as the '$emailreader_ini' URI parameter.
If the remote file is a PHP script, this may be exploited to execute
arbitrary system commands in the context of the web server.
It has also been reported that it is possible to cause local files to be
included, resulting in disclosure of webserver readable files to the
attacker. This has not been confirmed.
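Both Cedric items (BID 6818 via '$cer_skin' and BID 6820 via '$emailreader_ini') come down to a request parameter being used as an include path. The following is an added example, not code from Cedric Email Reader, of the defensive shape, written in C because the logic does not depend on the language: the parameter is reduced to a plain name, checked against an allowlist, and only then joined to a fixed directory, so a URL or a traversal never reaches string concatenation, let alone an include. SKIN_DIR, the allowlist entries and the sample inputs are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed base directory for skin/config files; a real deployment would
 * use its own. */
#define SKIN_DIR "/var/www/emailreader/skins"
#define MAX_NAME 32

/* Constructed allowlist: the only names that may be turned into a path. */
static const char *const ALLOWED_SKINS[] = { "default", "plain", "dark" };

/* Accept only [A-Za-z0-9_-]. A URL ("http://host/x"), a traversal
 * ("../../etc/passwd") or an absolute path all fail here, before any
 * path is formed from the value. */
int is_plain_name(const char *s)
{
    if (*s == '\0' || strlen(s) > MAX_NAME) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-') return 0;
    return 1;
}

/* Maps a request parameter to a file path under SKIN_DIR. Returns the path
 * length written to 'out', or -1 if the parameter is rejected. */
int resolve_skin(const char *param, char *out, size_t outlen)
{
    if (!is_plain_name(param)) return -1;
    int known = 0;
    for (size_t i = 0; i < sizeof ALLOWED_SKINS / sizeof ALLOWED_SKINS[0]; i++)
        if (strcmp(param, ALLOWED_SKINS[i]) == 0) known = 1;
    if (!known) return -1;
    int n = snprintf(out, outlen, "%s/%s.ini", SKIN_DIR, param);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void)
{
    /* constructed request values, the kind a skin or config parameter would carry */
    const char *inputs[] = { "default", "http://attacker.invalid/x",
                             "../../etc/passwd", "nosuchskin" };
    char path[256];
    for (size_t i = 0; i < 4; i++) {
        int n = resolve_skin(inputs[i], path, sizeof path);
        printf("%-28s -> %s\n", inputs[i], n < 0 ? "rejected" : path);
    }
    return 0;
}
```

The allowlist is the stronger of the two checks: the character filter alone would still let a request pick any file that happens to have a plain name under SKIN_DIR, whereas the allowlist limits it to the files the application actually ships.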
11. Celestial Software AbsoluteTelnet Title Bar Buffer Overflow Vulnerability
BugTraq ID: 6785
Remote: Yes
Date Published: Feb 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6785
Summary:
AbsoluteTelnet is a freely available Telnet and Secure Shell (SSH) client
for Microsoft Windows operating systems. It is maintained and distributed
by Celestial Software.
A buffer overflow vulnerability was reported for AbsoluteTelnet. The
vulnerability exists due to insufficient bounds checking performed when
setting the title bar of the client. For this issue to occur, the title
bar being set must contain 296 or more bytes of data.
An attacker can exploit this vulnerability by enticing a victim user to
view a website with malicious HTML tags. If AbsoluteTelnet is configured
as the default application for 'telnet://' URLs, connecting to a malicious
host may trigger the buffer overflow condition, causing AbsoluteTelnet to
crash and possibly execute attacker-supplied code.
This vulnerability was reported for AbsoluteTelnet 2.0 and 2.11.
12. Opera Username URI Warning Dialog Buffer Overflow Vulnerability
BugTraq ID: 6811
Remote: Yes
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6811
Summary:
Opera is a web client available for a number of platforms including Unix
and Linux variants, and Microsoft Windows operating systems.
For security purposes, Opera will display a warning any time a user of the
client visits a link containing a username as part of the URI. Bounds
checking is not performed on the length of the username when it is copied
into a local buffer for display in the warning message.
An excessively long username in a link will trigger a buffer overflow
condition that may overwrite the stack frame of the affected function.
Attackers may exploit this vulnerability to execute instructions on client
systems. This condition may be exploited from a malicious webpage.
Exploitation may occur through links, image tags, frames or other means.
This issue was reported for Opera on Microsoft Windows platforms. It is
not known if other platforms are affected.
13. CryptoBuddy Unused Encryption Passphrase Vulnerability
BugTraq ID: 6812
Remote: No
Date Published: Feb 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6812
Summary:
CryptoBuddy is security software designed to encrypt files. It is designed
for use on the Microsoft Windows operating environment.
A vulnerability has been reported for CryptoBuddy that may result in
attackers intercepting and decoding encrypted information. The
vulnerability exists because CryptoBuddy does not use the user-supplied
passphrase to encrypt files. Instead, the passphrase is encrypted and
stored at a known offset in the encrypted file.
An attacker can exploit this vulnerability by creating an encrypted file
and passphrase. By copying the encrypted passphrase at offset 0x120 to
0x15A to the same offset of any intercepted file, an attacker may be able
to decrypt the target file using the modified passphrase.
Exploitation of this vulnerability may result in the disclosure of
sensitive information. Any information obtained in this manner may be used
by an attacker to launch other attacks on a vulnerable system or user.
Although it has not been confirmed, it is likely that the user-supplied
passphrase stored in the file is prompted for and used to initiate the
decryption of the file using the CryptoBuddy algorithm.
This vulnerability was reported for CryptoBuddy 1.2 and earlier.
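Items 5, 7 and 13 each describe a different way for a passphrase-based file format to go wrong: deterministic encryption of the passphrase in 4-byte blocks, truncation at 55 characters with bytes 53 to 55 left in the clear, and the encrypted passphrase sitting at a fixed offset where it can be copied between files. The following is an added example, not CryptoBuddy's format or algorithm, that sketches the design which avoids all three (a per-file salt, a key derived from the whole passphrase, and a verifier in place of the stored passphrase) together with a self-check that a reviewer could run against any such tool's output. FNV-1a stands in for a real KDF and cipher purely to show the structure, not the strength; the layout, sizes and sample inputs are all constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_LEN     8
#define VERIFIER_LEN 8
#define HEADER_LEN   (SALT_LEN + VERIFIER_LEN)

/* FNV-1a, used here only as a stand-in for a real KDF and cipher. A real
 * tool would use PBKDF2/scrypt/Argon2 and an authenticated cipher. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Key = stretch(salt || whole passphrase). Every passphrase byte feeds in,
 * so nothing is truncated, and the per-file salt means the same passphrase
 * never produces the same key twice. */
static uint64_t derive_key(const char *pass, const uint8_t salt[SALT_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a(h, salt, SALT_LEN);
    h = fnv1a(h, (const uint8_t *)pass, strlen(pass));
    for (int i = 0; i < 1000; i++) h = fnv1a(h, (const uint8_t *)&h, sizeof h);
    return h;
}

static uint64_t verifier_for(uint64_t key)
{
    return fnv1a(key, (const uint8_t *)"verify", 6);
}

/* Layout: salt | verifier | ciphertext. The passphrase itself is never written,
 * encrypted or otherwise; the verifier only lets a reader detect a wrong one. */
size_t toy_encrypt(const char *pass, const uint8_t salt[SALT_LEN],
                   const uint8_t *pt, size_t n, uint8_t *out, size_t outlen)
{
    if (outlen < HEADER_LEN + n) return 0;
    uint64_t key = derive_key(pass, salt), v = verifier_for(key);
    memcpy(out, salt, SALT_LEN);
    memcpy(out + SALT_LEN, &v, VERIFIER_LEN);
    for (size_t i = 0; i < n; i++) {
        uint64_t ks = fnv1a(key, (const uint8_t *)&i, sizeof i);
        out[HEADER_LEN + i] = pt[i] ^ (uint8_t)ks;
    }
    return HEADER_LEN + n;
}

/* Returns 1 if 'pass' matches the file's verifier, 0 otherwise. */
int toy_passphrase_matches(const char *pass, const uint8_t *file, size_t n)
{
    if (n < HEADER_LEN) return 0;
    uint64_t v = verifier_for(derive_key(pass, file));
    return memcmp(file + SALT_LEN, &v, VERIFIER_LEN) == 0;
}

static int contains(const uint8_t *hay, size_t hn, const uint8_t *nd, size_t nn)
{
    for (size_t i = 0; i + nn <= hn; i++)
        if (memcmp(hay + i, nd, nn) == 0) return 1;
    return 0;
}

/* One check per CryptoBuddy item above. Returns 1 if the format passes all
 * of them. All inputs are constructed. */
int passes_passphrase_checks(void)
{
    static const uint8_t pt[] = "constructed sample plaintext";
    static const uint8_t s1[SALT_LEN] = {1,2,3,4,5,6,7,8}, s2[SALT_LEN] = {9,9,9,9,9,9,9,9};
    char p1[64], p2[64];
    memset(p1, 'a', 60); p1[60] = '\0';          /* 60-char passphrase */
    memcpy(p2, p1, sizeof p1); p2[58] = 'b';      /* differs only after byte 55 */
    uint8_t c1[128], c2[128], c3[128];
    size_t n1 = toy_encrypt(p1, s1, pt, sizeof pt, c1, sizeof c1);
    size_t n2 = toy_encrypt(p2, s1, pt, sizeof pt, c2, sizeof c2);
    size_t n3 = toy_encrypt(p1, s2, pt, sizeof pt, c3, sizeof c3);
    if (!n1 || n1 != n2 || n1 != n3) return 0;
    /* item 7: bytes beyond position 55 must change the output (no truncation) */
    if (memcmp(c1, c2, n1) == 0) return 0;
    /* items 5 and 13: same passphrase, second file: nothing at a fixed offset to copy across */
    if (memcmp(c1 + SALT_LEN, c3 + SALT_LEN, VERIFIER_LEN) == 0) return 0;
    /* item 7: passphrase bytes 53..55 must not sit in the file in the clear */
    if (contains(c1, n1, (const uint8_t *)p1 + 52, 3)) return 0;
    /* and the verifier must accept the right passphrase and reject the other */
    return toy_passphrase_matches(p1, c1, n1) && !toy_passphrase_matches(p2, c1, n1);
}

int main(void)
{
    printf("passphrase-handling checks: %s\n", passes_passphrase_checks() ? "pass" : "FAIL");
    return 0;
}
```

The checks are the reusable part: a format that truncates fails the first, one whose header does not depend on the salt fails the second, and one that writes any passphrase bytes fails the third. Replacing toy_encrypt with a wrapper around the tool under review leaves the checks unchanged.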
14. RARLAB FAR File Manager Buffer Overflow Vulnerability
BugTraq ID: 6822
Remote: No
Date Published: Feb 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6822
Summary:
FAR is a file manager developed for Microsoft Windows environments. It is
developed by RARLAB.
A buffer overflow vulnerability has been reported for FAR that may result
in a denial of service condition. The vulnerability exists due to
insufficient bounds checking performed by FAR when parsing directory
paths. Specifically, when FAR attempts to parse paths consisting of more
than 260 characters it will crash.
A local attacker can exploit this vulnerability by nesting several folders
such that the total length is greater than 260 characters. When an
unsuspecting victim user attempts to view the contents of these folders,
the buffer overflow condition is triggered and will result in FAR
crashing.
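The length-based overflows above (NOD32's 500-byte paths, AbsoluteTelnet's 296-byte title, cmd.exe and FAR near 260 characters) share one root cause: input is copied into a fixed-size buffer that nothing measures it against. The following is an added example, not code from any of those products, of the unsafe pattern beside a bounded path join that rejects anything over the limit; it reproduces the directory shape from the cmd.exe report (200 'A's, then 57 'B's) in memory only. PATH_LIMIT is set to the Windows MAX_PATH value of 260; the function names and buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Windows MAX_PATH, including the terminator. A fixed-size destination
 * needs a check against whatever its real size is. */
#define PATH_LIMIT 260

/* The pattern behind the reported crashes: the destination is a fixed-size
 * array and nothing compares the input length against it before the copy.
 * Kept for contrast only; nothing here calls it with real input. */
static void join_path_unsafe(char out[PATH_LIMIT], const char *dir, const char *name)
{
    strcpy(out, dir);          /* writes past 'out' when dir alone exceeds it */
    strcat(out, "\\");
    strcat(out, name);
}

/* Bounded join: writes "dir\name" into out and returns its length, or -1
 * if the result would not fit in min(outlen, PATH_LIMIT) including the
 * terminator. 'out' is always NUL-terminated on return. */
int join_path(char *out, size_t outlen, const char *dir, const char *name)
{
    if (outlen == 0) return -1;
    out[0] = '\0';
    size_t need = strlen(dir) + 1 + strlen(name);   /* characters, no terminator */
    if (need >= outlen || need >= PATH_LIMIT) return -1;
    int n = snprintf(out, outlen, "%s\\%s", dir, name);
    if (n < 0 || (size_t)n != need) { out[0] = '\0'; return -1; }
    return n;
}

/* Builds the shape from the cmd.exe report (C:\ + a_count 'A's, then a
 * subdirectory of b_count 'B's) without touching the file system, and
 * returns what join_path makes of it: the joined length, or -1. */
int join_report_shape(int a_count, int b_count)
{
    char dir[512], name[512], out[PATH_LIMIT];
    if (a_count < 0 || a_count > 500 || b_count < 0 || b_count > 500) return -1;
    memcpy(dir, "C:\\", 3);
    memset(dir + 3, 'A', (size_t)a_count);
    dir[3 + a_count] = '\0';
    memset(name, 'B', (size_t)b_count);
    name[b_count] = '\0';
    return join_path(out, sizeof out, dir, name);
}

int main(void)
{
    printf("200 A's + 57 B's -> %d (rejected)\n", join_report_shape(200, 57));
    printf("200 A's + 55 B's -> %d (fits)\n", join_report_shape(200, 55));
    (void)join_path_unsafe;    /* referenced so the contrast function is not flagged as unused */
    return 0;
}
```

The join returns -1 rather than a truncated path on purpose: silently shortening a path is how an operation ends up applied to the wrong directory, which is the failure the Windows 2000 'jailed' cmd.exe case illustrates.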
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Unhappy face icon on NT 4 workstation (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311815
2. Windows 2000 Static arp not static (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311811
3. Ye Olde OWA Topic (Was Website inside or outside domain) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311823
4. Website inside or outside domain (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311812
5. website inside or outside the domain? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311813
6. Secure Instant Messenger for Windows? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311546
7. SecurityFocus Microsoft Newsletter #124 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311246
8. L0phtCrack and Windows 2000 LM Hashes (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/311191
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. RegRun 3 Security Suite
by Greatis Software
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.greatis.com/regrun3.htm
Summary:
RegRun Security Suite 3 has been designed to be a very effective system,
tailored to individual user needs. We now offer three versions of RegRun
Security Suite. Please read our on-line guide at
http://www.greatis.com/regrun3detail.htm to learn how RegRun can help you.
2. Steganos Internet Security
by Steganos
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.steganos.com/en/sis/index.htm
Summary:
Steganos Internet Security gives you sure protection against:
- Annoying viruses that you receive via e-mail
- Trojan horses
- Hackers who, for example, try to delete your hard disk
- Script viruses like the I LOVE YOU virus
- Spyware, which sends your user profile to questionable Web operators
- Snoopers, who follow your activities on the Internet
- Tell-tale traces left behind on your PC after your web browsing sessions
3. Symantec's Norton Internet Security 2003
by Symantec
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL:
http://www.symantec.com/sabu/nis/nis_pe/
Summary:
Symantec's Norton Internet Security 2003 provides essential protection
from viruses, hackers, and privacy threats. Included are full versions of
Norton AntiVirus and Norton Personal Firewall, which efficiently defend
your PC from the most common Internet dangers. You also get Norton Spam
Alert to block unwanted email, and Norton Parental Control to protect your
children online.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. Intrusion Detection Exchange Architecture v1.0.1
by Ian Duffy
Relevant URL:
http://www.sourceforge.net/projects/idea-arch
Platforms: OS Independent
Summary:
IDEA is an architecture for implementing a distributed intrusion detection
system on a computer network. It provides a way to incorporate many
different IDS sensors into an architecture, and have them report to a
central IDS server. This server collects, aggregates, and correlates data
from the sensors, providing a unified view of network activity. By
specifying an open API, many different clients can connect to the IDEA
server and "subscribe" to the event notification service so that the
client will be notified any time a new alert is received from any of the
sensors.
2. CVS-SSH2 Plug-in for Eclipse v0.0.3
by ymnk (ymnk@jcraft.com)
Relevant URL:
http://www.jcraft.com/eclipse-cvsssh2/
Platforms: OS Independent
Summary:
CVS-SSH2 Plug-in for Eclipse is an Eclipse plug-in to allow CVS access on
an encrypted session by SSH2 protocol.
3. StatFreak v0.5.3 beta
by Pistos
Relevant URL:
http://www.catholicinfo.ca/statfreak/
Platforms: Linux, Solaris, SunOS, UNIX, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Summary:
StatFreak is a Perl script which reads eggdrop and mIRC logs and outputs
an XHTML file containing statistical information. StatFreak was created to
appease the hunger of statistics fanatics around the world.