SecurityFocus Microsoft Newsletter #129

From: Marc Fossi (mfossi@securityfocus.com)
Date: 03/17/03

    Date: Mon, 17 Mar 2003 12:01:25 -0700 (MST)
    From: Marc Fossi <mfossi@securityfocus.com>
    To: Focus-MS <focus-ms@securityfocus.com>
    
    

    SecurityFocus Microsoft Newsletter #129
    ---------------------------------------

    This Issue is Sponsored By: NetIQ

    Need security policies? Don't start from scratch..."Information Security
    Policies Made Easy" is the best security policy resource guide you can
    buy with 1300+ ready-to-use security policies that can be quickly
    customized for any company. Build best practice security policies in
    half the time and expense. Also check out "Information Security Roles &
    Responsibilities Made Easy."

    Download a free policy now at http://www.netiq.com/order/publications.asp
    ------------------------------------------------------------------------------

    I. FRONT AND CENTER
         1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
         2. IP Spoofing: An Introduction
         3. Iraqi Cyberwar: an Ageless Joke
         4. SecurityFocus DPP Program
    II. MICROSOFT VULNERABILITY SUMMARY
         1. DBTools DBManager Professional Information Disclosure Weakness
         2. Ethereal SOCKS Dissector Format String Vulnerability
         3. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
         4. MySQL mysqld Privilege Escalation Vulnerability
         5. PHP-Nuke Multiple SQL Injection Vulnerabilities
         6. NetScreen ScreenOS Loss of Configuration Vulnerability
         7. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow...
         8. Multiple PHP-Nuke Forums/Private_Messages SQL Injection...
         9. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
         10. Microsoft Windows XP Safe Mode Policy Bypass Weakness
         11. PHPPing Remote Command Execution Vulnerability
         12. Opera Long Filename Download Buffer Overrun Vulnerability
         13. Microsoft Internet Explorer .MHT File Buffer Overflow...
    III. MICROSOFT FOCUS LIST SUMMARY
         1. SQL Service Pack doesn't upgrade SQL Server (Thread)
         2. Exchange/MAPI/RPC (Thread)
         3. DisableIPSourceRouting registry key (Thread)
         4. SecurityFocus Microsoft Newsletter #128 (Thread)
         5. AW: Exchange/MAPI/RPC (Thread)
         6. SV: DisableIPSourceRouting registry key (Thread)
         7. Worm.Dvldr analysis report (Thread)
         8. Article Announcement: Cryptographic Filesystems: Design and...
         9. Free SQL chapter available on www.SpecialOpsSecurity.com (Thread)
         10. AD replication - IP site to site encryption? (Thread)
         11. User rights on Terminal Services (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. EverLink SRAC Gateway
         2. iChain
         3. NetOp Remote Control
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. WaveLock v1.0
         2. NtDump v1
         3. SMAC v1.0
    VI. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Open Source Honeypots, Part Two: Deploying Honeyd in the Wild
    By Lance Spitzner

    This is the second part of a three-part series looking at Honeyd, the
    open source honeypot. In this paper we will deploy Honeyd on the
    Internet for one week and watch what happens. The intent is to test
    Honeyd by letting real bad guys interact with and attack it. We will then
    analyze how the honeypot performed and what it discovered.

    http://www.securityfocus.com/infocus/1675

    2. IP Spoofing: An Introduction
    by Matthew Tanase

    Criminals have long employed the tactic of masking their true identity,
    from disguises to aliases to caller-id blocking. It should come as no
    surprise then, that criminals who conduct their nefarious activities on
    networks and computers should employ such techniques. IP spoofing is one
    of the most common forms of on-line camouflage. In IP spoofing, an
    attacker gains unauthorized access to a computer or a network by making
    it appear that a malicious message has come from a trusted machine by
    "spoofing" the IP address of that machine. In this article, we will
    examine the concepts of IP spoofing: why it is possible, how it works,
    what it is used for and how to defend against it.

    http://www.securityfocus.com/infocus/1674

    3. Iraqi Cyberwar: an Ageless Joke
    By George Smith

    Did U.S. infowar commandos smuggle a deadly computer virus into Iraq
    inside a printer? Of course not. So why does it keep getting reported?

    http://www.securityfocus.com/columnists/147

    4. SecurityFocus DPP Program

    Attention Universities!! Sign-up now for preferred pricing on the only
    global early-warning system for cyber attacks - SecurityFocus DeepSight
    Threat Management System.

    Click here for more information:
    http://www.securityfocus.com/corporate/products/dpsection.shtml

    II. BUGTRAQ SUMMARY
    -------------------
    1. DBTools DBManager Professional Information Disclosure Weakness
    BugTraq ID: 7040
    Remote: No
    Date Published: Mar 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7040
    Summary:

    DBManager Professional is database management software for MySQL and
    PostgreSQL. It is available for Microsoft Windows operating systems.

    Sensitive DBManager Professional configuration information, including
    authentication credentials, is stored in plaintext on the system hosting
    the software. This information is typically stored in the "catalog.mdb"
    file in the "DATA" directory of the program folder.

    It has been reported that this information may also be readable by other
    local users in the default installation of the software. As a result,
    sensitive information which is sufficient to compromise the database may
    be exposed to malicious local users.

    2. Ethereal SOCKS Dissector Format String Vulnerability
    BugTraq ID: 7049
    Remote: Yes
    Date Published: Mar 08 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7049
    Summary:

    Ethereal is a freely available, open source network traffic analysis
    tool. It is maintained by the Ethereal Project and is available for most
    Unix and Linux variants as well as Microsoft Windows operating systems.

    The Ethereal SOCKS dissector is a mechanism for decoding the SOCKS
    protocol. A format string vulnerability has been reported in some
    versions of this dissector. The vulnerability exists in the
    packet-socks.c source file.

    An attacker can exploit this vulnerability by connecting to a vulnerable
    SOCKS server and sending malicious format string specifiers to the SOCKS
    server. If Ethereal is being used as a security tool to monitor network
    packets, it is possible that sensitive memory may be corrupted.

    This has been confirmed to result in a denial of service condition.
    Additionally, it may be possible to cause Ethereal to execute malicious
    attacker-supplied code.

    This vulnerability affects Ethereal 0.9.9 and earlier.

    3. Ethereal NTLMSSP Dissector Heap Corruption Vulnerability
    BugTraq ID: 7050
    Remote: Yes
    Date Published: Mar 08 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7050
    Summary:

    Ethereal is a freely available, open source network traffic analysis
    tool. It is maintained by the Ethereal Project and is available for most
    Unix and Linux variants as well as Microsoft Windows operating systems.

    The NTLMSSP (NTLM Security Support Provider) dissector is a mechanism for
    evaluating packets that use the NTLM protocol. A heap corruption
    vulnerability has been reported for some versions of the dissector.

    The precise technical details of this vulnerability are currently
    unknown. This BID will be updated as further information is available.

    An attacker may be able to exploit this vulnerability by crafting a
    specially formed packet and sending it to a system using the NTLMSSP
    dissector or by convincing a victim user to use Ethereal to read a
    malformed packet trace file.

    Due to the nature of this vulnerability it may be possible for an
    attacker to create a situation in which sensitive memory could be
    overwritten. If successful this may allow for the execution of arbitrary
    code with the privileges of the Ethereal process.

    This vulnerability affects Ethereal 0.9.9 and earlier.

    4. MySQL mysqld Privilege Escalation Vulnerability
    BugTraq ID: 7052
    Remote: Yes
    Date Published: Mar 08 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7052
    Summary:

    MySQL is an open source relational database project. It is available for
    the Microsoft Windows, Linux, and Unix operating systems.

    A vulnerability has been discovered for MySQL that may allow the mysqld
    service to start with elevated privileges.

    MySQL uses a series of configuration files to set the privileges of the
    service. The configuration files are typically stored in /etc/my.cnf,
    DATADIR/my.cnf and ~/.my.cnf. When executed, the mysqld service reads
    configuration information from /etc/my.cnf first, then DATADIR/my.cnf and
    finally ~/.my.cnf.

    An attacker can exploit this vulnerability by creating a DATADIR/my.cnf
    that includes the line 'user=root' under the '[mysqld]' option section.
    Furthermore, the ~/.my.cnf file must not exist.

    When the mysqld service is executed, it will run as the root user instead
    of the default user.

    This may allow an attacker to obtain elevated privileges on a compromised
    system.

    This vulnerability was reported for MySQL 3.23.55.
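
A defender-side check for the condition described in this item, as an added example that is not part of the original newsletter and not MySQL's own code: it scans option-file text for a `user=` setting in the `[mysqld]` section and resolves it across the three files in the read order given above. The function names and sample file contents are constructed for illustration, and it assumes a later file's setting overrides an earlier one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trim surrounding whitespace in place and return the trimmed start. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) end--;
    *end = '\0';
    return s;
}

/*
 * Scan one option file's text. Returns 1 if the last user= line in
 * [mysqld] names root, 0 if it names another account, -1 if unset.
 */
int mycnf_user_setting(const char *text)
{
    char line[512];
    int in_mysqld = 0, result = -1;

    while (*text) {
        size_t n = strcspn(text, "\n");
        size_t keep = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, text, keep);
        line[keep] = '\0';
        text += n;
        if (*text == '\n') text++;

        char *p = trim(line);
        if (*p == '\0' || *p == '#' || *p == ';') continue; /* blank/comment */
        if (*p == '[') {                                    /* section header */
            char *close = strchr(p, ']');
            if (close) *close = '\0';
            in_mysqld = strcmp(trim(p + 1), "mysqld") == 0;
            continue;
        }
        char *eq = strchr(p, '=');
        if (!in_mysqld || !eq) continue;
        *eq = '\0';
        if (strcmp(trim(p), "user") == 0)
            result = strcmp(trim(eq + 1), "root") == 0;
    }
    return result;
}

/*
 * files[] holds option-file contents in the order the newsletter says
 * mysqld reads them (/etc/my.cnf, DATADIR/my.cnf, ~/.my.cnf); NULL means
 * the file is absent. Assumption: a later user= overrides an earlier one.
 */
int mysqld_effective_root(const char *const files[], size_t n)
{
    int effective = 0;
    for (size_t i = 0; i < n; i++) {
        if (!files[i]) continue;
        int s = mycnf_user_setting(files[i]);
        if (s >= 0) effective = s;
    }
    return effective;
}

/* Constructed sample contents, not taken from a real system. */
static const char ETC_CNF[]     = "[mysqld]\nuser = mysql\nport = 3306\n";
static const char DATADIR_CNF[] = "# unexpected file\n[mysqld]\nuser=root\n";
static const char HOME_CNF[]    = "[client]\nuser=root\n[mysqld]\nuser=mysql\n";

int sample_without_home(void)
{
    const char *const files[] = { ETC_CNF, DATADIR_CNF, NULL };
    return mysqld_effective_root(files, 3);
}

int sample_with_home(void)
{
    const char *const files[] = { ETC_CNF, DATADIR_CNF, HOME_CNF };
    return mysqld_effective_root(files, 3);
}

int main(void)
{
    printf("DATADIR/my.cnf sets root: %d\n", mycnf_user_setting(DATADIR_CNF));
    printf("effective root, no ~/.my.cnf: %d\n", sample_without_home());
    printf("effective root, with ~/.my.cnf: %d\n", sample_with_home());
    return 0;
}
```

Run against the real option files, a result of 1 for DATADIR/my.cnf is the condition to investigate, along with who is able to write to that directory.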

    5. PHP-Nuke Multiple SQL Injection Vulnerabilities
    BugTraq ID: 7031
    Remote: Yes
    Date Published: Mar 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7031
    Summary:

    PHP-Nuke is a web-based portal system. Implemented in PHP, it is
    available for a range of systems, including Unix, Linux, and Microsoft
    Windows.

    Multiple SQL injection vulnerabilities were reported in the
    'Members_List' and 'Your_Account' modules of PHP-Nuke. This is due to
    insufficient sanitization of externally supplied data which is used to
    construct SQL queries. This data may be supplied via URI parameters in
    requests for certain module functions. A remote attacker may take
    advantage of these issues to inject malicious data into SQL queries,
    possibly resulting in modification of query logic.

    The consequences may vary depending on the particular database
    implementation and the nature of the specific queries. At the very
    least, it is possible to compromise the PHP-Nuke web portal. SQL
    injection also makes it possible, under some circumstances, to exploit
    vulnerabilities that may exist in the database implementation.

    This BID will be divided into separate BIDs for each distinct issue and
    retired when further analysis of these vulnerabilities is complete.

    6. NetScreen ScreenOS Loss of Configuration Vulnerability
    BugTraq ID: 7042
    Remote: Yes
    Date Published: Mar 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7042
    Summary:

    NetScreen is a line of Internet security appliances integrating firewall,
    VPN and traffic management features. ScreenOS is the software used to
    manage and configure the firewall. NetScreen supports Microsoft Windows
    95, 98, ME, NT and 2000 clients.

    Under certain circumstances, the device may lose its configuration during
    periods of heavy load.

    When the configuration is lost, the device will revert to its factory
    configuration settings, which reject all inbound traffic on the
    untrusted interface. At the same time, the device will NAT all traffic
    on the trusted interface to the untrusted interface. The external
    network will not be accessible to the internal network since the device
    no longer has a default route defined. This results in a denial of
    service to external hosts requiring access to resources behind the device
    and internal hosts requiring access to resources on the external network.

    In addition, if the default settings are considered insecure, this
    condition may result in an exposure.

    7. DeleGate HTTP Proxy Robot.TXT User-Agent: Buffer Overflow Vulnerability
    BugTraq ID: 7054
    Remote: Yes
    Date Published: Mar 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7054
    Summary:

    DeleGate is an open source proxy server developed by Yutaka Sato.
    DeleGate allows for proxying of several application protocols, including
    HTTP. It is available for multiple platforms, including Microsoft
    Windows and Unix and Linux variants.

    The DeleGate HTTP Proxy component is prone to a remotely exploitable
    buffer overflow vulnerability. This is due to insufficient bounds
    checking of User-Agent: fields in remote 'robot.txt' files. It is
    reported that it is possible to trigger this issue by specifying multiple
    lines of User-Agent: data in the file, which will cause an internal array
    of pointers to be overflowed with attacker-supplied data. This will
    occur when a malicious 'robot.txt' file is retrieved via the proxy.

    Successful exploitation may result in execution of malicious code in the
    security context of the DeleGate proxy server.

    This issue was reported in DeleGate versions 8.3.4 and 8.4.0. Other
    versions may also be affected.
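
The bounds check this item says was missing, as an added example that is not DeleGate's code and not part of the original newsletter: a small parser that records a pointer for each User-Agent: line and refuses entries once its fixed array is full. The capacity `MAX_AGENTS`, the `struct robots` layout and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_AGENTS 8 /* assumed capacity, not DeleGate's real value */

struct robots {
    const char *agent[MAX_AGENTS]; /* start of each User-Agent value */
    size_t count;                  /* entries stored */
    size_t dropped;                /* entries refused: array already full */
};

/* Case-insensitive test for a "User-Agent:" field name at p. */
static int is_user_agent(const char *p)
{
    static const char name[] = "user-agent:";
    for (size_t i = 0; name[i]; i++)
        if (tolower((unsigned char)p[i]) != name[i])
            return 0; /* also stops at the terminating NUL of p */
    return 1;
}

/* Returns 0 if every User-Agent line fit, -1 if any had to be dropped. */
int robots_parse(const char *text, struct robots *r)
{
    memset(r, 0, sizeof *r);
    for (const char *line = text; *line; ) {
        const char *p = line;
        while (*p == ' ' || *p == '\t') p++;
        if (is_user_agent(p)) {
            p += strlen("user-agent:");
            while (*p == ' ' || *p == '\t') p++;
            /* The unchecked pattern would be: r->agent[r->count++] = p;
             * which writes past agent[] once the file has enough lines. */
            if (r->count < MAX_AGENTS)
                r->agent[r->count++] = p;
            else
                r->dropped++;
        }
        line += strcspn(line, "\n");
        if (*line == '\n') line++;
    }
    return r->dropped ? -1 : 0;
}

/* Constructed input: n User-Agent lines followed by one Disallow rule. */
struct robots parse_constructed(int n)
{
    static char buf[4096];
    size_t off = 0;
    for (int i = 0; i < n && off < sizeof buf - 64; i++)
        off += (size_t)snprintf(buf + off, sizeof buf - off,
                                "User-Agent: bot%d\n", i);
    snprintf(buf + off, sizeof buf - off, "Disallow: /private\n");

    struct robots r;
    robots_parse(buf, &r);
    return r;
}

int main(void)
{
    struct robots few = parse_constructed(3);
    struct robots many = parse_constructed(20);
    printf("3 lines:  stored=%zu dropped=%zu\n", few.count, few.dropped);
    printf("20 lines: stored=%zu dropped=%zu\n", many.count, many.dropped);
    return 0;
}
```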

    8. Multiple PHP-Nuke Forums/Private_Messages SQL Injection Vulnerabilities
    BugTraq ID: 7060
    Remote: Yes
    Date Published: Mar 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7060
    Summary:

    PHP-Nuke is a web-based portal system. Implemented in PHP, it is
    available for a range of systems, including Unix, Linux, and Microsoft
    Windows.

    Multiple SQL injection vulnerabilities were reported in the Forums
    scripts and 'Private_Messages' module of PHP-Nuke. This is due to
    insufficient sanitization of externally supplied data which is used to
    construct SQL queries. This data may be supplied via URI parameters in
    requests for certain functions. A remote attacker may take advantage of
    these issues to inject malicious data into SQL queries, possibly
    resulting in modification of query logic.

    The consequences may vary depending on the particular database
    implementation and the nature of the specific queries. At the very
    least, it is possible to compromise the PHP-Nuke web portal. SQL
    injection also makes it possible, under some circumstances, to exploit
    vulnerabilities that may exist in the database implementation.

    This BID will be divided into separate BIDs for each distinct issue and
    retired when further analysis of these vulnerabilities is complete.

    9. SaveMyModem Statusbar_Set_Text Buffer Overflow Vulnerability
    BugTraq ID: 7068
    Remote: Yes
    Date Published: Mar 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7068
    Summary:

    SaveMyModem is mail filtering software. It is available for Microsoft
    Windows and Unix and Linux platforms.

    SaveMyModem is prone to a buffer overflow in the 'statusbar_set_text'
    function. In some instances, this function will be called with
    externally supplied data, such as when messages are processed. The
    vulnerable function includes a call to vsnprintf(), specifying a source
    buffer that is much larger than the destination buffer.

    When the vulnerable function is called with externally supplied data, it
    may be possible to corrupt sensitive regions of data. This may
    potentially occur if a message is processed with an excessively long
    subject.

    Successful exploitation will result in code execution in the context of
    the SaveMyModem process.
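
The size mismatch described in this item, as an added example that is not SaveMyModem's code and not part of the original newsletter: vsnprintf() only protects the destination when its size argument is the destination's own size. The buffer size `STATUS_LEN` and the names `statusbar_set_text_checked`, `statusbar_text` and `set_long_subject` are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define STATUS_LEN 64 /* assumed size of the destination buffer */

static char status_text[STATUS_LEN];

/*
 * The flawed pattern passes a size that belongs to some other, larger
 * buffer, so vsnprintf() is allowed to write past the destination:
 *     vsnprintf(status_text, 4096, fmt, ap);
 */

#if defined(__GNUC__)
/* Lets the compiler check callers' format strings against their arguments. */
int statusbar_set_text_checked(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));
#endif

/* Returns 0 if the text fit, 1 if it was truncated, -1 on a format error. */
int statusbar_set_text_checked(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* Size is taken from the destination itself, never from the source. */
    int n = vsnprintf(status_text, sizeof status_text, fmt, ap);
    va_end(ap);
    if (n < 0) {
        status_text[0] = '\0';
        return -1;
    }
    return (size_t)n >= sizeof status_text;
}

const char *statusbar_text(void)
{
    return status_text;
}

/* Constructed input: a subject of len 'A' characters. Returns the stored length. */
size_t set_long_subject(size_t len)
{
    static char subject[1024];
    if (len >= sizeof subject) len = sizeof subject - 1;
    memset(subject, 'A', len);
    subject[len] = '\0';
    statusbar_set_text_checked("Subject: %s", subject);
    return strlen(status_text);
}

int main(void)
{
    int t = statusbar_set_text_checked("Checking message %d of %d", 3, 10);
    printf("truncated=%d text=\"%s\"\n", t, statusbar_text());
    printf("500-char subject stored as %zu bytes\n", set_long_subject(500));
    return 0;
}
```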

    10. Microsoft Windows XP Safe Mode Policy Bypass Weakness
    BugTraq ID: 7046
    Remote: No
    Date Published: Mar 07 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7046
    Summary:

    Microsoft Windows allows users to start the operating system in "Safe
    Mode" to allow troubleshooting of configuration settings and device
    driver conflicts.

    The Microsoft Knowledgebase states that only members of the local
    Administrators group are able to log in to a system that has been started
    in Safe Mode.

    When the Windows XP "Welcome Screen" is enabled, it is possible for
    unprivileged users to log into the system when it is started in Safe
    Mode. Normally in Safe Mode with the Welcome Screen enabled, only the
    names of administrative accounts are visible. If the user holds down the
    left CTRL and ALT keys and presses delete twice, the normal login prompt
    will be displayed. At this point, an unprivileged user can log in to the
    system in Safe Mode.

    11. PHPPing Remote Command Execution Vulnerability
    BugTraq ID: 7030
    Remote: Yes
    Date Published: Mar 06 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7030
    Summary:

    PHPPing is a PHP script designed to test to see whether hosts are alive
    on a network. It is designed to be used in a networked Microsoft Windows
    environment.

    A vulnerability has been reported in PHPPing that may allow remote
    attackers to execute commands on vulnerable systems.

    The vulnerability exists in the index.php script file. Specifically, the
    variable $cible is not properly sanitized of malicious shell
    metacharacters. An attacker can exploit this vulnerability by executing
    the PHPPing script and including malicious shell metacharacters as values
    for the $cible parameter.

    This vulnerability was reported for PHPPing 0.1.

    12. Opera Long Filename Download Buffer Overrun Vulnerability
    BugTraq ID: 7056
    Remote: Yes
    Date Published: Mar 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7056
    Summary:

    Opera is a web browser available for a number of platforms, including
    Microsoft Windows, Linux and Unix variants and Apple MacOS.

    A vulnerability has been discovered in various versions of Opera on the
    Microsoft Windows platform.

    When specific types of files are downloaded by Opera, the transfer is
    displayed within a 'Download Dialog'. Due to insufficient bounds checking
    when processing the requested filename, it may be possible for memory to
    be corrupted.

    Specifically, when a filename is to be displayed within the 'Download
    Dialog' the type of file must be verified. When this occurs, the filename
    in question is copied into a static buffer on the stack.

    By hosting a downloadable file containing a name of excessive length, it
    may be possible for an attacker to overwrite sensitive memory locations
    within Opera. Successful exploitation of this issue would result in the
    execution of arbitrary attacker-supplied commands.

    It should be noted that this issue affects Opera versions 6 and 7 on the
    Microsoft Windows platform.

    13. Microsoft Internet Explorer .MHT File Buffer Overflow Vulnerability
    BugTraq ID: 7057
    Remote: Yes
    Date Published: Mar 10 2003 12:00AM
    Relevant URL:
    http://www.securityfocus.com/bid/7057
    Summary:

    Microsoft Internet Explorer allows a web page and all content embedded
    within to be saved in a Web Archive format using Multipurpose Internet
    Mail Extension HTML (MHTML) format. This format saves the entire page
    and all the embedded content as a single .mht file.

    The .mht files are encoded and decoded by the inetcomm.dll component.
    This component does not appear to perform sufficient bounds checking on
    the .mht files.

    If encoded data within the .mht file is designated as executable or the
    Content-Type is not defined and has a single word 'MZP' encoded within, a
    buffer will be overrun and Internet Explorer will fail. If the encoded
    content begins with 'TvPQ' it will be interpreted by Internet Explorer as
    a Win32 executable file, but inetcomm.dll will decode it as plain text
    data and assign a small buffer to the data.

    Internet Explorer creates a stream for the executable file with a smaller
    buffer than is required by the Base64 decoder. This results in the
    buffer being overrun and Internet Explorer failing. The EIP register may
    also be overwritten, potentially allowing for execution of arbitrary code
    within the security context of Internet Explorer.

    The Web Archive feature was introduced in Internet Explorer 5, therefore
    earlier versions are not affected. Outlook Express must be installed in
    order to obtain the Web Archive functionality through Internet Explorer.

    Applications that use Internet Explorer to render HTML content, such as
    Outlook and Outlook Express, may also be indirectly vulnerable. An HTML
    email message containing a malicious .mht file would be executed by
    Internet Explorer.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. SQL Service Pack doesn't upgrade SQL Server (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314825

    2. Exchange/MAPI/RPC (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314807

    3. DisableIPSourceRouting registry key (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314667

    4. SecurityFocus Microsoft Newsletter #128 (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314565

    5. AW: Exchange/MAPI/RPC (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314561

    6. SV: DisableIPSourceRouting registry key (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314493

    7. Worm.Dvldr analysis report (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314519

    8. Article Announcement: Cryptographic Filesystems: Design and Implementation (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314351

    9. Free SQL chapter available on www.SpecialOpsSecurity.com (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314324

    10. AD replication - IP site to site encryption? (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314292

    11. User rights on Terminal Services (Thread)
    Relevant URL:

    http://online.securityfocus.com/archive/88/314294

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. EverLink SRAC Gateway
    by Anyware Technology
    Platforms: N/A
    Relevant URL:
    http://www.anywareusa.com/products/srac_gateway.htm
    Summary:

    EverLink SRAC Gateway is a high performance network appliance that
    integrates many security technologies into a simple network device.
    Operating at the application layer, the Gateway allows enterprises to
    build a fully secured Virtual Private Network as easily as PLUG AND PLAY. By
    incorporating all authentication methods, including PKI and dynamic
    password, the Gateway provides the most thorough check of a user's
    identity. For those who have installed VPNs, the Gateway provides
    enterprises with significant added functionalities and security features
    to instantly accommodate mobile users anywhere in the world.

    2. iChain
    by Novell
    Platforms: N/A
    Relevant URL:
    http://www.novell.com/products/ichain/
    Summary:

    iChain provides identity-based web security services that control access
    to application and network resources across technical and organizational
    boundaries, as one Net.

    3. NetOp Remote Control
    by CrossTec Corporation
    Platforms: DOS, Linux, OS/2, Windows 2000, Windows 95/98, Windows CE,
    Windows NT, Windows XP
    Relevant URL:
    http://www.crossteccorp.com/netopremote/index.html
    Summary:

    With New NetOp Remote Control v7.5 you can easily reach any Windows,
    Linux, Sun Solaris or legacy OS/2 and DOS PC from your desktop or even
    via any Internet connected PC via our new IE browser Guest. View the
    remote PC's screen, control its keyboard and mouse, synchronize files,
    inventory its hardware and software, launch applications or chat with
    someone at the remote PC -- just as if you were seated at that computer.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    -------------------------------------
    1. WaveLock v1.0
    by SecureWave http://www.securewave.com
    Relevant URL:
    http://www.securewave.com/products/free_utilities/wavelock.html
    Platforms: Windows 2000, Windows NT, Windows XP
    Summary:

    Windows 2000 and Windows XP come with drivers for several wireless LAN
    ("WLAN") adapters; installation requires only insertion of one of those
    adapters. Administrative privileges are not required, as no new drivers
    must be registered with the operating system. WaveLock assists in
    enforcing security policies by blocking access to these adapters, making
    it harder to circumvent firewalls, filters, proxies, and other required
    safeguards.

    To install WaveLock, download and uncompress wavelock.zip. Execute the
    resulting wavelock.msi file (a Windows Installer setup), which installs
    wavelock.sys. Reboot to load and activate WaveLock.

    A list of the wireless network adapters supported out-of-the-box on
    Windows 2000 and Windows XP can be found below. Note that WaveLock cannot
    know about and will therefore not block additional drivers installed by
    administrators.

    2. NtDump v1
    by Ben Maurer bmaurer@users.sf.net
    Relevant URL:
    http://ntdump.sourceforge.net/
    Platforms: Windows 2000, Windows NT
    Summary:

    NtDump allows the dumping of password hashes and LSA secrets on Windows
    NT computers. NtDump is small so as to reduce network traffic. It is also
    able to run in a batch mode in which it can dump from multiple computers
    with maximum performance.

    3. SMAC v1.0
    by KLC Consulting Security Team
    Relevant URL:
    http://www.klcconsulting.net/smac/
    Platforms: Windows 2000, Windows XP
    Summary:

    SMAC is a free GUI tool which allows users to change the MAC address for
    almost any Network Interface Card (NIC) on Windows 2000 and XP
    systems, whether the manufacturers allow this option or not.

    SMAC does not change the hardware burned-in MAC addresses. It is not
    necessary. SMAC changes the "software based" MAC addresses on Windows
    2000 & XP systems, and the new MAC addresses you set will persist across
    reboots.

    VI. SPONSOR INFORMATION
    -----------------------
    This Issue is Sponsored By: NetIQ
