SecurityFocus Microsoft Newsletter #156

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 09/30/03

    Date: Tue, 30 Sep 2003 07:05:24 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>
    
    

    SecurityFocus Microsoft Newsletter #156
    ----------------------------------------
    This Issue is Sponsored By: AirDefense

    *** Technical White Paper - Wireless LAN Layers of Security ***

    Gartner & other industry experts suggest a layered approach for security &
    management of wireless LANs:
    * Secure WLAN Devices - Lock-down & secure access points & laptops
    * Secure Communication - Encryption & Authentication for data integrity
    * Network Monitoring - Detect rogues, block intruders & enforce policy

    Click here to request this complimentary technical white paper.
    http://www.securityfocus.com/sponsor/AirDefense_sf-news_030922
    ------------------------------------------------------------------------

    I. FRONT AND CENTER
         1. Exploiting Cisco Routers (Part One)
         2. Intrusion Detection Terminology (Part Two)
         3. The Subpoenas are Coming!
         4. Lost in Translation
         5. SPECIAL ANNOUNCEMENT
    II. MICROSOFT VULNERABILITY SUMMARY
         1. IBM DB2 Discovery Service UDP Denial Of Service Vulnerabilit...
         2. ColdFusionMX Error Handler Pages Cross-Site Scripting Vulner...
         3. Microsoft BizTalk Server Documentation/WebDAV Weak Permissio...
         4. myPHPNuke auth.inc.php SQL Injection Vulnerability
         5. Imatix Xitami Long Header Denial Of Service Vulnerability
         6. Multiple Plug And Play Web Server FTP Service Command Handle...
         7. Speak Freely Show Your Face Malformed Gif Denial Of Service ...
         8. Speak Freely Spoofed UDP Packet Flood Remote Denial Of Servi...
         9. NetUP UTM Web Interface Session ID SQL Injection Vulnerabili...
         10. NetUP UTM Web Interface utm_stat Script SQL Injection Vulner...
         11. NetUp UTM Web Interface Local Privilege Escalation Vulnerabi...
         12. wzdftpd Login Remote Denial of Service Vulnerability
         13. Mondosoft MondoSearch MsmSetup.exe ASP Code Injection Vulner...
         14. BRS WebWeaver Long URL Request Logging Failure Weakness
         15. Comment Board HTML Injection Vulnerabilities
         16. yMonda Thread-IT Multiple Fields HTML Injection Vulnerabilit...
         17. Thread-ITSQL HTML Injection Vulnerabilities
         18. Software602 602Pro LAN SUITE 2003 Sensitive User Information...
         19. Software602 602Pro LAN SUITE 2003 Directory Traversal Vulner...
         20. WodFTPServer FTP Command Buffer Overflow Vulnerability
         21. Software602 602Pro LAN SUITE 2003 Multiple Remote Vulnerabil...
    III. MICROSOFT FOCUS LIST SUMMARY
         1. Blocking and allowing ActiveX (Thread)
         2. Vulnerability scanner for SQL injection, HTML injec... (Thread)
         3. IPsec vs any personal software firewall (Thread)
         4. Vulnerability scanner for SQL injection, HTML injec... (Thread)
         5. Blank passwords, TsInternetUser added to Administrat... (Thread)
         6. Disabling Internet Explorer "Save my password" check... (Thread)
         7. SecurityFocus Microsoft Newsletter #155 (Thread)
         8. Disabling Internet Explorer "Save my password" check... (Thread)
    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
         1. Sophos Anti-Virus
         2. East-Tec Eraser 2003 v4.0
         3. Enterprise Manager
         4. ZoneAlarm Pro 4.0
         5. ActiveScout Enterprise
         6. Immunity CANVAS
    V. NEW TOOLS FOR MICROSOFT PLATFORMS
         1. borZoi v1.0.2
         2. Shishi v0.0.7
         3. Glub Tech Secure FTP v2.0.9.2
         4. Bugs Dynamic Cryptography v4.1.1
         5. East-Tec Eraser v4.0
         6. John the Ripper v1.6.35(dev)
    VI. SPONSOR INFORMATION

    I. FRONT AND CENTER
    -------------------
    1. Exploiting Cisco Routers (Part One)
    By Mark Wolfgang

    This is the first of a three-part series that will focus on identifying
    and then exploiting vulnerabilities and poor configurations in Cisco
    routers.

    http://www.securityfocus.com/infocus/1734

    2. Intrusion Detection Terminology (Part Two)
    By Andy Cuff

    This is the second and final part of the series that discusses IDS
    terminology, including terms where there may be disagreement from within
    the security community.

    http://www.securityfocus.com/infocus/1733

    3. The Subpoenas are Coming!
    By Mark Rasch

    Citing a provision of the Patriot Act, the FBI is sending letters to
    journalists telling them to secretly prepare to turn over their notes, e-
    mails and sources to the bureau. Should we throw out the First Amendment
    to nail a hacker?

    http://www.securityfocus.com/columnists/187

    4. Lost in Translation
    By Tim Mullen

    We spend money, increase administration, and take away functionality. Is
    it any wonder that security people are so misunderstood?

    http://www.securityfocus.com/columnists/186

    5. SPECIAL ANNOUNCEMENT

    We are pleased to announce that The Basics infocus area has been renamed
    to Foundations, in order to accommodate a wider range of security-related
    articles that are not necessarily basic, but do not fit into one of the
    seven other infocus areas either.

    http://www.securityfocus.com/foundations

    II. MICROSOFT VULNERABILITY SUMMARY
    -----------------------------------
    1. IBM DB2 Discovery Service UDP Denial Of Service Vulnerabilit...
    BugTraq ID: 8653
    Remote: Yes
    Date Published: Sep 19 2003
    Relevant URL: http://www.securityfocus.com/bid/8653
    Summary:
    IBM DB2 is a commercial relational database implementation that is
    available for a number of operating systems including Microsoft Windows
    and Unix/Linux variants.

    IBM DB2 includes a Discovery Service that is used to locate other
    databases on the network. By default, this service listens on UDP port
    523.

    The IBM DB2 Discovery Service is prone to denial of service attacks. The
    service expects to receive messages of a certain size. If a UDP packet
    larger than 20 bytes is received by the service, it will shut down. The
    "DB2 - DB2DAS00" service must then be restarted to regain normal
    functionality.

    2. ColdFusionMX Error Handler Pages Cross-Site Scripting Vulner...
    BugTraq ID: 8660
    Remote: Yes
    Date Published: Sep 19 2003
    Relevant URL: http://www.securityfocus.com/bid/8660
    Summary:
    ColdFusion MX is the application server for developing and hosting
    infrastructure distributed by Macromedia. It is available as a standalone
    product for Unix, Linux, and Microsoft Operating Systems.

    ColdFusionMX has been reported prone to a cross-site scripting
    vulnerability under some circumstances.

    The issue has been reported to present itself in web sites that use the
    default ColdFusionMX Site-Wide Error Handler page; the default ColdFusionMX
    Missing Template Handler has additionally been reported vulnerable.

    The vendor has reported that an HTTP header containing malicious content
    in the 'referer' field may be used as an attack vector to inject malicious
    content into the aforementioned error handler pages of ColdFusionMX.

    This vulnerability may be exploited by malicious attackers, to execute
    arbitrary HTML or Script code in the context of the affected site, in the
    browsers of unsuspecting users.

    This vulnerability has been reported to affect ColdFusion MX 6.0, 6.1 (all
    editions), 6.0 J2EE (all editions), 6.1 J2EE (all editions), and ColdFusion
    5.0 and prior versions.

    3. Microsoft BizTalk Server Documentation/WebDAV Weak Permissio...
    BugTraq ID: 8661
    Remote: Yes
    Date Published: Sep 19 2003
    Relevant URL: http://www.securityfocus.com/bid/8661
    Summary:
    Microsoft BizTalk Server 2002 allows application integration, process
    automation, and is capable of receiving documents through HTTP, SMTP, and
    SOAP.

    A vulnerability has been reported to exist in the software that may allow
    unauthorized modification and replacement of HTML and XML files on the
    server.

    The problem is reported to exist in two virtual directories installed by
    default. Microsoft BizTalk Server installs and configures the following
    virtual directories in IIS: BizTalkServerDocs and BizTalkServerRepository.
    BizTalkServerDocs is used to store server documentation and
    BizTalkServerRepository is a WebDAV repository for XML files.

    It has been reported that the software grants full privileges to the users
    group on the following folders: "...\Microsoft BizTalk
    Server\Documentation\" and "...\Microsoft BizTalk
    Server\BizTalkServerRepository\". Due to these weak permissions it may be
    possible for an attacker to replace or modify HTML documents in
    BizTalkServerDocs and XML files in BizTalkServerRepository with
    attacker-supplied arbitrary files.

    4. myPHPNuke auth.inc.php SQL Injection Vulnerability
    BugTraq ID: 8663
    Remote: Yes
    Date Published: Sep 20 2003
    Relevant URL: http://www.securityfocus.com/bid/8663
    Summary:
    myPHPNuke is a Web Portal System based on PHP-Nuke 4.4.1a. It is available
    for the Linux and Microsoft Windows operating systems.

    A vulnerability has been reported to exist in myPHPNuke that may allow a
    remote attacker to inject malicious SQL syntax into database queries. The
    source of this issue is insufficient sanitization of user-supplied input.

    The problem is reported to exist in the $aid variable contained within the
    auth.inc.php module. It has been reported that the user-supplied value of
    $aid is not sanitized before it is included in a database query. A remote
    attacker may exploit this issue to influence SQL query logic.

    A malicious user may influence database queries in order to view or modify
    sensitive information, potentially compromising the software or the
    database.

    myPHPNuke version 1.8.8 has been reported to be prone to this issue,
    however other versions may be affected as well.

    5. Imatix Xitami Long Header Denial Of Service Vulnerability
    BugTraq ID: 8665
    Remote: Yes
    Date Published: Sep 22 2003
    Relevant URL: http://www.securityfocus.com/bid/8665
    Summary:
    Xitami is a web server product that is available for Microsoft Windows and
    other platforms.

    Xitami is prone to a denial of service vulnerability. This condition is
    known to occur when a .shtm file is requested with an overly long HTTP
    header. In particular, a header that is greater than or equal to 5154
    bytes followed by a colon (:) will trigger this condition. Exploitation
    will cause a runtime error in XIWIN32.EXE, resulting in a server crash.
    The server will need to be restarted to regain normal functionality.

    The server crash may be the result of a boundary condition error, though
    this has not been confirmed. If this is the case, it may also be possible
    to exploit this issue to execute arbitrary code.

    This vulnerability is reported to affect Xitami on Windows platforms. It
    is not currently known if releases for other platforms are similarly
    affected.

    6. Multiple Plug And Play Web Server FTP Service Command Handle...
    BugTraq ID: 8667
    Remote: Yes
    Date Published: Sep 21 2003
    Relevant URL: http://www.securityfocus.com/bid/8667
    Summary:
    Plug and Play Web Server is a suite of server components, including an FTP
    server, designed to run on Microsoft Windows platforms.

    The Plug and Play Web Server FTP service has been reported prone to
    multiple buffer overflow issues. The issues present themselves when the
    affected FTP service handles FTP command arguments of excessive size. This
    is likely due to insufficient boundary checks performed on FTP commands
    and associated arguments that are issued to the affected server.

    It has been demonstrated that a remote attacker may exploit this condition
    to trigger a denial of service in the affected FTP server. However, due to
    the nature of this vulnerability, although unconfirmed, it has been
    conjectured that a remote attacker may leverage this vulnerability to have
    arbitrary code executed in the context of the vulnerable service.

    Although Plug and Play Web Server version 1.0002c has been reported prone
    to this vulnerability, other versions may also be affected.

    7. Speak Freely Show Your Face Malformed Gif Denial Of Service ...
    BugTraq ID: 8669
    Remote: Yes
    Date Published: Sep 22 2003
    Relevant URL: http://www.securityfocus.com/bid/8669
    Summary:
    Speak Freely is a freely available Internet voice communication
    application. It is available for the Unix, Linux, and Microsoft Windows
    platforms.

    Speak Freely clients may crash when processing malformed GIF images. This
    vulnerability is exposed via the "Show Your Face" feature, which allows
    clients to send images to other clients. In particular, a GIF whose "Image
    width" and "Image height" header fields are too large or equal to zero
    will trigger this issue. When such a malformed "Show Your Face" GIF is
    received and processed by a client, the client will crash.

    Though unconfirmed, this could permit an attacker to corrupt memory with
    specific values, potentially leading to arbitrary code execution.

    This issue is reported to affect Speak Freely on Windows platforms only.
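    The defensive counterpart to the malformed-GIF problem above is to validate
    the header's dimension fields before any pixel buffer is sized from them.
    The following is an added example, not code from Speak Freely or the
    advisory: it parses the GIF signature and logical screen descriptor with
    the standard library and rejects zero or oversized dimensions. The
    MAX_DIMENSION and MAX_PIXELS limits and the make_header helper are
    constructed for the example; the advisory gives no figures.

```python
import struct

# GIF header: 6-byte signature/version followed by the logical screen descriptor
# (width and height as little-endian uint16, packed flags, background index, aspect).
GIF_HEADER = struct.Struct("<6sHHBBB")

# Constructed policy limits for a small "face" image; not taken from the advisory.
MAX_DIMENSION = 2048
MAX_PIXELS = 2048 * 2048


class BadGif(ValueError):
    """Raised for a header that is truncated, not a GIF, or outside policy."""


def parse_gif_dimensions(data):
    """Return (width, height) for a well-formed header within policy, else raise BadGif.

    All checks run before the caller allocates anything proportional to width*height,
    which is the step a zero or huge dimension would otherwise break.
    """
    if len(data) < GIF_HEADER.size:
        raise BadGif("truncated header")
    sig, width, height, _packed, _bg_index, _aspect = GIF_HEADER.unpack_from(data)
    if sig not in (b"GIF87a", b"GIF89a"):
        raise BadGif("not a GIF")
    if width == 0 or height == 0:
        raise BadGif("zero-sized image")
    if width > MAX_DIMENSION or height > MAX_DIMENSION or width * height > MAX_PIXELS:
        raise BadGif("image too large")
    return width, height


def gif_is_acceptable(data):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_gif_dimensions(data)
        return True
    except BadGif:
        return False


def make_header(width, height, version=b"GIF89a"):
    # Constructed helper: builds only the 13-byte header, enough for the dimension check.
    return GIF_HEADER.pack(version, width, height, 0, 0, 0)


if __name__ == "__main__":
    print(parse_gif_dimensions(make_header(64, 48)))   # (64, 48)
    print(gif_is_acceptable(make_header(0, 48)))       # False
    print(gif_is_acceptable(make_header(65535, 65535)))  # False
```

    The same shape of check applies to any length or dimension field read from
    a peer: parse it, bound it, and only then let it drive an allocation.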

    8. Speak Freely Spoofed UDP Packet Flood Remote Denial Of Servi...
    BugTraq ID: 8670
    Remote: Yes
    Date Published: Sep 22 2003
    Relevant URL: http://www.securityfocus.com/bid/8670
    Summary:
    Speak Freely is a freely available Internet voice communication
    application. It is available for the Unix, Linux, and Microsoft Windows
    platforms.

    Speak Freely for Microsoft Windows has been reported prone to a remote
    denial of service vulnerability. The issue presents itself when the Speak
    Freely software handles multiple UDP connections in quick succession that
    have spoofed IP addresses. It has been reported that the software will
    exponentially consume resources until it fails shortly after displaying
    the following error message: "Cannot create transmit socket for host
    (x.x.x.x), error 10055. No buffer space is available".

    It has been reported that this vulnerability may also be exploited on a
    low speed network, due to the low UDP packet size required to trigger the
    issue.

    This vulnerability has been reported to affect Speak Freely versions up to
    and including 7.6a, for Microsoft Windows platforms. The Unix version is
    not reported prone to this issue.

    9. NetUP UTM Web Interface Session ID SQL Injection Vulnerabili...
    BugTraq ID: 8671
    Remote: Yes
    Date Published: Sep 22 2003
    Relevant URL: http://www.securityfocus.com/bid/8671
    Summary:
    NetUp UTM is a billing system for Internet Service Providers (ISP). It
    includes a web interface, which allows users to log in and manage their
    accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
    operating systems.

    A vulnerability has been reported to exist in NetUp UTM that may allow a
    remote attacker to inject malicious SQL syntax into specific database
    queries. The source of this issue is insufficient sanitization of
    user-supplied input.

    The problem is reported to exist in the $sid variable, used to supply the
    current session id. It has been reported that potential control characters
    stored within the $sid variable are not escaped prior to being included
    within a SELECT statement. As a result, an attacker may be capable of
    hijacking a user's session by supplying malicious SQL data within a request
    to the NetUp UTM web interface. This could be accomplished by including
    commands designed to escape the context of the expected data and influence
    the logic of the query.

    Successful exploitation of this issue could allow an attacker to gain
    access to the account of another user who has an active session. It
    should be noted that a malicious user might also be capable of influencing
    database queries in order to view or modify sensitive information,
    potentially compromising the software or underlying database.

    10. NetUP UTM Web Interface utm_stat Script SQL Injection Vulner...
    BugTraq ID: 8672
    Remote: Yes
    Date Published: Sep 22 2003
    Relevant URL: http://www.securityfocus.com/bid/8672
    Summary:
    NetUp UTM is a billing system for Internet Service Providers (ISP). It
    includes a web interface, which allows users to log in and manage their
    accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
    operating systems.

    A vulnerability has been reported to exist in NetUp UTM that may allow a
    remote attacker to inject malicious SQL syntax into specific database
    queries. The source of this issue is insufficient sanitization of
    user-supplied input.

    The problem is reported to exist when handling data passed to the
    'utm_stat' script. It has been reported that potential control characters
    stored within variables passed to this script are not escaped prior to
    being included within various SQL queries. As a result, an attacker may
    be capable of modifying sensitive attributes of their user account. This
    may include current money balance and bill status. It may also be possible
    to influence the configuration behavior of the server, potentially making
    it possible to execute arbitrary shell commands with 'nobody' privileges.

    This could be accomplished by including commands designed to escape the
    context of the expected data and influence the logic of the query.

    It should be noted that the implications of this vulnerability may be
    aggravated by the issue described in BID 8671. If used in conjunction,
    these issues may allow an attacker to modify the account data of arbitrary
    ISP users.
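    Items 4, 9 and 10 above share one root cause: a request value ($aid, $sid,
    the utm_stat parameters) is spliced into SQL text without escaping, so
    quote characters in it become part of the query logic. The following added
    example (not code from myPHPNuke, NetUP UTM or the advisories) shows that
    pattern beside its hardened form using sqlite3 from the standard library:
    a session lookup built by string concatenation, and the same lookup that
    first rejects anything not shaped like a session id and then binds the
    value as a parameter. The session table, the 12-hex-digit id format and
    the user names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the advisories): two users with active sessions.
SAMPLE_SESSIONS = [
    ("a1b2c3d4e5f6", "alice"),
    ("0f9e8d7c6b5a", "bob"),
]

# Constructed policy: a valid session id is exactly 12 lowercase hex digits.
SID_RE = re.compile(r"[0-9a-f]{12}")


def build_db():
    """In-memory table standing in for the billing system's session store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SAMPLE_SESSIONS)
    return conn


def user_for_sid_vulnerable(conn, sid):
    # The pattern the advisories describe: the session id is spliced into the
    # SELECT text unescaped, so a quote in it ends the string literal and the
    # rest of the value is interpreted as SQL.
    query = "SELECT username FROM sessions WHERE sid = '" + sid + "'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def user_for_sid_hardened(conn, sid):
    # Reject anything that is not shaped like a session id before touching the
    # database, then bind the value as a parameter so it can only ever be data.
    if not SID_RE.fullmatch(sid):
        return None
    row = conn.execute("SELECT username FROM sessions WHERE sid = ?", (sid,)).fetchone()
    return row[0] if row else None


def compare(sid):
    """Run both lookups on the same input and report what each returns."""
    conn = build_db()
    try:
        return {
            "vulnerable": user_for_sid_vulnerable(conn, sid),
            "hardened": user_for_sid_hardened(conn, sid),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("a1b2c3d4e5f6"))   # both lookups return 'alice'
    print(compare("' OR '1'='1"))     # vulnerable returns a user anyway; hardened returns None
```

    The format check is not a substitute for parameter binding; it is the
    cheap first gate, and binding is what guarantees the value cannot change
    the query's structure whatever it contains.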

    11. NetUp UTM Web Interface Local Privilege Escalation Vulnerabi...
    BugTraq ID: 8673
    Remote: No
    Date Published: Sep 22 2003
    Relevant URL: http://www.securityfocus.com/bid/8673
    Summary:
    NetUp UTM is a billing system for Internet Service Providers (ISP). It
    includes a web interface, which allows users to log in and manage their
    accounts. It is available for the Linux, FreeBSD, and Microsoft Windows
    operating systems.

    A vulnerability has been discovered in NetUP UTM that may allow a user who
    is capable of executing code locally to gain elevated privileges. The
    problem occurs because the 'nobody' user's sudoers entry allows the use of
    the '/bin/mv' utility with root privileges. As a result, a malicious user
    with 'nobody' privileges may be capable of gaining root privileges on a
    target system.

    The implications of this vulnerability may be aggravated by the issues
    described in BID 8671 and BID 8672. If used in conjunction with these
    issues, an unauthorized remote attacker may be capable of gaining root
    privileges on a target system.

    12. wzdftpd Login Remote Denial of Service Vulnerability
    BugTraq ID: 8678
    Remote: Yes
    Date Published: Sep 23 2003
    Relevant URL: http://www.securityfocus.com/bid/8678
    Summary:
    wzdftpd is an FTP server implementation that is available for the Unix,
    Linux, and Microsoft Windows platforms.

    A vulnerability has been reported to exist in the software that may allow
    a remote attacker to cause a denial of service condition. The issue
    presents itself when a remote attacker sends a single CRLF character to
    the program during the login process. The attack may cause the software
    to act in an unstable manner.

    This issue occurs due to improper sanitizing of user-supplied input and a
    successful attack may allow a remote attacker to cause the vulnerable
    process to crash.

    wzdftpd version 0.1rc5 has been reported to be prone to this
    vulnerability, however other versions across various platforms may be
    affected as well.

    13. Mondosoft MondoSearch MsmSetup.exe ASP Code Injection Vulner...
    BugTraq ID: 8684
    Remote: Yes
    Date Published: Sep 24 2003
    Relevant URL: http://www.securityfocus.com/bid/8684
    Summary:
    MondoSearch is a Microsoft .NET based search engine utility that allows
    users to integrate search features into their websites.

    A vulnerability is reported to exist in MondoSearch that may allow a
    remote attacker to inject arbitrary ASP code to be executed on a host
    running a vulnerable version of the software. The issue is reported to
    present itself when a malicious string value is sent to the MsmSetup.exe
    module of the software. Although complete details are unavailable at the
    moment, this issue may potentially be exploited by passing malicious input
    via a vulnerable URI parameter.

    Successful exploitation of this issue may allow an attacker to execute
    arbitrary code in the context of the server hosting the software.

    Mondosoft MondoSearch versions 4.4, 5.0, and 5.1 are reported to be prone
    to this issue, however other versions may be affected as well.

    14. BRS WebWeaver Long URL Request Logging Failure Weakness
    BugTraq ID: 8690
    Remote: Yes
    Date Published: Sep 24 2003
    Relevant URL: http://www.securityfocus.com/bid/8690
    Summary:
    BRS WebWeaver is a small personal web server available for the Microsoft
    Windows operating systems.

    A problem has been reported in the logging of some types of requests to
    BRS WebWeaver. Because of this, an attacker may be able to launch an
    unrecorded denial of service against vulnerable hosts.

    The problem is in the handling of requests of excessive length. When an
    attacker places a request for a URI that exceeds the length limitations
    imposed by WebWeaver, the program correctly returns a 414 error, as
    defined in RFC specifications. However, the program does not log the
    request.

    15. Comment Board HTML Injection Vulnerabilities
    BugTraq ID: 8691
    Remote: Yes
    Date Published: Sep 24 2003
    Relevant URL: http://www.securityfocus.com/bid/8691
    Summary:
    Comment Board is a web-based application that is implemented in ASP and
    available for Microsoft Windows operating systems.

    Comment Board is prone to a number of HTML injection issues. In
    particular, when users submit comments, input supplied via the Topic
    Title, Name and Message form fields will not be adequately sanitized of
    HTML and script code. Remote attackers could exploit this issue to inject
    hostile HTML and script into the site hosting the software, which could be
    rendered in the browsers of users visiting the site.

    These issues will permit the attacker to execute hostile code in the
    context of the site hosting the software. This will allow for theft of
    cookie-based authentication credentials, which could lead to hijacking of
    user and administrative sessions. This issue will also allow an attacker
    to influence how a vulnerable site is rendered to the user, allowing for
    content manipulation or other attacks.

    16. yMonda Thread-IT Multiple Fields HTML Injection Vulnerabilit...
    BugTraq ID: 8692
    Remote: Yes
    Date Published: Sep 24 2003
    Relevant URL: http://www.securityfocus.com/bid/8692
    Summary:
    yMonda Thread-IT is an ASP based message board system. The system also
    employs Microsoft Access database.

    A vulnerability has been reported in the software that may allow a remote
    attacker to execute HTML code in a user's browser. The issue is reported
    to be present in the 'Topic Title', 'Name', and 'Message' fields. The
    problem exists due to insufficient sanitization of user-supplied input.
    It may be possible for an attacker to include malicious HTML code in one
    of the vulnerable fields. The injected code could then be interpreted by
    the browser of a user visiting the vulnerable site. This attack would
    occur in the security context of the affected site.

    Successful exploitation of this issue may allow a remote attacker to steal
    cookie-based authentication credentials. Other attacks are possible as
    well.

    Thread-IT version 1.6 and prior may be vulnerable to this issue.

    17. Thread-ITSQL HTML Injection Vulnerabilities
    BugTraq ID: 8698
    Remote: Yes
    Date Published: Sep 24 2003
    Relevant URL: http://www.securityfocus.com/bid/8698
    Summary:
    Thread-ITSQL is a web-based discussion board implemented in ASP and
    available for Microsoft Windows operating systems.

    Thread-ITSQL is prone to a number of HTML injection issues. In
    particular, when users submit messages, input supplied via the Topic
    Title, Name and Message form fields will not be adequately sanitized of
    HTML and script code. Remote attackers could exploit this issue to inject
    hostile HTML and script into the site hosting the software, which could be
    rendered in the browsers of users visiting the site.

    These issues will permit the attacker to execute hostile code in the
    context of the site hosting the software. This will allow for theft of
    cookie-based authentication credentials, which could lead to hijacking of
    user and administrative sessions. This issue will also allow an attacker
    to influence how a vulnerable site is rendered to the user, allowing for
    content manipulation or other attacks.
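    Items 2, 15, 16 and 17 are all the same defect seen from the output side:
    a user-controlled value (a Referer header, a Topic Title, Name or Message
    field) is written into a page without HTML encoding. The following added
    example (not code from Comment Board, Thread-IT, Thread-ITSQL or ColdFusion)
    shows the unescaped concatenation beside a renderer that encodes every
    user-controlled value at output time, in both element-body and attribute
    context, using the standard library's html.escape. The sample post and the
    error-page layout are constructed for the example.

```python
import html

# Constructed sample submission (not from the advisories): the Name field carries
# quotes and the Message field carries a script tag.
SAMPLE_POST = {
    "topic_title": "Board feedback",
    "name": 'Eve "the tester"',
    "message": "Nice board <script>alert(1)</script>",
}


def esc(value):
    # quote=True also encodes " and ', so the result is safe inside an attribute
    # value as well as in element text.
    return html.escape(str(value), quote=True)


def render_post_unsafe(post):
    # Vulnerable pattern: fields are concatenated straight into the markup, so
    # tags and quotes in them become part of the page structure.
    return (
        f"<h2>{post['topic_title']}</h2>"
        f"<p class=\"author\" title=\"{post['name']}\">{post['name']}</p>"
        f"<div class=\"body\">{post['message']}</div>"
    )


def render_post_safe(post):
    # Hardened: every user-controlled value passes through esc() at output time.
    return (
        f"<h2>{esc(post['topic_title'])}</h2>"
        f"<p class=\"author\" title=\"{esc(post['name'])}\">{esc(post['name'])}</p>"
        f"<div class=\"body\">{esc(post['message'])}</div>"
    )


def render_missing_page_safe(referer):
    # The same rule for an error handler that echoes the Referer header (cf. item 2).
    # A missing header is rendered as an empty string rather than "None".
    return f"<p>No such page. You came from: {esc(referer or '')}</p>"


if __name__ == "__main__":
    print(render_post_unsafe(SAMPLE_POST))   # raw <script> tag reaches the page
    print(render_post_safe(SAMPLE_POST))     # &lt;script&gt; renders as text
    print(render_missing_page_safe('"><script>alert(1)</script>'))
```

    Encoding at the point of output, in the context the value lands in, is
    what makes the field contents inert; filtering on input alone leaves every
    other output path unprotected.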

    18. Software602 602Pro LAN SUITE 2003 Sensitive User Information...
    BugTraq ID: 8700
    Remote: Yes
    Date Published: Sep 25 2003
    Relevant URL: http://www.securityfocus.com/bid/8700
    Summary:
    602Pro LAN SUITE 2003 is an all-in-one server application maintained by
    Software602 for Microsoft Windows platforms.

    A problem with the storage of user credentials has been identified in
    Software602 602Pro LAN SUITE 2003. Because of this, an attacker may be
    able to gain access to potentially sensitive information.

    The problem is in the storage of information in plain text files that may
    be reached through the server. Users that log into the webmail interface
    have information such as their user id, IP address, and login time
    recorded in the web-reachable file /mail/S<date>L.LOG, where date is a
    six-digit representation of the day (for example, S030904L.LOG).

    Additionally, LAN SUITE 2003 stores sensitive information in plain text in
    other files. The file Tempdirs.lst maintains a list of the temporary
    directories in use by current webmail users. The MSGlist.mid file is
    created in user temporary directories to hold message ids, and the
    MSGlist.mil file is created to store the username and mailbox number.
    These issues are further aggravated by the issue described in Bugtraq ID
    8701.

    19. Software602 602Pro LAN SUITE 2003 Directory Traversal Vulner...
    BugTraq ID: 8701
    Remote: Yes
    Date Published: Sep 25 2003
    Relevant URL: http://www.securityfocus.com/bid/8701
    Summary:
    602Pro LAN SUITE 2003 is an all-in-one server application maintained by
    Software602 for Microsoft Windows platforms.

    A problem with the handling of directory traversal requests has been
    identified in Software602 602Pro LAN SUITE 2003. Because of this, an
    attacker may be able to gain access to potentially sensitive information.

    The problem is in the handling of dot-dot-slash (../) notation by the
    software. When a user places a request to m602cl3w.exe using its GetFile
    function for a file outside of the web root directory, expressed with
    dot-dot-slash notation, it is possible for an attacker to access that file
    with the privileges of the 602Pro LAN SUITE 2003 user. An attacker can use
    this issue to take advantage of the problems described in the latter part
    of Bugtraq ID 8700.

    This problem may also allow an attacker to gain access to other sensitive
    information on the local host, depending upon configuration.
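    The fix for a GetFile-style handler is to resolve the requested name
    against the web root and refuse anything whose final location lands
    outside it. The following added example (not code from 602Pro LAN SUITE or
    the advisory) implements that containment check with os.path.realpath and
    os.path.commonpath, normalising backslashes first because a Windows client
    may send them, and then exercises it against a constructed directory
    layout. The web root, file names and sample requests are all constructed
    for the example.

```python
import os
import shutil
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the web root."""


def safe_join(web_root, requested):
    """Map a client-supplied path to a file under web_root or raise TraversalError."""
    root = os.path.realpath(web_root)
    # Windows clients may send backslashes; normalise them, then drop any leading
    # slash so the request is always interpreted relative to the root.
    rel = requested.replace("\\", "/").lstrip("/")
    # realpath collapses '..' components and symlinks, so the containment test is
    # made on the final filesystem location rather than on the raw string.
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"request escapes web root: {requested!r}")
    return candidate


def check_requests():
    """Build a constructed layout (web root plus a file beside it) and report,
    for each sample request, whether it would be served, blocked, or not found."""
    base = tempfile.mkdtemp()
    try:
        web_root = os.path.join(base, "webroot")
        os.makedirs(os.path.join(web_root, "mail"))
        with open(os.path.join(web_root, "mail", "index.html"), "w") as f:
            f.write("<p>ok</p>")
        with open(os.path.join(base, "secret.txt"), "w") as f:
            f.write("outside the web root")

        samples = [
            "mail/index.html",          # ordinary request
            "/mail/index.html",         # leading slash, still inside
            "../secret.txt",            # plain traversal
            "mail/../../secret.txt",    # traversal after a valid prefix
            "..\\secret.txt",           # Windows separator
            "mail/missing.html",        # inside the root but absent
        ]
        results = {}
        for req in samples:
            try:
                path = safe_join(web_root, req)
                results[req] = "served" if os.path.isfile(path) else "not found"
            except TraversalError:
                results[req] = "blocked"
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for req, outcome in check_requests().items():
        print(f"{req!r:28} -> {outcome}")
```

    Comparing resolved paths rather than rejecting the substring ".." is what
    also catches encoded or separator-variant forms once the server has decoded
    them, and it keeps the check correct when the web root itself is a symlink.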

    20. WodFTPServer FTP Command Buffer Overflow Vulnerability
    BugTraq ID: 8703
    Remote: Yes
    Date Published: Sep 25 2003
    Relevant URL: http://www.securityfocus.com/bid/8703
    Summary:
    wodFTPServer is a commercially available FTP server software package
    implemented as ActiveX controls and COM objects and distributed by
    WeOnlyDo! Software. It is available for the Microsoft Windows platform.

    A problem in the FTP Server command handling has been identified in
    wodFTPServer. Because of this, an attacker may be able to execute
    arbitrary code, potentially gaining unauthorized access to affected
    systems.

    The problem is in bounds checking on commands issued to the FTP server.
    wodFTPServer does not properly handle long requests, making it possible to
    overwrite sensitive regions of memory within the executing process. This
    could be exploited to gain access to the system using the affected
    software with the privileges of the FTP server process.

    21. Software602 602Pro LAN SUITE 2003 Multiple Remote Vulnerabil...
    BugTraq ID: 8706
    Remote: Yes
    Date Published: Sep 25 2003
    Relevant URL: http://www.securityfocus.com/bid/8706
    Summary:
    602Pro LAN SUITE 2003 is an all-in-one server application maintained by
    Software602 for Microsoft Windows platforms.

    Several vulnerabilities have been identified in Software602 602Pro LAN
    SUITE. These problems may allow a remote user to gain unauthorized
    privileges, and potentially unauthorized access to a system hosting the
    vulnerable software.

    Several problems have been identified to exist:

    1. The message window source discloses information about the design of
    the system. Specifically, one can gather information about the
    installation by viewing the message window source code.

    2. It is possible to delete e-mail belonging to other users. Due to
    insufficient checking of privileges, an attacker can supply the user id of
    a specific user to the "A=DELETEFOLDER" function to destroy files
    belonging to a target user.

    3. It is possible to create arbitrary folders. By supplying an arbitrary
    path and location to the FolderDir parameter, it is possible to create a
    folder in any location on the system.

    4. It is possible to rename folders belonging to other users. By
    supplying the name of an arbitrary folder to rename to in the FolderDir
    parameter, it is possible to rename a specified folder.

    5. A buffer overflow in the CGI handling code exists. By supplying a
    value of 5000 or more characters as a subdirectory to the /mail/
    directory, it is possible to overwrite process memory.

    6. HTTP authorization is vulnerable to a buffer overflow. By supplying a
    username of excessive length to the service, it is possible to overwrite
    sensitive process memory.

    These issues are pending further analysis. When analysis is complete, the
    issues will be divided into separate BIDs.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Blocking and allowing ActiveX (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/339516

    2. Vulnerability scanner for SQL injection, HTML injec... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/339515

    3. IPsec vs any personal software firewall (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/339487

    4. Vulnerability scanner for SQL injection, HTML injec... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/339149

    5. Blank passwords, TsInternetUser added to Administrat... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/338688

    6. Disabling Internet Explorer "Save my password" check... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/338686

    7. SecurityFocus Microsoft Newsletter #155 (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/338502

    8. Disabling Internet Explorer "Save my password" check... (Thread)
    Relevant URL:

    http://www.securityfocus.com/archive/88/338500

    IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
    ----------------------------------------
    1. Sophos Anti-Virus
    By: Sophos
    Platforms: AIX, DOS, FreeBSD, HP-UX, Linux, MacOS, Netware, OS/2, Solaris,
    UNIX, VMS, Windows 3.x, Windows 95/98, Windows NT
    Relevant URL: http://www.sophos.com/products/sav/
    Summary:

    Sophos Anti-Virus is a unique solution to the virus problem, providing
    true cross-platform protection in a single, fully integrated product. The
    network-centric design provides a host of benefits for the protection of
    servers, workstations and portables. Sophos's ground-breaking architecture
    maximises protection, while minimising performance and administrative
    overheads.

    2. East-Tec Eraser 2003 v4.0
    By: EAST Technologies
    Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
    Relevant URL: http://www.east-tec.com/eraser/index.htm
    Summary:

    East-Tec Eraser ("Eraser" in short) is an advanced security application
    for Windows 95/98/Me/NT/2000/XP designed to help you completely eliminate
    sensitive data from your computer and protect your computer and Internet
    privacy.

    Eraser introduces a new meaning for the verb TO ERASE. Erasing a file now
    means wiping its contents beyond recovery, scrambling its name and dates
    and finally removing it from disk. When you want to get rid of sensitive
    files or folders beyond recovery, add them to the Eraser list of doomed
    files and ask Eraser to do the job. Eraser offers tight integration with
    the Windows shell, so you can drag files and folders from Explorer and
    drop them in Eraser, or you can erase them directly from Explorer by
    selecting Erase beyond recovery from the context menu.

    3. Enterprise Manager
    By: Sophos
    Platforms: Windows 2000, Windows NT
    Relevant URL: http://www.sophos.com/products/em/
    Summary:

    The Enterprise Manager suite is a powerful set of tools allowing fully
    automated web-based installation and updating of Sophos software across a
    network and even to remote users.

    Network administrators are put in full control and can monitor their
    network at all times. Unprotected computers or those running an
    out-of-date version of Sophos Anti-Virus can be immediately and
    automatically updated. In practice, a network of 1000 or more clients can
    be updated from a single, central Windows machine within five minutes.

    4. ZoneAlarm Pro 4.0
    By: Zone Labs
    Platforms: Windows 2000, Windows 95/98, Windows XP
    Relevant URL: http://www.zonelabs.com
    Summary:

    Hackers lurk everywhere on the Internet, waiting for an "in" into your
    personal and financial information. Even legitimate Web sites have
    sophisticated methods of snooping, such as cookies that track your
    identity and browsing habits. You need nothing less than the industry's
    best protection: ZoneAlarm Pro. It offers you the award-winning firewall
    that Zone Labs is famous for. Plus, it stops annoying and potentially
    malicious cookies and pop-ups from invading your system.

    5. ActiveScout Enterprise
    By: ForeScout Technologies
    Platforms: Linux, Solaris, Windows 2000, Windows 95/98, Windows NT
    Relevant URL: http://www.forescout.com/enterprise.html
    Summary:

    ActiveScout Enterprise actively protects a network with multiple access
    points. In addition to the identification of attackers and automatic
    action to stop them, this solution offers full management capabilities,
    from configuration and reporting, to the sharing of threat information
    between multiple deployed scouts.

    6. Immunity CANVAS
    By: Immunity, Inc.
    Platforms: Linux, Windows 2000
    Relevant URL: http://www.immunitysec.com/CANVAS/
    Summary:

    Immunity CANVAS is 100% pure Python, and every license includes full
    access to the entire CANVAS codebase. Python is one of the easiest
    languages to learn, so even novice programmers can be productive on the
    CANVAS API, should they so choose.

    Immunity CANVAS is both a valuable demonstration tool for enterprise
    information security teams or system administrators, and an advanced
    development platform for exploit developers, or people learning to become
    exploit developers.

    V. NEW TOOLS FOR MICROSOFT PLATFORMS
    ------------------------------------
    1. borZoi v1.0.2
    By: Anthony Mulcahy
    Relevant URL: http://dragongate-technologies.com/products.html
    Platforms: Windows 2000, Windows 95/98, Windows NT
    Summary:

    borZoi is an elliptic curve cryptography library for developers who want a
    simple means of adding privacy protection to their applications. Ease of
    use and a minimum risk of security problems due to incorrect use are its
    strong points.

    2. Shishi v0.0.7
    By: Simon Josefsson
    Relevant URL: http://www.gnu.org/software/shishi/
    Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    Shishi is a (still incomplete) implementation of Kerberos 5, which can be
    used to authenticate users in distributed systems. It contains a library
    that can be used by application developers, and a command line utility for
    users. Shishi supports Kerberos authenticated telnet client/server, IMAP
    client/server (via GSSAPI), SSH client/server (via GSSAPI), rsh/rlogin
    client, and a PAM module for host security.

    3. Glub Tech Secure FTP v2.0.9.2
    By: glub
    Relevant URL: http://secureftp.glub.com
    Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
    XP
    Summary:

    Glub Tech Secure FTP is a command-line utility that allows FTP connections
    to be made using SSL.

    4. Bugs Dynamic Cryptography v4.1.1
    By: Sylvain Martinez <bugs_contact@encryptsolutions.com>
    Relevant URL: http://www.encryptsolutions.com/
    Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
    Summary:

    Bugs Dynamic Cryptography is a private key cryptography algorithm. The
    package includes a C Library and many sample applications, including ones
    for file encryption, secure chatting, and login applications. The
    algorithm handles stream and block encryption, unlimited key length, and a
    strong key generator. Documentation and a developer HOWTO are included.

    5. East-Tec Eraser v4.0
    By: EAST Technologies, eraser@east-tec.com
    Relevant URL: http://www.east-tec.com
    Platforms: Windows 95/98, Windows NT
    Summary:

    East-Tec Eraser ("Eraser" in short) is a security application for Windows
    95/98/Me/NT/2000/XP designed to help you completely eliminate sensitive
    data from your computer and protect your computer and Internet privacy.

    Eraser introduces a new meaning for the verb TO ERASE. Erasing a file now
    means wiping its contents beyond recovery, scrambling its name and dates
    and finally removing it from disk. When you want to get rid of sensitive
    files or folders beyond recovery, add them to the Eraser list of doomed
    files and ask Eraser to do the job. Eraser offers tight integration with
    the Windows shell, so you can drag files and folders from Explorer and
    drop them in Eraser, or you can erase them directly from Explorer by
    selecting Erase beyond recovery from the context menu.

    6. John the Ripper v1.6.35(dev)
    By: Solar Designer
    Relevant URL: http://www.openwall.com/john/
    Platforms: BeOS, DOS, MacOS, Windows 2000, Windows 95/98, Windows NT
    Summary:

    John the Ripper is a fast password cracker, currently available for many
    flavors of Unix (11 are officially supported, not counting different
    architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to
    detect weak Unix passwords. It supports several crypt(3) password hash
    types which are most commonly found on various Unix flavors, as well as
    Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types
    are added with contributed patches.

    VI. SPONSOR INFORMATION
    -----------------------
    This Issue is Sponsored By: AirDefense

    *** Technical White Paper - Wireless LAN Layers of Security ***

    Gartner & other industry experts suggest a layered approach for security &
    management of wireless LANs:
    * Secure WLAN Devices - Lock-down & secure access points & laptops
    * Secure Communication - Encryption & Authentication for data integrity
    * Network Monitoring - Detect rogues, block intruders & enforce policy

    Click here to request this complimentary technical white paper.
    http://www.securityfocus.com/sponsor/AirDefense_sf-news_030922

    ------------------------------------------------------------------------
