SecurityFocus Microsoft Newsletter #246

From: Marc Fossi (mfossi_at_securityfocus.com)
Date: 06/29/05

    Date: Wed, 29 Jun 2005 11:37:29 -0600 (MDT)
    To: Focus-MS <focus-ms@securityfocus.com>
    
    

    SecurityFocus Microsoft Newsletter #246
    ----------------------------------------

    This Issue is Sponsored By: Black Hat

    Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 29 hands-on training courses and 10 conference tracks, networking opportunities with over 2,000 delegates from 30+ nations.

    http://www.securityfocus.com/sponsor/BlackHat_sf-news_050628

    ------------------------------------------------------------------
    I. FRONT AND CENTER
           1. Where's the threat?
           2. Software Firewalls: Made of Straw? Part 2 of 2
    II. MICROSOFT VULNERABILITY SUMMARY
           1. Novell NetMail Patch Packaging Insecure File Permissions Vulnerability
           2. Microsoft Internet Explorer Dialog Box Origin Spoofing Vulnerability
           3. Veritas Backup Exec Server Remote Registry Access Vulnerability
           4. Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service Vulnerability
           5. Veritas Backup Exec Admin Plus Pack Option Remote Heap Overflow Vulnerability
           6. Veritas Backup Exec Web Administration Console Remote Buffer Overflow Vulnerability
           7. Veritas Backup Exec Remote Agent for Windows Servers Privilege Escalation Vulnerability
           8. DUware DUforum Multiple SQL Injection Vulnerabilities
           9. Ipswitch WhatsUp Professional LOGIN.ASP SQL Injection Vulnerability
           10. Simple Machines Msg Parameter SQL Injection Vulnerability
           11. Sendmail Milter Remote Denial Of Service Weakness
           12. PHP-Nuke Avatar HTML Injection Vulnerability
           13. IBM DB2 Universal Database Unspecified Authorization Bypass Vulnerability
    III. MICROSOFT FOCUS LIST SUMMARY
           1. Local admin password
           2. Windows firewall spontaneously changes profiles
           3. disable shell: command on Windows 2000
           4. ISA 2004 FTP SSL
           5. Windows 98 autoupdate
    IV. UNSUBSCRIBE INSTRUCTIONS
    V. SPONSOR INFORMATION

    I. FRONT AND CENTER
    ---------------------
    1. Where's the threat?
    By Matthew Tanase
    I'm sure everyone remembers the story of Goldilocks and the three bears
    http://www.securityfocus.com/columnists/335

    2. Software Firewalls: Made of Straw? Part 2 of 2
    By Israel G. Lugo, Don Parker
    In part two we look at how easily the firewall's operation can be circumvented by inserting a malicious Trojan into the network stack itself.
    http://www.securityfocus.com/infocus/1840

    II. MICROSOFT VULNERABILITY SUMMARY
    ------------------------------------
    1. Novell NetMail Patch Packaging Insecure File Permissions Vulnerability
    BugTraq ID: 14005
    Remote: No
    Date Published: 2005-06-21
    Relevant URL: http://www.securityfocus.com/bid/14005
    Summary:
    Novell NetMail is susceptible to an insecure file permissions vulnerability. This issue is due to a flaw in the patch packaging system used to update NetMail. This vulnerability only presents itself on Linux installations of NetMail.

    This vulnerability allows local attackers to modify or replace NetMail binaries. This will result in the compromise of the NetMail account.

    Computers running versions 3.52A, 3.52B, or 3.52C on Linux are affected by this issue.

    2. Microsoft Internet Explorer Dialog Box Origin Spoofing Vulnerability
    BugTraq ID: 14007
    Remote: Yes
    Date Published: 2005-06-21
    Relevant URL: http://www.securityfocus.com/bid/14007
    Summary:
    Microsoft Internet Explorer is prone to a dialog box origin spoofing vulnerability.

    An attacker may exploit this vulnerability to spoof an interface of a trusted web site. This issue may allow a remote attacker to carry out phishing style attacks.

    3. Veritas Backup Exec Server Remote Registry Access Vulnerability
    BugTraq ID: 14020
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14020
    Summary:
    VERITAS Backup Exec for Windows Servers is prone to an access validation vulnerability.

    The issue may be leveraged by a remote attacker to gain 'Administrator' access to the vulnerable computer's registry. This access may be further leveraged to gain unfettered access to the target computer.

    4. Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service Vulnerability
    BugTraq ID: 14021
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14021
    Summary:
    VERITAS Backup Exec Remote Agent is prone to a remotely exploitable denial of service vulnerability. This could cause a denial of service on the computer hosting the application.

    This issue only affects the application on Microsoft Windows platforms.

    5. Veritas Backup Exec Admin Plus Pack Option Remote Heap Overflow Vulnerability
    BugTraq ID: 14023
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14023
    Summary:
    Veritas Backup Exec is affected by a remote heap overflow vulnerability.

    This issue affects servers using the Admin Plus Pack Option. A remote attacker can exploit this issue by crafting and sending malicious data to the service and executing arbitrary code.

    It is conjectured that successful exploitation may result in a superuser compromise.

    This issue affects Backup Exec running on Microsoft Windows platforms.

    6. Veritas Backup Exec Web Administration Console Remote Buffer Overflow Vulnerability
    BugTraq ID: 14025
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14025
    Summary:
    VERITAS Backup Exec Web Administration Console is prone to a remote buffer overflow vulnerability.

    An attacker can exploit this issue by crafting a malicious request. This request must contain excessive string data that triggers this issue, replacement memory addresses, and executable instructions. When the Web Administration Console processes this request, the attacker-supplied instructions may be executed on the vulnerable computer.

    7. Veritas Backup Exec Remote Agent for Windows Servers Privilege Escalation Vulnerability
    BugTraq ID: 14026
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14026
    Summary:
    Veritas Backup Exec Remote Agent for Windows Servers is affected by a privilege escalation vulnerability. This issue can allow remote users to gain elevated privileges and completely compromise an affected computer.

    A successful attack allows non-privileged users to gain SYSTEM level privileges.

    8. DUware DUforum Multiple SQL Injection Vulnerabilities
    BugTraq ID: 14035
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14035
    Summary:
    DUforum is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.

    Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

    9. Ipswitch WhatsUp Professional LOGIN.ASP SQL Injection Vulnerability
    BugTraq ID: 14039
    Remote: Yes
    Date Published: 2005-06-22
    Relevant URL: http://www.securityfocus.com/bid/14039
    Summary:
    WhatsUp Professional is prone to an SQL injection vulnerability affecting its Web-based front end. This issue is due to a failure in the application to properly sanitize user-supplied input to the 'login.asp' script before using it in an SQL query.

    Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. It should be noted that by supplying a 'or' value through the 'password' parameter, an attacker can gain unauthorized access to an affected site.

    10. Simple Machines Msg Parameter SQL Injection Vulnerability
    BugTraq ID: 14043
    Remote: Yes
    Date Published: 2005-06-23
    Relevant URL: http://www.securityfocus.com/bid/14043
    Summary:
    Simple Machines is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.

    Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

    This issue is reported to affect Simple Machines version 1.0.4; earlier versions may also be vulnerable.

    11. Sendmail Milter Remote Denial Of Service Weakness
    BugTraq ID: 14047
    Remote: Yes
    Date Published: 2005-06-23
    Relevant URL: http://www.securityfocus.com/bid/14047
    Summary:
    Sendmail is susceptible to a remote denial of service weakness in its milter interface. This issue is due to overly long default timeouts configured for milters.

    This issue is demonstrated with ClamAV versions prior to 0.86. Any other milter that utilizes similar operating methods as the older ClamAV milter will also expose this vulnerability in Sendmail.

    Depending on the configuration of the milter interface, attackers may either exploit this issue to bypass milters, or to deny further email delivery on affected sites.

    12. PHP-Nuke Avatar HTML Injection Vulnerability
    BugTraq ID: 14056
    Remote: Yes
    Date Published: 2005-06-24
    Relevant URL: http://www.securityfocus.com/bid/14056
    Summary:
    PHP-Nuke is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.

    Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

    This issue is reported to affect all versions of PHP-Nuke up to version 7.7; this has not been confirmed.

    13. IBM DB2 Universal Database Unspecified Authorization Bypass Vulnerability
    BugTraq ID: 14057
    Remote: Yes
    Date Published: 2005-06-24
    Relevant URL: http://www.securityfocus.com/bid/14057
    Summary:
    IBM DB2 Universal Database is susceptible to an authorization bypass vulnerability. This issue is due to a failure of the application to properly enforce authorization restrictions for database users.

    Users with SELECT privileges on a database may bypass authorization checks to execute INSERT, UPDATE, or DELETE statements. Further details are not available at this time. This BID will be updated as more information is disclosed.

    This vulnerability allows attackers to modify or destroy data without having proper authorization to do so.

    III. MICROSOFT FOCUS LIST SUMMARY
    ---------------------------------
    1. Local admin password
    http://www.securityfocus.com/archive/88/403594

    2. Windows firewall spontaneously changes profiles
    http://www.securityfocus.com/archive/88/403542

    3. disable shell: command on Windows 2000
    http://www.securityfocus.com/archive/88/403498

    4. ISA 2004 FTP SSL
    http://www.securityfocus.com/archive/88/403301

    5. Windows 98 autoupdate
    http://www.securityfocus.com/archive/88/403192

    IV. UNSUBSCRIBE INSTRUCTIONS
    -----------------------------
    To unsubscribe send an e-mail message to ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

    If your email address has changed, email listadmin@securityfocus.com and ask to be manually removed.

    V. SPONSOR INFORMATION
    ------------------------
    This Issue is Sponsored By: Black Hat

    Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 29 hands-on training courses and 10 conference tracks, networking opportunities with over 2,000 delegates from 30+ nations.

    http://www.securityfocus.com/sponsor/BlackHat_sf-news_050628
