SecurityFocus Microsoft Newsletter #291
----------------------------------------

This issue is sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!" - SPI Dynamics White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70130000000COFe

------------------------------------------------------------------
I. FRONT AND CENTER
1. Protection from prying NSA eyes
2. The quest for ring 0
3. Malicious cryptography, part two
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Windows Impersonation Privilege Escalation Weakness
2. Caucho Resin Viewfile Information Disclosure Vulnerability
3. Pragma FortressSSH SSH_MSG_KEXINIT Remote Buffer Overflow Vulnerability
4. Raydium Multiple Remote Buffer Overflow and Denial Of Service Vulnerabilities
5. FileZilla Client Unspecified Remote Buffer Overflow Vulnerability
6. Apple QuickTime Multiple Integer and Buffer Overflow Vulnerabilities
7. EMC Dantz Retrospect Backup Client Remote Buffer Overflow Vulnerability
8. ManageEngine OpManager Search.DO Cross-Site Scripting Vulnerability
9. Verisign i-Nav ActiveX Control Remote Buffer Overflow Vulnerability
10. Adobe ColdFusion Required Fields Cross-Site Scripting Vulnerability
11. Symantec Enterprise Firewall / Gateway Security HTTP Proxy Internal IP Leakage Weakness
12. Microsoft Windows Path Conversion Weakness
13. Microsoft Internet Explorer Position CSS Denial of Service Vulnerability
14. PAFileDB Pafiledb_Constants.PHP Remote File Include Vulnerability
15. Microsoft Infotech Storage Library Heap Corruption Vulnerability
16. ICQ Banner Ad Cross-Application Scripting Vulnerability
17. Microsoft Exchange Server Calendar Remote Code Execution Vulnerability
18. Microsoft Windows MSDTC Invalid Memory Access Denial Of Service Vulnerability
19. Microsoft Windows MSDTC Heap Buffer Overflow Vulnerability
20. Drupal Project Module HTML Injection Vulnerability
21. Intervations FileCopa User Command Remote Buffer Overflow Vulnerability
22. Sophos Anti-Virus CAB File Scanning Remote Heap Overflow Vulnerability
23. Cisco Secure ACS Insecure Password Storage Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Front End/Back End communication
2. RDP to XP clients
3. Restricting Remote Registry Access
4. Autorun in screensaver
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Protection from prying NSA eyes
By Mark Rasch
From the U.S. Fourth Amendment, the Stored Communications Act and U.S. wiretap laws to the Pen-register statute, Mark Rasch looks at legal protections available to the telecommunication companies and individual Americans in the wake of the NSA's massive spying program.
http://www.securityfocus.com/columnists/403

2. The quest for ring 0
By Federico Biancuzzi
Federico Biancuzzi interviews French researcher Loïc Duflot to learn more about the System Management Mode attack, how to mitigate it, what hardware is vulnerable, and why we should be concerned with recent X Server bugs.
http://www.securityfocus.com/columnists/402

3. Malicious cryptography, part two
By Frederic Raynal
This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. Then it is shown how Skype can be used for malicious purposes, with a crypto-virus that is very difficult to detect.
http://www.securityfocus.com/infocus/1866


II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. Microsoft Windows Impersonation Privilege Escalation Weakness
BugTraq ID: 18008
Remote: Yes
Date Published: 2006-05-16
Relevant URL: http://www.securityfocus.com/bid/18008
Summary:
Microsoft Windows is susceptible to a weakness that may allow attackers to gain elevated privileges. This issue is due to the ability of services to impersonate clients after they have authenticated.

Microsoft encourages the use of the 'Local Service' and 'Network Service' accounts to mitigate the consequences of exploiting vulnerabilities in services. Attackers exploiting latent vulnerabilities in services running with these low-privilege accounts may take advantage of this weakness to gain elevated privileges.

Under certain circumstances, this issue may aid attackers that can exploit latent vulnerabilities in low-privileged services in gaining elevated privileges, allowing them to fully compromise targeted computers.

This issue is similar to the one documented in BID 8276 (Microsoft SQL Server / MSDE Named Pipes Privilege Escalation Vulnerability).

2. Caucho Resin Viewfile Information Disclosure Vulnerability
BugTraq ID: 18007
Remote: Yes
Date Published: 2006-05-16
Relevant URL: http://www.securityfocus.com/bid/18007
Summary:
Resin is prone to an information-disclosure vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to retrieve the contents of arbitrary files from the vulnerable system in the context of the affected application. Information obtained may aid attackers in further attacks.

3. Pragma FortressSSH SSH_MSG_KEXINIT Remote Buffer Overflow Vulnerability
BugTraq ID: 17991
Remote: Yes
Date Published: 2006-05-16
Relevant URL: http://www.securityfocus.com/bid/17991
Summary:
A remote buffer-overflow vulnerability exists in FortressSSH.

This issue may permit remote code execution in vulnerable servers. A complete compromise leading to SYSTEM level access may be possible.

FortressSSH 4.0.7.20 is reported to be vulnerable. Other versions may be affected as well.

4. Raydium Multiple Remote Buffer Overflow and Denial Of Service Vulnerabilities
BugTraq ID: 17986
Remote: Yes
Date Published: 2006-05-15
Relevant URL: http://www.securityfocus.com/bid/17986
Summary:
Raydium is susceptible to multiple remote vulnerabilities:

- Multiple buffer-overflow vulnerabilities in both client and server instances.
- A format-string vulnerability in both client and server instances.
- A NULL-pointer dereference denial-of-service vulnerability in both client and server instances.
- A buffer-overflow vulnerability in client instances.

These vulnerabilities allow remote attackers to execute arbitrary machine code in the context of affected client and server instances of games that use the affected game engine software. Attackers may also crash vulnerable instances, denying service to legitimate users.

5. FileZilla Client Unspecified Remote Buffer Overflow Vulnerability
BugTraq ID: 17972
Remote: Yes
Date Published: 2006-05-15
Relevant URL: http://www.securityfocus.com/bid/17972
Summary:
FileZilla client is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.

FileZilla versions prior to 2.2.23 are vulnerable to this issue.

6. Apple QuickTime Multiple Integer and Buffer Overflow Vulnerabilities
BugTraq ID: 17953
Remote: Yes
Date Published: 2006-05-11
Relevant URL: http://www.securityfocus.com/bid/17953
Summary:
Multiple integer-overflow and buffer-overflow vulnerabilities affect QuickTime. These issues affect both Mac OS X and Microsoft Windows releases of the software.

Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely cause denial-of-service conditions.

7. EMC Dantz Retrospect Backup Client Remote Buffer Overflow Vulnerability
BugTraq ID: 17948
Remote: Yes
Date Published: 2006-05-11
Relevant URL: http://www.securityfocus.com/bid/17948
Summary:
Dantz Retrospect Backup Client is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.

8. ManageEngine OpManager Search.DO Cross-Site Scripting Vulnerability
BugTraq ID: 17944
Remote: Yes
Date Published: 2006-05-11
Relevant URL: http://www.securityfocus.com/bid/17944
Summary:
ManageEngine OpManager is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

This issue affects version 6.0; other versions may also be vulnerable.

9. Verisign i-Nav ActiveX Control Remote Buffer Overflow Vulnerability
BugTraq ID: 17939
Remote: Yes
Date Published: 2006-05-10
Relevant URL: http://www.securityfocus.com/bid/17939
Summary:
Verisign i-Nav ActiveX control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.

Invoking the object from a malicious website or HTML email may trigger the condition. Successful exploitation corrupts process memory, resulting in arbitrary code execution in the context of the client application using the affected ActiveX control.

10. Adobe ColdFusion Required Fields Cross-Site Scripting Vulnerability
BugTraq ID: 17938
Remote: Yes
Date Published: 2006-05-10
Relevant URL: http://www.securityfocus.com/bid/17938
Summary:
ColdFusion is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.

This issue affects older versions of ColdFusion, version 5 and earlier.

11. Symantec Enterprise Firewall / Gateway Security HTTP Proxy Internal IP Leakage Weakness
BugTraq ID: 17936
Remote: Yes
Date Published: 2006-05-10
Relevant URL: http://www.securityfocus.com/bid/17936
Summary:
Symantec Enterprise Firewall and Gateway Security products are prone to an information-disclosure weakness.

The vendor has reported that the NAT/HTTP proxy component of the products may reveal the internal IP addresses of protected computers.

An attacker may use this information to carry out targeted attacks against a potentially vulnerable host.

12. Microsoft Windows Path Conversion Weakness
BugTraq ID: 17934
Remote: Yes
Date Published: 2006-05-10
Relevant URL: http://www.securityfocus.com/bid/17934
Summary:
Microsoft Windows is susceptible to a path-conversion weakness that may allow attackers to bypass security applications. This issue occurs because the operating system uses multiple differing algorithms to resolve file paths.

Attackers may exploit this issue to bypass security software such as antivirus and antispyware products. Other attacks may also be possible.

Any software using the affected function (or APIs and other functions that in turn use the affected function) may be affected by this issue. Specific information regarding affected software and versions is known to be incomplete and possibly inaccurate. This BID will be updated as further information is disclosed.

13. Microsoft Internet Explorer Position CSS Denial of Service Vulnerability
BugTraq ID: 17932
Remote: Yes
Date Published: 2006-05-10
Relevant URL: http://www.securityfocus.com/bid/17932
Summary:
Microsoft Internet Explorer is affected by a denial-of-service vulnerability. This issue arises because the application fails to handle exceptional conditions in a proper manner.

An attacker may exploit this issue by enticing a user to visit a malicious site, resulting in a denial-of-service condition in the application.

Since exploiting this issue requires only standard HTML and CSS, it may not be easily mitigated.

Internet Explorer 6 is vulnerable to this issue; other versions may also be affected.

14. PAFileDB Pafiledb_Constants.PHP Remote File Include Vulnerability
BugTraq ID: 17930
Remote: Yes
Date Published: 2006-05-09
Relevant URL: http://www.securityfocus.com/bid/17930
Summary:
paFileDB is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects version 2.0.1 and prior.

15. Microsoft Infotech Storage Library Heap Corruption Vulnerability
BugTraq ID: 17926
Remote: Yes
Date Published: 2006-05-09
Relevant URL: http://www.securityfocus.com/bid/17926
Summary:
Microsoft Windows is susceptible to a heap-corruption vulnerability while attempting to read specially crafted CHM or ITS files. This occurs in the 'ITSS.DLL' library.

This vulnerability allows remote attackers to execute arbitrary machine code in the context of applications using the affected library.

Attackers may exploit this issue by coercing users to open malicious CHM or ITS files with Internet Explorer, or when users try to decompile such files using the 'hh -decompile' command. CHM files are considered unsafe files, so there is a possibility that advanced users or security researchers may try to decompile these files to inspect their contents.

16. ICQ Banner Ad Cross-Application Scripting Vulnerability
BugTraq ID: 17913
Remote: Yes
Date Published: 2006-05-09
Relevant URL: http://www.securityfocus.com/bid/17913
Summary:
ICQ is prone to a cross-application scripting vulnerability. This issue is a result of the application accessing content in a different and presumably higher security context than the original content.

An attacker can exploit this issue to have arbitrary attacker-supplied HTML or JavaScript executed on a victim user's computer in the 'My Computer' security zone.

17. Microsoft Exchange Server Calendar Remote Code Execution Vulnerability
BugTraq ID: 17908
Remote: Yes
Date Published: 2006-05-09
Relevant URL: http://www.securityfocus.com/bid/17908
Summary:
Microsoft Exchange Server is prone to a vulnerability that may let attackers execute code remotely. This issue is exposed when the server handles emails that contain malicious calendar data that is included in meeting requests.

If the issue is successfully exploited, this could completely compromise the computer hosting the mail server.

18. Microsoft Windows MSDTC Invalid Memory Access Denial Of Service Vulnerability
BugTraq ID: 17906
Remote: Yes
Date Published: 2006-05-09
Relevant URL: http://www.securityfocus.com/bid/17906
Summary:
Microsoft Windows Distributed Transaction Coordinator is prone to a denial-of-service vulnerability.

Attackers can exploit this vulnerability remotely to disrupt the MSDTC service and any services that depend on MSDTC.

This vulnerability affects Windows NT and Windows 2000 in their default configuration, since the service is enabled by default. It affects Windows XP and Windows Server 2003 only if the service has been manually enabled.

19. Microsoft Windows MSDTC Heap Buffer Overflow Vulnerability
BugTraq ID: 17905
Remote: Yes
Date Published: 2006-05-09
Relevant URL: http://www.securityfocus.com/bid/17905
Summary:
Microsoft Windows Distributed Transaction Coordinator is prone to a remote heap buffer-overflow vulnerability. This issue is due to the failure of the software to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This BID is flagged with the 'Conflicting Details' credibility rating because of the discrepancy between the vendor and the discoverer as to the possibility of remote code execution.

Microsoft states that this issue may be exploited only to disrupt the MSDTC service and any services that depend on MSDTC, but the discoverer of this issue states that it may be exploited for remote code execution.

This vulnerability affects Windows NT and Windows 2000 in their default configuration, since the service is enabled by default. It affects Windows XP and Windows Server 2003 only if the service has been manually enabled.

20. Drupal Project Module HTML Injection Vulnerability
BugTraq ID: 17885
Remote: Yes
Date Published: 2006-05-08
Relevant URL: http://www.securityfocus.com/bid/17885
Summary:
Drupal is prone to an HTML-injection vulnerability. This issue is due to the application's failure to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

21. Intervations FileCopa User Command Remote Buffer Overflow Vulnerability
BugTraq ID: 17881
Remote: Yes
Date Published: 2006-05-08
Relevant URL: http://www.securityfocus.com/bid/17881
Summary:
FileCopa is prone to a buffer-overflow vulnerability when handling data through the USER command. Reportedly, passing excessive data may overflow a finite-sized internal memory buffer. A successful attack may result in memory corruption as memory adjacent to the buffer is overwritten with user-supplied data.

This issue may lead to a denial-of-service condition or the execution of arbitrary code.

22. Sophos Anti-Virus CAB File Scanning Remote Heap Overflow Vulnerability
BugTraq ID: 17876
Remote: Yes
Date Published: 2006-05-08
Relevant URL: http://www.securityfocus.com/bid/17876
Summary:
A remote heap-overflow vulnerability exists in Sophos Anti-Virus Library when scanning CAB files. This issue is due to the library's failure to properly bounds-check user-supplied input before copying data to an internal memory buffer.

Successfully exploiting this vulnerability could result in arbitrary code execution with the privileges of the application.

23. Cisco Secure ACS Insecure Password Storage Vulnerability
BugTraq ID: 16743
Remote: Yes
Date Published: 2006-05-08
Relevant URL: http://www.securityfocus.com/bid/16743
Summary:
Cisco Secure ACS is susceptible to an insecure password-storage vulnerability. This issue is due to a failure of the application to properly secure sensitive password information.

This issue allows attackers to gain access to encrypted passwords and to the key used to encrypt them. This allows them to obtain the plaintext passwords, aiding them in attacking other services that depend on the ACS server for authentication.

Cisco Secure Access Control Server for Windows versions 3.x are affected by this issue.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Front End/Back End communication
http://www.securityfocus.com/archive/88/434013

2. RDP to XP clients
http://www.securityfocus.com/archive/88/433664

3. Restricting Remote Registry Access
http://www.securityfocus.com/archive/88/433671

4. Autorun in screensaver
http://www.securityfocus.com/archive/88/433357

IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@xxxxxxxxxxxxxxxxx from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters and unsubscribe via the website.

If your email address has changed email listadmin@xxxxxxxxxxxxxxxxx and ask to be manually removed.

V. SPONSOR INFORMATION
------------------------
This issue is sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!" - SPI Dynamics White Paper
It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70130000000COFe