RE: WINS CLient Service

From: Gilmore, Corey (DPC) (Corey_Gilmore_at_dpc.senate.gov)
Date: 12/08/03

  • Next message: Craig Broad: "forcdos.exe = serv-u...."
    Date: Mon, 8 Dec 2003 14:41:39 -0500
    To: "Ziots, Edward" <EZiots@Lifespan.org>, <incidents@securityfocus.com>
    
    

    If you're asking about the files in %system%\wins, they're installed by
    Welchia/Nachi. You'll find them on any infected PC, workstation or
    server.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html#technicaldetails

    You can remove them with the removal tool,
    http://www.symantec.com/avcenter/FixWelch.exe

    > -----Original Message-----
    > From: Ziots, Edward [mailto:EZiots@Lifespan.org]
    > Sent: Monday, December 08, 2003 9:17 AM
    > To: 'incidents@securityfocus.com'
    > Subject: RE: WINS CLient Service
    >
    > Has anyone seen a virus/worm or misconfiguration load the WINS Client
    > Service on a Win2k Server? In all the servers I have built I have never
    > seen this service. It basically had a dllhost.exe and svchost.exe copy
    > in the c:\winnt\system32\wins directory, and svchost.exe was a renamed
    > copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe
    > in it.
    >
    > If anyone has run into this before let me know what solutions you
    > might have found,
    > >
    > >
    > > Edward Ziots
    > > Windows NT/Citrix Administrator
    > > Lifespan Network Services
    > > MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network + eziots@lifespan.org
    > > Cell:401-639-3505
    > > Pager:401-350-5284
    >
    > Edward Ziots
    > Windows NT/Citrix Administrator
    > Lifespan Network Services
    > MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network + eziots@lifespan.org
    > Cell:401-639-3505
    > Pager:401-350-5284
    >
    > **********************
    > Confidentiality Notice
    > **********************
    > The information transmitted in this e-mail is intended only
    > for the person or entity to which it is addressed and may
    > contain confidential and/or privileged information. Any
    > review, retransmission, dissemination or other use of or
    > taking of any action in reliance upon this information by
    > persons or entities other than the intended recipient is prohibited.
    > If you received this e-mail in error, please contact the
    > sender and delete the e-mail and any attached material
    > immediately. Thank you.
    >
    >
    >
    >
    >
    > -----Original Message-----
    > From: David Ahmad [mailto:da@securityfocus.com]
    > Sent: Friday, December 05, 2003 5:05 PM
    > To: Ziots, Edward
    > Subject: Re: WINS CLient Service
    >
    >
    >
    > Please post this to the INCIDENTS mailing list
    > <incidents@securityfocus.com>.
    >
    > On Fri, Dec 05, 2003 at 05:19:59PM -0500, Ziots, Edward wrote:
    > > Has anyone seen a virus/worm or misconfiguration load the WINS Client
    > > Service on a Win2k Server? In all the servers I have built I have never
    > > seen this service. It basically had a dllhost.exe and svchost.exe copy
    > > in the c:\winnt\system32\wins directory, and svchost.exe was a renamed
    > > copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe
    > > in it.
    > >
    > > If anyone has run into this before let me know what solutions you
    > > might have found,
    > >
    > >
    > > Edward Ziots
    > > Windows NT/Citrix Administrator
    > > Lifespan Network Services
    > > MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network + eziots@lifespan.org
    > > Cell:401-639-3505
    > > Pager:401-350-5284
    > >
    > > **********************
    > > Confidentiality Notice
    > > **********************
    > > The information transmitted in this e-mail is intended only for the
    > > person or entity to which it is addressed and may contain confidential
    > > and/or privileged information. Any review, retransmission,
    > > dissemination or other use of or taking of any action in reliance upon
    > > this information by persons or entities other than the intended
    > > recipient is prohibited. If you received this e-mail in error, please
    > > contact the sender and delete the e-mail and any attached material
    > > immediately. Thank you.
    > >
    > >
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Greg Meehan [mailto:GMeehan@LifeTimeFitness.com]
    > > Sent: Friday, December 05, 2003 3:05 PM
    > > To: 3APA3A; Mr. P.Taylor
    > > Cc: aleph1@securityfocus.com; bugtraq@securityfocus.com
    > > Subject: RE: Websense Blocked Sites XSS
    > >
    > >
    > >
    > > FYI: You can use a customized block page in /custom that does not
    > > display the URL, such as creating a "Sorry, This URL is Blocked" page
    > > with your company's logo. Heck, you can also just edit the
    > > "master.html" block page in the /default dir to remove the URL
    > > displayed field.
    > >
    > > -Greg
    > >
    > > -----Original Message-----
    > > From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
    > > Sent: Friday, December 05, 2003 7:09 AM
    > > To: Mr. P.Taylor
    > > Cc: aleph1@securityfocus.com; bugtraq@securityfocus.com
    > > Subject: Re: Websense Blocked Sites XSS
    > >
    > >
    > > Dear Mr. P.Taylor,
    > >
    > > It runs the error message in the context of the blocked site. Now let's
    > > try to find out the possible impacts:
    > >
    > > 1. It's possible to run javascript on the user host in the context of
    > > the blocked site. But most likely the blocked site is not in the list
    > > of trusted web sites on the user's host, so it's impossible to get
    > > something different from running the same script on another webpage.
    > >
    > > 2. It's possible to steal a cookie, submit some forms, etc., on the
    > > blocked site. But the site is blocked. So, it's impossible to steal
    > > something or submit something to this site.
    > >
    > > Conclusion: there is no security impact.
    > >
    > > Post Conclusion: Guys, it's perfect you can find all these XSS/CSS
    > > bugs in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But
    > > please think about _security_ impact before submitting this to
    > > _security_ related lists.
    > >
    > > --Wednesday, December 3, 2003, 7:35:39 PM, you wrote to
    > > dhubbard@websense.com:
    > >
    > >
    > > MPT> Websense Blocked Sites XSS
    > >
    > > MPT> Risk: High
    > >
    > > MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others, we only
    > > MPT> tested this version)
    > >
    > > MPT> Product URL: http://www.websense.com
    > >
    > > MPT> Found By: PeterT - petert@imagine-sw.com
    > >
    > > MPT> Problem:
    > > MPT> When Websense blocks a web site, it returns a web page to the
    > > MPT> browser stating that the site has been blocked. This error
    > > MPT> message contains the URL which was requested. Websense does not
    > > MPT> do any validation or encoding of the URL before returning it in
    > > MPT> the error message. This allows an attacker to supply a URL that
    > > MPT> contains script (JavaScript, ActiveX, VB). This script will run in
    > > MPT> the context of a server in the trusted domain and combined with
    > > MPT> other IE flaws can have serious consequences.
    > >
    > > MPT> We have marked this as a High risk because we believe that
    > > MPT> allowing attackers to run arbitrary programs on your desktop at
    > > MPT> will, is a serious problem.
    > >
    > >
    > > MPT> Proof of Concept:
    > > MPT> A URL like
    > > MPT> http://BlockedSite?>alert('hello')</SCRIPT>
    > > MPT> will run script.
    > >
    > > MPT> Resolution:
    > > MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
    > >
    > > MPT> Thanks to Websense for fixing this issue.
    > >
    > > MPT> Disclaimer:
    > > MPT> Standard disclaimer applies. The opinions expressed in this
    > > MPT> advisory are our own and not of any company. The information
    > > MPT> within this advisory may change without notice. Use of this
    > > MPT> information constitutes acceptance for use in an AS IS condition.
    > > MPT> There are no warranties with regard to this information. In no
    > > MPT> event shall the author be liable for any damages whatsoever
    > > MPT> arising out of or in connection with the use or spread of this
    > > MPT> information. Any use of this information is at the user's own
    > > MPT> risk.
    > >
    > >
    > >
    > > --
    > > ~/ZARAZA
    >
    > --
    > David Mirza Ahmad
    > Symantec
    >
    > PGP: 0x26005712
    > 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
    > --
    > The battle for the past is for the future.
    > We must be the winners of the memory war.
    >

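As an added triage example (not code from this posting, from Symantec, or from the FixWelch removal tool), the Python script below checks a host for the indicators the thread describes: the two executables dropped into %SystemRoot%\system32\wins, whether wins\svchost.exe is a byte-for-byte copy of system32\tftp.exe (Edward's "renamed copy of tftp.exe" observation), and whether either file carries an alternate data stream (the thread names nc.exe). The paths, the choice of SHA-256, and the constructed sample tree in demo_on_constructed_tree() are assumptions of the example; the stream enumeration uses the Win32 FindFirstStreamW API and only runs on Windows, so the hash and presence checks are what you get elsewhere.

```python
import hashlib
import os
import shutil
import sys
import tempfile

# Indicators from the thread: the two names dropped into %SystemRoot%\system32\wins.
DROPPED_NAMES = ("dllhost.exe", "svchost.exe")


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_ads(path):
    """Names of alternate data streams on `path` via Win32 FindFirstStreamW (Windows only).
    The unnamed '::$DATA' stream is the file's own content and is skipped."""
    if sys.platform != "win32":
        return []  # NTFS streams do not exist on other platforms
    import ctypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        return []
    names = []
    try:
        while True:
            if data.cStreamName != "::$DATA":
                names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names


def collect(system_root):
    """Gather the drop indicators from a filesystem rooted at `system_root`."""
    system32 = os.path.join(system_root, "system32")
    wins_dir = os.path.join(system32, "wins")
    tftp = os.path.join(system32, "tftp.exe")
    dropped = {}
    for name in DROPPED_NAMES:
        candidate = os.path.join(wins_dir, name)
        if os.path.isfile(candidate):
            dropped[name] = {"sha256": sha256_of(candidate), "streams": list_ads(candidate)}
    return {"dropped": dropped,
            "tftp_sha256": sha256_of(tftp) if os.path.isfile(tftp) else None}


def assess(inventory):
    """Turn a collect() inventory into readable findings; an empty list means clean."""
    findings = []
    dropped = inventory["dropped"]
    for name, info in dropped.items():
        findings.append("%s present in system32\\wins" % name)
        for stream in info["streams"]:
            findings.append("%s carries alternate data stream %s" % (name, stream))
    svc = dropped.get("svchost.exe")
    if svc and inventory["tftp_sha256"] and svc["sha256"] == inventory["tftp_sha256"]:
        findings.append("wins\\svchost.exe is byte-identical to tftp.exe (renamed copy)")
    return findings


def demo_on_constructed_tree():
    """Assess a throwaway fake %SystemRoot% laid out like the thread's report.
    Constructed sample: the files hold placeholder bytes, not real binaries."""
    root = tempfile.mkdtemp(prefix="welchia-demo-")
    try:
        wins_dir = os.path.join(root, "system32", "wins")
        os.makedirs(wins_dir)
        tftp_bytes = b"placeholder tftp.exe contents"
        with open(os.path.join(root, "system32", "tftp.exe"), "wb") as f:
            f.write(tftp_bytes)
        with open(os.path.join(wins_dir, "svchost.exe"), "wb") as f:
            f.write(tftp_bytes)  # renamed copy, so the hashes match
        with open(os.path.join(wins_dir, "dllhost.exe"), "wb") as f:
            f.write(b"placeholder dllhost.exe contents")
        return assess(collect(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\WINNT")
    for line in assess(collect(root)) or ["no Welchia drop indicators found under " + root]:
        print(line)
```

Run it as `python welchia_check.py C:\WINNT` on the suspect host. One caveat when reading the output: the wins directory itself is where a genuine WINS server keeps its database, so its mere existence proves nothing; the signal is dllhost.exe or svchost.exe living there (neither belongs outside system32), a hash match against tftp.exe, or a named stream on either file.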

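The Websense advisory quoted above comes down to one rendering defect: the requested URL is echoed into the "site blocked" HTML without encoding. The Python below is an added illustration, not Websense's master.html or any vendor code; the template, the function names and the "withheld" placeholder are assumptions of the example, and the probe string is the advisory's own proof-of-concept URL. It shows the defective rendering beside two fixes: HTML-escape the reflected value for the context it lands in, or, as Greg Meehan suggests, leave the URL off the page altogether.

```python
import html

# Minimal stand-in for a vendor block-page template (constructed for this example).
TEMPLATE = (
    "<html><body><h1>Access Denied</h1>\n"
    "<p>The requested URL <b>{url}</b> has been blocked by policy.</p>\n"
    "</body></html>"
)

# The advisory's proof-of-concept URL, reused here as the regression probe.
ADVISORY_PROBE = "http://BlockedSite?>alert('hello')</SCRIPT>"


def render_block_page_unsafe(requested_url):
    """Mirrors the reported defect: the URL is dropped into the HTML verbatim."""
    return TEMPLATE.format(url=requested_url)


def render_block_page(requested_url, show_url=True):
    """Hardened rendering.

    quote=True also neutralises ' and ", which matters if the template ever
    moves the value into an attribute; show_url=False is the template-edit
    mitigation from the thread (remove the displayed-URL field).
    """
    if not show_url:
        return TEMPLATE.format(url="(withheld)")
    return TEMPLATE.format(url=html.escape(requested_url, quote=True))


def reflects_raw_markup(page):
    """True if the page holds more raw '<' than the bare template, i.e. input markup leaked through."""
    baseline = TEMPLATE.format(url="").count("<")
    return page.count("<") > baseline


if __name__ == "__main__":
    for label, page in (("unsafe", render_block_page_unsafe(ADVISORY_PROBE)),
                        ("escaped", render_block_page(ADVISORY_PROBE)),
                        ("withheld", render_block_page(ADVISORY_PROBE, show_url=False))):
        print("%-8s leaks markup: %s" % (label, reflects_raw_markup(page)))
```

The `reflects_raw_markup` check is the kind of assertion worth keeping in a block page's test suite: whatever the client asked for, the rendered page must never contain more raw angle brackets than the template itself.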
