SecurityFocus Microsoft Newsletter #44
Date: Mon, 23 Jul 2001 09:28:28 -0600 (MDT)
From: John Boletta <jboletta@securityfocus.com>
To: <ms-secnews@securityfocus.com>
Subject: SecurityFocus Microsoft Newsletter #44
Message-ID: <Pine.GSO.4.30.0107230926510.21526-100000@mail>
SecurityFocus Microsoft Newsletter #44
--------------------------------
I. FRONT AND CENTER
1. Intrusion Detection Systems Terminology, Part Two: H - Z
2. Hardening Windows 2000: Seeing the Forest In Spite of the Trees,
Part Three
3. How Fast is Fast: Vendor Response to New Virus Reports
II. MICROSOFT VULNERABILITY SUMMARY
1. MS Visual Studio RAD Support Buffer Overflow Vulnerability
2. Multiple Vendor Small TCP MSS Denial of Service Vulnerability
3. Microsoft Windows 2000 LDAP SSL Password Modification...
4. Microsoft Windows 2000 SMTP Improper Authentication Vulnerability
5. Windows 2000 Active Directory Authentication Vulnerability
6. Microsoft Windows 2000 Task Manager Process Termination...
7. Microsoft Outlook Express Address Book Spoofing Vulnerability
8. Microsoft Outlook Unauthorized Email Access Vulnerability
9. Microsoft Outlook Arbitrary Code Execution Vulnerability
10. Microsoft IIS Unicode .asp Source Code Disclosure Vulnerability
11. Microsoft IIS Device File Local DoS Vulnerability
12. Microsoft Word Document Macro Execution Vulnerability
13. Microsoft SQL Server Administrator Cached Connection...
14. Microsoft Exchange OWA Embedded Script Execution Vulnerability
15. Microsoft Exchange 5.5 LDAP Denial of Service Vulnerabilities
16. MS Index Server and Indexing Service ISAPI Extension Buffer...
17. Microsoft Internet Explorer File Contents Disclosure...
18. Microsoft Internet Explorer File Disclosure Vulnerability
19. Microsoft Windows 2000 Telnet Username DoS Vulnerability
20. Microsoft Windows 2000 Telnet Multiple Sessions DoS Vulnerability
21. Microsoft Windows 2000 Telnet Service DoS Vulnerability
22. Microsoft Windows 2000 Telnet System Call DoS Vulnerability
23. Microsoft W2K Telnet Various Domain User Account Access...
24. Microsoft Windows 2000 Telnet Privilege Escalation Vulnerability
25. Windows Media Player Internet Shortcut Execution Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. IIS 4.0 DOS attack? (Thread)
2. IIS and SQL through the firewall (Thread)
3. IIS + DOS attacks = headache (Thread)
4. IIS 3.0 (Thread)
5. SecurityFocus Call for Microsoft Articles (Thread)
6. Word of caution (Thread)
7. Full analysis of the .ida "Code Red" worm. (Thread)
8. Windows Scripting Host (Thread)
9. Webserver, DMZ, ports questions (Thread)
10. Your Virus Protection Programs (Thread)
11. Bad PGP Key from Microsoft Security Response Center (Thread)
12. NT "net use" Malfunctions (Thread)
13. IIS 5.0 IN A DOMAIN? (Thread)
14. PART II : Webserver, DMZ, ports questions (Thread)
15. Yet another IIS compromise (Thread)
16. MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 (fwd)
17. EFS Stability (Thread)
18. Is netbios safe on a 2nd NIC? (Thread)
19. file hiding in win2k (Thread)
20. IE settings changed by websites (Thread)
21. Malware masquerading as MS patch (Thread)
22. Initial analysis of the .ida "Code Red" Worm (Thread)
23. Fw: Windows Scripting Host (Thread)
24. FW: FW: Is netbios safe on a 2nd NIC? (Thread)
25. FW: Is netbios safe on a 2nd NIC? (Thread)
26. Proxy files PFxxxxxx (Thread)
27. Files Auditing Utility (Thread)
28. SecurityFocus Microsoft Newsletter #43 (Thread)
29. 2k kerbos & time. (Thread)
30. Media Player Privacy Option (Thread)
31. Win 2K Ports continued... (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Cisco VPN 5000 series
2. RSA SecurID Web Express
3. PestPatrol
4. NetWatcher 2000
5. Tiny Personal Firewall
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Dreamscape Keylogger v2.83
2. ScoopLm v1.4.1
3. PromiScan
4. Invisible Secrets v3
5. Archaeopteryx v1.0
I. FRONT AND CENTER
-------------------
1. Intrusion Detection Systems Terminology, Part Two: H - Z
by A. Cliff
Intrusion Detection Systems (IDS) are still very much in their infancy,
but in terms of development they are growing at an extraordinary rate. The
terminology associated with IDS is also growing rapidly. This, the
second article of a two-part series, is intended to introduce readers to
some IDS terminology, some of it basic and relatively common, some of it
somewhat more obscure.
http://www.securityfocus.com/focus/ids/articles/idsterms2.html
2. Hardening Windows 2000: Seeing the Forest In Spite of the Trees, Part
Three
by Tim Mullen
This is the third article in a three part series by SecurityFocus writer
Tim Mullen devoted to hardening Windows 2000 across the enterprise, as
opposed to focusing on individual servers or workstations. In the first
two installments, the author discussed some of the security-enhancing
tools that Windows 2000 offers as well as the security policy options that
can be used to strengthen Win2k installations. In this article, the author
looks at Group Policy.
http://www.securityfocus.com/focus/microsoft/2k/harden2k3.html
3. How Fast is Fast: Vendor Response to New Virus Reports
by Robert Vibert
You've just come across a suspicious file that seems to be causing
problems on a machine in your organization. You think it may be a virus,
but all of the antivirus programs you use to scan it say the file is
clean. What's your logical next step? For many people, the best thing to
do is to send the suspicious file to one or more antivirus software
developers for analysis. Just what do you think the response from these
specialists should be?
http://www.securityfocus.com/focus/virus/articles/virussample.html
II. BUGTRAQ SUMMARY
-------------------
1. MS Visual Studio RAD Support Buffer Overflow Vulnerability
BugTraq ID: 2906
Remote: Yes
Date Published: 2001-06-21
Relevant URL:
http://www.securityfocus.com/bid/2906
Summary:
FrontPage Server Extensions (FPSE) ships with Microsoft Office 2000 and
Office XP. FPSE are components that run on IIS servers and are used for
the development of websites via FrontPage and Visual InterDev.
Visual InterDev is a member of the Visual Studio web development tools,
and is used to design web applications that bring together web content,
database resources and various programs. A subcomponent of FPSE called
Visual InterDev RAD Remote Deployment Support, enables the Visual InterDev
developer to easily register COM objects on a web server.
Due to an unchecked buffer in 'fp30reg.dll' of Visual InterDev RAD Remote
Deployment Support, a user could execute arbitrary commands on a target
host. If the host is running IIS 5.0, the commands could be executed in
the context of IWAM_machinename. A host running IIS 4.0, could allow the
execution of arbitrary commands in the SYSTEM context.
The problem lies in the section of code which specifically processes COM
object register requests (fp30reg.dll). If a specially crafted request
composed of 258 bytes is sent to a server with RAD Remote Deployment
Support installed, the buffer could overrun and allow the execution of
arbitrary code.
It should be noted that Visual Studio RAD Deployment Support must be
manually installed and configured by a user. It is not installed by
default.
Successful exploitation of this vulnerability could lead to a complete
compromise of the host.
2. Multiple Vendor Small TCP MSS Denial of Service Vulnerability
BugTraq ID: 2997
Remote: Yes
Date Published: 2001-07-07
Relevant URL:
http://www.securityfocus.com/bid/2997
Summary:
A potential denial of service vulnerability exists in several TCP stack
implementations.
TCP has a MSS (maximum segment size) option that is used by a TCP client
to announce to a peer the maximum amount of TCP data that can be sent per
segment. The MSS is sent during connection establishment, and is often
set to the interface MTU minus the fixed sizes of the IP and TCP headers.
This is usually 1460 on an Ethernet using IPv4, or 1440 on an Ethernet
using IPv6.
When data of a length exceeding the MSS is written to a TCP socket, it is
broken down into segments before being passed to IP. For example, if an
application writes 2048 bytes of data to a TCP socket with the MSS set to
256, a total of 8 segments are transmitted. Using IPv4, this incurs an
additional 320 bytes for IP and TCP header data. Using IPv6, the amount
increases to 480 bytes. Sending a large number of packets often also
means a significant increase in the workload of the system sending the
data.
The potential for attacks against TCP stack implementations exists because
in many cases only a small minimum value is enforced for the MSS. By
setting the MSS to a low value (such as 1) and making requests for large
amounts of data through a TCP service, an attacker could effectively cause
a denial of service by causing a large workload on a system.
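The overhead arithmetic above (8 segments for 2048 bytes at an MSS of 256, 320 bytes of IPv4 headers, 480 bytes of IPv6 headers) generalises to a simple function of payload length and MSS. The following Python is an added example, not code from the newsletter or from any vendor's TCP stack; it reproduces the advisory's figures, shows how the header cost grows as the MSS shrinks toward 1, and demonstrates the mitigation the advisory implies, enforcing a minimum MSS. The floor and ceiling values passed to clamp_mss are assumed local policy numbers, not settings from any particular operating system.

```python
import math

IPV4_HEADER = 20  # bytes, IPv4 header without options
IPV6_HEADER = 40  # bytes, fixed IPv6 header
TCP_HEADER = 20   # bytes, TCP header without options


def segments_for(payload_len, mss):
    """Number of TCP segments needed to carry payload_len bytes at a given MSS."""
    if mss < 1:
        raise ValueError("MSS must be at least 1 byte")
    return math.ceil(payload_len / mss)


def header_overhead(payload_len, mss, ipv6=False):
    """Total IP+TCP header bytes added when payload_len bytes are sent at this MSS.

    Each segment carries one IP header and one TCP header, so the cost is
    segments * (IP header + TCP header).
    """
    per_segment = (IPV6_HEADER if ipv6 else IPV4_HEADER) + TCP_HEADER
    return segments_for(payload_len, mss) * per_segment


def overhead_ratio(payload_len, mss, ipv6=False):
    """Header bytes per payload byte: the amplification a tiny MSS buys an attacker."""
    return header_overhead(payload_len, mss, ipv6) / payload_len


def clamp_mss(advertised, floor, ceiling):
    """Defensive MSS policy: ignore a peer's advertised MSS outside [floor, ceiling].

    floor and ceiling are assumed local policy values (for example a floor of
    536 and a ceiling equal to the interface MTU minus headers); a stack that
    applies such a floor cannot be driven to one-byte segments.
    """
    return max(floor, min(advertised, ceiling))


if __name__ == "__main__":
    # The advisory's own numbers: 2048 bytes at MSS 256.
    print(segments_for(2048, 256), "segments")
    print(header_overhead(2048, 256), "bytes IPv4 overhead")
    print(header_overhead(2048, 256, ipv6=True), "bytes IPv6 overhead")
    # The degenerate case the advisory warns about: MSS of 1.
    print(header_overhead(2048, 1), "bytes IPv4 overhead at MSS 1")
    print(clamp_mss(1, 536, 1460), "MSS actually used after clamping")
```

At an MSS of 1 every payload byte costs 40 bytes of IPv4 headers and a full segment of processing, which is the workload amplification the advisory describes; clamping to a sane floor removes the lever.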
3. Microsoft Windows 2000 LDAP SSL Password Modification Vulnerability
BugTraq ID: 2929
Remote: Yes
Date Published: 2001-06-25
Relevant URL:
http://www.securityfocus.com/bid/2929
Summary:
Lightweight Directory Access Protocol (LDAP) is a protocol used to access
the Active Directory service. The Active Directory maintains information
about network resources and users. It organizes and controls users'
privileges to various network resources.
Due to improper permissions verification, a normal user can successfully
modify any user's Windows 2000 domain login password. This is accomplished
if LDAP requests are being made over a SSL session.
The file containing the relevant user privilege information is
'chPwd.ldif'. A user could edit this file and modify the 'unicodePwd'
attribute with the desired password. Once the password modify request
function has been submitted, the user's domain password will be reset with
the new one.
The vulnerable modify request function could be carried out by a
non-domain user via TCP port 636.
Successful exploitation of this vulnerability could be used to prohibit
domain users from authenticating. In the event that the domain
administrator's password is changed, a complete compromise of the host is
possible.
4. Microsoft Windows 2000 SMTP Improper Authentication Vulnerability
BugTraq ID: 2988
Remote: Yes
Date Published: 2001-07-05
Relevant URL:
http://www.securityfocus.com/bid/2988
Summary:
The SMTP (Simple Mail Transfer Protocol) server is an internet service
which implements mail transfer according to the SMTP protocol. SMTP
installs by default in Windows 2000.
Due to a flaw in the authentication process of the SMTP service in Windows
2000, it is possible for an unauthorized host to successfully authenticate
and use the SMTP service.
This behaviour occurs when invalid credentials are submitted to the
service during the authentication process. The precise technical details
are not currently known, however the result is that a user without valid
credentials can be successfully authenticated.
This vulnerability could enable an unauthorized user to abuse SMTP
services (mass e-mailing, forging, etc.).
The vendor has reported that this vulnerability only affects the SMTP
service and will not enable an attacker to execute operating system
commands or gain administrative access on the host.
It should be noted that only stand-alone machines are affected by this
issue and not domain members.
Unfortunately, no further technical details have been provided. Updates
will be published as more information becomes available.
5. Windows 2000 Active Directory Authentication Vulnerability
BugTraq ID: 3002
Remote: Yes
Date Published: 2001-06-14
Relevant URL:
http://www.securityfocus.com/bid/3002
Summary:
A vulnerability exists when using Windows 2000 authentication, which could
enable an unauthorized user to authenticate as an authorized user. This is
achieved when using an Active Directory Group name for authentication
along with any password.
This vulnerability is known to affect Mac OS servers when configured to
use Windows 2000 for authentication.
Unfortunately no further technical details have been provided.
6. Microsoft Windows 2000 Task Manager Process Termination Vulnerability
BugTraq ID: 3033
Remote: No
Date Published: 2001-07-16
Relevant URL:
http://www.securityfocus.com/bid/3033
Summary:
Microsoft Windows 2000 Task Manager is a system management program which
provides various types of information about a user's system. Task Manager
allows a user to end any program or process running, as well enables one
to view and monitor the CPU and memory usage of the system.
When ending a running process, using Task Manager, the user is prompted
with a warning message informing them of the risk involved when
terminating an application. However, when attempting to terminate a system
service, Task Manager will not end the process. The user will be prompted
with the following message: 'This is a critical system process. Task
Manager cannot end this process.' A few of the critical system services
include 'winlogon.exe', 'csrss.exe', 'services.exe' and 'smss.exe'.
Windows 2000 is not case sensitive when determining whether or not a
process is associated with the OS. If a file has the same name as a system
process, a user will not be able to terminate it. This could allow a
malicious program to run on a system without the possibility of it being
terminated via Task Manager. If the malicious program is designed to run
on start up, termination of the program would not be possible.
It has been reported that using the 'kill' command along with the
appropriate Process ID (PID) will successfully terminate the questionable
program.
It may be necessary for the system to be re-built in order to regain
normal system functionality.
Successful exploitation of this vulnerability could lead to a complete
compromise of the host.
* Conflicting reports exist. It has been reported that it may be possible
to terminate the questionable process via Task Manager.
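Because the protection is keyed on the image name alone, compared case-insensitively, a defender cannot rely on the name to tell a genuine 'winlogon.exe' from a squatter; the image path has to be checked as well. The following Python is an added example, not code from the newsletter or from Microsoft, showing that check over a constructed process list. The process list, the system directory path and the rule that genuine copies live only in that directory are assumptions for the illustration; on a real host the list would come from the system's process enumeration.

```python
import ntpath

# Critical system process names given in the advisory. Windows compares them
# case-insensitively, so the set is kept in lower case and lookups are lowered.
CRITICAL_NAMES = {"winlogon.exe", "csrss.exe", "services.exe", "smss.exe"}

# Assumed location of the genuine system binaries; adjust to the installation.
SYSTEM_DIR = r"C:\WINNT\system32"


def is_protected_name(image_name):
    """True if Task Manager would refuse to end a process with this image name."""
    return image_name.lower() in CRITICAL_NAMES


def find_name_squatters(processes, system_dir=SYSTEM_DIR):
    """Return the full paths of processes that borrow a critical system name
    but run from somewhere other than the system directory.

    processes is an iterable of (image_name, full_path) pairs. ntpath.normcase
    lower-cases and normalises separators so that Windows-style paths compare
    correctly on any platform.
    """
    wanted_dir = ntpath.normcase(system_dir)
    suspects = []
    for image_name, full_path in processes:
        if not is_protected_name(image_name):
            continue
        if ntpath.normcase(ntpath.dirname(full_path)) != wanted_dir:
            suspects.append(full_path)
    return suspects


# Constructed sample snapshot: one genuine winlogon, one squatter with the
# same name in a different case and directory, one unrelated process.
SAMPLE_PROCESSES = [
    ("winlogon.exe", r"C:\WINNT\system32\winlogon.exe"),
    ("WinLogon.EXE", r"C:\Temp\WinLogon.EXE"),
    ("notepad.exe", r"C:\WINNT\notepad.exe"),
]

if __name__ == "__main__":
    for path in find_name_squatters(SAMPLE_PROCESSES):
        print("critical name outside system directory:", path)
```

The squatter is found by path, which is also what an administrator needs in order to remove it from the start-up configuration before the next boot.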
7. Microsoft Outlook Express Address Book Spoofing Vulnerability
BugTraq ID: 2823
Remote: Yes
Date Published: 2001-06-05
Relevant URL:
http://www.securityfocus.com/bid/2823
Summary:
Outlook Express is the standard e-mail client that is shipped with
Microsoft Windows 9x/ME/NT.
The address book in Outlook Express is normally configured to make entries
for all addresses that are replied to by the user of the mail client. An
attacker may construct a message header that tricks Address Book into
making an entry for an untrusted user under the guise of a trusted one.
The "From:" field has this format: name <emailaddress>.
If the name is of a trusted user and the address is of the attacker and
the message is replied to, then Address Book makes a misleading entry
under the name of the trusted user. All mail sent using the Address Book
entry will be intercepted by the attacker.
This vulnerability can lead to further social engineering attacks.
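The advisory's point is that the client trusts the display name in the "From:" field and files the reply address under it. A mail client or gateway can instead compare the display name against the addresses already known for it and refuse to create a misleading entry. The following Python is an added example, not code from the newsletter or from Outlook Express; it parses the "From:" value with the standard library and applies that check against a constructed address book. The address book contents and the verdict labels are assumptions for the illustration.

```python
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> set of known addresses.
ADDRESS_BOOK = {
    "alice example": {"alice@example.com"},
}


def check_from_header(from_value, address_book=ADDRESS_BOOK):
    """Classify a "From:" header value against the address book.

    Returns (verdict, name, addr) with name and addr normalised to lower case.
    Verdicts: "malformed", "unknown-sender", "match", "display-name-mismatch".
    """
    name, addr = parseaddr(from_value)
    name = name.strip().lower()
    addr = addr.strip().lower()
    if not addr:
        return ("malformed", name, addr)
    known = address_book.get(name)
    if known is None:
        return ("unknown-sender", name, addr)
    if addr in {a.lower() for a in known}:
        return ("match", name, addr)
    # A trusted display name paired with an address we have never seen for it:
    # exactly the case the advisory describes.
    return ("display-name-mismatch", name, addr)


def safe_auto_add(from_value, address_book):
    """Mimic the client's add-on-reply behaviour, but refuse the misleading entry.

    Returns True if an entry was recorded (or already present), False if the
    header was rejected and the address book left untouched.
    """
    verdict, name, addr = check_from_header(from_value, address_book)
    if verdict in ("malformed", "display-name-mismatch"):
        return False
    address_book.setdefault(name, set()).add(addr)
    return True


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Alice Example <alice@example.com>",
        "Alice Example <someone-else@example.net>",
        "Bob <bob@example.org>",
    ):
        print(header, "->", check_from_header(header)[0])
```

A mismatch verdict is the signal to surface the real address to the user rather than silently filing it; the spoofed entry is only dangerous because the client never shows the address again once the name is in the book.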
8. Microsoft Outlook Unauthorized Email Access Vulnerability
BugTraq ID: 3025
Remote: Yes
Date Published: 2001-07-12
Relevant URL:
http://www.securityfocus.com/bid/3025
Summary:
Microsoft Outlook introduces a vulnerability that may allow attackers to
access user email.
Outlook introduces an ActiveX control called "Microsoft Outlook View
Control". The flaw is that this control is marked 'safe for scripting'
when it should not be. It is therefore accessible to scripts embedded in
html documents, including email and remote websites.
Scripts can access user email through a property of this control called
'selection'.
It has been reported that malicious websites or html email messages may be
able to disclose email content to attackers, or may allow attackers to
delete emails without user knowledge or consent.
9. Microsoft Outlook Arbitrary Code Execution Vulnerability
BugTraq ID: 3026
Remote: Yes
Date Published: 2001-07-12
Relevant URL:
http://www.securityfocus.com/bid/3026
Summary:
Microsoft Outlook introduces a vulnerability that may allow attackers to
execute arbitrary commands.
Outlook introduces an ActiveX control called "Microsoft Outlook View
Control". The flaw is that this control is marked 'safe for scripting'
when it should not be. It is therefore accessible to scripts embedded in
html documents, including email and remote websites.
Scripts can execute commands through a property of this control called
'application'.
It may be possible for remote attacker to gain access to client systems if
victims view maliciously created websites or open hostile email messages.
10. Microsoft IIS Unicode .asp Source Code Disclosure Vulnerability
BugTraq ID: 2909
Remote: Yes
Date Published: 2001-06-21
Relevant URL:
http://www.securityfocus.com/bid/2909
Summary:
When a user requests a resource residing on a remote host, the file is
returned or executed according to its file extension.
A flaw exists in the handling of .asp requests. Typically when a request
is made for an .asp file, IIS will identify that it is a script and run it
as such. However if the host is formatted with a FAT file system and a
request is made with an .asp Unicode encoded file extension, IIS may not
handle the request properly and return the source code of the file.
Sensitive information in scripts (such as database usernames and
passwords) may be disclosed to attackers. Vulnerabilities present in
scripts may also be revealed if the source code is disclosed. This may
facilitate further attacks against the server.
11. Microsoft IIS Device File Local DoS Vulnerability
BugTraq ID: 2973
Remote: No
Date Published: 2001-07-04
Relevant URL:
http://www.securityfocus.com/bid/2973
Summary:
Microsoft IIS is prone to denial of service attacks by local users.
This issue is exploitable if the local attacker can create an .asp file
which attempts to perform file I/O on various device names.
When a script uses the 'Scripting.FileSystemObject' methods to open and
read from a 'dos device', the ASP interpreter will hang. This will result
in a denial of service.
This issue is exploitable if the local attacker can create an .asp file
which triggers the condition. A user on a webhosting service may for
example use this vulnerability to cause a denial of service to other
websites hosted by the vulnerable server.
This vulnerability may also be exploitable by remote attackers if existing
scripts use the 'Scripting.FileSystemObject' methods to open files with
filenames supplied remotely. If attackers can cause the target script to
open/read from a 'device name', the denial of service will be triggered.
The end result of exploiting this vulnerability is that the server will
crash and a denial of service will occur. The affected services must be
restarted to regain normal functionality.
12. Microsoft Word Document Macro Execution Vulnerability
BugTraq ID: 2876
Remote: Yes
Date Published: 2001-05-23
Relevant URL:
http://www.securityfocus.com/bid/2876
Summary:
Microsoft Word has a security feature which prompts a user before opening
a document containing macros. A vulnerability exists in the security
feature which could enable macros within .doc files to run without the
user's knowledge.
Word fails to properly check files for macros. A Word document containing
macros can be modified (by one byte using a hex editor) in such a way that
upon opening the file, the macros will execute without the user's
knowledge.
This vulnerability can be exploited regardless of the level of security
set.
Successful exploitation of this vulnerability could assist in further
attacks against the victim, or possibly lead to a complete compromise of
the target.
13. Microsoft SQL Server Administrator Cached Connection Vulnerability
BugTraq ID: 2863
Remote: No
Date Published: 2001-06-12
Relevant URL:
http://www.securityfocus.com/bid/2863
Summary:
Query methods are SQL Server commands used to request information from the
database. A flaw exists in the handling of specially structured ad hoc
queries, which could enable a normal user to gain administrative
privileges.
In order to gain access to information in the database, a user must make a
connection to the server. Once access to the database is no longer
required, the user logging off will terminate the connection. However, by
design, SQL Server will store the connection used by the user in cache for
a certain amount of time. This is done to improve the server's
performance. Next time that particular user logs in, SQL Server can
reinstate the cached connection rather than creating a new one.
It is possible for a logged in user to use an ad hoc query in a particular
way, that would invoke the cached connection of the system administrator
rather than that of the user. This would enable the user to access the
database with administrative privileges.
In order to successfully exploit this issue, Mixed Mode authentication
must be enabled. Hosts with Windows authentication enabled will not be
affected by this issue.
14. Microsoft Exchange OWA Embedded Script Execution Vulnerability
BugTraq ID: 2832
Remote: Yes
Date Published: 2001-06-06
Relevant URL:
http://www.securityfocus.com/bid/2832
Summary:
Microsoft Exchange 2000 enables users to access their inboxes and other
various resources located in the Web Storage System. Outlook Web Access
(OWA) enables users to remotely access these resources via a URL. OWA
ships with Microsoft Exchange 2000 by default.
Due to a flaw in the interaction between Exchange's OWA service and
Internet Explorer, it is possible for an email attachment to execute
without prompting the user.
Typically, when opening email attachments, the operating system prompts a
user with a dialogue box requesting a selection of the appropriate
application to view the file. However, when viewing email via OWA using an
IE browser, upon opening an email attachment the dialogue is not displayed
and the file is automatically opened.
This vulnerability could enable a user to embed a malicious script into an
HTML attachment. Since IE parses any script in a file, upon the recipient
opening the file the script will run.
Successful exploitation of this vulnerability could lead to a complete
compromise of the host.
15. Microsoft Exchange 5.5 LDAP Denial of Service Vulnerabilities
BugTraq ID: 3045
Remote: Yes
Date Published: 2001-07-16
Relevant URL:
http://www.securityfocus.com/bid/3045
Summary:
Exchange Server is an email and directory server offered by Microsoft.
The LDAP component of Exchange Server reportedly contains a vulnerability
that can be exploited to cause a denial of service.
The vulnerability is due to an inability to handle malformed LDAP filter
type values. When an LDAP request is received containing such a field,
the service reportedly becomes unresponsive. No other Exchange services
are affected.
Exploitation of this vulnerability may result in a prolonged denial of
LDAP service.
Further technical details are not yet available.
This problem was discovered using the PROTOS project's LDAPv3 test suite,
which tests the security of a server by presenting it with a wide variety
of sample packets containing unexpected values or illegally formatted
data.
16. MS Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
BugTraq ID: 2880
Remote: Yes
Date Published: 2001-06-18
Relevant URL:
http://www.securityfocus.com/bid/2880
Summary:
Microsoft Index Server and Indexing Service enables text searches on an
internet or intranet site via a web browser. Index Server ships with
Windows NT 4.0 Option Pack and Indexing Service ships with Windows 2000.
An unchecked buffer exists in a certain ISAPI extension associated with
the Index Server and Indexing Service.
A host running Microsoft Index Server or Indexing Service is susceptible
to the execution of arbitrary code, due to an unchecked buffer in the
'idq.dll' ISAPI extension. If a request is made, in a particular manner,
to a host with 'idq.dll' installed, either Index Server or Indexing
Service will experience a buffer overflow and allow the execution of
arbitrary code. Unfortunately, the Index Server and Indexing Service run
in the Local System context; therefore, the attacker can specify arbitrary
code to be run with Local System privileges.
'idq.dll' provides support for Internet Data Administration (.ida) files
and Internet Data Query (.idq) files. In order to exploit this
vulnerability script mappings that associate '.idq' and '.ida' files with
'idq.dll' must exist.
It should be noted that Index Server and Indexing Service do not need to
be running in order for an attacker to exploit this issue. 'idq.dll' is
installed by default when IIS is installed, so IIS is the only service
that needs to be running.
Successful exploitation of this vulnerability could lead to complete
compromise of the target host.
It should be noted that this vulnerability is currently being exploited by
the 'Code Red' worm. Please see the reference section for further
information regarding this worm.
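Since the advisory states that the flaw is reachable only through the '.idq' and '.ida' script mappings to 'idq.dll', any request for such a resource on a server that does not use Index Server is worth a look, and a request carrying an unusually long query is more so. The following Python is an added example, not code from the newsletter or from Microsoft: it scans W3C-style IIS log lines for those two extensions and flags long queries. The log lines are constructed for the illustration, the field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumed logging configuration, and the 200-character query threshold is an assumed tuning value, not a signature of any particular worm.

```python
from urllib.parse import unquote

# Extensions the advisory says are mapped to idq.dll.
IDQ_EXTENSIONS = (".ida", ".idq")
# Assumed threshold: query strings longer than this are unusual for these handlers.
LONG_QUERY = 200


def build_sample_log():
    """Constructed W3C extended log excerpt (not a real capture)."""
    long_query = "A" * 240
    return "\n".join([
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
        "2001-07-19 10:00:01 10.0.0.5 GET /index.htm - 200",
        "2001-07-19 10:00:02 10.0.0.7 GET /search.idq CiRestriction=report 200",
        f"2001-07-19 10:00:03 192.0.2.44 GET /default.ida {long_query} 200",
    ])


def parse_line(line):
    """Split one log line into a record, or return None for comments/blank/odd lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return {
        "ip": ip,
        "method": method,
        # Percent-decode the path so an encoded extension is still recognised.
        "stem": unquote(stem),
        "query": "" if query == "-" else query,
        "status": status,
    }


def scan_log(text):
    """Return findings for every request that reaches the idq.dll mappings.

    Each finding lists why it was flagged: the mapped extension always, and
    "long-query" when the query string exceeds LONG_QUERY characters.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["stem"].lower().endswith(IDQ_EXTENSIONS):
            continue
        reasons = ["idq-mapped-extension"]
        if len(rec["query"]) > LONG_QUERY:
            reasons.append("long-query")
        findings.append({"ip": rec["ip"], "stem": rec["stem"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(build_sample_log()):
        print(f["ip"], f["stem"], ", ".join(f["reasons"]))
```

On a server that does not use Index Server the better fix is the one the advisory implies: remove the '.ida' and '.idq' script mappings so requests never reach 'idq.dll', and keep the log check as confirmation that nothing still routes there.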
17. Microsoft Internet Explorer File Contents Disclosure Vulnerability
BugTraq ID: 2836
Remote: Yes
Date Published: 2001-06-06
Relevant URL:
http://www.securityfocus.com/bid/2836
Summary:
MSIE contains a vulnerability which may allow malicious website operators
to obtain data (non-cookie) from the filesystem of a remote client.
If a known local file on the client filesystem is referenced as script
source, some of its contents can be read if they are formatted in a
certain way. The contents have to be formatted as though script variables
are being assigned values, i.e.:
variablename=variablevalue
If a file containing data formatted in this manner exists on the client
filesystem at a known location, it may be possible for malicious
webmasters to obtain some of its content.
The vulnerability lies in the fact that MSIE will read these name/value
pairs as variables and their values in the script interpreter. The values
can then be referenced simply by using the associated variables in the
script code, the names of which must also be known by the attacker.
Because of the knowledge required to exploit this vulnerability and the
fact that the file must be formatted correctly, real-world exploitation is
unlikely (but not out of the question). The primary concern is that MSIE
is providing data from files outside of the allowed areas to remote hosts.
Depending on the contents of the known file, this vulnerability could
reveal sensitive data and assist in further attacks against the target.
18. Microsoft Internet Explorer File Disclosure Vulnerability
BugTraq ID: 2833
Remote: Yes
Date Published: 2001-03-31
Relevant URL:
http://www.securityfocus.com/bid/2833
Summary:
Due to a flaw in Internet Explorer's handling of embedded script
(MSScriptControl.ScriptControl) combined with GetObject function in a web
page, it is possible for a remote web site operator to retrieve a known
file from a visiting user's system.
A web page containing script (MSScriptControl.ScriptControl) and the
GetObject function with the known path to an existing file will return
the contents of the requested file back to the web server.
This vulnerability may allow the execution of arbitrary commands, although
it has not been confirmed.
Successful exploitation of this vulnerability could disclose sensitive
data, which may assist in further attacks against the target.
19. Microsoft Windows 2000 Telnet Username DoS Vulnerability
BugTraq ID: 2838
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2838
Summary:
Microsoft Windows 2000 ships with a telnet service. Due to a flaw in the
implementation of the telnet service, it is possible for a remote client
to cause a denial of service on the host.
By design, the telnet service will drop a connection if an exceptionally
long string of characters is received in the supplied username.
However, if approximately 4300 characters already exist in the input
buffer and approximately 127 ASCII encoded backspaces (0x7b) are
submitted, the telnet service will crash.
A restart of the service is required in order to regain normal
functionality.
This vulnerability may be the result of a buffer overflow; although this
has not been verified, it could lead to the execution of arbitrary code on
the target host.
20. Microsoft Windows 2000 Telnet Multiple Sessions DoS Vulnerability
BugTraq ID: 2843
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2843
Summary:
Microsoft Windows 2000 ships with a telnet service. A vulnerability exists
in the telnet service which could enable a remote client to perform a
denial of service attack against a host.
It is possible for a remote client to connect to the telnet service and
leave the connection idle without the host terminating the session. If
this technique is performed as many times as the host allows connections,
other legitimate clients will not be able to connect to the service. Under
"normal" conditions idle connections time out after a certain amount of
time.
No further technical details have been provided.
A restart of the service is required in order to regain normal
functionality.
21. Microsoft Windows 2000 Telnet Service DoS Vulnerability
BugTraq ID: 2844
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2844
Summary:
Microsoft Windows 2000 ships with a telnet service. A vulnerability exists
in the telnet service which could enable a client to cause the host to
stop responding.
If a client makes numerous connections to the host in a particular way,
the telnet service could begin to consume all available system resources
and eventually crash.
This vulnerability is caused by the way handlers function in Windows 2000.
Under certain conditions, the handlers are not properly reinstated to the
system for reuse.
No further technical details have been provided.
A restart of the service is required in order to regain normal
functionality.
22. Microsoft Windows 2000 Telnet System Call DoS Vulnerability
BugTraq ID: 2846
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2846
Summary:
Microsoft Windows 2000 ships with a telnet service. A vulnerability exists
in the telnet service which could enable a user to terminate any telnet
session.
Administrative privileges are required in order to access the management
console of the telnet service, however a certain underlying system call
does not require admin privileges.
Typically, in order to make some system calls one requires a certain level
of privilege (admin), but a flaw exists which enables a normal user to
make a specific system call. If this system call is properly made it is
possible to terminate telnet sessions. This is achieved if a program
running on the server with normal privileges initiates the system call to
terminate a telnet session.
In order for a user to exploit this vulnerability, a user must log onto
the server and load a program that will run the system call.
A restart of the service is required in order to regain normal
functionality.
23. Microsoft W2K Telnet Various Domain User Account Access Vulnerability
BugTraq ID: 2847
Remote: Yes
Date Published: 2001-06-07
Relevant URL:
http://www.securityfocus.com/bid/2847
Summary:
Microsoft Windows 2000 contains a flaw in the handling of telnet domain
authentication.
If a user attempts to authenticate using a valid login name appended with
specially chosen characters, the telnet service will not require the user
to specify the domain to which the account belongs. The service will
instead search the domain and all trusted domains for the user account;
if the account is enabled, the user will have to complete authentication.
Once an attacker is aware of a valid user account, brute force techniques
can be used to attempt access into the trusted domain.
Successful exploitation of this vulnerability will disclose environment
information and username existence, both pieces of information could
assist in further attacks against the host.
24. Microsoft Windows 2000 Telnet Privilege Escalation Vulnerability
BugTraq ID: 2849
Remote: Yes
Date Published: 2001-06-08
Relevant URL:
http://www.securityfocus.com/bid/2849
Summary:
A vulnerability exists in the way the Windows 2000 telnet service handles
server-side named pipes.
A server-side named pipe is created each time telnet starts a new session,
and the pipes are named in a predictable sequence.
Due to the predictability of server-side named pipe names, any local user
with privileges to execute a program is able to create a server-side named
pipe and assume the security context of the system service the next time
a session is started. If the telnet service is run after arbitrary code
has been attached to the named pipe, the code will be run in the Local
System context as part of the initialization process.
It has been reported that this vulnerability can be exploited via two
methods. Unfortunately, no further technical details have been provided.
Successful exploitation of this vulnerability could lead to the complete
compromise of the host.
25. Windows Media Player Internet Shortcut Execution Vulnerability
BugTraq ID: 2765
Remote: Yes
Date Published: 2001-05-23
Relevant URL:
http://www.securityfocus.com/bid/2765
Summary:
Windows Media Player is an application used for viewing digital audio and
video content.
Typically, internet shortcuts are created and saved on the user's system
in the MSIE Internet cache. Due to a flaw in the implementation of WMP,
internet shortcuts created by WMP are saved in the temporary internet
files folder with known filenames.
When IE opens a file from its cache, it is opened in the Internet Zone,
which restricts what the HTML/script can do. However, a file residing on
the local system outside of this cache is opened by IE in the Local
Computer Zone, which has considerably more privileges than the Internet
Zone.
When WMP creates Internet shortcuts, it stores them outside of the MSIE
cache. As a result, these shortcuts are opened in the Local Computer Zone.
This may allow maliciously crafted shortcuts to read files and send the
data back to webservers.
This particular vulnerability does not require that the user click on the
shortcut to execute the code; an attacker could execute the shortcut using
the same method used to create it. However, the relative path to the
location where the shortcut is created must be known.
Knowledge of the relative path to the temporary internet files folder
depends on the operating system the target is using. Windows 95, 98 and
ME have a commonly known default location. However, on Windows NT 4.0 and
Win2K the temporary internet files folder resides in the user's local
settings, which varies from system to system.
Successful exploitation of this vulnerability could assist in further
attacks against the target host.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. IIS 4.0 DOS attack? (Thread)
Relevant URL:
2. IIS and SQL through the firewall (Thread)
Relevant URL:
3. IIS + DOS attacks = headache (Thread)
Relevant URL:
4. IIS 3.0 (Thread)
Relevant URL:
5. SecurityFocus Call for Microsoft Articles (Thread)
Relevant URL:
6. Word of caution (Thread)
Relevant URL:
7. Full analysis of the .ida "Code Red" worm. (Thread)
Relevant URL:
8. Windows Scripting Host (Thread)
Relevant URL:
9. Webserver, DMZ, ports questions (Thread)
Relevant URL:
10. Your Virus Protection Programs (Thread)
Relevant URL:
11. Bad PGP Key from Microsoft Security Response Center (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-07-20%26thread%3d000b01c11027$1c622e90$c503a8c0@waw.getin.pl
12. NT "net use" Malfunctions (Thread)
Relevant URL:
13. IIS 5.0 IN A DOMAIN? (Thread)
Relevant URL:
14. PART II : Webserver, DMZ, ports questions (Thread)
Relevant URL:
15. Yet another IIS compromise (Thread)
Relevant URL:
http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-07-20%26thread%3d005801c10f8e$15893210$c503a8c0@waw.getin.pl
16. MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 (fwd) (Thread)
Relevant URL:
17. EFS Stability (Thread)
Relevant URL:
18. Is netbios safe on a 2nd NIC? (Thread)
Relevant URL:
19. file hiding in win2k (Thread)
Relevant URL:
20. IE settings changed by websites (Thread)
Relevant URL:
21. Malware masquerading as MS patch (Thread)
Relevant URL:
22. Initial analysis of the .ida "Code Red" Worm (Thread)
Relevant URL:
23. Fw: Windows Scripting Host (Thread)
Relevant URL:
24. FW: FW: Is netbios safe on a 2nd NIC? (Thread)
Relevant URL:
25. FW: Is netbios safe on a 2nd NIC? (Thread)
Relevant URL:
26. Proxy files PFxxxxxx (Thread)
Relevant URL:
27. Files Auditing Utility (Thread)
Relevant URL:
28. SecurityFocus Microsoft Newsletter #43 (Thread)
Relevant URL:
29. 2k kerbos & time. (Thread)
Relevant URL:
30. Media Player Privacy Option (Thread)
Relevant URL:
31. Win 2K Ports continued... (Thread)
Relevant URL:
IV.NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Cisco VPN 5000 series
by Cisco Systems
Platforms: Linux, MacOS, Solaris, Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1320
Summary:
The Cisco VPN 5000 series of concentrators, and associated VPN client
software, provide a comprehensive and flexible set of IPsec VPN
capabilities for both site-to-site and remote access services. This series
of products enables both customer premise equipment (CPE) and service
provider edge-based deployments utilizing the most advanced
high-performance encryption and authentication techniques available. The
Cisco VPN 5000 concentrator series is a feature-rich, carrier-class VPN
product that supports the most demanding multiplatform, multiprotocol
environments.
2. RSA SecurID Web Express
by RSA Security
Platforms: Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1477
Summary:
RSA SecurID Web Express is an automated, Web-based workflow product that
enables users to rapidly deploy their own authentication credentials, such
as RSA SecurID. Since the tasks of requesting and activating RSA SecurID
no longer need to be handled prior to deployment, RSA SecurID Web Express
will reduce the time and cost associated with enterprise, B2B, B2C and ASP
credential rollouts of any size.
3. PestPatrol
by SaferSite
Platforms: Windows 2000, Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1474
Summary:
PestPatrol is a utility similar to anti-virus products, but instead of
scanning for viruses it scans for worms and Trojans, and even tools and
utilities used by hackers and maybe even trusted employees. Used along
with anti-virus software, PestPatrol will keep you safe from malicious
objects, commonly referred to as Pests. You routinely scan for viruses;
why not make PestPatrol part of your daily routine?
4. NetWatcher 2000
by Moonlight Software
Platforms: Windows 2000, Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1472
Summary:
This utility runs in the background while you are connected to the
Internet, monitoring queries for information. If it detects one, it alerts
you and gives you the option of immediately closing the connection. The
program also logs the intruder's IP address, port number, and host,
letting you report the intruder to their Internet service provider.
5. Tiny Personal Firewall
by Tiny Software
Platforms: Windows 2000, Windows 95/98 and Windows NT
Relevant URL:
http://www.securityfocus.com/templates/product.html?id=1471
Summary:
Tiny Personal Firewall represents smart, easy-to-use personal security
technology that fully protects personal computers against hackers. Built
on ICSA-certified security technology, it is also an integral part of The
Tiny Software Centrally Managed Desktop Security (CMDS) system selected by
the US Air Force for its approximately 500,000 desktop computers.
V.NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Dreamscape Keylogger v2.83
by dome/redsand
Relevant URL:
http://www.securityfocus.com/tools/2118
Platforms: Windows 2000 and Windows 95/98
Summary:
Logs the keys pressed on a remote system, from a local host. With easily
configurable options.
2. ScoopLm v1.4.1
by urity@www.securityfriday.com
Relevant URL:
http://www.securityfocus.com/tools/1947
Platforms: Windows 2000 and Windows NT
Summary:
ScoopLm captures LM/NTLM authentication information (LanManager and
Windows NT challenge/response) on the network.
3. PromiScan
by Hyler<hyler@securityfriday.com>
Relevant URL:
http://www.securityfocus.com/tools/1980
Platforms: Windows 2000
Summary:
This software searches for promiscuous nodes on the local net. It does
not create a heavy load on the network, and PromiScan quickly searches
for promiscuous nodes. Finding a promiscuous node is very difficult; in
many cases the result is not certain. Nodes likely to be promiscuous are
quickly listed by PromiScan, and the listed nodes are clearly visible.
You can also find nodes on which promiscuous mode is not permitted.
PromiScan is very useful for the security management of a local network.
4. Invisible Secrets v3
by NeoByte Solutions
Relevant URL:
http://www.securityfocus.com/tools/2117
Platforms: Windows 2000, Windows 95/98 and Windows NT
Summary:
Invisible Secrets 3 not only encrypts your data and files for safe keeping
or for secure transfer across the net, it also hides them in places that
on the surface appear totally innocent, such as picture or sound files, or
web pages. These types of files are a perfect disguise for sensitive
information. With Invisible Secrets 3 you may encrypt and hide files
directly from Windows Explorer, and then automatically transfer them by
e-mail or via the Internet. Invisible Secrets 3 features strong encryption
algorithms, a wizard that guides you through all the necessary steps
needed to protect your data, a password management solution that stores
all your passwords securely and helps you create secure passwords and a
shredder that helps you destroy the originals after encryption.
5. Archaeopteryx v1.0
by FoxThree
Relevant URL:
http://www.securityfocus.com/tools/2115
Platforms: Windows 2000 and Windows NT
Summary:
Archaeopteryx is a passive-mode OS identification tool. It is based on
Siphon v.666 by SubTerrain. It has a great GUI and a highly configurable
OS signature file. It uses POSIX threads for multi-threading (pthreads for
Win32). It also requires the WinPCAP drivers. We plan to support this tool
actively! So, please send all new OS signatures to us.