SecurityFocus Microsoft Newsletter #100

From: John Boletta (jboletta@securityfocus.com)
Date: 08/19/02


Date: Mon, 19 Aug 2002 12:37:26 -0600 (MDT)
From: John Boletta <jboletta@securityfocus.com>
To: ms-secnews@securityfocus.com


SecurityFocus Microsoft Newsletter #100
---------------------------------------

This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. No Stone Unturned, Part Six
     2. Unlocking the Secrets of Crypto: Cryptography, Encryption...
     3. The Original Anti-Piracy Hack
     4. SecurityFocus DPP Program
     5. InfowarCon 2002
     6. SpiDynamics ALERT
II. MICROSOFT VULNERABILITY SUMMARY
     1. Cisco VPN Client Zero Length IKE Packet Denial Of Service...
     2. Google Toolbar Unauthorized JavaScript Configuration...
     3. Google Toolbar Keypress Monitoring Information Disclosure...
     4. Ipswitch WS_FTP Server CPWD Remote Buffer Overflow Vulnerability
     5. BlueFace Falcon Web Server Error Message Cross-Site Scripting...
     6. Midicart ASP Remote Customer Information Retrieval Vulnerability
     7. Citrix Metaframe Java ICA Environment Denial Of Service...
     8. Cisco VPN Client IKE Security Parameter Index Payload Buffer...
     9. PGP / GnuPG Chosen Ciphertext Message Disclosure Vulnerability
     10. Cisco VPN Client IKE Packet Excessive Payloads Vulnerability
     11. Microsoft Internet Explorer File Attachment Script Execution...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Win2k network changes (Thread)
     2. SP3 Problems? (Thread)
     3. Exchange SSL Connection warning message (Thread)
     4. Patch for ms02-40 "HELLO BUG" doesn't working (Thread)
     5. Problems using Windows Update on Windows XP Pro (Thread)
     6. .Net Server and 'taskkill' (Thread)
     7. Win2k Terminal Services (Thread)
     8. Client certificates in M$ outlook (Thread)
     9. Password change utility (Thread)
     10. SCE Templates from a Network Drive (Thread)
     11. SecurityFocus Microsoft Newsletter #99 (Thread)
     12. Another SUS / Autoupdate question (Thread)
     13. AW: SP3 Problems? (Thread)
     14. SP3 Article Updated on Microsoft Technet (Thread)
IV. MICROSOFT PRODUCTS
     1. entercept 2.0 Web Server Edition
     2. SmartFilter
     3. EventAdmin
V. MICROSOFT TOOLS
     1. pdd
     2. Sniff'em
     3. WinARP Watch
     4. GNOME Workstation Command Center
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. No Stone Unturned, Part Six
by H. Carvey

This is an additional installment to the No Stone Unturned series, which
was written to help clarify to NT/2K admins the steps they can take to
determine the nature and purpose of suspicious files found on their
systems. In Part Five of the series, our heroic system administrator found
an unusual file on a compromised system. In this bonus installment, he
attempts to determine the nature and purpose of that file.

http://online.securityfocus.com/infocus/1618

2. Unlocking the Secrets of Crypto: Cryptography, Encryption, and
Cryptology Explained
by Sarah Granger

Encryption, decryption and code breaking came into the public
consciousness in the 1980s with the popularity of the movie War Games. It
became newsworthy in the 1990s with the legal battles surrounding PGP and
the political discussion of the Clipper Chip. Now, with information
security becoming more and more of a common concern, the terms encryption,
cryptography and cryptology - commonly grouped together under the term
"crypto" - are seeping into our daily language. Still, many people are
unsure of what these terms refer to. The purpose of this article is to
demystify crypto and break it down to simple tools that aid us in
achieving satisfactory privacy and security.

http://online.securityfocus.com/infocus/1617

3. The Original Anti-Piracy Hack
By George Smith

The entertainment industry's plan to use malicious cyber attacks to
enforce its copyrights has precedent in a strange British case from a
decade past.

http://online.securityfocus.com/columnists/102

4. SecurityFocus DPP Program

Attention Non-profit Organizations and Universities!! Sign-up now for
preferred pricing on the only global early-warning system for cyber
attacks - SecurityFocus DeepSight Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

5. InfowarCon 2002

InfowarCon 2002: Homeland Defense and Cyber-Terrorism, Washington, DC
September 4-5, 2002, optional workshops September 3 & 6. Presented by MIS
Training Institute and Interpact, Inc. Proven strategies for protecting
against threats to critical infrastructures and government systems.

Visit us at:
http://www.misti.com/08/iw02nl26inf.html

6. SpiDynamics

ALERT: Top 14 Web Application Attack Techniques and Methods to Combat them
Firewalls, IDS and Access Controls don't stop these attacks because
hackers using the web application layer are NOT seen as intruders. Learn
why 75% of today's successful system hacks involve Web Application
vulnerabilities, not network security flaws. Download this *FREE* white
paper from SPI Dynamics for a complete guide of Web application
vulnerabilities.

http://www.spidynamics.com/mktg/webappsecurity20

II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Cisco VPN Client Zero Length IKE Packet Denial Of Service Vulnerability
BugTraq ID: 5440
Remote: Yes
Date Published: Aug 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5440
Summary:

The Cisco VPN Client is Virtual Private Network software. It is available
for a number of platforms including Microsoft Windows and Unix and Linux
variants.

Some versions of the VPN Client are vulnerable to a denial of service
attack.

When vulnerable clients receive a specific IKE packet with a zero length
payload, the VPN client will consume all available processor time. This
may result in a denial of service condition, and require that the VPN
client process be manually killed and restarted in order to regain normal
functionality.

It may be possible to exploit this vulnerability with a malicious server.
It may also be possible to exploit this issue by injecting a malicious
packet into a legitimate VPN connection. The ability to inject data will
depend on the network proximity of the attacker; however, VPN connections
are commonly made when traffic must pass through untrusted network space.

2. Google Toolbar Unauthorized JavaScript Configuration Modification Vulnerability
BugTraq ID: 5424
Remote: Yes
Date Published: Aug 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5424
Summary:

The Google Toolbar is an ActiveX control for Microsoft Internet Explorer,
which provides functionality related to the Google search engine. An error
has been reported in the method in which the Google Toolbar updates
configuration options.

It is possible to modify configuration settings by visiting a specific URL
that accepts commands as CGI parameters. While any page may reference this
URL, requests are only honored if they are received from within the
google.com domain, or URLs using the local res:// protocol.

It is possible, however, for malicious scripts to open a new page in
either of the allowed domains, and then reset the location to a URL that
will modify toolbar settings. It is possible to change most options of the
toolbar configuration.

It is also possible to pass arbitrary JavaScript to the configuration URL.
This script code will execute within the context of the referencing site.
If local files referenced with the res:// protocol are used, attacker
supplied script code may execute within the Local Computer security zone.

3. Google Toolbar Keypress Monitoring Information Disclosure Vulnerability
BugTraq ID: 5426
Remote: Yes
Date Published: Aug 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5426
Summary:

The Google Toolbar is an ActiveX control for Microsoft Internet Explorer,
which provides functionality related to the Google search engine.

It has been reported that keypress events in some versions of the Google
Toolbar are also sent to the underlying browser window. A malicious script
executing in the current browser window may monitor keypress events, and
access whatever is typed into the toolbar.

Under some circumstances, this may lead to the disclosure of potentially
sensitive information.

4. Ipswitch WS_FTP Server CPWD Remote Buffer Overflow Vulnerability
BugTraq ID: 5427
Remote: Yes
Date Published: Aug 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5427
Summary:

Ipswitch WS_FTP Server is an FTP server for Microsoft Windows platforms.
WS_FTP Server is vulnerable to a buffer overflow condition when a user
submits a specially crafted FTP command.

The buffer overflow is related to the handling of the CPWD command, used
to modify an authenticated user's password. Reportedly, oversized
parameters to this command allow an attacker to corrupt sensitive process
memory, including stack frame information.

Exploitation may lead to the remote execution of arbitrary code, possibly
with SYSTEM privileges. It may also be possible to crash the server
process by sending arbitrary oversized data, leading to a denial of
service condition.

This issue has been reported in WS_FTP Server 3.1.1. Earlier versions may
share this vulnerability; this has not, however, been confirmed.

5. BlueFace Falcon Web Server Error Message Cross-Site Scripting Vulnerability
BugTraq ID: 5435
Remote: Yes
Date Published: Aug 09 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5435
Summary:

Falcon Web Server is a small web server that runs on several Microsoft
Windows platforms. It is mainly intended for small to medium sized
businesses.

Falcon Web Server does not sufficiently sanitize HTML tags from error
message output. In particular, attackers may inject HTML into 301 and 404
error pages. It is possible to cause the server to generate a 301 error
page by making a request for a non-existent file and not terminating
the request with a slash (/). 404 error messages are displayed by the
server when a request for a non-existent file is made and is terminated
with a slash. When a 301 error message is generated, the server appends
a slash to the request and a 404 error message is generated in turn,
which may cause the attacker's script code or HTML to be rendered twice.

It is possible to create a malicious link to the server which will
generate an error page with attacker-supplied HTML and script code when
visited. Arbitrary HTML and script code will be executed by the web
client of the user visiting the server, in the security context of the
server.
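The defect described above is the general one of echoing the requested path into an error page without encoding it. The following is an added example, not Falcon Web Server code: a minimal 404 renderer written both ways, plus a 301 handler whose Location value is percent-encoded and whose body is HTML-escaped, so the same probe that renders as markup in the vulnerable page is shown as inert text in the hardened one. The probe path is constructed for the example.

```python
"""HTML-encoding the request path in server-generated error pages.

Added example (not Falcon Web Server code). Shows a 404 page that echoes
the raw path beside one that encodes it, and a 301 redirect that encodes
the path in both the Location header and the body.
"""
import html
from urllib.parse import quote


def render_404_vulnerable(path: str) -> str:
    # Echoes the raw path into the page: any markup in the URL is rendered.
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The document {path} was not found on this server.</p>"
            "</body></html>")


def render_404_hardened(path: str) -> str:
    # html.escape turns < > & " ' into entities, so the path is shown as text.
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The document {html.escape(path, quote=True)} was not found "
            "on this server.</p></body></html>")


def render_301(path: str) -> tuple:
    """Redirect a directory request that lacks its trailing slash.

    Returns (Location header value, body). The Location value is
    percent-encoded so it cannot carry markup or control characters, and
    the body escapes the target exactly as the hardened 404 page does.
    """
    target = quote(path, safe="/") + "/"
    body = ("<html><body><h1>301 Moved Permanently</h1>"
            f"<p>The document has moved to {html.escape(target, quote=True)}.</p>"
            "</body></html>")
    return target, body


def reflects_unescaped(body: str, probe: str) -> bool:
    """True if the probe appears verbatim in the body, i.e. as live markup."""
    return probe in body


# Constructed request path carrying markup, as a scanner's probe would.
PROBE = "/missing<b>tag</b>"

if __name__ == "__main__":
    print("vulnerable reflects markup:",
          reflects_unescaped(render_404_vulnerable(PROBE), "<b>tag</b>"))
    print("hardened reflects markup:",
          reflects_unescaped(render_404_hardened(PROBE), "<b>tag</b>"))
    print("301 Location:", render_301(PROBE)[0])
```

The `reflects_unescaped` check is the same test a reviewer would run against a live server's error pages: request a path containing a harmless marker tag and look for it unencoded in the response.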

6. Midicart ASP Remote Customer Information Retrieval Vulnerability
BugTraq ID: 5438
Remote: Yes
Date Published: Aug 10 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5438
Summary:

Midicart ASP is a commercially available e-commerce solution distributed
by Coxco Support. It is available for the Microsoft Windows operating
system.

A problem with the default installation of Midicart ASP may make it
possible for remote users to gain access to sensitive information.

Midicart ASP uses Microsoft Access database files to store information
about customers. These database files are stored in the web path, and
require restrictive permissions to prevent retrieval by users via the web.

The default installation of Midicart ASP does not place sufficient access
control on the midicart.mdb file. Due to this lack of access control, it
is possible for a remote user to gain access to this file. This file may
yield sensitive customer information, such as customer names, addresses,
and credit card information.

7. Citrix Metaframe Java ICA Environment Denial Of Service Vulnerability
BugTraq ID: 5439
Remote: Yes
Date Published: Aug 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5439
Summary:

Citrix Metaframe is a commercially available remote desktop application.
This issue affects Metaframe on the Microsoft Windows platform.

A problem with Citrix Metaframe could make it possible for a remote user
to crash the system.

It has been discovered that Metaframe can be made to become unstable. By
connecting to the Metaframe server using custom-crafted Java ICA files, a
remote user may be able to create instability in the Metaframe server.
The server typically reacts to this vulnerability by disconnecting all
users, and either crashing requiring a manual reboot, or crashing and
rebooting.

The problem is in the handling of variables specified in the Java ICA
files. Though the exact nature of this vulnerability is unknown, an
attacker needs only edit a Java ICA file. Upon loading the file in a
browser such as Internet Explorer, and setting the browser to full-screen
mode and refreshing, the vulnerable server hosting Citrix crashes.

8. Cisco VPN Client IKE Security Parameter Index Payload Buffer Overflow Vulnerability
BugTraq ID: 5441
Remote: Yes
Date Published: Aug 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5441
Summary:

The Cisco VPN Client is Virtual Private Network software. It is available
for a number of platforms including Microsoft Windows and Unix and Linux
variants.

The Cisco VPN Client is prone to a remotely exploitable buffer overflow
condition. It is possible to trigger this condition by sending malformed
IKE packets to the client. The overflow occurs when the Security
Parameter Index payload of the IKE packet is longer than 16 bytes in
length. When the malformed packet is handled by the client, memory can be
corrupted with attacker-supplied values, which may enable the attacker to
execute arbitrary instructions.

An attacker would most likely exploit this vulnerability with a malicious
server. It may also be possible to exploit this issue by injecting a
malicious packet into a legitimate VPN connection. The ability to inject
data will depend on the network proximity of the attacker; however, VPN
connections are commonly made when traffic must pass through untrusted
network space.

It may be possible to exploit this condition to execute arbitrary code
with the privileges of the client. It is possible that exploitation of
this vulnerability may affect availability of the client, resulting in a
denial of service condition.

This issue is reported to be exploitable when the client software is
operating in Aggressive Mode during a phase 1 IKE exchange.

This vulnerability affects versions of the client on all platforms.

9. PGP / GnuPG Chosen Ciphertext Message Disclosure Vulnerability
BugTraq ID: 5446
Remote: Yes
Date Published: Aug 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5446
Summary:

PGP and GnuPG are two popular implementations of the OpenPGP encryption
specification. Both are available for a range of platforms, including
Microsoft Windows and Linux based systems.

A weakness in the OpenPGP specification, as implemented by both products,
may allow an attacker to learn the plaintext contents of encrypted
communications. While some degree of user interaction is required, the
attack is very plausible against non-technical end users.

In order to exploit this issue, an attacker E must first intercept an
encrypted message of interest between two users, B and A. The attacker may
modify this message and inject additional content into the encrypted
content. This modified message must then be transmitted to A, the
recipient of the original message.

The attacker must then entice A into decrypting this message, and
revealing the results of the decrypted message. This may occur if A
responds to the malicious message with text that includes the decrypted
contents. As the results of decryption will appear garbled and
meaningless, it is conceivable that A would reply and include the original
"quoted" message in an attempt to determine what has gone wrong.

Given the decrypted version of the malicious message, and the original
encrypted message, the attacker may recover a portion of the original
plaintext. In general the attacker will be able to recover at best half of
the plaintext content per attack, as it is difficult to modify the
encrypted length of the message, and an equal amount of injected content
is required in order to implement the attack. Under many applications this
will be sufficient, however multiple attacks may result in full disclosure
of the plaintext message.

It is not believed to be possible to exploit this weakness against message
content which is compressed during the OpenPGP encryption process.
Attacker supplied content will cause an error in the decompression process
with a high degree of probability, which may alert the end user or prevent
the display of the decrypted content. Compression is reported to be
enabled in both products by default. Files which are already compressed,
however, may not be compressed again, allowing exploitation.

It is important to note that exploitation of this issue will result in the
plaintext contents of a specific, intercepted message being disclosed to a
third party. The integrity of the private keys involved in the original
communication is not compromised, and widespread exploitation of this
weakness is extremely likely to be noticed by the end user.

10. Cisco VPN Client IKE Packet Excessive Payloads Vulnerability
BugTraq ID: 5443
Remote: Yes
Date Published: Aug 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5443
Summary:

The Cisco VPN Client is Virtual Private Network software. It is available
for a number of platforms including Microsoft Windows and Unix and Linux
variants.

The Cisco VPN Client is prone to a remotely exploitable buffer overflow
condition. It is possible to trigger this condition by sending malformed
IKE packets to the client. The overflow is known to occur when the client
attempts to process an IKE packet with more than 57 valid payloads. When
the malformed packet is handled by the client, memory can be corrupted
with attacker-supplied values, which may enable the attacker to execute
arbitrary instructions.

An attacker would most likely exploit this vulnerability with a malicious
server. It may also be possible to exploit this issue by injecting a
malicious packet into a legitimate VPN connection. The ability to inject
data will depend on the network proximity of the attacker; however, VPN
connections are commonly made when traffic must pass through untrusted
network space.

It may be possible to exploit this condition to execute arbitrary code
with the privileges of the client. It is possible that exploitation of
this vulnerability may affect availability of the client, resulting in a
denial of service condition.

This issue is reported to be exploitable when the client software is
operating in Aggressive Mode during a phase 1 IKE exchange.

This vulnerability affects versions of the client on all platforms.
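The three Cisco VPN Client issues in this summary (items 1, 8 and 10) are all failures to bound-check the IKE payload chain: a payload length too small to advance the parser, an SPI longer than the 16 bytes ISAKMP allots, and more payloads than the receiver has room to store. The block below is an added example, not Cisco's code or the VPN Client's parser. It parses an ISAKMP header and generic payload headers per RFC 2408 and rejects each of those conditions before touching the data; the packets are constructed for the example, and `MAX_PAYLOADS` is an assumed receiver capacity set to the figure quoted above.

```python
"""Bounds-checked parsing of an ISAKMP (IKEv1) payload chain.

Added example, not Cisco code. Field layouts follow RFC 2408; the sample
packets are constructed here and MAX_PAYLOADS is an assumed table size.
"""
import struct

ISAKMP_HDR_LEN = 28     # 2x8-byte cookies, next/version/exchange/flags, msg id, length
GENERIC_HDR_LEN = 4     # next payload (1), reserved (1), payload length (2)
MAX_SPI_LEN = 16        # ISAKMP SPI is the initiator + responder cookie
MAX_PAYLOADS = 57       # assumed capacity of the receiver's payload table
PAYLOAD_NONCE, PAYLOAD_NOTIFY, PAYLOAD_DELETE = 10, 11, 12


class MalformedIKE(ValueError):
    pass


def check_spi(ptype: int, body: bytes) -> None:
    """Validate the SPI Size field of a Notification or Delete payload body."""
    if len(body) < 8:
        raise MalformedIKE("short notify/delete body")
    spi_size = body[5]                     # DOI(4) Protocol-ID(1) SPI Size(1) ...
    if spi_size > MAX_SPI_LEN:
        raise MalformedIKE(f"SPI size {spi_size} exceeds {MAX_SPI_LEN}")
    if ptype == PAYLOAD_DELETE:            # Delete carries '# of SPIs' at offset 6
        (count,) = struct.unpack_from("!H", body, 6)
        needed = spi_size * count
    else:
        needed = spi_size
    if 8 + needed > len(body):
        raise MalformedIKE("SPI data runs past end of payload")


def parse_payloads(pkt: bytes) -> list:
    """Return [(payload type, body), ...] or raise MalformedIKE."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise MalformedIKE("short ISAKMP header")
    next_type = pkt[16]
    (total_len,) = struct.unpack_from("!I", pkt, 24)
    if total_len != len(pkt):
        raise MalformedIKE("length field disagrees with packet size")
    off, payloads = ISAKMP_HDR_LEN, []
    while next_type != 0:                  # next payload 0 (NONE) ends the chain
        if len(payloads) >= MAX_PAYLOADS:  # bound the count before storing
            raise MalformedIKE("too many payloads")
        if off + GENERIC_HDR_LEN > len(pkt):
            raise MalformedIKE("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", pkt, off)
        # A length below the header size would leave `off` where it is, so the
        # loop would never terminate: this is the zero-length case.
        if plen < GENERIC_HDR_LEN or off + plen > len(pkt):
            raise MalformedIKE(f"bad payload length {plen} at offset {off}")
        body = pkt[off + GENERIC_HDR_LEN:off + plen]
        if next_type in (PAYLOAD_NOTIFY, PAYLOAD_DELETE):
            check_spi(next_type, body)
        payloads.append((next_type, body))
        off, next_type = off + plen, following
    if off != len(pkt):
        raise MalformedIKE("trailing bytes after last payload")
    return payloads


def build_packet(payloads: list, exchange_type: int = 4) -> bytes:
    """Assemble a well-formed packet from (type, body) pairs (4 = Aggressive)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", following, 0, GENERIC_HDR_LEN + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(chain))
    return hdr + chain


# Constructed inputs: one good packet and one per malformed class.
NOTIFY_BODY = struct.pack("!IBBH", 1, 1, 16, 14) + b"\xaa" * 16
GOOD_PKT = build_packet([(PAYLOAD_NOTIFY, NOTIFY_BODY)])
_z = bytearray(GOOD_PKT)
struct.pack_into("!H", _z, ISAKMP_HDR_LEN + 2, 0)        # payload length := 0
ZERO_LEN_PKT = bytes(_z)
BIG_SPI_PKT = build_packet([(PAYLOAD_NOTIFY,
                             struct.pack("!IBBH", 1, 1, 64, 14) + b"\xbb" * 64)])
MANY_PKT = build_packet([(PAYLOAD_NONCE, b"\xcc" * 8)] * (MAX_PAYLOADS + 1))


def rejects(pkt: bytes) -> bool:
    """True if the parser refuses the packet."""
    try:
        parse_payloads(pkt)
    except MalformedIKE:
        return True
    return False


if __name__ == "__main__":
    for name in ("GOOD_PKT", "ZERO_LEN_PKT", "BIG_SPI_PKT", "MANY_PKT"):
        print(name, "rejected" if rejects(globals()[name]) else "accepted")
```

Note that the length check compares the payload length against both the fixed header size and the remaining packet bytes; checking only one of the two leaves either the non-terminating loop or the over-read in place.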

11. Microsoft Internet Explorer File Attachment Script Execution Vulnerability
BugTraq ID: 5450
Remote: Yes
Date Published: Aug 13 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/5450
Summary:

An error has been reported in Microsoft Internet Explorer 6, which may
allow malicious file attachments to execute arbitrary code in the context
of the local system.

Due to a mismatched MIME type on the server, where files of type text/html
are read as text/htm, it is possible for an attacker to cause Internet
Explorer to force a download of a malicious HTM file. HTM files are
associated with Internet Explorer. The downloaded HTM file may include
malicious attacker-supplied script instructions that will be executed on
the victim user's system.

When script code executes, it is able to determine the location of the
document, and in turn the location of the Temporary Internet File (TIF)
directory the document is stored in.

Information about the location of the TIF directory can be used to
reference additional malicious attachments in the body of the downloaded
HTM file, including executable content, within the context of the local
file system. This can in turn lead to the execution of arbitrary code
within the Local System security zone.

This behavior has been reported in Internet Explorer 6. Other versions of
Internet Explorer may share this vulnerability; this has not, however, been
confirmed.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Win2k network changes (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287571

2. SP3 Problems? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287558

3. Exchange SSL Connection warning message (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287584

4. Patch for ms02-40 "HELLO BUG" doesn't working (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287352

5. Problems using Windows Update on Windows XP Pro (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287348

6. .Net Server and 'taskkill' (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287309

7. Win2k Terminal Services (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287211

8. Client certificates in M$ outlook (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287215

9. Password change utility (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287160

10. SCE Templates from a Network Drive (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287155

11. SecurityFocus Microsoft Newsletter #99 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287081

12. Another SUS / Autoupdate question (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/287054

13. AW: SP3 Problems? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286995

14. SP3 Article Updated on Microsoft Technet (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/286967

IV. MICROSOFT PRODUCTS
----------------------
1. entercept 2.0 Web Server Edition
by Entercept Security Technologies
Platforms: Solaris, Windows NT, Windows 2000
Relevant URL:
http://www.clicknet.com/products/WSE/
Summary:

Entercept 2.0 delivers technology that provides real-time analysis and
reaction to hacking attempts. Entercept 2.0 is able to identify the
attack and prevent access to critical server resources before any
unauthorized transactions occur. Unlike traditional detection products,
Entercept 2.0 proactively protects the host by evaluating requests to the
operating system and the application programming interface (API) before
they are processed. Using a blend of 'signature' and resource access
control techniques, Entercept 2.0 is able to stop both known and unknown
attacks.

2. SmartFilter
by Secure Computing
Platforms: UNIX, Windows NT, Netware
Relevant URL:
http://www.securecomputing.com/index.cfm?skey=85
Summary:

SmartFilter features the highest quality and most comprehensive database
of Uniform Resource Locators (URLs) available today. Yet, it is easily
customized, transparent to end users, and has minimal system requirements.
As the industry's first monitoring and control Web tool, SmartFilter
software has proven its value and strength in Fortune 500 corporate
networks since 1995.

3. EventAdmin
by Aelita Software
Platforms: Windows NT, Windows 2000
Relevant URL:
http://www.aelita.com/products/EventAdmin.htm
Summary:

EventAdmin is a comprehensive, robust, and flexible enterprise event
management, analysis and auditing system for Windows NT and Windows 2000
networks and infrastructure applications. EventAdmin gives you the power
to track and analyze user activity patterns, applications behavior and
systems health and performance.

V. MICROSOFT TOOLS
-------------------
1. pdd v1.00
by jgrand@atstake.com
Relevant URL:
http://www.atstake.com/research/tools/index.html#pdd
Platforms: PalmOS, Windows 2000, Windows 95/98, Windows NT
Summary:

The first tool of its kind for forensic analysis of Palm OS platform
devices. pdd (Palm dd) is a Windows-based tool for Palm OS memory imaging
and forensic acquisition. The Palm OS Console Mode is used to acquire
memory card information and to create a bit-for-bit image of the selected
memory region. No data is modified on the target device and the data
retrieval is not detectable by the user of the PDA. Source code is
available for research and legal verification purposes.

2. Sniff'em
by YASC
Relevant URL:
http://www.sniff-em.com/sniffem.download.html
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

Sniff'em is a performance-minded Windows-based packet sniffer, a new
network management tool designed from the ground up with ease and
functionality in mind.

3. WinARP Watch v1.0
by Andreas Vernersson andver-8@student.luth.se
Relevant URL:
http://jota.sm.luth.se/~andver-8/warp/
Platforms: Windows 2000, Windows 95/98, Windows XP
Summary:

WinARP Watch is a program that monitors the Windows ARP cache. The ARP
cache contains IP/MAC translations so that every time an IP packet is to
be sent, the MAC address doesn't have to be queried through a broadcast;
instead the cached address is used.

The problem with this is that someone can send faked ARP responses, which
get stored in the cache too. This is called ARP poisoning, and it is no
good for you.

So this program watches the cache and stores every new IP/MAC combination
in its own lists. If a combination is already known, the program compares
it with the cache to see if it has changed.
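The detection logic described for WinARP Watch is a stateful comparison of successive cache snapshots. The block below is an added example, not the WinARP Watch program: it parses the text layout of the Windows `arp -a` command, records every IP/MAC pair the first time it appears, and reports any IP whose MAC differs from the recorded one. The two snapshots are constructed; on a live host they would come from running `arp -a` at intervals and feeding its output to `parse_arp_table`.

```python
"""Detecting ARP cache changes between snapshots.

Added example, not WinARP Watch's code. Parses `arp -a` text (Windows
layout), remembers first-seen IP/MAC pairs and flags changed ones.
The snapshots below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# One data row of `arp -a`: IP, MAC (dash or colon separated), entry type.
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<kind>static|dynamic)\s*$",
    re.MULTILINE,
)


def parse_arp_table(text: str) -> dict:
    """Map each IP in `arp -a` output to its MAC, normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for m in ARP_LINE.finditer(text):
        table[m.group("ip")] = m.group("mac").replace("-", ":").lower()
    return table


@dataclass
class ArpWatch:
    """Keeps the first MAC seen for each IP and compares later snapshots to it."""
    known: dict = field(default_factory=dict)

    def check(self, snapshot: dict) -> list:
        """Return alerts as (kind, ip, current_mac, previous_mac) tuples.

        kind is "new" for a first-seen IP (previous_mac is None) or
        "changed" when the snapshot disagrees with the recorded MAC. The
        recorded value is deliberately not overwritten on a change, so the
        alert repeats on every snapshot until an operator resets the watch.
        """
        alerts = []
        for ip, mac in snapshot.items():
            if ip not in self.known:
                self.known[ip] = mac
                alerts.append(("new", ip, mac, None))
            elif self.known[ip] != mac:
                alerts.append(("changed", ip, mac, self.known[ip]))
        return alerts


# Constructed `arp -a` output: a baseline, then the gateway entry rewritten
# to another host's MAC, the footprint of a poisoned gateway mapping.
SNAPSHOT_1 = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("192.168.1.1           00-11-22-33-44-55",
                                "192.168.1.1           aa-bb-cc-dd-ee-ff")


def run_demo() -> list:
    """Feed both snapshots through one watch and return the second round's alerts."""
    watch = ArpWatch()
    watch.check(parse_arp_table(SNAPSHOT_1))      # baseline: three "new" entries
    return watch.check(parse_arp_table(SNAPSHOT_2))


if __name__ == "__main__":
    for kind, ip, mac, previous in run_demo():
        print(f"{kind}: {ip} now {mac} (was {previous})")
```

Because the watch keeps the first-seen MAC rather than the latest one, a host whose gateway entry flips back and forth is reported on every poisoned snapshot, which is the behaviour wanted from a cache monitor; a legitimate NIC replacement is handled by resetting `known`.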

4. GNOME Workstation Command Center v0.9.7
by Brent Ely sfbrent@users.sourceforge.net
Relevant URL:
http://gwcc.sourceforge.net/
Platforms: Linux, UNIX
Summary:

GWCC allows users to execute network utilities (ping, nslookup,
traceroute), workstation commands (netstat, df, lpr), and do cool things
like process grep from a single tabbed window. Command flags are highly
configurable, results windows are savable and printable, and there is a
System Stats tab showing you process info, current users, Apache server
status, Samba status, and more.

VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by: SecurityFocus DeepSight Threat Management
System

From June 24th - August 31st, 2002, SecurityFocus announces a FREE
two-week trial of the DeepSight Threat Management System: the only early
warning system providing customizable and comprehensive early warning of
cyber attacks and bulletproof countermeasures to prevent attacks before
they hit your network.

With the DeepSight Threat Management System, you can focus on proactively
deploying prioritized and specific patches to protect your systems from
attacks, rather than reactively searching dozens of Web sites or hundreds
of emails frantically trying to gather information on the attack and how
to recover from it.

Sign up today!
http://www.securityfocus.com/corporate/products/promo/tmstrial-ms.shtml
-------------------------------------------------------------------------------