ISS Security Alert Summary 5.2 - Summary of vulnerabilities discovered in February, 2000. Contains information on vulnerabilities in trin00-dos, netgear-multiple-dos, sambar-batfiles, win-media-dos, win-active-setup, siteserver-sitebuilder, netbsd-ptrace, netbsd-procfs, ie-image-source-redirect, sco-openserver-arc-symlink, iis-frontpage-info, and outlook-active-script-read.
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Alert Summary
March 1, 2000
Volume 5 Number 2
X-Force Vulnerability and Threat Database: http://xforce.iss.net/
To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.
_____
Contents
12 Reported Vulnerabilities
- trin00-dos
- netgear-multiple-dos
- sambar-batfiles
- win-media-dos
- win-active-setup
- siteserver-sitebuilder
- netbsd-ptrace
- netbsd-procfs
- ie-image-source-redirect
- sco-openserver-arc-symlink
- iis-frontpage-info
- outlook-active-script-read
Risk Factor Key
_____
Date Reported: 2/14/00
Attack: trin00-dos
Platforms Affected: Any
Risk Factor: High
Attack Type: Network Based
Trin00 is a distributed denial of service (DDoS) tool. A master host directs
a number of compromised hosts running the Trin00 daemon (client) to launch a
coordinated denial of service attack against a target, so the attack traffic
arrives from many sources at once rather than from the attacker's own
machine.
References:
ISS Security Alert: "Denial of Service Attack using the TFN2K and
Stacheldraht programs" at: http://xforce.iss.net/alerts/advise43.php3
ISS Security Alert Update: "trin00 for Windows Distributed Denial of
Service Attack Tool" at: http://xforce.iss.net/alerts/advise44.php3
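The summary above names the tool but not what its traffic looks like on the wire. The following is an added example, not part of the original ISS summary, showing how a network monitor can flag trin00's default master/daemon communication. The port numbers and control strings are the compiled-in defaults documented in the original public analysis of the tool (master control on TCP 27665, master-to-daemon commands on UDP 27444, daemon-to-master registration on UDP 31335, the "*HELLO*" registration string and the "l44adsl" daemon password); an attacker can recompile with other values, so a miss proves nothing. The flow records are constructed for this example.

```python
"""Flag flows that match trin00's default ports and control strings, then
infer which hosts look like masters and which look like daemons."""
from collections import defaultdict
from dataclasses import dataclass

# Compiled-in defaults of the 1999 trin00 release (recompilable by an attacker).
TRINOO_MASTER_TCP = 27665          # attacker -> master control channel
TRINOO_DAEMON_UDP = 27444          # master -> daemon commands ("aaa l44adsl <ip>")
TRINOO_REPORT_UDP = 31335          # daemon -> master registration ("*HELLO*")
TRINOO_DAEMON_PASSWORD = b"l44adsl"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def classify(flow):
    """Return the list of trin00 indicators one flow matches (empty = none)."""
    hits = []
    if flow.proto == "tcp" and flow.dport == TRINOO_MASTER_TCP:
        hits.append("master-control-port")
    if flow.proto == "udp" and flow.dport == TRINOO_DAEMON_UDP:
        hits.append("daemon-command-port")
        if TRINOO_DAEMON_PASSWORD in flow.payload:
            hits.append("daemon-command-password")
    if flow.proto == "udp" and flow.dport == TRINOO_REPORT_UDP:
        hits.append("report-port")
        if flow.payload.startswith(b"*HELLO*"):
            hits.append("daemon-hello")
    return hits


def summarize(flows, min_daemons=2):
    """Group hits by destination host. A host receiving *HELLO* from at least
    min_daemons distinct sources is reported as a master; those sources are
    reported as daemons. Returns (masters, daemons, hits_by_host)."""
    hello_senders = defaultdict(set)
    hits_by_host = defaultdict(set)
    for f in flows:
        for tag in classify(f):
            hits_by_host[f.dst].add(tag)
            if tag == "daemon-hello":
                hello_senders[f.dst].add(f.src)
    masters = {h for h, s in hello_senders.items() if len(s) >= min_daemons}
    daemons = set()
    for m in masters:
        daemons |= hello_senders[m]
    return masters, daemons, dict(hits_by_host)


# Constructed sample: two daemons register with a master, the master sends a
# flood command to one of them, an attacker connects to the master's control
# port, and one ordinary HTTP request is mixed in as a control.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", 1045, "192.0.2.10", 31335, b"*HELLO*"),
    Flow("udp", "198.51.100.8", 1045, "192.0.2.10", 31335, b"*HELLO*"),
    Flow("udp", "192.0.2.10", 1046, "198.51.100.7", 27444, b"aaa l44adsl 10.0.0.5"),
    Flow("tcp", "203.0.113.9", 40211, "192.0.2.10", 27665),
    Flow("tcp", "198.51.100.50", 52000, "192.0.2.20", 80, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    masters, daemons, hits = summarize(SAMPLE_FLOWS)
    print("masters:", sorted(masters))
    print("daemons:", sorted(daemons))
    for host, tags in sorted(hits.items()):
        print(host, sorted(tags))
```

The two-daemon threshold in summarize() is there to avoid calling a host a master on the strength of a single stray packet to UDP 31335; in practice the port-based indicators are only a first pass and the string matches are what make a hit worth an incident ticket.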
_____
Date Reported: 2/25/00
Vulnerability: netgear-multiple-dos
Platforms Affected: Netgear ISDN Router RH348 and RT328
Risk Factor: Medium
Attack Type: Network Based
Netgear ISDN routers (RH348 and RT328) are vulnerable to several denial of
service attacks. If a remote attacker runs a SYN scan against the router, it
refuses connections to port 23 (telnet) for about 5 minutes per packet,
effectively shutting management access down. If a remote attacker telnets to
the router and remains idle, no other management session can be opened.
Finally, if a remote attacker sends a large number of ICMP redirect packets,
the router stops routing packets for as long as the flood continues.
Reference:
BUGTRAQ Mailing List: "DoSing the Netgear ISDN RT34x router" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=Pine.LNX.4.20.0002251214450.23763-100000@voodoomindcontrol.jcius.com
_____
Date Reported: 2/23/00
Vulnerability: sambar-batfiles
Platforms Affected: Sambar Server for Windows 9x and NT
Risk Factor: High
Attack Type: Network Based
Sambar Server is a multi-threaded HTTP server for Windows 9x and NT
environments. Some beta versions of Sambar Server shipped with two files,
HELLO.BAT and ECHO.BAT, in the CGI directory. These two files, and .BAT
files like them, could allow remote attackers to execute arbitrary
commands on the server.
Reference:
BugTraq Mailing List: "Sambar Server alert!" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-22&msg=38B3E60A.6A84FEC3@cybcom.net
_____
Date Reported: 2/23/00
Vulnerability: win-media-dos
Platforms Affected: Microsoft Windows Media Services (4.0, 4.1)
Risk Factor: Medium
Attack Type: Network Based
Microsoft Windows Media Services is vulnerable to a denial of service attack
against the media server. If a remote user sends the client-side handshake
packets to the server out of order, the server attempts to use resources
that have not yet been initialized, causing the Windows Media Unicast
Service to crash.
Reference:
Microsoft Security Bulletin (MS00-013): "Patch Available for 'Misordered
Windows Media Services Handshake' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-013.asp
_____
Date Reported: 2/19/00
Vulnerability: win-active-setup
Platforms Affected: Microsoft Internet Explorer
Microsoft Outlook
Risk Factor: High
Attack Type: Network/Host Based
ActiveX setup (Active Setup) files that are signed by Microsoft are normally
installed without any prompt to the user. An attacker could therefore have
the operating system install a Microsoft component with known
vulnerabilities and then exploit those vulnerabilities. This could be
exploited remotely if the installation is triggered from a web page or an
HTML email message.
Reference:
BUGTRAQ Mailing List: "Microsoft signed software can be install software
without prompting users" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000221103938.T21312@securityfocus.com
_____
Date Reported: 2/18/00
Vulnerability: siteserver-sitebuilder
Platforms Affected: Microsoft SiteServer 3.0
Risk Factor: High
Attack Type: Network Based
Microsoft SiteServer 3.0 (Commerce Edition) ships with a Site Builder
wizard used to build custom sites. A security vulnerability exists in the
"product.ast" file it creates that could allow a remote attacker to
execute arbitrary SQL commands. This hole also affects the "product.asp"
file, which is part of the Volcano Coffee sample site.
Reference:
Microsoft Security Bulletin (MS00-010): "Patch Available for 'Site Wizard
Input Validation' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-010.asp
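The bulletin describes the bug as an input validation failure that lets a remote user execute arbitrary SQL. The following is an added example, not SiteServer's code, showing the pattern behind that class of bug in a product-lookup page: a query-string value pasted into a SQL statement versus the same lookup with a bound parameter. The table and column names are hypothetical, and SQLite stands in for the SQL Server back end only because it runs anywhere; the injection mechanics are the same.

```python
"""Product lookup built by string concatenation (injectable) versus the same
lookup with a bound parameter, run against a constructed SQLite catalogue."""
import sqlite3


def make_db():
    """Constructed stand-in for a commerce site's catalogue database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(product_id TEXT PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE site_user(username TEXT, password_hash TEXT);
        INSERT INTO product VALUES ('COF-001', 'Volcano blend', 8.50);
        INSERT INTO product VALUES ('COF-002', 'Decaf', 7.00);
        INSERT INTO site_user VALUES ('admin', 'c0ffee...notarealhash');
    """)
    return conn


def product_page_vulnerable(conn, product_id):
    """Builds the statement by concatenation, the way a generated page does when
    it pastes a query-string value straight into SQL. The value is parsed as
    SQL, not treated as data."""
    sql = "SELECT name, price FROM product WHERE product_id = '" + product_id + "'"
    return conn.execute(sql).fetchall()


def product_page_fixed(conn, product_id):
    """Same lookup with a bound parameter: the driver passes product_id as a
    value, so quotes, comments and UNION inside it carry no SQL meaning."""
    return conn.execute(
        "SELECT name, price FROM product WHERE product_id = ?", (product_id,)
    ).fetchall()


# A hostile query-string value: closes the quoted literal, appends a UNION that
# pulls rows from an unrelated table, and comments out the trailing quote.
INJECTION = "' UNION SELECT username, password_hash FROM site_user --"


def demo():
    """Run both versions with a normal id and with the injection string."""
    conn = make_db()
    return {
        "normal_vulnerable": product_page_vulnerable(conn, "COF-001"),
        "normal_fixed": product_page_fixed(conn, "COF-001"),
        "attack_vulnerable": product_page_vulnerable(conn, INJECTION),
        "attack_fixed": product_page_fixed(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Both versions return the coffee row for a normal id; only the concatenated version returns the admin credential row for the hostile value, and the parameterized version returns nothing because no product has a literal id equal to the injection string.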
_____
Date Reported: 2/16/00
Vulnerability: netbsd-ptrace
Platforms Affected: NetBSD/vax 1.4.1
Risk Factor: Medium
Attack Type: Host Based
A vulnerability in the ptrace(2) facility of NetBSD/vax could allow a local
user to construct a wrapper program that modifies the hardware privilege
level of the process it traces.
Reference:
BUGTRAQ Mailing List: "NetBSD Security Advisory 1999-012" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=14505.23579.967265.266049@passion.geek.com.au
_____
Date Reported: 2/16/00
Vulnerability: netbsd-procfs
Platforms Affected: NetBSD 1.4.1
Risk Factor: High
Attack Type: Host Based
NetBSD's proc filesystem contains a vulnerability by which a local user can
trick a setuid binary into writing to the memory image of another setuid
process exposed under /proc/<pid>, altering that process so that it executes
a shell with elevated privileges.
Reference:
BUGTRAQ Mailing List: "NetBSD Security Advisory 2000-001" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=14505.23693.773699.404104@passion.geek.com.au
_____
Date Reported: 2/16/00
Vulnerability: ie-image-source-redirect
Platforms Affected: Microsoft Internet Explorer (4.0, 4.01, 5.0, 5.01)
Risk Factor: Medium
Attack Type: Network Based
Microsoft Internet Explorer has a flaw that allows a malicious web site
operator to read files on the system of a user browsing that site.
Reference:
Microsoft Security Bulletin (MS00-009) "Patch Available for 'Image Source
Redirect' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-009.asp
_____
Date Reported: 2/15/00
Vulnerability: sco-openserver-arc-symlink
Platforms Affected: SCO OpenServer 5.0.5
Risk Factor: High
Attack Type: Host Based
The ARCserve agent on SCO OpenServer version 5.0.5 creates files in /tmp in
a way that allows a symlink attack. The ARCserve agent startup script
creates several files in the /tmp directory with world-writable permissions
(mode 777). An attacker could pre-create those names as symlinks and thereby
create or overwrite files anywhere on the filesystem with root privileges.
Reference:
SCO Security Bulletin: "SSE063 - ARCserve startup script symlink
vulnerability in SCO OpenServer 5" at: http://www.sco.com/security
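The entry above describes the classic /tmp symlink problem without showing why the fix works. The following is an added example, not SCO's or ARCserve's code, that reproduces the unsafe pattern (predictable name, open for write, chmod 777) beside a safe one (O_CREAT|O_EXCL with O_NOFOLLOW and an owner-only mode) and plays the local attacker against both. It runs unprivileged inside a scratch directory; the "victim" file stands in for a root-owned target, and the file names and contents are constructed.

```python
"""Predictable /tmp file creation that follows a planted symlink, versus
creation that refuses to, exercised against a simulated symlink attack."""
import os
import shutil
import stat
import tempfile

DATA = b"pid 1234\n"   # constructed stand-in for what a startup script writes


def unsafe_create(path):
    """The pattern in the advisory: open a fixed, predictable name for writing,
    then make it world-writable. open() follows a symlink already sitting at
    the path, so the write and the chmod land on the symlink's target."""
    with open(path, "wb") as f:
        f.write(DATA)
    os.chmod(path, 0o777)


def safe_create(path):
    """O_CREAT|O_EXCL fails if anything already exists at the path, a symlink
    included; O_NOFOLLOW (Linux/BSD) additionally refuses to traverse one. The
    file is created owner-only and is never opened up to other users."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(DATA)


def simulate_attack(create):
    """Plant a symlink at the predictable name pointing at a file the attacker
    should not be able to write, then let the (simulated) privileged code run.
    Returns what happened to the victim file."""
    work = tempfile.mkdtemp()
    try:
        victim = os.path.join(work, "victim")          # stands in for a root-owned file
        with open(victim, "wb") as f:
            f.write(b"original\n")
        os.chmod(victim, 0o644)
        predictable = os.path.join(work, "agent.pid")  # the fixed /tmp-style name
        os.symlink(victim, predictable)
        try:
            create(predictable)
            refused = False
        except OSError:                                # EEXIST/ELOOP from the safe path
            refused = True
        with open(victim, "rb") as f:
            contents = f.read()
        mode = stat.S_IMODE(os.stat(victim).st_mode)
        return {
            "refused": refused,
            "victim_overwritten": contents != b"original\n",
            "victim_world_writable": bool(mode & stat.S_IWOTH),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("unsafe:", simulate_attack(unsafe_create))
    print("safe:  ", simulate_attack(safe_create))
```

For a script that genuinely needs a scratch file, an unpredictable name from mktemp(1) or tempfile.mkstemp() removes the attacker's ability to guess the path in the first place; the O_EXCL check above is the defence for the case where the name must be fixed. Neither helps if the code later chmods the file to 777, which is the second half of the original bug.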
_____
Date Reported: 2/3/00
Vulnerability: iis-frontpage-info
Platforms Affected: IIS running Frontpage
Risk Factor: Medium
Attack Type: Network Based
Microsoft Windows NT 4 running Internet Information Server with Frontpage
contains a vulnerability that would allow a remote attacker to learn the
name of the anonymous Internet account and learn physical paths on the
affected system.
Reference:
BUGTRAQ Mailing List: "Alert: IIS 4 / IS 2 IDQ Cerberus Information
Security Advisory (CISADV000202)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-29&msg=038201bf6dd8$249e2250$5802020a@cerberusinfosec.co.uk
_____
Date Reported: 2/1/00
Vulnerability: outlook-active-script-read
Platforms Affected: Microsoft Outlook Express 5.01
Internet Explorer 5.01
Risk Factor: Medium
Attack Type: Host/Network Based
Microsoft Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95
(and possibly other versions) contain a vulnerability that is exposed when
active scripting is enabled. A malicious email message could run active
script that reads any new messages arriving after the malicious message has
been read.
Reference:
BUGTRAQ Mailing List: "Outlook Express 5 vulnerability - Active Scripting
may read email messages" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=896E440.553BD289@nat.bg
_____
Risk Factor Key:
High   - Any vulnerability that provides an attacker with immediate access
         into a machine, gains superuser access, or bypasses a firewall.
         Example: A vulnerable Sendmail 8.6.5 version that allows an
         intruder to execute commands on the mail server.
Medium - Any vulnerability that provides information that has a high
         potential of giving system access to an intruder. Example: A
         misconfigured TFTP or vulnerable NIS server that allows an
         intruder to get the password file, which could contain an account
         with a guessable password.
Low    - Any vulnerability that provides information that potentially could
         lead to a compromise. Example: A finger service that allows an
         intruder to find out who is online and potential accounts against
         which to attempt brute-force password guessing.
Copyright (c) 1999 by Internet Security Systems, Inc. Permission is
hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBOL3AUzRfJiV99eG9AQEA3wQAtJ7M11joAtjI5sF/BiAE7X49Jr9gYPRL
oW8caEAqZ1dv+6Bm4p26EcBWGBdhCXgR56k+ul5q8ADzetMJXjLrAjGaYx6HflJH
EyCqUvFLuhby9LV3S85ZFXiZ7VyDA6K3Y4Nvaisq4DIOIHEOhkmLju63v5XoPrr6
ZqOzZKys3Sk=
=FS9Z
-----END PGP SIGNATURE-----