TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

TOP 10 VULNERABILITIES

The top 10 vulnerabilities represent the most commonly found and exploited
high-risk vulnerabilities on the Internet. This list is derived from
various trusted sources including ISS X-Force analysis, customer input,
ISS Professional Services, and security partners. The top 10 list is
maintained by ISS X-Force and distributed quarterly with the ISS Alert
Summary.

Security Advantage
Securing computers and networks from these vulnerabilities across the
enterprise assures protection from the most commonly exploited
vulnerabilities on the Internet. This list should be incorporated into
security policies to establish a reasonable level of protection.

TOP 10
1. Denial of service exploits
 -  TFN
 -  TFN2k
 -  Trin00
 -  Stacheldraht
 -  FunTime Apocalypse

2. Weak accounts
 -  Default accounts (routers, firewalls)
 -  Null passwords for admin/root accounts
 -  SNMP with public/private strings set

3. IIS (Microsoft Internet Information Server)
 -  RDS
 -  HTR
 -  Malformed header
 -  PWS File Access
 -  CGI Lasso 
 -  PHP3 metacharacters
 -  PHP mlog.html read files 

4. Open databases
 -  Oracle default account passwords
 -  Oracle setuid root oratclsh
 -  SQL Server Xp_sprintf buffer overflow
 -  SQL Server Xp_cmdshell extended

5. E-Business web applications
 -  NetscapeGetBo 
 -  HttpIndexserverPath 
 -  Frontpage Extensions 
 -  FrontpagePwdAdministrators 

6. Open Email
 -  Sendmail pipe attack 
 -  SendmailMIMEbo 
 
7. FileSharing 
 -  NetBIOS
 -  NFS

8. RPC
 -  rpc.cmsd 
 -  rpc-statd 
 -  Sadmin 
 -  Amd 
 -  Mountd 

9. BIND
 -  BIND nxt
 a.  Server to server response
 b.  Buffer handling overflows
 c.  More advanced
 -  BIND qinv
 a.  Compile flag on by default
 b.  Activated buffer overflow
 c.  Client request to server
 d.  Script kiddie
 -  Exposers outside firewall
 -  In.Named binary

10. Linux buffer overflows
 -  IMAP BO
 -  Qpopper BO
 -  Overwrite stack
 -  Common script kiddie exploits
 -  Poor coding standards
 -  WU-FTP BO

RECOMMENDED CORECTIVE ACTION
At a business level, Implement and manage security components across the
organization. Continue a process of being ever vigilant and apply new risk
reduction steps and monitor for threats.

ISS recommends establishing the following levels of security:
 -  Security Policy
 -  Secure management level (such as intranet)
 -  Security Software (Host based assessment and intrusion detection)
 -  Secure critical network components OS/net/db/web


 
VULNERABILITY DETAILS

1. Denial of service exploits
_____

Vulnerability:    TFN
Platforms Affected:  Linux, Solaris, Unix
Risk Level:    High
Attack Type:    Network Based, Host Based

Tribe Flood Network, TFN, is a distributed denial of service tool that
allows an attacker to use several hosts at once to flood a target. It has
four different kinds of floods -- ICMP Echo flood, UDP Flood, SYN Flood,
and Smurf attack. The TFN client and server use ICMP echo reply packets to
communicate with each other.

Reference:
CERT Advisory CA-99-17: "Distributed Denial-of-Service Tools" at:
http://www.cert.org/incident_notes/IN-99-07.html


Vulnerability:    TFN2k
Platforms Affected:  Linux, Solaris, Unix
Risk Level:    High
Attack Type:    Network Based, Host Based

Tribe Flood Network 2000 (TFN2k) is a distributed denial of service tool
that can perform a number of different types of floods against a host. It
consists of a client and a daemon. The client controls one or more
daemons, which flood a targeted host. The client can use UDP, TCP, or ICMP
to communicate with the daemon and can spoof (fake) the source IP address
of outgoing packets. Communication between the client and daemon is
encrypted.

Reference:
CERT Advisory CA-99-17: "Denial-of-Service Tools" at:
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html


Vulnerability:    Trin00
Platforms Affected:  Linux, Solaris, Unix
Risk Level:    High
Attack Type:    Network Based, Host Based

Trin00 is a distributed denial of service attack tool. It allows an
attacker to control several hosts to make them send a UDP flood to another
host. The Trin00 master can make several requests to the Trin00 daemon:
- - Start flooding a host with UDP packets
- - Stop flooding a host with UDP packets
- - Change the UDP flood configuration of the daemon

Reference:
CERT Advisory CA-99-17: "Denial-of-Service Tools" at:
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html


Vulnerability:    Stacheldraht
Platforms Affected:  Any
Risk Level:    High
Attack Type:    Network Based

Stacheldraht is a distributed denial of service tool based on the source
code of the Tribe Flood Network (TFN) and Trin00 tools. In addition to
providing the features of these tools, Stacheldraht encrypts communication
between clients, master servers (sometimes known as handlers), and agents.
It can also remotely upgrade agents with an account and server name using
the rcp command. 

Stacheldraht was designed to be built and installed on compromised Linux
and Solaris systems, but it potentially could be installed on any system
by modifying the source code.

Reference:
CERT Advisory CA-2000-01: "Denial of Service Developments" at:
http://www.cert.org/advisories/CA-2000-01.html

Vulnerability:    FunTime Apocalypse
Platforms Affected:  Windows 9x, NT, 2K
Risk Level:    High
Attack Type:    Network Based

Funtime Apocalypse is a distributed denial of service (DDoS) tool for
Windows 9x and Windows NT.  Attackers can launch a "timer fused" flood
against a target computer. Funtime Apocalypse consists of several
different files:
- - a flooding program (bmb2.exe)
- - a host file (funtime.txt)
- - some batch files (funtime.bat, timer98.bat, and timerNT.bat)
- - two Windows HTML applications (funtime98.hta and funtimeNT.hta)
Funtime requires an attacker to make major modifications to the batch
files and Windows HTML application files, or it will not work.


2. Weak accounts
_____

Vulnerability:    Default Accounts (Firewalls/Routers)
Platforms Affected:  Any
Risk Level:    High

Default accounts are usually unsafe and should always be changed.

Vulnerability:    Null passwords for admin/root accounts
Platforms Affected:  Any
Risk Level:    High

Null passwords for admin and root accounts allow anyone access with admin
or root privileges. A password should be added to protect the  computer or
network.

Vulnerability:    SNMP with public/private strings set
Platforms Affected:  Any
Risk Level:    High

An attacker can use SNMP strings to gain valuable information about a
computer. This information could be used at a later time to launch an
attack. 

Reference:
Microsoft Knowledge Base Article Q99880: "SNMP Agent Responds to Any
Community Name" at:
http://support.microsoft.com/support/kb/articles/q99/8/80.asp 


3. IIS (Microsoft Internet Information Server)
_____


Vulnerability:    IIS RDS 
Platforms Affected:  Microsoft IIS Servers
Risk Level:    High

Implicit remoting is enabled via the Microsoft Internet Information Server
(IIS) web server. RDS allows an unauthorized user access to ODBC databases
via IIS.

Reference:
Microsoft Security Bulletin: "Re-Release: Unauthorized Access to IIS
Servers through ODBC Data Access with RDS" at:
http://www.microsoft.com/security/bulletins/ms99-025.asp


Vulnerability:    IIS HTR
Platforms Affected:  Microsoft IIS Servers
Risk Level:    Medium

An attacker could gain access to the IIS server and run any program. 

Reference:
Microsoft Security Bulletin: "Workaround Available for 'Malformed HTR
Request' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-019.asp


Vulnerability:    IIS Malformed Header
Platforms Affected:  Microsoft IIS Servers
Risk Level:    Medium

A vulnerability in Microsoft Internet Information Server 4.0 (IIS) and
SiteServer 3.0 could cause the web server to consume all the memory on the
system, if a remote attacker sends a flood of specifically malformed HTTP
request headers. The service would have to be stopped and restarted in
order to resume normal operation.

Reference:
Microsoft Security Bulletin MS99-029: "Patch Available for 'Malformed HTTP
Request Header' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-029.asp


Vulnerability:    PWS File Access    
Platforms Affected:  Microsoft Personal Web Server 4.0
Risk Level:    Medium

A vulnerability in the file access protocols of the Microsoft Personal Web
Server (PWS) and FrontPage PWS could allow arbitrary files to be remotely
read. The attacker is required to have prior knowledge of file names to
exploit this vulnerability, which does not yield any other privileges than
read access.

Reference:
Microsoft Security Bulletin MS99-010: "Patch Available for File Access
Vulnerability in Personal Web Server" at:
http://www.microsoft.com/security/bulletins/ms99-010.asp


Vulnerability:    IIS CGI Lasso  
Platforms Affected:  CGI
Risk Level:    Medium

The Lasso CGI program installed on many web servers, especially WebSTAR
servers, contains a vulnerability that could allow remote attackers to
read arbitrary files from the system. While the problem does not lead to
direct access to the system, it could potentially compromise sensitive
files.

Reference:
BugTraq Mailing List: "Lasso CGI security hole (fwd)" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9708D&L=bugtraq&P=R1093


Vulnerability:    PHP3 Metacharacters
Platforms Affected:  PHP3
Risk Level:    High

PHP3 is a scripting language used in webhosting setups.  If safe_mode is
enabled in the hosting setup, a remote attacker can send metacharacters
from commands that are executed with popen. This could allow the attacker
to execute commands on the server.

Reference:
Microsoft Security Bulletin MS99-010: "Patch Available for File Access
Vulnerability in Personal Web Server" at:
http://www.microsoft.com/security/bulletins/ms99-010.asp


Vulnerability:    PHP mlog.html Read Files
Platforms Affected:  PHP, CGI
Risk Level:    Medium

The 'mlog.html' sample script shipped with the PHP/FI package allows
remote attackers to view any file on the system. Attackers are limited to
viewing files accessible to the user the httpd server is running under,
generally "nobody." This vulnerability also exists in the 'mylog.html'
script shipped with PHP/FI. Exploit information for this hole has been
widely published.

Reference:
BugTraq Mailing List: "Vulnerability in PHP Example Logging Scripts" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=3.0.3.32.19971019203840.0075b7b0@mail.underworld.net


4. Open databases
_____

Vulnerability:    Oracle default account passwords
Platforms Affected:  Unix
Risk Level:    High

Oracle databases have several well-known default username/password
combinations. These combinations include the following: SCOTT/TIGER,
DBSNMP/DBSNMP, SYSTEM/MANAGER, SYS/CHANGE_ON_INSTALL, TRACESVR/TRACE,
CTXSYS/CTXSYS, MDSYS/MDSYS, DEMO/DEMO, CTXDEMO/CTXDEMO, APPLSYS/FND,
PO8/PO8, NAMES/NAMES, SYSADM/SYSADM, ORDPLUGINS/ORDPLUGINS, OUTLN/OUTLN,
ADAMS/WOOD, BLAKE/PAPER, JONES/STEEL, CLARK/CLOTH,
AURORA$ORB$UNAUTHENTICATED/INVALID, and APPS/APPS.  These default
combinations could allow an attacker to may provide unauthorized access to
the server.


Vulnerability:    Oracle setuid root oratclsh 
Platforms Affected:  Unix
Risk Level:    High

The Oracle 8.x Intelligent Agent for Unix installs a program called
'oratclsh' that is suid root. This program allows full access to the Tcl
interpreter and can be used by any local user to run any program.

Reference:
BugTraq Mailing List: "Huge security hole in Oracle 8.0.5 with Intellegent
agent installed" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904E&L=bugtraq&P=R1249


Vulnerability:    SQL Server Xp_sprintf buffer overflow
Platforms Affected:  Any
Risk Level:    High

In versions of SQL Server earlier than Release 6.5, Service Pack 5 the
extended stored procedure xp_sprintf can be exploited using buffer
overflows. An attacker can use xp_sprintf to crash the server or to
possibly gain admin privileges on the system running SQL Server.


Vulnerability:    SQL Server Xp_cmdshell extended
Platforms Affected:  Windows
Risk Level:    Medium

Microsoft SQL Server extended stored procedure, xp_cmdshell, can be used
to gain Windows NT administrator rights.


5. E-Business web applications
_____

Vulnerability:    Netscape Get Buffer Overflow 
Platforms Affected:  Netscape FastTrack, Netscape Enterprise Server
Risk Level:    High

A vulnerability in the Netscape Enterprise Server and Netscape FastTrack
Server allows an attacker to send the web server an overly long HTTP GET
request, overflowing a buffer in the Netscape httpd service and
overwriting the process's stack. This allows a sophisticated attacker to
force the machine to execute any program code that they send. It is
possible to use this vulnerability to execute arbitrary code as SYSTEM on
the server, giving an attacker full control of the machine.

Reference:
Microsoft Knowledge Base Article: "Buffer Overflow in Netscape Enterprise
and FastTrack Web Servers" at:
http://xforce.iss.net/alerts/advise37.php3


Vulnerability:    Netscape HTTP Index Server Reveals Path
Platforms Affected:  IIS4, Microsoft Index Server
Risk Level:    Medium

Microsoft Index Server reveals sensitive path information in certain error
messages. Microsoft Index Server is a web search engine included in the
Windows NT 4.0 Option Pack. When a user requests a non-existent Internet
Data Query (IDQ) file, the program returns an error message that provides
the physical path to the web directory that was contained in the request.
An attacker could use this to gain information about the file structure of
the web server that would be helpful in an attack.

Reference:
Microsoft Security Bulletin MS00-006: "Patch Available for "Malformed
Hit-Highlighting Argument" Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp


Vulnerability:    Frontpage Extensions 
Platforms Affected:  Microsoft Frontpage
Risk Level:    High

Microsoft FrontPage extensions under Unix systems sporadically create
'service.pwd' files with world readable (or sometimes, world writable)
permissions. This file contains encrypted user passwords that can be later
cracked offline.

Reference:
BuqTraq Mailing List: "Some Past Frontpage Exploits" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9804D&L=bugtraq&P=R2547


Vulnerability:    Frontpage Pwd Administrators
Platforms Affected:  Microsoft Frontpage
Risk Level:    High

Microsoft FrontPage Extensions creates an administrators.pwd file inside
the _vti_pvt directory in the HTTP server's document root. This file
contains encrypted passwords which could be remotely retrieved by an
attacker and cracked offline. If the passwords in this file are weak
enough, or enough time is spent cracking them, the attacker could
potentially obtain the cleartext password and use it to access resources
on the server.

Reference:
BuqTraq Mailing List: "Some Past Frontpage Exploits" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9804D&L=bugtraq&P=R2547


6. Open Email

Vulnerability:    Sendmail pipe attack
Platforms Affected:  Sendmail
Risk Level:    High

By inserting a pipe character into certain fields in an e-mail, Sendmail
may be forced to execute a command on the remote machine. This behavior
may result in a remote attacker being able to execute commands as root.

Reference:
Sendmail Consortium: "Sendmail FAQ" at:
http://www.sendmail.org/faq


Vulnerability:    Sendmail MIME Buffer Overflow
Platforms Affected:  Sendmail versions 8.8.3 and 8.8.4
Risk Level:    High

A vulnerability exists in Sendmail 8.8.3 and 8.8.4 in the MIME handling
code. A buffer overflow in this code could allow a remote attacker to send
the server a message with specially crafted headers that would cause
Sendmail to execute arbitrary commands with root privileges.

Reference:
CERT Advisory CA-97.05: "MIME Conversion Buffer Overflow in Sendmail
Versions 8.8.3 and 8.8.4" at:
http://www.cert.org/advisories/CA-97.05.sendmail.html



Vulnerability:    Sendmail pipe attack
Platforms Affected:  Sendmail
Risk Level:    High

By inserting a pipe character into certain fields in an e-mail, Sendmail
may be forced to execute a command on the remote machine. This behavior
may result in a remote attacker being able to execute commands as root.

Reference:
Sendmail Consortium: "Sendmail FAQ" at:
http://www.sendmail.org/faq


7. FileSharing 
_____

Vulnerability:    NetBIOS
Platforms Affected:  NetBIOS
Risk Level:    High

NetBIOS file sharing could allow an attacker to access to files on the
system and perform brute force password cracking.


Vulnerability:    NFS
Platforms Affected:  NFS  
Risk Level:    High

NFS systems could allow an attacker to access files on systems across the
network. 


8. RPC
_____

Vulnerability:    rpc.cmsd
Platforms Affected:   Solaris: 2.3, 2.4, 2.5, 2.5.1, and 2.6, Common
      Desktop Environments (CDE)
Risk Level:    High

Sun has found a vulnerability in the database manager rpc.cmsd, which is
used as an appointment and resource-scheduler with clients such as
Calendar Manager in Openwindows, and Calendar in CDE. The vulnerability,
if exploited, would allow an attacker to overwrite arbitrary files and
gain root level access.

Reference:
Sun Microsystems, Inc. Security Bulletin #00166: "rpc.cmsd" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/166


Vulnerability:    Sun RPC Statd
Platforms Affected:  Solaris: 2.3, 2.4, 2.5, 2.5.1, and 2.6
Risk Level:    High

The RPC service statd works with lockd to provide crash and recovery
functions for file locking over NFS. Under Solaris and SunOS, a remote
attacker can use statd's ability to indirectly call other RPC services to
bypass the access controls of those RPC services. This hole could
potentially be used to exploit other security weaknesses in Sun servers.

Reference:
Sun Microsystems, Inc. Security Bulletin #00186: "rpc.statd" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/186


Vulnerability:    Sadmin
Platforms Affected:  Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6, and 7
Risk Level:    High

The sadmind daemon is part of the Solstice AdminSuite distributed system
adminisitration package distributed with Sun's Solaris operating system.
The program contains a remotely exploitable buffer overflow in calls made
to NETMGT_PROC_SERVICE, which could allow an attacker to execute arbitrary
code with root privileges.

Reference:
Sun Microsystems, Inc. Security Bulletin #00191: "Sadmin" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/191


Vulnerability:    Amd
Platforms Affected:  Linux
Risk Level:    High

The Automounter daemon (amd) has a buffer overflow in the mount code that
affects Linux and some BSD platforms. Amd automatically mounts file
systems in response to attempts to access files that reside on those file
systems. Passing a long string to the AMQPROC_MOUNT procedure can cause a
remote attacker to obtain root credentials.

Reference:
CERT Advisory CA-99-12: "Buffer Overflow in amd" at:
http://www.cert.org/advisories/CA-99-12-amd.html


Vulnerability:    Mountd
Platforms Affected:  Linux
Risk Level:    High

There is a vulnerability in some implementations of the software that NFS
servers use to log requests to use file systems. Attackers who exploit the
vulnerability are able to gain administrative access to the vulnerable NFS
file server. That is, they can do anything the system administrator can
do. This vulnerability can be exploited remotely and does not require an
account on the target machine.

Reference:
CERT Advisory CA-98.12: "Remotely Exploitable Buffer Overflow
Vulnerability in mountd" at:
http://www.cert.org/advisories/CA-98.12.mountd.html


9. BIND
_____

Vulnerability:    BIND nxt
Platforms Affected:   Bind: 8.2, 8.2 P1, and 8.2.1
Risk Level:    High

A vulnerability has been discovered in the processing of NXT records in
the 8.2 and 8.2.1 versions of BIND. BIND is a freely available DNS server
produced by the Internet Software Consortium. This buffer overflow could
allow a remote attacker to execute arbitrary code on vulnerable servers
with root privileges.

Reference:
Sun Microsystems, Inc. Security Bulletin #00166: "rpc.cmsd" at:
http://www.cert.org/advisories/CA-99-14-bind.html


Vulnerability:    BIND Qinv
Platforms Affected:  Bind
Risk Level:    High

A buffer overflow exists in BIND versions prior to 4.9.7, and BIND
versions prior to 8.1.2. A malicious remote user can send a specially
formatted inverse-query TCP stream that would crash the BIND server and
allow the attacker to gain root access.

Reference:
CERT Advisory CA-98.05: "Multiple Vulnerabilities in BIND" at:
http://www.cert.org/ftp/cert_advisories/CA-98.05.bind_problems


10. Linux buffer overflows
_____

Vulnerability:    IMAP Buffer Overflow
Platforms Affected:  IMAP
Risk Level:    High

IMAP4rev1 servers up to and including 10.234 contain a buffer overflow
that allows a remote attacker to execute arbitrary commands on the victim
site as the user running imapd, generally root.. This is not the same
vulnerability described in CERT CA-97.09, which was a buffer overflow in
the IMAP LOGIN command whereas this vulnerability affects the IMAP
AUTHENTICATE command. It is important to note that fixed versions of IMAP
were distributed under the 10.234 version number as well, so version
numbers alone are not indicative of a safe or vulnerable server.

Reference:
CERT Advisory CA-98.09: "Buffer Overflow in Some Implementations of IMAP
Servers" at: http://www.cert.org/advisories/CA-98.09.imapd.html


Vulnerability:     QPopper Buffer Overflow
Platforms Affected:  Qpopper, SCO Open Server, SCO Internet FastStart
Risk Level:    High

Qualcomm qpopper server versions earlier than 2.5 contain a buffer
overflow. A remote attacker can issue a PASS command of excessive length
to the server and cause an internal buffer to be overflowed. This could
allow an attacker to execute arbitrary code on the server with root
privileges.

Reference:
CERT Advisory CA-98.08: "Buffer overflows in some POP servers" at:
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html

Vulnerability:     Overwrite Stack 
Platforms Affected:  wu-ftpd 
Risk Level:    High

Wu-ftpd macro variables in the message file allow local or remote
attackers to overwrite the stack in the FTP daemon and execute code as
root. This is caused by improper bounds checking during the expansion of
macro variables in the message file.

Reference:
CERT Advisory CA-99.013: "Multiple Vulnerabilities in WU-FTPD" at:
http://www.cert.org/advisories/CA-99-13-wuftpd.html


Vulnerability:     WU-FTP Directory Buffer Overflow
Platforms Affected:  wu-ftpd: 2.5, BeroFTPD, 
Risk Level:    High

A vulnerability in Washington University's FTP server (wu-ftpd) and
servers derived from its source could allow a local or remote attacker to
execute code as root. A buffer overflow condition exists in bounds
checking of directory names supplied by users when the server is compiled
to use the MAPPING_CHDIR feature. Any attacker with the ability to create
directories can overwrite static memory space and execute arbitrary code
with root privileges.

Reference:
CERT Advisory CA-99.013: "Multiple Vulnerabilities in WU-FTPD" at:
http://www.cert.org/advisories/CA-99-13-wuftpd.html






-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBORhAgjRfJiV99eG9AQGbygQAl2xkCJfUpWs4RKuNIUixB+O5+HmCdUCt
Wevhx5tONo30i3XD6c2bvTGG/tyAsd+xobjmRUr/U9fSr2gS5fc+Wfspr/zg4B28
O9dAvQ0NT9HKh69OWVORwxoOFQZ/vpK2Uz1itFnNYYseXeRuBpysspdO0h1b8vS4
iPVitevyXoY=
=XmQY
-----END PGP SIGNATURE-----