
ISS Security Alert Summary February 18, 1998

Posted Jul 15, 1999

ISS Security Alert Summary for February 18, 1998.

SHA-256 | c9cb9ca11ec6716d0e723f9b2213fc3abc9acdf7d08567d259e5d2c991409c87


I S S X - F o r c e


ISS Security Alert Summary
February 18, 1998
Volume 2 Number 2


X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list
by sending an e-mail to [11]majordomo@iss.net and within the body of the
message type: 'subscribe alert'.


___

Index

7 Reported Vulnerabilities
- [14]NT-logondos
- [15]IBM-telnetdos
- [16]IBM-symlink
- [17]Sun-volrmmount
- [18]NT-web8.3
- [19]NT-portbind
- [20]elm-filter

2 Updates
- [21]L0pht-l0phtcrack
- [22]HP-land

Risk Factor Key


___


Date Reported: 2/14/98
Vulnerability: NT-logondos
Platforms Affected: Windows NT
Risk Factor: High

Windows NT servers (including those with Service Pack 3 and all hotfixes
applied) are vulnerable to a denial of service attack. When a logon
request is initiated to access the SMB/CIFS service and the SMB
logon packet is incorrectly processed, memory corruption results in the NT
kernel. When this happens, a blue screen error message appears and the
machine has to be rebooted.

Reference:
[25]ftp://ftp.secnet.com/pub/advisories/SNI-25.Windows.NT.DoS


___


Date Reported: 2/11/98
Vulnerability: IBM-telnetdos
Platforms Affected: AIX (4.1.x, 4.2.x, 4.3)
Risk Factor: High

An AIX-specific denial of service exploit has been made publicly
available on the Bugtraq mailing list. This exploit causes all tty
activity to hang on the system being attacked. This allows remote users to
cause the machine to stop accepting new telnet sessions.

Reference:
[28]http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:003.1.txt


___


Date Reported: 2/11/98
Vulnerability: IBM-symlink
Platforms Affected: AIX (3.2.5, 4.1.x, 4.2.x, 4.3)
Risk Factor: High

Several AIX programs will follow symbolic links that have the same name as
temporary files they create. By creating a symbolic link with one of these
temporary file names that points to a carefully selected system file (such
as /etc/passwd), a local user can arrange to cause critical system files to
be overwritten when the root user executes one of these programs.

Reference:
[31]http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:002.2.txt
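
Added example (not part of the ISS summary or the IBM advisory): the temporary-file pattern described under IBM-symlink, shown beside a hardened form for a POSIX system. The function names, the scratch directory and the stand-in target file are all constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open `path` with `flags` and write `data`; returns -1 on any failure. */
static int write_with(const char *path, int flags, const char *data) {
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}
/* Pattern from the summary: a predictable name opened without O_EXCL,
   so open() follows whatever symlink already sits at that name. */
int write_tmp_unsafe(const char *path, const char *data) {
    return write_with(path, O_WRONLY | O_CREAT | O_TRUNC, data);
}
/* Hardened form: O_CREAT|O_EXCL fails if the name exists at all (a symlink
   included, even a dangling one); O_NOFOLLOW is a second line of defence.
   mkstemp(3) applies the same O_EXCL rule to an unpredictable name. */
int write_tmp_safe(const char *path, const char *data) {
    return write_with(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, data);
}

/* Constructed demo inside a private mkdtemp() directory: a symlink at the
   temp name points at a stand-in for a system file. Returns 1 if the
   stand-in was overwritten, 0 if it survived, -1 on setup failure. */
int standin_clobbered(int use_safe) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], tmp[64], buf[32] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/passwd.standin", dir);
    snprintf(tmp, sizeof tmp, "%s/prog.tmp", dir);
    if (write_with(target, O_WRONLY | O_CREAT | O_EXCL, "original") != 0) return -1;
    if (symlink(target, tmp) != 0) return -1;
    (use_safe ? write_tmp_safe : write_tmp_unsafe)(tmp, "scratch");
    FILE *f = fopen(target, "r");
    if (!f || !fgets(buf, sizeof buf, f)) buf[0] = '\0';
    if (f) fclose(f);
    unlink(tmp); unlink(target); rmdir(dir);
    return strcmp(buf, "original") != 0;
}

int main(void) {
    printf("clobbered: unsafe=%d safe=%d\n", standin_clobbered(0), standin_clobbered(1));
    return 0;
}
```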


___


Date Reported: 2/10/98
Vulnerability: Sun-volrmmount
Platforms Affected: Solaris 2.6
Risk Factor: High

The Solaris program 'volrmmount' is used to simulate insertion and
ejection of removable media. It is normally setuid and can be used by an
attacker to view any file on the system, or in some cases, even gain root
privileges.

Reference:
[34]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-162.txt


___


Date Reported: 2/6/98
Vulnerability: NT-web8.3
Platforms Affected: Win32 Web Servers
Risk Factor: High

Some Windows NT and 95 web servers have problems with file names
because of the way they handle long file names and the standard
Microsoft 8.3 short format file names. In some cases, when a URL is
requested using the short file name, the web server can apply different
configuration properties to the request, thus enabling an attacker to
gain access to unauthorized files.

References:
[37]ftp://info.cert.org/pub/cert_advisories/CA-98.04.Win32.WebServers
[38]http://www.microsoft.com/security/iissfn.htm


___


Date Reported: 2/6/98
Vulnerability: NT-portbind
Platforms Affected: Windows NT
Risk Factor: High

Microsoft Windows NT allows programs run by users who are logged in to
bind to any port. If a program binds to a port that a service is currently
running on, the service will be disrupted, effectively making it
unavailable.

Reference:
[41]http://www.l0pht.com/advisories/nc11adv.txt


___


Date Reported: 1/29/98
Vulnerability: elm-filter
Platforms Affected: Any UNIX system running elm/filter
Risk Factor: High

Two problems have been found in the filter program that is contained in the
elm-2.4 package. The first problem allows local users (and potentially
remote users) to run arbitrary commands as the user who runs the filter.
The second problem allows a local user to read users' mail spools and
gain write access to the mail spool directory. In order for these
problems to be exploited, the filter must have setuid or setgid
permissions (which is common on Linux machines).

Reference:
[44]http://www.dec.net/ksrt/adv7.html


___


Date: 2/12/98
Update: L0pht-l0phtcrack
Platforms: Windows NT, Unix (running Samba)

L0pht crack is a utility that can be used by system administrators and
security professionals concerned about potential points of access in their
local networks. It can also be used by hackers to crack passwords and
gain unauthorized access to systems.

Reference:
[47]http://www.l0pht.com/l0phtcrack/news.html


___


Date: 1/21/98 (CERT Advisory CA-97.28)
Updated: HP-land
Vendor: Hewlett Packard
Platforms: HP-UX (9.X, 10.X, 11.00)

Hewlett Packard has released patches for the land attack. This attack can
lock up or "freeze" many different operating systems as well as network
hardware. An attacker sends a SYN packet, which is normally used to
open a connection, to the host being attacked.

References:
[50]http://us-support.external.hp.com - HP Security Bulletin #00076
[51]ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land


___

Risk Factor Key:

High    any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on mail
        server.

Medium  any vulnerability that provides information that has a
        high potential of giving access to an intruder. Example:
        A misconfigured TFTP or vulnerable NIS server that allows
        an intruder to get the password file that possibly can
        contain an account with a guessable password.

Low     any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords
        via bruteforce.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and intrusion detection tools,
providing comprehensive software that enables organizations to proactively
manage and minimize their network security risks. For more information,
contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS
Web site at [54]http://www.iss.net.


___

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
e-mail [57]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.

X-Force PGP Key available at: [58]http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X Force <xforce@iss.net> of Internet Security Systems, Inc.


References

1. http://xforce.iss.net/news.php3
2. http://xforce.iss.net/seriousfun/
3. http://xforce.iss.net/maillists/
4. http://xforce.iss.net/library/
5. http://xforce.iss.net/protoworx/
6. http://xforce.iss.net/alerts/
7. http://xforce.iss.net/submission.php3
8. http://xforce.iss.net/feedback.php3
9. http://xforce.iss.net/search.php3
10. http://www.iss.net/xforce
11. mailto:majordomo@iss.net
12. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
13. http://xforce.iss.net/alerts/alerts.php3
14. http://xforce.iss.net/alerts/vol-2_num-2.php3#NT-logondos
15. http://xforce.iss.net/alerts/vol-2_num-2.php3#IBM-telnetdos
16. http://xforce.iss.net/alerts/vol-2_num-2.php3#IBM-symlink
17. http://xforce.iss.net/alerts/vol-2_num-2.php3#Sun-volrmmount
18. http://xforce.iss.net/alerts/vol-2_num-2.php3#NT-web8.3
19. http://xforce.iss.net/alerts/vol-2_num-2.php3#NT-portbind
20. http://xforce.iss.net/alerts/vol-2_num-2.php3#elm-filter
21. http://xforce.iss.net/alerts/vol-2_num-2.php3#L0pht-l0phtcrack
22. http://xforce.iss.net/alerts/vol-2_num-2.php3#HP-land
23. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
24. http://xforce.iss.net/alerts/alerts.php3
25. ftp://ftp.secnet.com/pub/advisories/SNI-25.Windows.NT.DoS
26. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
27. http://xforce.iss.net/alerts/alerts.php3
28. http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:003.1.txt
29. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
30. http://xforce.iss.net/alerts/alerts.php3
31. http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:002.2.txt
32. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
33. http://xforce.iss.net/alerts/alerts.php3
34. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-162.txt
35. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
36. http://xforce.iss.net/alerts/alerts.php3
37. ftp://info.cert.org/pub/cert_advisories/CA-98.04.Win32.WebServers
38. http://www.microsoft.com/security/iissfn.htm
39. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
40. http://xforce.iss.net/alerts/alerts.php3
41. http://www.l0pht.com/advisories/nc11adv.txt
42. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
43. http://xforce.iss.net/alerts/alerts.php3
44. http://www.dec.net/ksrt/adv7.html
45. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
46. http://xforce.iss.net/alerts/alerts.php3
47. http://www.l0pht.com/l0phtcrack/news.html
48. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
49. http://xforce.iss.net/alerts/alerts.php3
50. http://us-support.external.hp.com/
51. ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
52. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
53. http://xforce.iss.net/alerts/alerts.php3
54. http://www.iss.net/
55. http://xforce.iss.net/alerts/vol-2_num-2.php3#list
56. http://xforce.iss.net/alerts/alerts.php3
57. mailto:xforce@iss.net
58. http://www.iss.net/xforce/sensitive.html
59. http://xforce.iss.net/news.php3
60. http://xforce.iss.net/seriousfun/
61. http://xforce.iss.net/maillists/
62. http://xforce.iss.net/library/
63. http://xforce.iss.net/protoworx/
64. http://xforce.iss.net/alerts/
65. http://xforce.iss.net/submission.php3
66. http://xforce.iss.net/feedback.php3
67. http://xforce.iss.net/search.php3
68. http://xforce.iss.net/about.php3
69. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
70. http://xforce.iss.net/privacy.php3