
ISS Security Alert Summary March 11, 1998

Posted Jul 15, 1999

ISS Security Alert Summary for March 11, 1998.

SHA-256 | 70dd2a965bc966981a808420cce256b2deaffb7b31bc27aa59e48b302aba0883


I S S X - F o r c e

The Most Wanted Alert List


ISS Security Alert Summary
March 11, 1998
Volume 2 Number 3


X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an e-mail to [11]majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.



___

Contents

4 Reported Vulnerabilities
- [14]Sun-dtaction
- [15]Linux-quake2
- [16]BSD-mmap
- [17]BSD-sourceroute

2 Updates
- [18]Sun-vacation
- [19]SCO-land

2 Reported Incidents
- [20]Wide Spread Teardrop Attacks
- [21]Pentagon Hacked

Risk Factor Key



___


Date Reported: 3/4/98
Vulnerability: Sun-dtaction
Platforms Affected: Solaris (2.4, 2.5, 2.5.1, 2.6)
Risk Factor: High

The "dtaction" utility allows applications or shell scripts, which are
otherwise not connected into the CDE development environment, to invoke
action requests. "dtaction" contains a vulnerability that would allow an
attacker to overwrite stack space of dtaction, and gain unauthorized root
level access.

References:
[24]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-164.txt
[25]http://www.ciac.org/ciac/bulletins/i-032.shtml



___


Date Reported: 2/25/98
Vulnerability: Linux-quake2
Platforms Affected: Linux (3.13 and below with Quake2 installed)
Risk Factor: Medium

Quake 2 is a game that is installed setuid root under Linux 3.13 and
below. It contains vulnerabilities that allow users to read arbitrary
files and gain root level access. Systems with Quake 2 installed should
remove the setuid bit from the Quake 2 binary.

References:
[28]http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=2157
[29]http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=1911



___


Date Reported: 2/20/98
Vulnerability: BSD-mmap
Platforms Affected: OpenBSD (2.2 and below)
                    FreeBSD (2.2.5 and below)
                    BSDI (3.0)
Risk Factor: High

The mmap() system call is used to map files to a memory address space. In
some 4.4 BSD derived operating systems, such as FreeBSD, NetBSD, OpenBSD,
and BSDI, a vulnerability exists within this system call that allows a
user of a privileged group (kmem) to become root. This vulnerability also
allows a root user to modify the securelevel of a system. This setting
normally prevents everyone, even root users, from making some
security-critical modifications to a normal system.

Reference:
[32]http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=3208



___


Date Reported: 2/15/98
Vulnerability: BSD-sourceroute
Platforms Affected: OpenBSD (2.2 and below)
                    FreeBSD (2.2.5 and below)
                    FreeBSD (2.2-current before 1998/02/16)
                    FreeBSD-stable (before 1998/02/23)
Risk Factor: High

4.4 BSD derived operating systems allow kernel state variables to be
changed via the "sysctl" command. "sysctl" is used to define whether a
system accepts source routed packets by using the variable
"net.inet.ip.dosourceroute". The variable is set to "0" by default which
means "do not perform IP source routing". Secure Networks Inc. has found
that it is possible to send source routed packets to these systems even
when the flag is set to "0".

Reference:
[35]http://www.openbsd.org/advisories/sourceroute



___


Date: 3/4/98 (SNI Vacation Advisory)
Update: Sun-vacation
Vendor: Sun Microsystems, Inc.
Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1, 2.6)

Sun has released patches for the vacation vulnerability reported in
September, 1997. The vacation program is used to automatically reply to
incoming e-mail, such as "out of office" replies, etc. The vacation
program contains a vulnerability that allows remote users to obtain access
to the account running vacation.

References:
[38]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-163.txt
[39]http://www.ciac.org/ciac/bulletins/i-032.shtml
[40]ftp://ftp.secnet.com/advisories/SNI-18.VACATION.advisory



___


Date: 2/24/98 (CERT Advisory CA-97.28)
Update: SCO-land
Vendor: SCO
Platforms: SCO Open Desktop/Open Server (Release 3.0)
           SCO CMW+ (3.0)
           SCO OpenServer (Release 5.0)
           SCO UnixWare (2.1)

SCO has released patches for the land attack. This attack can lock up or
"freeze" many different operating systems as well as network hardware.
In this attack, an attacker sends a SYN packet, which is normally used
to open a connection, to the targeted host.

References:
[43]ftp://ftp.sco.com/SSE/sse010.ltr
[44]ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land



___


Date Reported: 3/3/98
Incident: Widespread Windows DOS Attacks

Attackers launched a widespread Teardrop/Bonk/Boink type of attack that
crashed a large number of Windows 95 and Windows NT systems across the
Internet. The attack uses a malformed UDP packet to 'blue screen'
Windows NT and Windows 95 systems.

References:
[47]http://www.microsoft.com/security/netdos.htm
[48]http://cnn.com/TECH/computing/9803/04/internet.attack.ap/
[49]http://www.ciac.org/ciac/bulletins/i-031a.shtml



___


Date Reported: 2/25/98
Incident: Pentagon Hacked

Hackers penetrated unclassified computers at the Pentagon in what was said
to be an organized and systematic attack. Two teenagers in California
were raided and linked to the attacks. An Israeli hacker says that he is
the ring leader of the group that hacked numerous Department of Defense
computers.

References:
[52]http://cnn.com/TECH/computing/9802/25/pentagon.cyberattack/
[53]http://www.wired.com/news/news/technology/story/10730.html



___

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on mail
        server.

Medium  Any vulnerability that provides information that has a
        high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server
        that allows an intruder to get the password file that
        could contain an account with a guessable password.

Low     Any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords
        via bruteforce methods.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and intrusion detection tools,
providing comprehensive software that enables organizations to proactively
manage and minimize their network security risks. For more information,
contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS
Web site at [56]http://www.iss.net.



___

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
e-mail [59]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.

X-Force PGP Key available at: [60]http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


References

1. http://xforce.iss.net/news.php3
2. http://xforce.iss.net/seriousfun/
3. http://xforce.iss.net/maillists/
4. http://xforce.iss.net/library/
5. http://xforce.iss.net/protoworx/
6. http://xforce.iss.net/alerts/
7. http://xforce.iss.net/submission.php3
8. http://xforce.iss.net/feedback.php3
9. http://xforce.iss.net/search.php3
10. http://www.iss.net/xforce
11. mailto:majordomo@iss.net
12. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
13. http://xforce.iss.net/alerts/alerts.php3
14. http://xforce.iss.net/alerts/vol-2_num-3.php3#Sun-dtaction
15. http://xforce.iss.net/alerts/vol-2_num-3.php3#Linux-quake2
16. http://xforce.iss.net/alerts/vol-2_num-3.php3#BSD-mmap
17. http://xforce.iss.net/alerts/vol-2_num-3.php3#BSD-sourceroute
18. http://xforce.iss.net/alerts/vol-2_num-3.php3#Sun-vacation
19. http://xforce.iss.net/alerts/vol-2_num-3.php3#SCO-land
20. http://xforce.iss.net/alerts/vol-2_num-3.php3#Wide Spread Teardrop Attacks
21. http://xforce.iss.net/alerts/vol-2_num-3.php3#Pentagon Hacked
22. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
23. http://xforce.iss.net/alerts/alerts.php3
24. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-164.txt
25. http://www.ciac.org/ciac/bulletins/i-032.shtml
26. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
27. http://xforce.iss.net/alerts/alerts.php3
28. http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=2157
29. http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=1911
30. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
31. http://xforce.iss.net/alerts/alerts.php3
32. http://www.netspace.org/cgi-bin/wa?A2=ind9802d&L=bugtraq&O=T&P=3208
33. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
34. http://xforce.iss.net/alerts/alerts.php3
35. http://www.openbsd.org/advisories/sourceroute
36. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
37. http://xforce.iss.net/alerts/alerts.php3
38. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-163.txt
39. http://www.ciac.org/ciac/bulletins/i-032.shtml
40. ftp://ftp.secnet.com/advisories/SNI-18.VACATION.advisory
41. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
42. http://xforce.iss.net/alerts/alerts.php3
43. ftp://ftp.sco.com/SSE/sse010.ltr
44. ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land
45. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
46. http://xforce.iss.net/alerts/alerts.php3
47. http://www.microsoft.com/security/netdos.htm
48. http://cnn.com/TECH/computing/9803/04/internet.attack.ap
49. http://www.ciac.org/ciac/bulletins/i-031a.shtml
50. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
51. http://xforce.iss.net/alerts/alerts.php3
52. http://cnn.com/TECH/computing/9802/25/pentagon.cyberattack
53. http://www.wired.com/news/news/technology/story/10730.html
54. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
55. http://xforce.iss.net/alerts/alerts.php3
56. http://www.iss.net/
57. http://xforce.iss.net/alerts/vol-2_num-3.php3#list
58. http://xforce.iss.net/alerts/alerts.php3
59. mailto:xforce@iss.net
60. http://www.iss.net/xforce/sensitive.html
61. http://xforce.iss.net/news.php3
62. http://xforce.iss.net/seriousfun/
63. http://xforce.iss.net/maillists/
64. http://xforce.iss.net/library/
65. http://xforce.iss.net/protoworx/
66. http://xforce.iss.net/alerts/
67. http://xforce.iss.net/submission.php3
68. http://xforce.iss.net/feedback.php3
69. http://xforce.iss.net/search.php3
70. http://xforce.iss.net/about.php3
71. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
72. http://xforce.iss.net/privacy.php3