ISS Security Alert Summary for March 3, 1999.
From xforce@iss.net Fri Mar 5 14:35:07 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Fri, 5 Mar 1999 15:09:44 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary v3 n6
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Alert Summary
March 3, 1999
Volume 3 Number 6
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.
_____
Contents
12 Reported Vulnerabilities
- linux-super-logging-bo
- cobalt-raq-history-exposure
- openbsd-link-crash
- ncftpd-port-bo
- openbsd-ping-bo
- win-resourcekit-taskpads
- arcserve-agent-passwords
- wget-permissions
- backdoor-update
- digital-networker-bo
- openbsd-ipintr-race
- zgv-privilege-leak
Risk Factor Key
_____
Date Reported: 1999-02-26
Vulnerability: linux-super-logging-bo
Platforms Affected: Linux (Debian)
Risk Factor: High
Super is a package for delegating administrative privileges to users
without giving complete root privileges. A buffer overflow exists in
the logging code of Super which could allow a local user to cause the
program to execute arbitrary code with root privileges. Exploit
information for this vulnerability has been widespread.
References:
BUGTRAQ Mailing List: "SUPER buffer overflow" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902d&L=bugtraq&F=&S=&P=9518
Sekure SDI Homepage at: http://www.sekure.org/english/
_____
Date Reported: 1999-02-25
Vulnerability: cobalt-raq-history-exposure
Platforms Affected: Cobalt RaQ
Risk Factor: Medium
The Cobalt RaQ web server device contains a vulnerability that may allow
a user's shell command history to be obtained remotely. By default, the
Cobalt web server shares a user's entire home directory, which can include
sensitive files such as command history files. Any remote user can abuse
this hole, and the nature of the Cobalt RaQ's setup makes these servers
easy to identify through web search engines.
References:
Wired News Online: "Teenager Finds Web-Server Hole" at:
http://www.wired.com/news/news/technology/story/18109.html
Cobalt Networks, Inc.: "Cobalt Networks - Security" at:
http://www.cobaltnet.com/security.html
_____
Date Reported: 1999-02-25
Vulnerability: openbsd-link-crash
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium
The OpenBSD FFS link(2) function can be used by local users to crash the
system under some circumstances. The vulnerability exists because the
file's link count (nlink) is incremented without a bound check.
Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.com/errata.html#nlink
_____
Date Reported: 1999-02-23
Vulnerability: ncftpd-port-bo
Platforms Affected: NCFTPd
Risk Factor: Medium
A buffer overflow has been discovered in the NCFTPd server's implementation
of the PORT command. The vulnerability allows a remote attacker to corrupt
one byte of memory, which is enough to crash the server; the server then
respawns, so the bug does not leave the service permanently down.
Reference:
Proof of Concept - Security Advisory: "NcFTPd remote buffer overflow" at:
http://poc.csoft.net/advs/ncftpd-of/advisory.txt
_____
Date Reported: 1999-02-23
Vulnerability: openbsd-ping-bo
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium
The OpenBSD ping command contains a buffer overflow in its handling of
oversized ICMP packets. It isn't known whether or not this could lead to
unauthorized access, but it is recommended that sites upgrade ping
regardless.
Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.com/errata.html#nlink
_____
Date Reported: 1999-02-22
Vulnerability: win-resourcekit-taskpads
Platforms Affected: Windows Resource Kit
Risk Factor: High
The Windows Resource Kit (RK), optionally installed with Windows 95, 98,
or NT, contains a scripting feature called "Taskpads" as part of the Tools
Management Console snap-in. Certain methods of launching RK tools are
marked "safe for scripting"; however, they could allow a malicious web
site to execute arbitrary commands on the browsing user's computer.
Reference:
Microsoft Knowledgebase Article ID: Q218619: "Taskpads Let Web Sites
Invoke Executables on a User's Computer" at:
http://support.microsoft.com/support/kb/articles/Q218/6/19.ASP
Microsoft Security Bulletin MS99-007: "Patch Available for Taskpads
Scripting Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-007.asp
_____
Date Reported: 1999-02-21
Vulnerability: arcserve-agent-passwords
Platforms Affected: ARCserveIT
Risk Factor: High
The CAI ARCserve NT backup agents transmit NT username and password
combinations across the network with very weak encryption. Because of the
tasks these agents perform, the passwords are generally those of the
Administrator or other highly privileged accounts.
Reference:
BUGTRAQ Mailing List: "Severe Security Hole in ARCserve NT agents (fwd)"
at: http://www.netspace.org/cgi-bin/wa?A2=ind9902d&L=bugtraq&F=&S=&P=2099
_____
Date Reported: 1999-02-20
Vulnerability: wget-permissions
Platforms Affected: Linux (Debian)
Risk Factor: Medium
Wget, a file retrieval program for Unix systems, has been found to contain
a vulnerability in how it changes permissions on symbolic links when
invoked with the -N option.
Reference:
Debian GNU/Linux - Security Information: "wget: Improper handling of
symlink permissions" at: http://www.debian.org/security/1999/19990220
_____
Date Reported: 1999-02-19
Vulnerability: backdoor-update
Platforms Affected: Windows 9x, Windows NT
Risk Factor: High
The final version of NetBus 2.0 Pro was released on February 19. The
new version of NetBus is not distributed as a backdoor, but as a "Remote
Administration and Spy Tool." Due to the proliferation of NetBus
and its common use in attacks across the Internet, NetBus 2.0 poses a
significant risk with its new functionality and enhanced obfuscation of
its network communication. The version of NB2 available on the Internet
notifies users upon installation; however, attackers can easily hide the
installation with slight modifications.
Reference:
ISS Vulnerability Alert: "Windows Backdoors Update II: NetBus 2.0 Pro,
Caligula, and Picture.exe" at:
http://www.iss.net/xforce/alerts/advise20.html
_____
Date Reported: 1999-02-19
Vulnerability: digital-networker-bo
Platforms Affected: Digital Unix
Risk Factor: High
The Digital NetWorker program "nsralist" for Digital Unix contains a
buffer overflow that allows local users to execute arbitrary code
with root privileges. This hole affects all known versions of NetWorker,
which is installed suid root.
References:
BUGTRAQ Mailing List: "More Buffer Overflows in Digital Unix" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902c&L=bugtraq&F=&S=&P=12530
_____
Date Reported: 1999-02-19
Vulnerability: openbsd-ipintr-race
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium
The kernel function ipintr() within OpenBSD contains a race condition
which could allow a remote attacker to crash the machine.
References:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.com/errata.html#nlink
_____
Date Reported: 1999-02-19
Vulnerability: zgv-privilege-leak
Platforms Affected: All operating systems running zgv
Risk Factor: High
zgv is an image file viewer that runs under SVGAlib at the Linux console.
Since it has to access graphics hardware, it has to be installed suid
root. zgv leaks its privileges to a child process, giving that process
access to all I/O ports and the use of the cli() and sti() instructions.
This vulnerability could lead to an attacker gaining root access.
References:
Bugtraq Mailing List: "Security hole: 'zgv'" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9902c&L=bugtraq&F=&S=&P=13001
_____
Risk Factor Key:
High    Any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on the mail
        server.
Medium  Any vulnerability that provides information that has a
        high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server
        that allows an intruder to get the password file, which
        could contain an account with a guessable password.
Low     Any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger service that allows an intruder to find out who is
        online and potential accounts to attempt to crack passwords
        via brute force methods.
Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection and response software that protects
the security and integrity of enterprise information systems. By
dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products
provides protection across the enterprise, including the Internet,
extranets, and internal networks, from attacks, misuse, and security
policy violations. ISS has delivered its adaptive network security
solutions to organizations worldwide, including firms in the Global 2000,
nine of the ten largest U.S. commercial banks and over 35 governmental
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at http://www.iss.net.
________
Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby
granted for the redistribution of this Alert Summary electronically. It is
not to be edited in any way without express consent of the X-Force. If
you wish to reprint the whole or any part of this Alert Summary in any other
medium excluding electronic medium, please e-mail xforce@iss.net for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
-----END PGP SIGNATURE-----