From xforce@iss.net Mon Aug 16 20:13:43 1999
From: X-Force <xforce@iss.net>
Resent-From: mea culpa <jericho@dimensional.com>
To: alert@iss.net
Resent-To: jericho@attrition.org
Cc: X-Force <xforce@iss.net>
Date: Mon, 16 Aug 1999 16:20:23 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary v4 n6


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
August 15, 1999
Volume 4 Number 6

X-Force Vulnerability and Threat Database: http://xforce.iss.net/   To 
receive these Alert Summaries, subscribe to the ISS Alert mailing list. 
Send an email to majordomo@iss.net, and within the body of the message 
type:  'subscribe alert'.

_____

Contents

8 Reported Vulnerabilities
- - irdp-gateway-spoof
- - http-iis-malformed-header
- - netbsd-profil
- - nt-terminal-dos
- - frontpage-pws-dos
- - sun-stdcm-convert
- - exchange-relay
- - gauntlet-dos

Risk Factor Key

_____

Date Reported:    1999-08-11
Vulnerability:    irdp-gateway-spoof
Platforms Affected:  Windows (95, 98)
      Solaris
      SunOS
Risk Factor:    High
Attack Type:    Network Based

Systems configured for DHCP obtain their default gateway information,
along with other configuration parameters,  when they first contact the
network's DHCP server. When dynamically configured through DHCP, it has
been shown to be possible to remotely change the default gateway of
certain systems, including Sun Solaris and SunOS as well as Windows 9x, by
manipulating the systems with ICMP Router Advertisement messages. An
attacker could therefore cause a system to direct its network traffic
through a system of their choice, opening up man-in-the-middle, monitoring
and denial of service attacks.

Reference:
L0pht Security Advisory: "ICMP Router Discovery Protocol" at:
http://www.l0pht.com/advisories/rdp.txt

_____

Date Reported:    1999-08-11
Vulnerability:    http-iis-malformed-header
Platforms Affected:  IIS 4.0
Risk Factor:    Medium
Attack Type:    Host/Network Based

A vulnerability has been discovered in Microsoft Internet Information
Server 4.0 (IIS) and other web servers that use IIS as their web engine.
If a remote attacker sends a flood of specifically malformed HTTP request
headers, it could cause IIS to consume all the memory on the server.  The
service would have to be stopped and restarted in order to resume normal
operation.

Reference:
Microsoft Security Bulletin (MS99-029): "Patch Available for 'Malformed
HTTP Request Header' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-029.asp

_____

Date Reported:    1999-08-09
Vulnerability:    netbsd-profil
Platforms Affected:  NetBSD
Risk Factor:    High
Attack Type:    Host Based

NetBSD supports the profil(2) system call which arranges for the kernel to
sample the PC and increment an element of an array on every profile clock
tick. The profil(2) call fails to disable itself when a program calls
execve(2). Under certains circumstances a malicious local user could call
a privileged program through execve(2) and possibly modify its behavior
during execution and gain elevated privileges.

Reference:
NetBSD Security Advisory 1999-011: "profil(2) can modify setuid root
programs" at: http://www.netbsd.org/Security/advisory.html

_____

Date Reported:    1999-08-09
Vulnerability:    nt-terminal-dos
Platforms Affected:  Windows NT Server (4.0 Terminal Server Edition)
Risk Factor:    Medium
Attack Type:    Network Based

The ISS X-Force has discovered a denial of service attack against Windows
NT Server 4.0, Terminal Server Edition.  This vulnerability allows a
remote attacker to quickly consume all available memory on a Windows NT
Terminal Server, causing a significant disruption for users currently
logged into the terminal server, and preventing any new terminal
connections from being successfully completed.

References:
Microsoft Security Bulletin (MS99-028): "Patch Available for 'Terminal
Server Connection Request Flooding' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-028.asp

_____

Date Reported:    1999-08-08
Vulnerability:    frontpage-pws-dos
Platforms Affected:  Microsoft FrontPage Server Extensions PWS
Risk Factor:    Medium
Attack Type:    Host/Network Based

A bug in Microsoft FrontPage Server Extensions PWS for Windows exists in
the way it handles long URLs.  If someone sends it a URL of 167 characters
or more, then the web server crashes.

Reference:
BUGTRAQ Mailing List: "Crash FrontPage Remotely..." at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908071207.FAA23507@mb3.mailbank.com

_____

Date Reported:    1999-08-08
Vulnerability:    sun-stdcm-convert
Platforms Affected:  Solaris (2.6)
Risk Factor:    High
Attack Type:    Host Based

A vulnerability exists in stdcm_convert, which is a program shipped with
CDE and packaged with Solaris 2.6.  A local user could create a symbolic
link of the tmp file created by stdcm_convert and point it to any file on
the system.  This would overwrite the file and make it writable by the
user.  This could lead to a local root compromise.

Reference:
BUGTRAQ Mailing List: "sdtcm_convert" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-08&msg=19990809010450.A3223@hades.chaoz.org

_____

Date Reported:    1999-08-06
Vulnerability:    exchange-relay
Platforms Affected:  Microsoft Exchange (5.5)
Risk Factor:    Low
Attack Type:    Network Based

A vulnerability exists in Microsoft Exchange 5.5 with at least one
Internet Mail Service configured, which would allow a remote user to relay
mail off of the server to other users by using encapsulated SMTP
addresses. This could allow a spammer to send e-mail from your site, but
poses no real security risk.

Reference:
Microsoft Security Bulletin (MS99-027): "Patch Available for 'Encapsulated
SMTP Address' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-027.asp

_____

Date Reported:    1999-07-30
Vulnerability:    gauntlet-dos
Platforms Affected:  Gauntlet Firewall (5.0)
Risk Factor:            High
Attack Type:    Network Based

Network Associates Gauntlet Firewall contains a vulnerability that would
allow a remote attacker to crash the firewall by sending a specifically
constructed ICMP packet through the machine to a known IP inside the
firewall.

Reference:
BUGTRAQ Mailing List: "Remotely Lock Up Gauntlet 5.0" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-07-29&msg=199907301603.LAA17178@expert.cc.purdue.edu

_____


Risk Factor Key:

        High    Any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  Any vulnerability that provides information that has a
                high potential of giving system access to an intruder.
                Example: A misconfigured TFTP or vulnerable NIS server
                that allows an intruder to get the password file that
                could contain an account with a guessable password.
        Low     Any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via brute force methods.


ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.


________

Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is hereby 
granted for the redistribution of this Alert Summary electronically.  It is 
not to be edited in any way without express consent of the X-Force.  If
you wish to reprint the whole or any part of this Alert Summary in any other 
medium excluding electronic medium, please e-mail xforce@iss.net for 
permission.

Disclaimer
The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties with regard to this information. In no event shall the author 
be liable for any damages whatsoever arising out of or in connection with 
the use or spread of this information. Any use of this information is at 
the user's own risk.

X-Force PGP Key available at:   http://xforce.iss.net/sensitive.php3 as 
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN7hyVDRfJiV99eG9AQHmTQP9G81xqXy+YxZwipgqLfutU/CdRZgGsWn4
9g+ddZMaFbgRrAya6Ny+FArYi5iqQDJWzDtw8xknk7t++nDOOnDph97lxgGusH3r
mLIHwLqWERVSDMGJ4CUtRs/MrKLJhRw0lMDQ6QKXPXmONiBSvSVslskgeV8LVlWM
R8lq/ubHPCE=
=noQT
-----END PGP SIGNATURE-----