ISS Security Alert Summary September 15, 1999

Posted Sep 17, 1999

ISS Security Alert Summary for September 15, 1999.

SHA-256 | 911ca0b54f8dcde38c03700f3b97858a14c8deae99a4ef0346109d1b8698f0ec

From xforce@iss.net Fri Sep 17 14:58:41 1999
From: X-Force <xforce@iss.net>
Resent-From: mea culpa <jericho@dimensional.com>
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 16 Sep 1999 14:53:29 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary: v4 n7


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
September 15, 1999
Volume 4 Number 7

X-Force Vulnerability and Threat Database: http://xforce.iss.net/
To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

22 Reported Vulnerabilities
- http-powerdynamo-dotdotslash
- inn-inews-bo
- amd-bo
- wu-ftpd-dir-name
- nt-sequence-prediction-sp4
- ibm-gina-group-add
- linux-pt-chown
- oracle-dbsnmp
- oracle-dbsnmp-trace
- jet-text-isam
- jet-vba-shell
- lotus-ldap-bo
- smtp-refuser-tmp
- ciscosecure-read-write
- linux-telnetd-term
- qms-2060-no-root-password
- trn-symlinks
- aix-pdnsd-bo
- bsdi-smp-dos
- linux-termcap-tgetent
- suse-identd-dos
- win-ie5-telnet-heap-overflow

Risk Factor Key

_____

Date Reported: 1999-09-06
Vulnerability: http-powerdynamo-dotdotslash
Platforms Affected: Sybase PowerDynamo PWS
Risk Factor: Medium
Attack Type: Network/Host Based

PowerDynamo is a personal HTTP server produced by Sybase. A vulnerability
has been found that allows a remote attacker to traverse the server's file
system outside the document root by issuing GET requests with '../' in
them. This could allow any file to be remotely read by an attacker. If
directory browsing is enabled, the attacker doesn't need prior knowledge
of file names to exploit this flaw.

Reference:
BUGTRAQ Mailing List: "[Sybase] software vendors do not think about old
bugs" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.05.9909041428230.5675-100000@mx.nkm.lt
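
As an added illustration (not PowerDynamo code, and not taken from the
Bugtraq post above): the check a web server needs so that '../' in a GET
request cannot leave the document root. The function below lexically
resolves the request path under a document root, decoding %XX sequences
first (so "%2e%2e/" cannot slip past), treating backslash as a separator and
refusing any path whose '..' segments would climb above the root. The
docroot and paths in the comments are made-up test values.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added example, not PowerDynamo code. Resolve a URL path under a document
 * root without ever letting it climb above that root. */

#define MAX_PATH_LEN 1024

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (size n). A stray '%' or an encoded NUL is
 * treated as hostile and rejected rather than silently passed through. */
static int url_decode(const char *src, char *dst, size_t n) {
    size_t j = 0;
    for (size_t i = 0; src[i]; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int h = hexval((unsigned char)src[i + 1]);
            int l = (h < 0) ? -1 : hexval((unsigned char)src[i + 2]);
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            i += 2;
        }
        if (c == '\0') return -1;            /* "%00" truncation trick */
        if (j + 1 >= n) return -1;           /* would not fit */
        dst[j++] = (char)c;
    }
    dst[j] = '\0';
    return 0;
}

/* Map request_path (the path part of the GET line) to a filesystem path
 * under docroot. Writes the result to out and returns 0, or returns -1 if
 * the path cannot be decoded, does not fit, or would escape docroot.
 * Rejecting (rather than silently clamping) lets the server log the probe. */
int resolve_under_root(const char *docroot, const char *request_path,
                       char *out, size_t outlen) {
    char decoded[MAX_PATH_LEN];
    if (url_decode(request_path, decoded, sizeof decoded) != 0) return -1;

    /* Backslash is a separator on Windows-hosted servers; treat it as one. */
    for (char *q = decoded; *q; q++) if (*q == '\\') *q = '/';

    size_t rootlen = strlen(docroot);
    if (rootlen + 1 > outlen) return -1;
    memcpy(out, docroot, rootlen);
    size_t len = rootlen;

    /* starts[] records where each emitted segment begins so ".." can pop it */
    size_t starts[MAX_PATH_LEN / 2];
    int depth = 0;

    const char *p = decoded;
    while (*p) {
        while (*p == '/') p++;               /* skip empty segments ("//") */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t sl = (size_t)(p - seg);

        if (sl == 1 && seg[0] == '.') continue;
        if (sl == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return -1;       /* would climb above docroot */
            len = starts[--depth];
            continue;
        }
        if (len + 1 + sl + 1 > outlen) return -1;
        starts[depth++] = len;
        out[len++] = '/';
        memcpy(out + len, seg, sl);
        len += sl;
    }
    out[len] = '\0';
    return 0;
}
```

With docroot "/var/www", "/docs/../img/../a.html" resolves to
"/var/www/a.html", while "/docs/%2e%2e/%2e%2e/etc/passwd",
"/docs/..\..\boot.ini" and "/index.html%00.txt" are all refused. Lexical
resolution like this must still be paired with a realpath()-style check if
symbolic links inside the document root are allowed, since a link can point
outside the tree without any '..' appearing in the request.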

_____

Date Reported: 1999-09-02
Vulnerability: inn-inews-bo
Platforms Affected: InterNet News (INN)
Risk Factor: High
Attack Type: Host Based

The InterNet News (INN) daemon ships with inews, the program that injects
new postings into the news system. The inews shipped with INN 2.2 and
earlier contains a buffer overflow that a local attacker can trigger to
obtain the privileges of the 'news' group. From there, the attacker could
theoretically go on to gain root privileges.

References:
Red Hat, Inc. Security Advisory: "Buffer overflow problem in the inews
program" at: http://www.redhat.com/corp/support/errata/RHSA1999033_01.html

SuSE Security Announcement: "Security hole in inn" at:
http://www.suse.de/security/announcements/suse-security-announce-16.txt

Caldera Systems, Inc. Security Advisory CSSA-1999:026.0: "buffer overflow
in inews" at:
ftp://ftp.calderasystems.com/pub/info/security/CSSA-1999:026.0.txt

_____

Date Reported: 1999-08-30
Vulnerability: amd-bo
Platforms Affected: FreeBSD
Linux: Red Hat (4.2, 5.2, 6.0)
Risk Factor: High
Attack Type: Network/Host Based

The automounter daemon (amd) contains a buffer overflow in its mount code;
Red Hat Linux ships a vulnerable version. Passing an overly long string to
the AMQPROC_MOUNT procedure can allow a remote attacker to obtain root
privileges on the affected system.

References:
Red Hat, Inc. Security Advisory: "Buffer overrun in amd" at:
http://www.redhat.com/corp/support/errata/RHSA1999032_01.html

Caldera Systems, Inc. Security Advisory CSSA-1999:024.0: "buffer overflow
in amd" at:
ftp://ftp.calderasystems.com/pub/info/security/CSSA-1999:024.0.txt

_____

Date Reported: 1999-08-26
Vulnerability: wu-ftpd-dir-name
Platforms Affected: wu-ftpd (2.5)
Risk Factor: High
Attack Type: Network/Host Based

A buffer overflow has been discovered in Washington University's wu-ftpd.
The server does not properly bounds-check the directory names it handles
on behalf of a user. A local or remote user who can create directory names
long enough to exceed the server's static buffers can overwrite static
memory, which could result in increased privileges.

Reference:
BUGTRAQ Mailing List: "WU-FTPD Security Update" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=NDBBKFDGMLFBPDALDAMOOEHFCBAA.yua@artlover.com
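
The three overflow entries above (inews, amd and wu-ftpd) share one bug
shape: strings the attacker influences are copied into a fixed-size buffer
with no check that they fit. The following is an added example written for
this summary, not source from any of those programs: a path-building routine
in the vulnerable style beside a bounded version, using a deliberately small
buffer so the limit is easy to follow. Buffer size and test paths are
illustrative.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not wu-ftpd, INN or amd source. The bug class behind those
 * entries: a fixed-size buffer filled from attacker-influenced strings with
 * no check that they fit. */

#define PATH_BUF 64            /* deliberately small so the limit is easy to follow */

/* VULNERABLE pattern. Each append looks harmless; a user who creates enough
 * nested directories, or one long name, writes past the end of g_cwd_unsafe.
 * Shown for contrast only; never call it with untrusted input. */
static char g_cwd_unsafe[PATH_BUF] = "/";
void cwd_append_unsafe(const char *dirname) {
    if (strcmp(g_cwd_unsafe, "/") != 0)
        strcat(g_cwd_unsafe, "/");
    strcat(g_cwd_unsafe, dirname);   /* unbounded: overflows once the path exceeds 63 bytes */
}

/* HARDENED. The buffer size is part of the contract; the append is refused,
 * leaving cwd untouched, when the result would not fit. Only a single path
 * component is accepted, so the caller cannot smuggle in extra separators. */
int cwd_append(char *cwd, size_t cwdlen, const char *dirname) {
    const char *nul = memchr(cwd, '\0', cwdlen);
    if (!nul) return -1;                                   /* not NUL-terminated */
    size_t cur = (size_t)(nul - cwd);
    size_t dl = strlen(dirname);
    if (dl == 0 || strchr(dirname, '/')) return -1;        /* one component only */
    size_t sep = (cur > 0 && cwd[cur - 1] != '/') ? 1 : 0;
    if (cur + sep + dl + 1 > cwdlen) return -1;            /* would overflow */
    if (sep) cwd[cur++] = '/';
    memcpy(cwd + cur, dirname, dl + 1);                    /* copies the NUL too */
    return 0;
}

/* How many components of a given length fit before the bounded version
 * refuses? The unsafe version keeps going past that point, which is
 * exactly where the memory after the buffer gets overwritten. */
int max_depth_for(size_t cwdlen, size_t component_len) {
    char buf[PATH_BUF * 4];
    char name[PATH_BUF * 4];
    if (cwdlen > sizeof buf || component_len + 1 > sizeof name || component_len == 0)
        return -1;
    memset(name, 'a', component_len);
    name[component_len] = '\0';
    strcpy(buf, "/");
    int depth = 0;
    while (cwd_append(buf, cwdlen, name) == 0)
        depth++;
    return depth;
}
```

With a 16-byte buffer, three 3-character components fit ("/aaa/aaa/aaa" is
12 characters plus the terminator) and the fourth is refused; the unsafe
routine would instead write the fourth past the end of its array. The
general rule is the same whatever the buffer: the length check is done
before the copy, and the copy uses the size the caller supplied rather than
one the callee assumes.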

_____

Date Reported: 1999-08-25
Vulnerability: nt-sequence-prediction-sp4
Platforms Affected: Windows NT (4.0)
Risk Factor: Medium
Attack Type: Network/Host Based

Microsoft Windows NT 4.0 SP4 introduced a new method of generating TCP
sequence numbers. The method was designed to close a hole in previous
versions of Windows NT that allowed these numbers to be easily guessed. It
has been shown that SP4 and above systems are just as vulnerable to
sequence number prediction attacks as earlier service packs.

Reference:
NTA: "Leading Security testers 'NTA Monitor' Discover Security Flaw in
Microsoft NT4 SP4" at: http://www.nta-monitor.com/news/NT4-SP4.htm

_____

Date Reported: 1999-08-23
Vulnerability: ibm-gina-group-add
Platforms Affected: IBM GINA for NT
Risk Factor: High
Attack Type: Host Based

IBM's GINA for Windows NT allows NT hosts to authenticate against OS/2
domains. A vulnerability has been discovered that lets a local user add
themselves or another user to the local Administrators group by modifying a
registry key. Once the key is modified, the user has administrator
privileges at the next logon.

Reference:
NTBUGTRAQ Mailing List: "IBM Gina security warning" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534

_____

Date Reported: 1999-08-23
Vulnerability: linux-pt-chown
Platforms Affected: Linux Redhat (6.0)
Risk Factor: High
Attack Type: Host Based

The GNU C Library (glibc) 2.1.x ships with the setuid helper program
pt_chown, which changes the ownership of pseudo-terminal devices so that
non-privileged applications can safely allocate terminals. Insufficient
security checks in this program could allow a local attacker to take
ownership of, and thereby control, another user's (including root's)
terminal device.

Reference:
BUGTRAQ Mailing List: "[Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD /
lynx / vlock / mc / glibc 2.0.x" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl

_____

Date Reported: 1999-08-23
Vulnerability: oracle-dbsnmp
Platforms Affected: Oracle (8.x)
Risk Factor: High
Attack Type: Host Based

The Oracle 8 Intelligent Agent (dbsnmp) trusts certain environment
variables and is installed setuid root by default. By manipulating these
variables an attacker can cause the agent to create root-owned files; the
file creation follows symbolic links, so a link planted by the attacker
redirects it to a location of the attacker's choosing.

Reference:
ISS Security Advisory: "Root Compromise Vulnerabilities in Oracle 8" at:
http://xforce.iss.net/alerts/advise35.php3

_____

Date Reported: 1999-08-23
Vulnerability: oracle-dbsnmp-trace
Platforms Affected: Oracle (8.x)
Risk Factor: High
Attack Type: Host Based

dbsnmp can be tricked into reading rogue configuration files via trusted
environment variables. It then opens a 'trace' file that is created
root-owned with mode 666; because symbolic links are followed, the trace
file can be "linked out" onto any other file on the system. A second
vulnerability again depends on trusted environment variables: dbsnmp will
execute rogue Tcl scripts if the variables are manipulated appropriately.

Reference:
ISS Security Advisory: "Additional Root Compromise Vulnerabilities in
Oracle 8" at: http://xforce.iss.net/alerts/advise36.php3
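
Both dbsnmp entries come down to a setuid root program that trusts its
caller's environment. The added example below (not Oracle code; the
allow-list and variable names are chosen for illustration) shows the usual
countermeasure: whenever the real and effective ids differ, discard every
environment variable except a short allow-list and reset PATH to a fixed
value, so that configuration, trace and script locations cannot be steered
from outside.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Added example, not Oracle code. A setuid program must not let the caller
 * steer it through the environment. Everything not on the allow-list is
 * dropped whenever the program runs with privileges it did not inherit from
 * its caller, and PATH is reset to a fixed value instead of being trusted. */

#define SAFE_PATH "/usr/bin:/bin"

/* Illustrative allow-list. Note what is absent: LD_*, TERMCAP, IFS and any
 * product-specific variable (ORACLE_HOME and friends) all go. */
static const char *const keep[] = { "TZ", "LANG", NULL };

int is_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

static int on_keep_list(const char *name, size_t namelen) {
    for (const char *const *k = keep; *k; k++)
        if (strlen(*k) == namelen && memcmp(*k, name, namelen) == 0)
            return 1;
    return 0;
}

/* Scrub the environment in place. Returns the number of variables removed,
 * 0 if 'privileged' is zero (nothing to protect), or -1 on allocation
 * failure. Callers normally pass is_privileged(); it is a parameter so the
 * behaviour can be exercised from an unprivileged test. */
int scrub_environment(int privileged) {
    if (!privileged) return 0;

    /* Collect names first: calling unsetenv while walking environ would
     * shift the entries out from under the loop. */
    size_t n = 0;
    for (char **e = environ; e && *e; e++) n++;
    char **drop = calloc(n + 1, sizeof *drop);
    if (!drop) return -1;

    size_t nd = 0;
    for (char **e = environ; e && *e; e++) {
        const char *eq = strchr(*e, '=');
        size_t nl = eq ? (size_t)(eq - *e) : strlen(*e);
        if (nl == 0 || on_keep_list(*e, nl)) continue;
        char *name = malloc(nl + 1);
        if (!name) {
            for (size_t i = 0; i < nd; i++) free(drop[i]);
            free(drop);
            return -1;
        }
        memcpy(name, *e, nl);
        name[nl] = '\0';
        drop[nd++] = name;
    }
    for (size_t i = 0; i < nd; i++) {
        unsetenv(drop[i]);                /* removes every entry with that name */
        free(drop[i]);
    }
    free(drop);

    setenv("PATH", SAFE_PATH, 1);
    return (int)nd;
}

/* Number of entries currently in the environment. */
int env_count(void) {
    int n = 0;
    for (char **e = environ; e && *e; e++) n++;
    return n;
}
```

A program calls scrub_environment(is_privileged()) before it opens any
configuration file or spawns anything. An allow-list is preferable to a
block-list of known-bad names because the next product-specific variable
(here, whichever ones dbsnmp honoured) is unknown in advance; the second
dbsnmp entry, where a different variable leads to Tcl script execution, is
exactly the case a block-list misses.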

_____

Date Reported: 1999-08-20
Vulnerability: jet-text-isam
Platforms Affected: Microsoft Jet (3.5, 3.5.1, 4.0)
Risk Factor: High
Attack Type: Network/Host Based

Microsoft Jet is a database engine used in programs such as Office 97 and
Office 2000. It has functionality called Text I-ISAM that allows the Jet
driver to write to a text file. A malicious user could exploit a
vulnerability in Text I-ISAM and write to system files by performing a
database query.

Reference:
Microsoft Security Bulletin (MS99-030): "Patch Available for Office 'ODBC
Vulnerabilities'" at:
http://www.microsoft.com/Security/Bulletins/ms99-030.asp

_____

Date Reported: 1999-08-20
Vulnerability: jet-vba-shell
Platforms Affected: Microsoft Jet (3.5, 3.5.1)
Risk Factor: High
Attack Type: Network/Host Based

Microsoft Jet is a database engine used in programs such as Office 97 and
Office 2000. Microsoft Jet contains a vulnerability that could allow an
operating system command to be executed from a database query. Once the
query is executed from a spreadsheet or program, then a user could execute
virtually anything on the affected machine.

Reference:
Microsoft Security Bulletin (MS99-030): "Patch Available for Office 'ODBC
Vulnerabilities'" at:
http://www.microsoft.com/Security/Bulletins/ms99-030.asp

_____

Date Reported: 1999-08-20
Vulnerability: lotus-ldap-bo
Platforms Affected: Lotus Notes
Risk Factor: Medium
Attack Type: Network/Host Based

There is a buffer overflow in the Lotus Notes LDAP Service (NLDAP), the
service that handles the LDAP protocol. This buffer overflow is related to
the way that NLDAP handles the ldap_search request. By sending a large
parameter in the ldap_search request, an attacker can cause a PANIC in the
Domino server. This allows an attacker to stop all Domino services
running on the affected machine.

Reference:
ISS Security Advisory: "Denial of Service Attack against Lotus Notes
Domino Server 4.6" at: http://xforce.iss.net/alerts/advise34.php3

_____

Date Reported: 1999-08-20
Vulnerability: smtp-refuser-tmp
Platforms Affected: Linux: Debian
Risk Factor: Medium
Attack Type: Network/Host Based

The smtp-refuser package, installed on some versions of Debian Linux
systems, creates a logging facility in the system "/tmp" directory. This
facility is insecurely created and could allow a local attacker who has
write access to "/tmp" to delete arbitrary, root-owned files on the
system.

Reference:
Debian Security Information: "smtp-refuser: /tmp file creation problem"
at: http://www.debian.org/security/1999/19990823b

_____

Date Reported: 1999-08-19
Vulnerability: ciscosecure-read-write
Platforms Affected: CiscoSecure
Risk Factor: High
Attack Type: Network/Host Based

A vulnerability in CiscoSecure ACS version 1.0 through 2.3.2 for Unix
allows a remote attacker to read and write to the server database without
authentication. The attacker could modify access policies, add and delete
accounts, or elevate access privileges for accounts. CiscoSecure ACS for
Windows NT is not vulnerable to this problem.

Reference:
Cisco Field Notice: "CiscoSecure Access Control Server for UNIX Remote
Administration Vulnerability" at:
http://www.cisco.com/warp/public/770/csecure-dbaccess.shtml

_____

Date Reported: 1999-08-19
Vulnerability: linux-telnetd-term
Platforms Affected: Linux: Red Hat (4.2, 5.2, 6.0)
Risk Factor: Medium
Attack Type: Network/Host Based

The telnetd server and libncurses library of some Linux systems, notably
Red Hat and Caldera, could allow a remote or local attacker to crash or
hang the system. By supplying a malformed terminal type when connecting to
a vulnerable system's telnet server, an attacker can make the daemon
attempt to read files in a way that results in a denial of service. Local
attackers can mount the same attack by giving bad terminal information to
setuid programs linked against a vulnerable libncurses library.

References:
Red Hat, Inc. Security Advisory: "Denial of service attack in in.telnetd"
at: http://www.redhat.com/corp/support/errata/RHSA1999029_01.html

Caldera Systems, Inc. Security Advisory CSSA-1999:022.0: "Security issues
with telnetd and libcurses" at:
http://www.calderasystems.com/news/security/CSSA-1999:022.0.txt

_____

Date Reported: 1999-08-19
Vulnerability: qms-2060-no-root-password
Platforms Affected: QMS CrownNet Unix Utilities for 2060
Risk Factor: High
Attack Type: Network Based

The QMS CrownNet Unix Utilities for the 2060 printer use a file called
passwd.ftp that controls which users are allowed to log in and print to
the QMS. The root account can log in without a password, and can therefore
modify passwd.ftp and other files.

Reference:
BUGTRAQ Mailing List: "QMS 2060 printer security hole" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908181402.KAA03077@alchemy.chem.utoronto.ca

_____

Date Reported: 1999-08-19
Vulnerability: trn-symlinks
Platforms Affected: Linux: Debian
Risk Factor: Medium
Attack Type: Host Based

Trn is an NNTP compatible newsreader for Unix systems. Some versions of
trn create temporary files insecurely in the system '/tmp' directory.
This could allow a local attacker to create symbolic links to a user's
files that would be overwritten when that user executes trn.

References:
Debian Security Information: "trn: /tmp file creation problem" at:
http://www.debian.org/security/1999/19990823c

SuSE Security Announcement: "Security hole in trn" at:
http://www.suse.de/security/announcements/suse-security-announce-14.txt
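
The smtp-refuser and trn entries above, and the dbsnmp trace file earlier
in this summary, are the same /tmp symlink problem: a privileged program
creates a file at a path a local user can pre-create as a symbolic link. The
added example below (written for this summary, not taken from any of those
packages) contrasts the unsafe open() with two safe creators and includes a
self-contained demonstration that plants a link in a fresh directory under
/tmp, which is assumed to be writable. File names are illustrative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; not code from smtp-refuser, trn or Oracle. A privileged
 * program that creates a log, trace or temporary file at a path a local
 * user can pre-create as a symbolic link will follow that link and
 * truncate or overwrite its target. */

/* UNSAFE: the pattern in the vulnerable programs. Follows a symlink and
 * truncates whatever it points at, and with 0666 leaves the result
 * world-writable (as the dbsnmp trace file was). Returns fd or -1. */
int create_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* SAFE with a fixed name: O_EXCL makes open fail if anything, file or
 * symlink, already exists at the path, so a pre-planted link is refused
 * rather than followed. O_NOFOLLOW states the intent explicitly and still
 * protects a caller that later drops O_EXCL for an append-mode log.
 * 0600 because nobody else needs to read a trace file. */
int create_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* SAFE with an unpredictable name: mkstemp chooses a random suffix and
 * opens with O_CREAT|O_EXCL internally. 'template' must end in XXXXXX
 * and is overwritten with the chosen name. */
int create_tmp_safe(char *template) {
    return mkstemp(template);
}

/* Self-contained demonstration: in a fresh directory under /tmp (assumed
 * writable), create a 'victim' file with content, plant the attacker's
 * symlink trace.log -> victim, then try both creators on trace.log.
 * Returns 1 when the safe creator refused and the victim survived it,
 * while the unsafe creator followed the link and truncated the victim. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/symdemo.XXXXXX";
    char victim[256], link[256];
    struct stat st;
    int fd, safe_fd, unsafe_fd, wrote;
    int safe_refused = 0, intact = 0, clobbered = 0, result = 0;

    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/trace.log", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) goto cleanup;
    wrote = (write(fd, "important\n", 10) == 10);
    close(fd);
    if (!wrote) goto cleanup;

    if (symlink(victim, link) != 0) goto cleanup;   /* the attacker's move */

    /* Safe creator: must fail with EEXIST (or ELOOP) and leave victim alone. */
    safe_fd = create_log_safe(link);
    safe_refused = (safe_fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (safe_fd >= 0) close(safe_fd);
    intact = (stat(victim, &st) == 0 && st.st_size == 10);

    /* Unsafe creator: follows the link, victim ends up empty. */
    unsafe_fd = create_log_unsafe(link);
    if (unsafe_fd >= 0) {
        close(unsafe_fd);
        clobbered = (stat(victim, &st) == 0 && st.st_size == 0);
    }
    result = safe_refused && intact && clobbered;

cleanup:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

mktemp(3), which only returns a name, leaves the same window between
choosing the name and opening it and should be replaced by mkstemp(3). A
log that must grow over time belongs in a directory the unprivileged user
cannot write to, opened with O_APPEND|O_NOFOLLOW, rather than in /tmp at
all.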

_____

Date Reported: 1999-08-17
Vulnerability: aix-pdnsd-bo
Platforms Affected: AIX
Risk Factor: High
Attack Type: Network/Host Based

The Source Code Browser's Program Database Name Server Daemon (pdnsd)
component of the C Set ++ compiler for AIX contains a remotely exploitable
buffer overflow. This vulnerability allows local or remote attackers to
compromise root privileges on vulnerable systems.

References:
IBM Emergency Response Service Security Vulnerability Alert
ERS-SVA-E01-1999:003: "The IBM C Set ++ for AIX Source Code Browser allows
local and remote users to become root." at:
http://www.brs.ibm.com/services/brs/ers/brspwadv.nsf/Date/E53CE3A5F5B41D44852567D0004A250F/$file/sva003.txt

CIAC Information Bulletin J-059: "J-059: IBM AIX (pdnsd) Buffer Overflow
Vulnerability" at: http://www.ciac.org/ciac/bulletins/j-059.shtml

_____

Date Reported: 1999-08-17
Vulnerability: bsdi-smp-dos
Platforms Affected: BSDi (4.0.1)
Risk Factor: Medium
Attack Type: Host Based

A local denial of service exists with Symmetric Multiprocessing (SMP) in
BSDi 4.0.1. When the CPU load average is initially high, a local user can
make the system halt or stop responding by executing fstat calls.

Reference:
BUGTRAQ Mailing List: "Symmetric Multiprocessing (SMP) Vulnerability in
BSDi 4.0.1" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net

_____

Date Reported: 1999-08-17
Vulnerability: linux-termcap-tgetent
Platforms Affected: Linux: RedHat (4.2, 5.2)
Risk Factor: High
Attack Type: Host Based

A buffer overflow in the libtermcap tgetent() function on Red Hat Linux 4.2
and 5.2 could allow a malicious local user to execute arbitrary code with
root privileges. The hole can be exploited on systems that allow a user to
specify their own termcap file (for example through the TERMCAP environment
variable).

Reference:
Red Hat, Inc. Security Advisory RHSA-1999:028-01: "Buffer overflow in
libtermcap tgetent()" at:
http://www.redhat.com/corp/support/errata/RHSA1999028_01.html

_____

Date Reported: 1999-08-16
Vulnerability: suse-identd-dos
Platforms Affected: Linux: SuSE
Risk Factor: Medium
Attack Type: Network/Host Based

Some SuSE Linux distributions start identd from inetd.conf with the options
-w -t120. Once an identd connection is made to the server, it waits 120
seconds before it will answer another connection. A remote attacker can
open a large number of identd connections to the server, using up all of
its memory and causing it to crash.

Reference:
BUGTRAQ Mailing List: "DOS against SuSE's identd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990814202948.26220.qmail@securityfocus.com

_____

Date Reported: 1999-08-16
Vulnerability: win-ie5-telnet-heap-overflow
Platforms Affected: Internet Explorer (4.0, 4.01, 5.0)
Risk Factor: High
Attack Type: Network/Host Based

A vulnerability exists in the Telnet.exe program shipped with Internet
Explorer 4 and some versions of Internet Explorer 5. An overflow in the
Telnet.exe application could allow arbitrary code to be remotely executed
by an attacker.

Reference:
BUGTRAQ Mailing List: "telnet.exe heap overflow - remotely exploitable" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990815220227.37285.qmail@hotmail.com

_____


Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on the mail
        server.

Medium  Any vulnerability that provides information that has a
        high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server
        that allows an intruder to get the password file, which
        could contain an account with a guessable password.

Low     Any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords
        via brute force methods.


ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.


________

Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby
granted for the redistribution of this Alert Summary electronically. It is
not to be edited in any way without express consent of the X-Force. If
you wish to reprint the whole or any part of this Alert Summary in any other
medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN9+/tzRfJiV99eG9AQEokAP/Su3Ndb6NShK/H0xbEqCsQbKv+ju7XAAK
JYnzl8nBgESAxTfOoVDic4MA049YNONuKlN99bb3X9RZ7GbZq7WogA+G8BbQEbQ5
DkkbVD2ntjCwKpcuH9XcUiTFrQfGWblS9aJgYtX+tEhVqmMrSl/86cp664D1lKkn
J/j4/CsFi4A=
=AWqf
-----END PGP SIGNATURE-----