ISS Security Alert Summary August 1, 2000 - 37 new vulnerabilities were reported last month. This document has links to more information and full advisories on each. Includes: analogx-proxy-ftp-crash, analogx-proxy-pop3-crash, analogx-proxy-socks4-crash, roxen-null-char-url, wftpd-stat-info, bair-security-removal, roxen-admin-pw-readable, wftpd-stat-dos, wftpd-rest-dos, wftpd-mlst-dos, outlook-express-mail-browser-link, winamp-playlist-parser-bo, outlook-date-overflow, tomcat-error-path-reveal, tomcat-snoop-info, website-webfind-bo, alibaba-cgi-script-directory-listing, alibaba-get-dos, website-httpd32-bo, alibaba-script-file-overwrite, zeroport-weak-encryption, linux-usermode-dos, blackboard-courseinfo-dbase-modification, lsoft-listserv-querystring-bo, linux-nfsutils-remote-root, iis-absent-directory-dos, blackboard-courseinfo-plaintext, cvsweb-shell-access, webactive-long-get-dos, worldclient-dir-traverse, http-cgi-bigbrother-bbhostsvc, apache-source-asp-file-write, netware-port40193-dos, netscape-admin-server-password-disclosure, cisco-pix-firewall-tcp, mssql-manager-password, and minivend-viewpage-sample.
608bac3811e7784a7d30e0063ead0d9b6ab115e59950211ddd511b3ca2d93e8d
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Alert Summary
August 1, 2000
Volume 5 Number 7
X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To
receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
_____
Contents
37 Reported Vulnerabilities
- analogx-proxy-ftp-crash
- analogx-proxy-pop3-crash
- analogx-proxy-socks4-crash
- roxen-null-char-url
- wftpd-stat-info
- bair-security-removal
- roxen-admin-pw-readable
- wftpd-stat-dos
- wftpd-rest-dos
- wftpd-mlst-dos
- outlook-express-mail-browser-link
- winamp-playlist-parser-bo
- outlook-date-overflow
- tomcat-error-path-reveal
- tomcat-snoop-info
- website-webfind-bo
- alibaba-cgi-script-directory-listing
- alibaba-get-dos
- website-httpd32-bo
- alibaba-script-file-overwrite
- zeroport-weak-encryption
- linux-usermode-dos
- blackboard-courseinfo-dbase-modification
- lsoft-listserv-querystring-bo
- linux-nfsutils-remote-root
- iis-absent-directory-dos
- blackboard-courseinfo-plaintext
- cvsweb-shell-access
- webactive-long-get-dos
- worldclient-dir-traverse
- http-cgi-bigbrother-bbhostsvc
- apache-source-asp-file-write
- netware-port40193-dos
- netscape-admin-server-password-disclosure
- cisco-pix-firewall-tcp
- mssql-manager-password
- minivend-viewpage-sample
Risk Factor Key
_____
Date Reported: 7/25/00
Vulnerability: analogx-proxy-ftp-crash
Platforms Affected: AnalogX Proxy
Risk Factor: Low
Attack Type: Network Based
AnalogX Proxy is a proxy server that has the ability to proxy requests for many
different services. AnalogX Proxy is vulnerable to a denial of service attack
caused by a buffer overflow in the USER command. By sending an FTP USER command
containing 370 characters or more to TCP port 21, a remote attacker can
overflow the buffer and crash the service.
Reference:
Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at:
http://www.foundstone.com/FS-072500-7-ANA.txt
_____
Date Reported: 7/25/00
Vulnerability: analogx-proxy-pop3-crash
Platforms Affected: AnalogX Proxy
Risk Factor: Low
Attack Type: Network Based
AnalogX Proxy is a proxy server that has the ability to proxy requests for many
different services. AnalogX Proxy is vulnerable to a denial of service attack
caused by a buffer overflow in the USER command. By sending a POP3 USER command
containing 370 characters or more to TCP port 110, a remote attacker can
overflow the buffer and crash the service.
Reference:
Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at:
http://www.foundstone.com/FS-072500-7-ANA.txt
_____
Date Reported: 7/25/00
Vulnerability: analogx-proxy-socks4-crash
Platforms Affected: AnalogX Proxy
Risk Factor: Low
Attack Type: Network Based
AnalogX Proxy is a proxy server that has the ability to proxy requests for many
different services. AnalogX Proxy is vulnerable to a denial of service attack
caused by a buffer overflow in the CONNECT request. By sending a SOCKS4 CONNECT
request with a user ID field of 1800 characters or more to TCP port 1080, a
remote attacker can overflow the buffer and crash the service.
Reference:
Foundstone, Inc. Security Advisory: "AnalogX Proxy DoS" at:
http://www.foundstone.com/FS-072500-7-ANA.txt
_____
Date Reported: 7/22/00
Vulnerability: roxen-null-char-url
Platforms Affected: Roxen 2.0
Risk Factor: Medium
Attack Type: Network Based
Roxen is a platform that is used to develop and manage dynamic web sites. Roxen
2.0 could allow an attacker to view directory listings. By submitting a
specially-crafted URL containing null characters, a remote attacker can obtain
a directory listing the directories having index files. It may also be possible
for a remote attacker to read the source code of CGI files or obtain other
sensitive data.
Reference:
BugTraq Mailing List, Fri Jul 21 2000 21:53:34: "Roxen security alert: Problems
with URLs containing null characters." at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D76r98nc4m9.fsf@rimmer.idonex.se
_____
Date Reported: 7/21/00
Vulnerability: wftpd-stat-info
Platforms Affected: WFTPD 2.4.1
Risk Factor: Low
Attack Type: Network Based
WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker
can issue a STAT request while a file transfer is in progress to display the
path and file name on the server. The server must be restarted to regain
functionality before it can respond to any additional FTP requests.
Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11
vulnerabilities" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au
_____
Date Reported: 7/21/00
Vulnerability: bair-security-removal
Platforms Affected: BAIR
Risk Factor: Medium
Attack Type: Host Based
BAIR web filtering software includes a setting to block access to the Internet
Explorer options menu. However, a local attacker can modify the system registry
to access this options menu. An attacker can delete the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BAIR Secure to gain full
access to the Internet Explorer options menu. An attacker could use this to
bypass security and reconfigure Internet Explorer.
Reference:
BugTraq Mailing List, Fri Jul 21 2000 07:26:40: "More bad censorware" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D4.3.2.7.2.20000721222424.00b5b330@gatekeeper.cloudview.com
_____
Date Reported: 7/21/00
Vulnerability: roxen-admin-pw-readable
Platforms Affected: Roxen 2.0
Risk Factor: Medium
Attack Type: Network Based
Roxen 2.0 is a platform that is used to develop and manage dynamic web sites.
Roxen 2.0 stores the encrypted administrator password in a file that is
readable by any user. A remote attacker can access the
/usr/local/roxen/configurations/_configinterface/settings/administrator_uid
file to obtain the encrypted web admin password. A remote attacker can retrieve
the encrypted password, and then decrypt it, to gain full access to the web
server.
Reference:
BugTraq Mailing List, Thu Jul 20 2000 23:48:18: "Roxen Web Server
Vulnerability" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D20000721074818.A10870@sdf.freeshell.org
_____
Date Reported: 7/21/00
Vulnerability: wftpd-stat-dos
Platforms Affected: WFTPD 2.4.1
Risk Factor: Medium
Attack Type: Network Based
WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker
can issue a STAT command at the same time that a LIST is in progress to crash
the FTP server. The server must be restarted to regain funtionality before it
can respond to any additional FTP requests.
Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11
vulnerabilities" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au
_____
Date Reported: 7/21/00
Vulnerability: wftpd-rest-dos
Platforms Affected: WFTPD 2.4.1
Risk Factor: Medium
Attack Type: Network Based
WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker
can issue a REST command to write past a file that does not exist, or past the
end of an existing file, to crash the FTP server. The server must be restarted
to regain functionality before it can respond to any additional FTP requests.
Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11
vulnerabilities" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au
_____
Date Reported: 7/21/00
Vulnerability: wftpd-mlst-dos
Platforms Affected: WFTPD 2.4.1
Risk Factor: Medium
Attack Type: Network Based
WFTPD FTP server is vulnerable to a denial of service attack. A remote attacker
can issue a MLST command before logging in and issuing a password (with the
USER and PASS commands) to crash the server. The server must be restarted to
regain functionality before it can respond to any additional FTP requests.
Reference:
BugTraq Mailing List, Fri Jul 21 2000 20:46:14: "WFTPD/WFTPD Pro 2.41 RC11
vulnerabilities" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D200007210829.SAA01763@mailman.zeta.org.au
_____
Date Reported: 7/20/00
Vulnerability: outlook-express-mail-browser-link
Platforms Affected: Microsoft Outlook Express (4.0 - 5.1)
Risk Factor: Low
Attack Type: Network Based
Microsoft Outlook Express versions 4.0 through 5.1 could allow a remote
attacker to view a user's email messages. In Outlook Express, an email message
can contain a link to open a separate browser window that refers back to (or
"reads") the open email message. A vulnerability in Outlook Express could
allow an attacker to make this browser window permanently refer back to the
open email message, until the user closes the browser window or exits Outlook
Express. Attackers could use this to send a message that would allow them to
view the recipient's subsequent email messages displayed in the preview pane."
Reference:
Microsoft Security Bulletin MS00-045: "Patch Available for 'Persistent
Mail-Browser Link' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/MS00-045.asp
_____
Date Reported: 7/20/00
Vulnerability: winamp-playlist-parser-bo
Platforms Affected: Winamp 2.10
Risk Factor: Medium
Attack Type: Network Based
Winamp is a high-fidelity music player for Windows 95/98/NT. By loading a
specially crafted M3U file with a #EXTINF: variable of 280 characters or more
on a user's computer, a remote attacker can overflow the buffer and execute
arbitrary code on the system.
References:
BugTraq Mailing List, Fri Jul 21 2000 02:23:53: "Re: Winamp M3U playlist parser
buffer overflow security vulnerability" at:
http://securityfocus.com/templates/archive.pike?list=1&msg=OFC40D0B40.4D3E7C9E-ONC1256923.0022766E@mn.man.de
BugTraq Mailing List, Thu Jul 20 2000 11:52:56: "Winamp M3U playlist parser
buffer overflow security vulnerability" at:
http://securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3DLAW-F83FV4TJvGa1hXE000013d0@hotmail.com
_____
Date Reported: 7/19/00
Vulnerability: outlook-date-overflow
Platforms Affected: Outlook Express (4.0, 5.0)
Microsoft Outlook (97, 98, 2000)
Risk Factor: High
Attack Type: Network Based
Microsoft Outlook and Outlook Express are vulnerable to a buffer overflow in
the the inetcomm.dll component shared by the programs, which could allow a
remote attacker to execute arbitrary code on your system. By sending an email
message using either the POP3 or IMAP4 protocols with a date header value of
excessive length, a remote attacker can overflow a buffer and execute arbitrary
code on your system. The malicious email can begin executing code when it is
retrieved by the server, before the user previews or opens the message. Users
that only retrieve mail using MAPI (Microsoft Messaging API), including
Microsoft Exchange users, are not affected by this vulnerability.
References:
Microsoft Security Bulletin MS00-043: "Patch Available for 'Malformed E-mail
Header' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/MS00-043.asp
Internet Security Systems Security Alert #57: "Buffer Overflow in Microsoft
Outlook and Outlook Express Mail Clients" at:
http://xforce.iss.net/alerts/advise57.php
_____
Date Reported: 7/19/00
Vulnerability: tomcat-error-path-reveal
Platforms Affected: Jakarta Tomcat
Risk Factor: Low
Attack Type: Network/Host Based
Jakarta Tomcat reveals sensitive path information. Jakarta Tomcat is a Java
application server used with Apache web servers to support Java Servlet Pages
(JSP) and Java servlets. When a user requests the URL of a filename that is not
found, the program returns an error message that provides the physical path to
the web directory that was contained in the request. An attacker could use this
to gain information about the file structure of the web server that would be
helpful in an attack.
Reference:
BugTraq Mailing List, Wed, 19 Jul 2000 06:45:13: "[LoWNOISE] Tomcat 3.1 Path
Revealing Problem." at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719184401.17782A-100000@grex.cyberspace.org
_____
Date Reported: 7/19/00
Vulnerability: tomcat-snoop-info
Platforms Affected: Jakarta Tomcat
Risk Factor: Low
Attack Type: Netowrk/Host Based
Jakarta Tomcat snoop servlet reveals sensitive information about the web
server. Jakarta Tomcat is a Java application server used with Apache web
servers to support Java Servlet Pages (JSP) and Java servlets. When a user
requests the snoop servlet, the program returns detailed information about the
web server, including the physical path to the web directory and the web server
operating system and software version. An attacker could use this to gain
information about the web server that would be helpful in an attack.
Reference:
BugTraq Mailing List, Wed Jul 19 2000 11:56:21: "[LoWNOISE] Snoop Servlet
(Tomcat 3.1 and 3.0)" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3DPine.SUN.3.96.1000719235404.24004A-100000@grex.cyberspace.org
_____
Date Reported: 7/19/00
Vulnerability: website-webfind-bo
Platforms Affected: WebSite Professional (2.3.18, 2.4, 2.4.9)
Risk Factor: High
Attack Type: Network Based
O'Reilly WebSite Professional 2.3.18, 2.4, and 2.4.9 is vulnerable to a buffer
overflow in the webfind.exe search utility. By entering a long request to the
keywords string, a remote attacker can overflow the buffer and execute
arbitrary code on the system.
Reference:
O'Reilly Software: "WebSite Professional 2.x Updates" at:
http://website.oreilly.com/support/software/wsp2x_updates.cfm
_____
Date Reported: 7/18/00
Vulnerability: alibaba-cgi-script-directory-listing
Platforms Affected: Alibaba 2.0
Risk Factor: Low
Attack Type: Network Based
The Alibaba web server could allow a remote attacker to view directory
listings. Many of the .exe scripts in the cgi-bin directory allow a user to
send a specially-crafted URL to the server and obtain a directory listing of
any directory on the server.
Reference:
BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org
_____
Date Reported: 7/18/00
Vulnerability: alibaba-get-dos
Platforms Affected: Alibaba 2.0
Risk Factor: Medium
Attack Type: Network Based
The Alibaba web server is vulnerable to a denial of service, caused by a buffer
overflow. A remote attacker can send an abnormally long GET request to the
server to overflow a buffer and shut down the server. The web server must be
restarted to regain functionality.
Reference:
BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org
_____
Date Reported: 7/18/00
Vulnerability: website-httpd32-bo
Platforms Affected: WebSite Professional 2.4
Risk Factor: Medium
Attack Type: Network Based
OReilly WebSite Professional 2.4 is vulnerable to a buffer overflow in the
httpd32.exe program. By submitting a long GET request or long Referer client
header, a remote attacker can overflow a buffer and execute arbitrary code on
the system.
References:
Cerberus Information Security Advisory CISADV000717: "Website Pro GET buffer
overflow" at: http://www.cerberus-infosec.co.uk/advisories.html
O'Reilly Software: "WebSite Professional 2.x Updates" at:
http://website.oreilly.com/support/software/wsp2x_updates.cfm
_____
Date Reported: 7/18/00
Vulnerability: alibaba-script-file-overwrite
Platforms Affected: Alibaba 2.0
Risk Factor: High
Attack Type: Network Based
The Alibaba web server could allow a remote attacker to overwrite files. Many
of the .exe scripts in the cgi-bin directory allow a user to send a
specially-crafted URL to the server and overwrite any file on the system.
Reference:
BugTraq Mailing List, Mon Jul 17 2000 16:33:16: "Multiple bugs in Alibaba 2.0"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200007181533.IAA21707@Rage.Resentment.org
_____
Date Reported: 7/18/00
Vulnerability: zeroport-weak-encryption
Platforms Affected: NetZero ZeroPort 3.0
Risk Factor: High
Attack Type: Host Based
NetZero, a free Internet service provider, uses a program called ZeroPort to
establish a connection and authenticate the user. NetZero ZeroPort 3.0 and
earlier uses weak encryption to store the user's password in the id.dat text
file. An attacker with access to this file can decrypt the username and
password using a substitution cipher. L0pht released the encryption algorithm
used by ZeroPort, making it available to the public.
Reference:
L0pht Research Labs Security Advisory 07.18.2000: "NetZero Password Encryption
Algorithm" at: http://www.l0pht.com/advisories/netzero.txt
_____
Date Reported: 7/17/00
Vulnerability: linux-usermode-dos
Platforms Affected: Linux-Mandrake 7.1
Risk Factor: Low
Attack Type: Host Based
The usermode package in Linux-Mandrake 7.1 could allow a local user without
root access to reboot the machine or crash the server. The files that give
users access to reboot, shutdown, halt, and poweroff the system all are
affected.
Reference:
BugTraq Mailing List, Mon Jul 17 2000 23:09:37: "MDKSA-2000:020 usermode
update" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26msg%3D20000718130936.S29595@mandrakesoft.com
_____
Date Reported: 7/17/00
Vulnerability: blackboard-courseinfo-dbase-modification
Platforms Affected: Blackboard CourseInfo 4.0
Risk Factor: Medium
Attack Type: Network/Host Based
Blackboard CourseInfo 4.0 course management software could allow any user who
has a valid account to make modifications to the database. An attacker can
enter custom form values through any perl script located in /bin and its
subdirectories to change other user's passwords or assign elevated security
privileges.
Reference:
BugTraq Mailing List, Tue Jul 18 2000 06:59:57: "Blackboard Courseinfo v4.0
User Authentication" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3DNDBBJCMNOLEKOCMECKFHCEPMCGAA.amini@eecs.tulane.edu
BugTraq Mailing List, Wed Jul 19 2000 00:19:04: "Security Fix for Blackboard
CourseInfo 4.0" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000719151904.I17986@securityfocus.com
_____
Date Reported: 7/17/00
Vulnerability: lsoft-listserv-querystring-bo
Platforms Affected: Listserv
Risk Factor: High
Attack Type: Network Based
L-Soft LISTSERV is a system that creates, manages, and controls electronic
mailing listson a corporate network. L-Soft LISTSERV is vulnerable to a
buffer overflow in the web archive component. By sending a long query string to
wa or wa.exe, a remote attacker can overflow the buffer and execute arbitrary
code on the system with privileges of the LISTSERV daemon.
References:
Network Associates, Inc. Security Advisory #43: "LISTSERV Web Archive Remote
Overflow" at: http://www.nai.com/nai_labs/asp_set/advisory/43_Advisory.asp
L-Soft Security Advisory #1 17 July 2000: "THE 2000b LEVEL SET" at:
http://www.lsoft.com/news/default.asp?item=Advisory1
_____
Date Reported: 7/15/00
Vulnerability: linux-nfsutils-remote-root
Platforms Affected: Red Hat Linux (6.0, 6.1, 6.2)
Debian Linux (2.2, 2.3)
Mandrake Linux (7.0, 7.1)
Risk Factor: High
Attack Type: Network Based
The nfs-utils package in many Linux distributions could allow a remote attacker
to gain root acess. The rpc.statd program included with nfs-utils is vulnerable
to root compromise.
References:
Red Hat, Inc. Security Advisory RHSA-2000:043-03: "Updated package for
nfs-utils available" at:
http://www.redhat.com/support/errata/RHSA-2000-043-03.html
Caldera Systems, Inc. Security Advisory CSSA-2000-025.0: "rpc.statd is not a
problem on OpenLinux" at:
http://www.calderasystems.com/support/security/advisories/CSSA-2000-025.0.txt
Debian Security Advisory: "nfs-common (from nfs-utils)" at:
http://www.debian.org/security/2000/20000719a
_____
Date Reported: 7/14/00
Vulnerability: iis-absent-directory-dos
Platforms Affected: IIS 3.0
Risk Factor: Low
Attack Type: Network/Host Based
Microsoft Internet Information Server (IIS) is vulnerable to a denial of
service attack. An administrative script installed with IIS 3.0 enters an
infinite loop if an expected argument is missing. An attacker can use this to
consume all CPU resources on the server. IIS 4.0 and 5.0 are only vulnerable if
version 3.0 was previously installed on the system.
Reference:
Microsoft Security Bulletin MS00-044: ""Patch Available for ""Absent Directory
Browser Argument"" Vulnerability"" at:
http://www.microsoft.com/TechNet/security/bulletin/MS00-044.asp
ISBASE Security Advisory (SA2000-02): "IIS ISM.DLL truncation exposes file
content" at:
http://securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D2412
_____
Date Reported: 7/14/00
Vulnerability: blackboard-courseinfo-plaintext
Platforms Affected: Blackboard CourseInfo 4.0
Risk Factor: High
Attack Type: Network/Host Based
Blackboard CourseInfo 4.0 course management software stores the local
administrator username and password in plaintext in the registry. An attacker
can use this username and password to connect to the server and access critical
system information.
Reference:
NTBugtraq Mailing List, Mon, 10 Jul 2000 08:43:21 -0500: "Blackboard CourseInfo
4.0 stores admin password in clear text" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0007&L=NTBUGTRAQ&P=R1647
_____
Date Reported: 7/14/00
Vulnerability: cvsweb-shell-access
Platforms Affected: CVSWeb 1.85
Risk Factor: High
Attack Type: Network/Host Based
The CVSWeb package version 1.85 and earlier could allow a remote user with
commit access to a CVS repository to cause the CGI program to execute arbitrary
commands. The Perl code in the cvsweb.cgi program invokes an open() call
insecurely. An attacker can create a file name containing shell metacharacters
to execute the shell code on the system. A user with commit access, but who
does not have shell access to the CVS repository, can use this vulnerability to
gain shell access.
References:
Linux-Mandrake Security Update Advisory MDKSA-2000:019: "SECURITY UPDATE:
cvsweb" at: http://www.linux-mandrake.com/en/fupdates.php3#7.1
Debian Security Advisory 20000719b: "cvsweb: unauthorized remote code
execution" at: http://www.debian.org/security/2000/20000719b
BugTraq Mailing List, Tue Jul 11 2000 23:34:27: "cvsweb: remote shell for cvs
committers" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000712143427.H15253@kitenet.net
_____
Date Reported: 7/13/00
Vulnerability: gatekeeper-long-string-bo
Platforms Affected: Proxy-Pro GateKeeper 3.6
Risk Factor: Medium
Attack Type: Network Based
Proxy-Pro GateKeeper proxy server 3.6 and earlier is vulnerable to a buffer
overflow. By sending a long string containing over 4096 characters to port 2000
on the server, a remote attacker can overflow a buffer and execute arbitrary
code or crash the server. The server must be restarted to regain functionality.
Reference:
BugTraq Mailing List, Thu Jul 13 2000 11:48:01: "The MDMA Crew's GateKeeper
Exploit" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D00af01bfece2%24a52cbd80%24367e1ec4@kungphusion
_____
Date Reported: 7/12/00
Vulnerability: webactive-long-get-dos
Platforms Affected: ITAfrica WEBactive 1.0
Risk Factor: Low
Attack Type: Network Based
ITAfrica WEBactive 1.0 HTTP Server is vulnerable to a denial of service, caused
by a buffer overflow. By requesting a URL containing more than 280 characters,
a remote attacker can overflow a buffer and crash the server.
Reference:
BugTraq Mailing List, Wed Jul 12 2000 09:27:38: "Lame DoS in WEBactive win65/NT
server" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-15%26thread%3D200007130827.BAA32671@Rage.Resentment.org
_____
Date Reported: 7/12/00
Vulnerability: worldclient-dir-traverse
Platforms Affected: Deerfield WorldClient 2.1
Risk Factor: High
Attack Type: Network Based
Deerfield WorldClient 2.1 could allow a remote user to traverse directories on
the server. WorldClient a server for providing web-based access to email
accounts. A remote attacker can traverse directories on the server by
requesting a specially-crated URL containing "dot dot" (/../) sequences. An
attacker can use this to download any file on the system if the attacker knows
or could guess the name of the file.
Reference:
BugTraq Mailing List, Wed Jul 12 2000 04:16:57:
"Infosec.20000712.worldclient.2.1" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D4125691A.00387C3A.00@guardianit.se
_____
Date Reported: 7/11/00
Vulnerability: http-cgi-bigbrother-bbhostsvc
Platforms Affected: Big Brother
Risk Factor: Medium
Attack Type: Network Based
Big Brother is a Unix-based distributed network monitoring package that allows
network administrators to view the status of networks and machines from a web
browser. Due to a vulnerability in the host services ("bb-hostsvc.sh") CGI
program, a remote attacker could view directory and file contents on a Big
Brother server.
Reference:
BugTraq Mailing List, Mon Jul 10 2000 19:10:28: "REMOTE EXPLOIT IN ALL CURRENT
VERSIONS OF BIG BROTHER" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=00071110152805.00679@sj-soc-wks1.priv.nuasis.com
_____
Date Reported: 7/11/00
Vulnerability: apache-source-asp-file-write
Platforms Affected: Apache
Risk Factor: Medium
Attack Type: Network/Host Based
Apache web server could allow remote attackers to write to files on the web
server. Due to a vulnerability in the source.asp file, an attacker can write to
files that are in the same directory as the source.asp sample file.
Reference:
BugTraq Mailing List, Mon Jul 10 2000 19:38:56: "ANNOUNCE Apache::ASP v1.95 -
Security Hole Fixed" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D20000711033856.17708.qmail@securityfocus.com
_____
Date Reported: 7/11/00
Vulnerability: netware-port40193-dos
Platforms Affected: Novell NetWare 5.0
Risk Factor: Medium
Attack Type: Network Based
Novell NetWare 5.0 is vulnerable to a denial of service attack. A remote
attacker can send packets of random data to port 40193 of the NetWare server to
crash the server. The server must be restarted to resume normal operation.
Reference:
BugTraq Mailing List, Tue Jul 11 2000 09:26:56: "Remote Denial Of Service --
NetWare 5.0 with SP 5" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26msg%3D000501bfeab5%249330c3d0%24d801a8c0@dimuthu.baysidegrp.com.au
_____
Date Reported: 7/11/00
Vulnerability: netscape-admin-server-password-disclosure
Platforms Affected: Netscape SuiteSpot
Risk Factor: Medium
Attack Type: Network/Host Based
Netscape SuiteSpot web server suite default installation includes the Netscape
Administration Server, which contains the Java and JavaScript forms used to
configure the SuiteSpot servers. The encrypted administrative password is
stored in the admpw file, in a readable local directory on the the SuiteSpot
server. An attacker could retrieve this file, and then decrypt the password to
gain full access to the administration server console.
Reference:
BugTraq Mailing List, Tue Jul 11 2000 10:46:22: "Security Advisory (
netscape.ad.00-07 ) : Netscape Administration Server Password Disclosure" at:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-8%26msg%3D00071122473300.00796@ninja
_____
Date Reported: 7/11/00
Vulnerability: cisco-pix-firewall-tcp
Platforms Affected: Cisco Secure PIX Firewall 5.1(1)
Risk Factor: High
Attack Type: Network Based
Cisco Secure PIX Firewall version 5.1(1) and earlier could allow a remote
attacker to terminate an established TCP/IP connection. The Secure PIX Firewall
cannot distinguish between a forged TCP Reset packet and a genuine TCP Reset
packet, if the source IP address, source port, destination IP address, and
destination port are correct.
Reference:
Cisco Systems Field Notice, July 11, 2000: "Cisco Secure PIX Firewall TCP Reset
Vulnerability" at: http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
_____
Date Reported: 7/11/00
Vulnerability: mssql-manager-password
Platforms Affected: Microsoft SQL Server 7.0
Risk Factor: High
Attack Type: Host Based
Microsoft SQL Server 7.0 Enterprise Manager could allow a local user to a
username and password for the server. If a SQL Server is registered under
Enterprise Manager with a username and password instead of with Windows
Authentication, the password is stored in the Registered Server Properties
dialog box, hidden with asterisks. However, an attacker could use an available
utility to reveal the actual password.
Reference:
Microsoft Security Bulletin MS00-041: ""Patch Available for ""DTS Password""
Vulnerability"" at:
http://www.microsoft.com/technet/security/bulletin/ms00-041.asp
_____
Date Reported: 7/10/00
Vulnerability: minivend-viewpage-sample
Platforms Affected: MiniVend
Risk Factor: High
Attack Type: Network Based
MiniVend is a free, Perl-based web shopping cart system for Unix systems. An
insecure open() call in the MiniVend UTIL.PM module could allow remote
attackers to execute arbitrary commands, if they have access to the
VIEW_PAGE.HTML sample file. This vulnerability affects users who have installed
the "simple" catalog that ships with MiniVend as a sample.
Reference:
ZDNet News: "How a cracker defeated 'Hackopen'" at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2600258,00.html
_____
Risk Factor Key:
High Any vulnerability that provides an attacker with immediate
access into a machine, gains superuser access, or bypasses
a firewall. Example: A vulnerable Sendmail 8.6.5 version
that allows an intruder to execute commands on mail
server.
Medium Any vulnerability that provides information that has a
high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server
that allows an intruder to get the password file that
could contain an account with a guessable password.
Low Any vulnerability that provides information that
potentially could lead to a compromise. Example: A
finger that allows an intruder to find out who is online
and potential accounts to attempt to crack passwords
via brute force methods.
_____
Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.
About Internet Security Systems
Internet Security Systems (ISS) is the leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite* security software, ePatrol* remote managed security services,
and strategic consulting and education offerings, ISS is a trusted
security provider to its customers and partners, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security management
solutions protect more than 5,500 customers worldwide including 21 of the
25 largest U.S. commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin
America and the Middle East. For more information, visit the Internet
Security Systems web site at www.iss.net <http://www.iss.net> or call
888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBOYizcDRfJiV99eG9AQFAowP9ENtJEYB5dLHco2/Yq6Z9NNDnbSJLjGbh
cDRpnzZZGq451wYxXXYcldVptJ0SSJp5rkT1+VOHT4gHasHfIDtEC9Y6ROcyjltg
TA67ej/KCXaVfqsptyg9JMl1DPMalP9qZbSaLn+YsWPXYjDbKfZvDV/1eJ80i3ou
EesO57LGbuk=
=tGKp
-----END PGP SIGNATURE-----