what you don't know can hurt you

841713.html

841713.html
Posted Oct 27, 2004
Site uniras.gov.uk

NISCC Vulnerability Advisory 841713/Hummingbird - The first issue with Hummingbird Inetd32 allows a user to run an application in the context of the Local System user. The second issue is a buffer overflow in XCWD that causes a denial of service condition and requires valid user credentials to invoke.

tags | advisory, denial of service, overflow, local
MD5 | 758be0c78f2e3a84328ca516b5afa8e2

841713.html

Change Mirror Download
<html>

<head>
<title>NISCC Vulnerability Advisory 841713</title>
</head>

<body bgcolor="#FFFFCC" lang=EN-GB link=blue vlink=blue style='tab-interval:
36.0pt'>

<div class=Section1>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:Verdana'><br>
</span><b><span style='font-size:13.5pt;font-family:Verdana;color:red'><u4:p></u4:p>NISCC Vulnerability Advisory 841713/Hummingbird</span></b><span
style='font-size:13.5pt;font-family:Verdana'><br>
<br>
<b>Vulnerability Issues in ICMP packets with TCP payloads</b></span><span
style='font-family:Verdana'><br>
<br>
<br>
<b>Version Information</b> <u4:p></u4:p></span></p>

<table class=MsoNormalTable border=1 cellpadding=0 width="61%"
style='width:61.0%;mso-cellspacing:1.5pt;mso-padding-alt:0cm 5.4pt 0cm 5.4pt'>
<tr style='mso-yfti-irow:0'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Advisory Reference<u4:p></u4:p></span></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>841713/Hummingbird</span><span
style='mso-bidi-font-size:10.0pt;font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
<tr style='mso-yfti-irow:1'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Release Date<u4:p></u4:p></span><u3:p></u3:p></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><st1:date Month="9" Day="17" Year="2004"><span
style='font-family:Verdana'>26 October 2004</span></st1:date></p>
</td>
</tr>
<u4:p></u4:p>
<tr style='mso-yfti-irow:2'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Last Revision<u4:p></u4:p></span><u3:p></u3:p></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><st1:date Month="9" Day="8" Year="2004"><span
style='font-family:Verdana'>19 October 2004</span></st1:date></p>
</td>
</tr>
<u4:p></u4:p>
<tr style='mso-yfti-irow:3;mso-yfti-lastrow:yes'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Version Number<u4:p></u4:p></span></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>1.0</span></p>
</td>
</tr>
</table>

<p class=MsoNormal>&nbsp
<br>
<b style='mso-bidi-font-weight:normal'><span style='font-family:Verdana'>What
is Affected?<o:p></o:p></span><u4:p></u4:p></b></p>

<p class=MsoNormal><span style='font-family:Verdana'>
These issues were found during testing of Hummingbird Connectivity 7.1 but has been
reproduced on version 9.0 (default install). The host operating systems were Windows
2000 Professional SP2 and Windows 2000 Advanced Server SP4 + all current HotFixes.<o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'>
<br>
<b><span style='font-family:Verdana'>Severity</span></b><br>
<br>
<span style='font-family:Verdana'>The issue with Hummingbird Inetd32 allows a user to run an application in the context
of the Local System user. The second issue, the buffer overflow in XCWD is a
denial-of-service condition that requires valid user credentials to invoke.<o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'>
<br>
<b><span style='font-family:Verdana'>Summary</span></b><br>
<br>
<span style='font-family:Verdana'>Hummingbird Inetd32 provides a number of network services including FTP, TFTP and
Telnet. Any user can enable and disable services, and crucially, change the
executables that run when the service receives a connection. These applications run
in the security context of the Local System user.
<o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>Additionally, the FTP service contains a buffer overrun in the XCWD command handler.<u1:p></u1:p></span></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
<br>
<b>Details</b></span><br>
<span style='font-family:Verdana'><br>

<p class=MsoNormal style='text-align:justify'><i style='mso-bidi-font-style:
normal'><span style='font-family:Verdana'>NISCC/841713/Hummingbird/1
<br>
CVE number: No match<o:p></o:p></span></i></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>The Hummingbird Inetd32 administration tool allows a user to configure which services
under Inetd are enabled, which ports they listen on, and interestingly, which
executables run when a connection is received. By simply replacing the normal daemon
with a command of our choice, that command is run as Local System.<o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'><i style='mso-bidi-font-style:
normal'><span style='font-family:Verdana'>NISCC/841713/Hummingbird/2
<br>
CVE number: No match<o:p></o:p></span></i></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>The FTP service contains a buffer overrun in the XCWD command handler, which can be
triggered by a directory name of between between 256 and 259 characters.<o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'><u4:p><span
style='mso-spacerun:yes'> </span>
<br>
<b><span style='font-family:Verdana'>Mitigation</span></b><br>
<br>
<span style='font-family:Verdana'>Hummingbird users are advised to apply the patches available from Hummingbird.
</span><o:p></o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt;text-align:justify'><br>
<b><span style='font-family:Verdana'>Solution</span></b><br>
<br>
<span style='font-family:Verdana'>Hummingbird have produced patches to address the issues noted in this advisory.
Customers who require the patches should either contact their local Hummingbird
support centre, details available from <a href="http://connectivity.hummingbird.com/support/nc/contact.html">
http://connectivity.hummingbird.com/support/nc/contact.html</a>.
<p>
Or, customers who have a valid maintenance contract can register for web support and
download patches from there: <br>
<a href="http://connectivity.hummingbird.com/support/nc/request.html">http://connectivity.hummingbird.com/support/nc/request.html</a>.
</span></p>

<p class=MsoNormal style='text-align:justify'>
<br>
<b><span style='font-family:Verdana'>Vendor Information</span></b><span
style='font-family:Verdana'> </span><o:p></o:p></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>Hummingbird Ltd. was initially founded in 1984 as a consulting business. They are headquartered in Toronto, Canada and operates from 40 offices in Canada, the United States, Australia, France, Germany, Italy, Japan, Korea, Netherlands, Singapore, Sweden, Switzerland, and the United Kingdom.
<p>
For more detail, please visit their webiste: <a href="http://www.hummingbird.com/index.html?cks=y">http://www.hummingbird.com/index.html?cks=y</a>.<o:p></o:p></span></p>

<u1:p></u1:p>

<br>
<b><span style='font-family:Verdana'>Acknowledgements</b><br>
<br>
<span style='font-family:Verdana'>This issue was discovered by the CESG Network Defence Team, who reported the issue to NISCC. The NISCC vulnerability team would also like to thank Hummingbird for their
co-operation in handling this vulnerability.
<br>
<br><br>
<p class=MsoNormal style='text-align:justify'><b><span style='font-family:Verdana'>Contact
Information<u4:p></u4:p></span></b></p>

<p class=MsoNormal style='text-align:justify'>
<span style='font-family:Verdana'>The NISCC Vulnerability Management Team can
be contacted as follows:<u3:p></u3:p><o:p></o:p></span></p>

<table class=MsoNormalTable border=1 cellspacing=3 cellpadding=0 width="87%"
style='width:87.0%;mso-cellspacing:2.2pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt'>
<tr style='mso-yfti-irow:0'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Email<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'><a
href="mailto:vulteam@niscc.gov.uk">vulteam@niscc.gov.uk</a> <br>
<i>(Please quote the advisory reference in the subject line.)</i><u4:p></u4:p></span></p>
</td>
</tr>
<tr style='mso-yfti-irow:1'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Telephone<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>+44 (0)870 487 0748
Extension 4511 <br>
<i>(Monday to Friday </i></span><st1:time Minute="30" Hour="8"><i><span
style='font-family:Verdana'>08:30 - 17:00</span></i></st1:time><i><span
style='font-family:Verdana'>)<u4:p></u4:p></span></i></p>
</td>
</tr>
<tr style='mso-yfti-irow:2'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Fax<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>+44 (0)870 487 0749</span><span
style='mso-bidi-font-size:10.0pt;font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
<tr style='mso-yfti-irow:3;mso-yfti-lastrow:yes'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Post<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Vulnerability Management
Team<br>
NISCC<br>
</span><st1:address><st1:Street><span style='font-family:Verdana'>PO Box 832</span></st1:Street><span
style='font-family:Verdana'><br>
</span><st1:City><span style='font-family:Verdana'>London</span></st1:City><span
style='font-family:Verdana'><br>
</span><st1:PostalCode><span style='font-family:Verdana'>SW1P 1BG<u4:p></u4:p></span></st1:PostalCode></st1:address><span
style='font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
</table>

<p class=MsoNormal style='text-align:justify'>
<span style='font-family:Verdana'>We encourage those who wish to communicate
via email to make use of our PGP key. This is available from <a
href="http://www.uniras.gov.uk/UNIRAS.asc">http://www.uniras.gov.uk/UNIRAS.asc</a>.<u4:p></u4:p></span></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
Please note that </span><st1:country-region><st1:place><span style='font-family:
Verdana'>UK</span></st1:place></st1:country-region><span style='font-family:
Verdana'> government protectively marked material should not be sent to the
email address above.<u4:p></u4:p></span></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
If you wish to be added to our email distribution list, please email your
request to <a href="mailto:uniras@niscc.gov.uk">uniras@niscc.gov.uk</a>.<o:p></o:p></span></p>

<br>

<p class=MsoNormal>
<b style='mso-bidi-font-weight:normal'><span style='font-family:Verdana'>What
is NISCC?<o:p></o:p></span><u4:p></u4:p></b></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
For further information regarding the UK National Infrastructure Security
Co-Ordination Centre, please visit the NISCC web site at: <a
href="http://www.niscc.gov.uk/aboutniscc/index.htm">http://www.niscc.gov.uk/aboutniscc/index.htm</a><u4:p></u4:p><o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
Reference to any specific commercial product, process or service by trade name,
trademark manufacturer or otherwise, does not constitute or imply its endorsement,
recommendation, or favouring by NISCC. The views and opinions of authors
expressed within this notice shall not be used for advertising or product
endorsement purposes.<u4:p></u4:p><o:p></o:p></span></p>

<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
Neither shall NISCC accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this notice.<u4:p></u4:p><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:Verdana'>
© 2004 Crown Copyright<u4:p></u4:p><o:p></o:p></span></p>

<br>
<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:Verdana'><u4:p></u4:p><u1:p></u1:p>Revision History<u4:p></u4:p><o:p></o:p></span></b><u3:p></u3:p></p>

<table class=MsoNormalTable border=0 cellpadding=0 width="100%"
style='width:100.0%;mso-cellspacing:1.5pt;mso-padding-alt:0cm 5.4pt 0cm 5.4pt'>
<tr style='mso-yfti-irow:0;mso-yfti-lastrow:yes'>
<td width="22%" style='width:22.84%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><st1:date Year="2004" Day="8" Month="9"><span
style='font-size:10.0pt;font-family:Verdana'>October 26, 2004</span></st1:date><span
style='font-size:6.0pt;font-family:Verdana'>: </span><span style='font-family:
Verdana'><o:p></o:p></span></p>
</td>
<u4:p></u4:p>
<td width="76%" style='width:76.44%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Verdana'>Initial
release (1.0)</span><span style='font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
<u4:p></u4:p>
</table>

<p class=MsoNormal><span style='font-family:Verdana'><br>
<End of NISCC Vulnerability Advisory><u4:p></u4:p></span></p>

</div>

</div>

</body>

</html>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close