NISCC Vulnerability Advisory 841713/Hummingbird - The first issue with Hummingbird Inetd32 allows a user to run an application in the context of the Local System user. The second issue is a buffer overflow in XCWD that causes a denial of service condition and requires valid user credentials to invoke.
917086275ba1d2c89ca5afe883b49b9b4c8f189b32333a5e8b203194a8ba074c<html>
<head>
<title>NISCC Vulnerability Advisory 841713</title>
</head>
<body bgcolor="#FFFFCC" lang=EN-GB link=blue vlink=blue style='tab-interval:
36.0pt'>
<div class=Section1>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:Verdana'><br>
</span><b><span style='font-size:13.5pt;font-family:Verdana;color:red'><u4:p></u4:p>NISCC Vulnerability Advisory 841713/Hummingbird</span></b><span
style='font-size:13.5pt;font-family:Verdana'><br>
<br>
<b>Vulnerability Issues in ICMP packets with TCP payloads</b></span><span
style='font-family:Verdana'><br>
<br>
<br>
<b>Version Information</b> <u4:p></u4:p></span></p>
<table class=MsoNormalTable border=1 cellpadding=0 width="61%"
style='width:61.0%;mso-cellspacing:1.5pt;mso-padding-alt:0cm 5.4pt 0cm 5.4pt'>
<tr style='mso-yfti-irow:0'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Advisory Reference<u4:p></u4:p></span></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>841713/Hummingbird</span><span
style='mso-bidi-font-size:10.0pt;font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
<tr style='mso-yfti-irow:1'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Release Date<u4:p></u4:p></span><u3:p></u3:p></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><st1:date Month="9" Day="17" Year="2004"><span
style='font-family:Verdana'>26 October 2004</span></st1:date></p>
</td>
</tr>
<u4:p></u4:p>
<tr style='mso-yfti-irow:2'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Last Revision<u4:p></u4:p></span><u3:p></u3:p></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><st1:date Month="9" Day="8" Year="2004"><span
style='font-family:Verdana'>19 October 2004</span></st1:date></p>
</td>
</tr>
<u4:p></u4:p>
<tr style='mso-yfti-irow:3;mso-yfti-lastrow:yes'>
<td width="58%" style='width:58.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Version Number<u4:p></u4:p></span></p>
</td>
<td width="77%" style='width:77.0%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>1.0</span></p>
</td>
</tr>
</table>
<p class=MsoNormal> 
<br>
<b style='mso-bidi-font-weight:normal'><span style='font-family:Verdana'>What
is Affected?<o:p></o:p></span><u4:p></u4:p></b></p>
<p class=MsoNormal><span style='font-family:Verdana'>
These issues were found during testing of Hummingbird Connectivity 7.1 but has been
reproduced on version 9.0 (default install). The host operating systems were Windows
2000 Professional SP2 and Windows 2000 Advanced Server SP4 + all current HotFixes.<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'>
<br>
<b><span style='font-family:Verdana'>Severity</span></b><br>
<br>
<span style='font-family:Verdana'>The issue with Hummingbird Inetd32 allows a user to run an application in the context
of the Local System user. The second issue, the buffer overflow in XCWD is a
denial-of-service condition that requires valid user credentials to invoke.<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'>
<br>
<b><span style='font-family:Verdana'>Summary</span></b><br>
<br>
<span style='font-family:Verdana'>Hummingbird Inetd32 provides a number of network services including FTP, TFTP and
Telnet. Any user can enable and disable services, and crucially, change the
executables that run when the service receives a connection. These applications run
in the security context of the Local System user.
<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>Additionally, the FTP service contains a buffer overrun in the XCWD command handler.<u1:p></u1:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
<br>
<b>Details</b></span><br>
<span style='font-family:Verdana'><br>
<p class=MsoNormal style='text-align:justify'><i style='mso-bidi-font-style:
normal'><span style='font-family:Verdana'>NISCC/841713/Hummingbird/1
<br>
CVE number: No match<o:p></o:p></span></i></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>The Hummingbird Inetd32 administration tool allows a user to configure which services
under Inetd are enabled, which ports they listen on, and interestingly, which
executables run when a connection is received. By simply replacing the normal daemon
with a command of our choice, that command is run as Local System.<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><i style='mso-bidi-font-style:
normal'><span style='font-family:Verdana'>NISCC/841713/Hummingbird/2
<br>
CVE number: No match<o:p></o:p></span></i></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>The FTP service contains a buffer overrun in the XCWD command handler, which can be
triggered by a directory name of between between 256 and 259 characters.<o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><u4:p><span
style='mso-spacerun:yes'> </span>
<br>
<b><span style='font-family:Verdana'>Mitigation</span></b><br>
<br>
<span style='font-family:Verdana'>Hummingbird users are advised to apply the patches available from Hummingbird.
</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt;text-align:justify'><br>
<b><span style='font-family:Verdana'>Solution</span></b><br>
<br>
<span style='font-family:Verdana'>Hummingbird have produced patches to address the issues noted in this advisory.
Customers who require the patches should either contact their local Hummingbird
support centre, details available from <a href="http://connectivity.hummingbird.com/support/nc/contact.html">
http://connectivity.hummingbird.com/support/nc/contact.html</a>.
<p>
Or, customers who have a valid maintenance contract can register for web support and
download patches from there: <br>
<a href="http://connectivity.hummingbird.com/support/nc/request.html">http://connectivity.hummingbird.com/support/nc/request.html</a>.
</span></p>
<p class=MsoNormal style='text-align:justify'>
<br>
<b><span style='font-family:Verdana'>Vendor Information</span></b><span
style='font-family:Verdana'> </span><o:p></o:p></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>Hummingbird Ltd. was initially founded in 1984 as a consulting business. They are headquartered in Toronto, Canada and operates from 40 offices in Canada, the United States, Australia, France, Germany, Italy, Japan, Korea, Netherlands, Singapore, Sweden, Switzerland, and the United Kingdom.
<p>
For more detail, please visit their webiste: <a href="http://www.hummingbird.com/index.html?cks=y">http://www.hummingbird.com/index.html?cks=y</a>.<o:p></o:p></span></p>
<u1:p></u1:p>
<br>
<b><span style='font-family:Verdana'>Acknowledgements</b><br>
<br>
<span style='font-family:Verdana'>This issue was discovered by the CESG Network Defence Team, who reported the issue to NISCC. The NISCC vulnerability team would also like to thank Hummingbird for their
co-operation in handling this vulnerability.
<br>
<br><br>
<p class=MsoNormal style='text-align:justify'><b><span style='font-family:Verdana'>Contact
Information<u4:p></u4:p></span></b></p>
<p class=MsoNormal style='text-align:justify'>
<span style='font-family:Verdana'>The NISCC Vulnerability Management Team can
be contacted as follows:<u3:p></u3:p><o:p></o:p></span></p>
<table class=MsoNormalTable border=1 cellspacing=3 cellpadding=0 width="87%"
style='width:87.0%;mso-cellspacing:2.2pt;mso-padding-alt:3.75pt 3.75pt 3.75pt 3.75pt'>
<tr style='mso-yfti-irow:0'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Email<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'><a
href="mailto:vulteam@niscc.gov.uk">vulteam@niscc.gov.uk</a> <br>
<i>(Please quote the advisory reference in the subject line.)</i><u4:p></u4:p></span></p>
</td>
</tr>
<tr style='mso-yfti-irow:1'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Telephone<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>+44 (0)870 487 0748
Extension 4511 <br>
<i>(Monday to Friday </i></span><st1:time Minute="30" Hour="8"><i><span
style='font-family:Verdana'>08:30 - 17:00</span></i></st1:time><i><span
style='font-family:Verdana'>)<u4:p></u4:p></span></i></p>
</td>
</tr>
<tr style='mso-yfti-irow:2'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Fax<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>+44 (0)870 487 0749</span><span
style='mso-bidi-font-size:10.0pt;font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
<tr style='mso-yfti-irow:3;mso-yfti-lastrow:yes'>
<td width="30%" valign=top style='width:30.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Post<u4:p></u4:p></span></p>
</td>
<td width="70%" style='width:70.0%;padding:3.75pt 3.75pt 3.75pt 3.75pt'>
<p class=MsoNormal><span style='font-family:Verdana'>Vulnerability Management
Team<br>
NISCC<br>
</span><st1:address><st1:Street><span style='font-family:Verdana'>PO Box 832</span></st1:Street><span
style='font-family:Verdana'><br>
</span><st1:City><span style='font-family:Verdana'>London</span></st1:City><span
style='font-family:Verdana'><br>
</span><st1:PostalCode><span style='font-family:Verdana'>SW1P 1BG<u4:p></u4:p></span></st1:PostalCode></st1:address><span
style='font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
</table>
<p class=MsoNormal style='text-align:justify'>
<span style='font-family:Verdana'>We encourage those who wish to communicate
via email to make use of our PGP key. This is available from <a
href="http://www.uniras.gov.uk/UNIRAS.asc">http://www.uniras.gov.uk/UNIRAS.asc</a>.<u4:p></u4:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
Please note that </span><st1:country-region><st1:place><span style='font-family:
Verdana'>UK</span></st1:place></st1:country-region><span style='font-family:
Verdana'> government protectively marked material should not be sent to the
email address above.<u4:p></u4:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
If you wish to be added to our email distribution list, please email your
request to <a href="mailto:uniras@niscc.gov.uk">uniras@niscc.gov.uk</a>.<o:p></o:p></span></p>
<br>
<p class=MsoNormal>
<b style='mso-bidi-font-weight:normal'><span style='font-family:Verdana'>What
is NISCC?<o:p></o:p></span><u4:p></u4:p></b></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
For further information regarding the UK National Infrastructure Security
Co-Ordination Centre, please visit the NISCC web site at: <a
href="http://www.niscc.gov.uk/aboutniscc/index.htm">http://www.niscc.gov.uk/aboutniscc/index.htm</a><u4:p></u4:p><o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
Reference to any specific commercial product, process or service by trade name,
trademark manufacturer or otherwise, does not constitute or imply its endorsement,
recommendation, or favouring by NISCC. The views and opinions of authors
expressed within this notice shall not be used for advertising or product
endorsement purposes.<u4:p></u4:p><o:p></o:p></span></p>
<p class=MsoNormal style='text-align:justify'><span style='font-family:Verdana'>
Neither shall NISCC accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this notice.<u4:p></u4:p><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-family:Verdana'>
© 2004 Crown Copyright<u4:p></u4:p><o:p></o:p></span></p>
<br>
<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:Verdana'><u4:p></u4:p><u1:p></u1:p>Revision History<u4:p></u4:p><o:p></o:p></span></b><u3:p></u3:p></p>
<table class=MsoNormalTable border=0 cellpadding=0 width="100%"
style='width:100.0%;mso-cellspacing:1.5pt;mso-padding-alt:0cm 5.4pt 0cm 5.4pt'>
<tr style='mso-yfti-irow:0;mso-yfti-lastrow:yes'>
<td width="22%" style='width:22.84%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><st1:date Year="2004" Day="8" Month="9"><span
style='font-size:10.0pt;font-family:Verdana'>October 26, 2004</span></st1:date><span
style='font-size:6.0pt;font-family:Verdana'>: </span><span style='font-family:
Verdana'><o:p></o:p></span></p>
</td>
<u4:p></u4:p>
<td width="76%" style='width:76.44%;padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:Verdana'>Initial
release (1.0)</span><span style='font-family:Verdana'><o:p></o:p></span></p>
</td>
</tr>
<u4:p></u4:p>
</table>
<p class=MsoNormal><span style='font-family:Verdana'><br>
<End of NISCC Vulnerability Advisory><u4:p></u4:p></span></p>
</div>
</div>
</body>
</html>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed