SecurityFocus Microsoft Newsletter #130
---------------------------------------
This Issue is Sponsored by: SurfControl
Serious Enterprise E-mail and Anti-Spam Protection. SurfControl E-mail
Filter for SMTP and Exchange leverages multiple layers of technology to
defeat spam, viruses, and confidential data leakage with accuracy.
Get more info and download free 30-day trial:
http://www.surfcontrol.com/go/zsfms032403
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. IDS Logs in Forensics Investigations: An Analysis of a...
2. Remote Desktop Management Solution for Microsoft
3. The Promise and Peril of Palladium
4. Why the Dogs of Cyberwar Stay Leashed
5. SecurityFocus DPP Program
II. MICROSOFT VULNERABILITY SUMMARY
1. XChat Server Strings Buffer Overflow Vulnerability
2. MyAbraCadaWeb Path Disclosure Vulnerability
3. MyAbraCadaWeb Search Engine Cross-Site Scripting Vulnerability
4. Protegrity Secure.Data XP_PTY_Insert Buffer Overflow Vulnerability
5. BitchX Remote Cluster() Heap Corruption Vulnerability
6. SIPS User Information Disclosure Vulnerability
7. Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
8. McAfee ePolicy Orchestrator HTTP GET Request Format String...
9. McAfee ePolicy Orchestrator Information Disclosure Vulnerability
10. Microsoft Windows 2000 ntdll.dll Buffer Overflow Vulnerability
11. Protegrity Secure.Data XP_PTY_CheckUsers Buffer Overflow...
12. Protegrity Secure.Data XP_PTY_Select Buffer Overflow...
13. Multiple BitchX Remote Client-Side Buffer Overflow...
14. BitchX Remote BX_compress_modes() Buffer Overflow Vulnerability
15. TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability
16. BitchX Remote Send_CTCP() Memory Corruption Vulnerability
17. BitchX Remote cannot_join_channel() Buffer Overflow...
18. Samba REG File Writing Race Condition Vulnerability
19. Cyber-Cats Chitchat PHP Message Board/Guestbook Password File...
III. MICROSOFT FOCUS LIST SUMMARY
1. Anyone have hard evidence of problems with Windows Automatic...
2. MS03-007 Round-up (Thread)
3. Expire accounts from Active Directory after a period of...
4. write permissions for IIS (Thread)
5. Microsoft Security Advisory MS 03-007 (Thread)
6. FW: Microsoft Security Advisory MS 03-007 (Thread)
7. Article Announcement: Remote Desktop Management Solution for...
8. Microsoft Security Advisory MS 03-007 - Problems (Thread)
9. Exchange/MAPI/RPC (Thread)
10. SecurityFocus Microsoft Newsletter #129 (Thread)
11. AD replication - IP site to site encryption? (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. F-Secure Anti-Virus for Microsoft Exchange
2. QualysGuard Intranet Scanner
3. pcAnywhere
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. NetMap network scanner v0.2.1
2. East-Tec File Shredder v1.0
3. yavipin-conf v0.0.1
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. IDS Logs in Forensics Investigations: An Analysis of a Compromised
Honeypot
By Alan Neville
This paper will deconstruct the steps taken to conduct a full analysis of
a compromised machine. In particular, we will be examining the tool that
was used to exploit a dtspcd buffer overflow vulnerability, which allows
remote root access to the system. The objective of this paper is to show
the value of IDS logs in conducting forensics investigations.
http://www.securityfocus.com/infocus/1676
2. Remote Desktop Management Solution for Microsoft
by Artur Maj
One of the many challenges facing Microsoft administrators is how to
manage remote systems in a secure manner. In the UNIX world the answer is
quite simple: using the SSH protocol is sufficient. Thanks to SSH, we can
manage remote systems not only in text mode, but can also run remote
X-Window applications by using the protocol tunneling technique. And all
of this uses strong cryptography, which protects transmitted data from
unauthorized access.
http://www.securityfocus.com/infocus/1677
3. The Promise and Peril of Palladium
By Tim Mullen
Whether Microsoft's ambitious project is a security solution or a Trojan
horse depends much on the company's intentions.
http://www.securityfocus.com/columnists/148
4. Why the Dogs of Cyberwar Stay Leashed
By Mark Rasch
The United States could try out its much-hyped "cyberwarfare" capabilities
in Iraq... but it would probably be illegal.
http://www.securityfocus.com/columnists/149
5. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
II. BUGTRAQ SUMMARY
-------------------
1. XChat Server Strings Buffer Overflow Vulnerability
BugTraq ID: 7089
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7089
Summary:
XChat is a freely available, open source IRC client. It is available for
the Unix, Linux, and Microsoft Windows platforms.
XChat IRC client has been reported vulnerable, under certain
circumstances, to a buffer overflow condition.
It has been reported that, due to a lack of both sufficient bounds
checking and string termination, two malformed, non-terminated
server-supplied strings may be stored contiguously in a fixed internal
memory buffer.
As a result of this, a malicious IRC server may be used to pass excessive
data to the client and overwrite memory adjacent to the deficient buffer.
If this memory contains crucial saved program state values, the attacker
may be able to influence the program's flow and execute arbitrary code.
Any code successfully executed would be in the context of the user running
the vulnerable IRC application.
This vulnerability was reported to affect XChat version 2.0.1; other
versions may also be affected.
2. MyAbraCadaWeb Path Disclosure Vulnerability
BugTraq ID: 7126
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7126
Summary:
MyABraCaDaWeb is a web content management system. It is implemented in
PHP and available for Unix and Linux variants and Microsoft Windows
operating systems.
MyABraCaDaWeb is reported to disclose path information in error messages
when handling some invalid requests. This may occur when an invalid
administrative ID is requested or in some other cases. The full path to
the web root directory will be included in the error output. This
information could be useful in further attacks against a system hosting
the software.
3. MyAbraCadaWeb Search Engine Cross-Site Scripting Vulnerability
MyABraCaDaWeb is a web content management system. It is implemented in
PHP and available for Unix and Linux variants and Microsoft Windows
operating systems.
MyABraCaDaWeb provides a facility that allows users to search for
keywords. A cross-site scripting vulnerability has been reported in
MyABraCaDaWeb's search engine. HTML and script code are not sufficiently
sanitized when included in URI parameters of the vulnerable search
facility.
This could allow creation of malicious links to the vulnerable script
which include hostile HTML and script code. If such a link was visited by
a web user, attacker-supplied HTML and script code could be interpreted by
the user's browser. This would occur in the security context of the site
hosting the software.
4. Protegrity Secure.Data XP_PTY_Insert Buffer Overflow Vulnerability
Secure.Data is a library designed to provide enhanced database security
functions to Microsoft SQL Server through extended stored procedures.
The software is developed and distributed by Protegrity.
A problem with the software may make it possible for a user to gain
unauthorized access to a system.
It has been reported that Secure.Data does not properly check input in the
xp_pty_insert function. Because of this, an attacker may be able to
launch an attack that could result in elevated privileges.
The problem is in a boundary condition error in the xp_pty_insert
procedure. This extended stored procedure does not sufficiently check
bounds on information passed to it. By passing a string of arbitrary
length and shell code to the vulnerable procedure, an attacker could
execute code with the privileges of the SQL Server process, typically the
user SYSTEM.
This problem has been reported as affecting version 2.2.3.8 and previous.
5. BitchX Remote Cluster() Heap Corruption Vulnerability
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
BitchX has been reported prone to a heap based memory corruption
vulnerability. Reportedly when an excessively long hostname is supplied to
the BitchX 'cluster()' function an internal static memory buffer is
overflowed.
It has been reported that 1500 bytes of data may be written past the
buffer, potentially corrupting sensitive values located in the heap.
Although unconfirmed, due to the nature of heap corruption
vulnerabilities, there is a potential that this issue could be exploited
to corrupt memory management information. As a result, a hostile IRC
server may be capable of executing arbitrary code on a target client.
This vulnerability was reported to affect BitchX 1.0c19; earlier versions
may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
6. SIPS User Information Disclosure Vulnerability
BugTraq ID: 7134
Remote: Yes
Date Published: Mar 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7134
Summary:
SIPS is a weblog and link indexing system. It is available for Unix and
Linux variants in addition to Microsoft Windows operating systems.
It has been reported that SIPS fails to authenticate users before granting
access to user account information. As a result, it may be possible for an
attacker to access sensitive data by making a request to a specific
location that includes the first letter of a username followed by the full
username.
By gaining access to sensitive user account data it may be possible for an
attacker to launch further attacks.
It should be noted that this vulnerability was reported in SIPS v0.2.2;
however, other versions may also be affected.
7. Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.
A buffer overflow vulnerability has been reported for Samba. The
vulnerability occurs when the smbd service attempts to re-assemble
specially crafted SMB/CIFS packets.
An attacker can exploit this vulnerability by creating a specially
formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The
overflow condition will be triggered when smbd attempts to re-assemble the
malformed packet fragments. smbd will overwrite sensitive areas of memory
with attacker-supplied values resulting in the execution of malicious
code.
This vulnerability is further exacerbated by the fact that the smbd
service runs with root privileges.
This vulnerability affects Samba 2.0.0 to 2.2.7a. Additionally, HP
CIFS/9000 server versions up to A.01.09.01 on HP-UX 11.0, 11.11(11i), and
11.22 are vulnerable.
8. McAfee ePolicy Orchestrator HTTP GET Request Format String Vulnerability
BugTraq ID: 7111
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7111
Summary:
McAfee ePolicy Orchestrator is a product designed to remotely manage
various policies and antivirus products. It is available for the Microsoft
Windows operating system.
A format string vulnerability has been discovered in the ePolicy
Orchestrator Agent which is designed to distribute log data remotely.
Authentication does not occur when connecting to the ePolicy Orchestrator
Agent, thus allowing an anonymous attacker to exploit this issue.
The format string bug occurs when processing HTTP GET requests via port
8081. An attacker who makes a malicious request containing format
specifiers, such as '%x' or '%n', may be capable of obtaining and writing
to sensitive locations in memory.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary commands with SYSTEM privileges.
It should be noted that this vulnerability has been reported to affect
McAfee ePolicy Orchestrator 2.5.1; other versions may also be affected.
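The distinction the advisory turns on, as an added example that is not McAfee's code: a request line used as a printf-style format beside the hardened form that treats it as data, plus a check a defender can run over request logs to flag lines carrying conversion specifiers. Function names and the sample log lines are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (shown, not called): the request line itself becomes the
 * format string, so "%x" reads stack words and "%n" writes a counter into
 * memory. The advisory describes this class of bug in the agent's GET path.
 *
 *     snprintf(out, outlen, request);
 *
 * Hardened shape: the request is only ever an argument, never the format. */
static const char *format_request_safely(const char *request)
{
    static char out[256];
    snprintf(out, sizeof out, "GET request: %s", request);
    return out;
}

/* Detection helper: does the text contain a printf-style conversion?
 * Skips optional flags/width/precision/length characters after '%' and
 * looks for a conversion character; a literal "%%" is not a conversion.
 * URL-encoded text ("%25" etc.) can produce false positives, so decode
 * first when possible. */
static bool has_format_specifier(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                /* character after '%' */
        if (*p == '%') {                    /* literal "%%" */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p && strchr("diouxXeEfgGcspn", *p))
            return true;
    }
    return false;
}

/* Run the check over newline-separated request lines; returns how many
 * lines carry a conversion specifier. */
static int count_suspicious_lines(const char *log)
{
    int hits = 0;
    while (*log) {
        size_t len = strcspn(log, "\n");
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, log, len);
        line[len] = '\0';
        if (has_format_specifier(line))
            hits++;
        log += strcspn(log, "\n");
        if (*log == '\n')
            log++;
    }
    return hits;
}

/* Constructed sample request log: two benign lines, two carrying specifiers. */
static const char SAMPLE_LOG[] =
    "GET /Agent/log HTTP/1.0\n"
    "GET /Agent/%x%x%x%x HTTP/1.0\n"
    "GET /search?q=100%25 HTTP/1.0\n"
    "GET /Agent/%08x.%n HTTP/1.0\n";

static int sample_hits(void)
{
    return count_suspicious_lines(SAMPLE_LOG);
}
```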
9. McAfee ePolicy Orchestrator Information Disclosure Vulnerability
BugTraq ID: 7114
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7114
Summary:
McAfee ePolicy Orchestrator is a product designed to remotely manage
various policies and antivirus products. It is available for the Microsoft
Windows operating system.
The McAfee ePolicy Orchestrator Agent listens on port 8081 and is designed
to distribute various log data to remote users. It has been discovered
that the ePolicy Orchestrator Agent fails to carry out any authentication
when distributing logs. As a result, it may be possible for a remote
attacker to obtain sensitive information which could be used to launch
further attacks.
It should be noted that this vulnerability has been reported to affect
McAfee ePolicy Orchestrator 2.5.1; other versions may also be affected.
10. Microsoft Windows 2000 ntdll.dll Buffer Overflow Vulnerability
BugTraq ID: 7116
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7116
Summary:
The Windows 2000 library ntdll.dll contains a function that does not
perform sufficient bounds checking.
When a request is made to WebDAV using the methods PROPFIND, LOCK, SEARCH,
or GET with the Translate:f header, the request is in turn passed to a
function called GetFileAttributesExW. The GetFileAttributesExW in turn
makes a call to the RtlDosPathNameToNtPathName_U function which is
exported by ntdll.dll. The problem lies in that
RtlDosPathNameToNtPathName_U relies on unsigned shorts for string lengths.
This reliance on unsigned shorts is where the vulnerability lies.
Proper bounds checking is not performed on this data, allowing a buffer to
be overrun. This could result in the execution of arbitrary code with
Local System privileges.
Attack vectors other than GetFileAttributesExW also exist. The following
functions also call RtlDosPathNameToNtPathName_U and could be potential
attack vectors:
**There have been reports that this vulnerability was being actively
exploited in the wild for some time before it was discovered and fixed by
Microsoft. See the MSNBC link in the References section for more details
of systems that were exploited by this vulnerability. It is also
important to note that there is a strong possibility that this
vulnerability was known to exist for some time prior to March 12th as
indicated by the news story.
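The reliance on 16-bit lengths that the advisory describes, illustrated by an added example (not Microsoft's code and not the ntdll routine itself): a path byte count that silently truncates when stored in an unsigned short, beside a checked conversion that refuses anything that does not fit. The struct, function names and path sizes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A UNICODE_STRING-style descriptor: lengths are byte counts held in 16 bits,
 * while the buffer is addressed with a full pointer. (Field names constructed.) */
struct ushort_string {
    unsigned short length;       /* bytes in use */
    unsigned short max_length;   /* bytes available in buffer */
    uint16_t *buffer;            /* 2-byte characters */
};

/* Naive conversion: characters * 2 silently truncated to 16 bits. A 40000
 * character path is 80000 bytes, which becomes 80000 mod 65536 = 14464, so
 * any buffer sized from this field is far too small for the real data. */
static unsigned short truncated_byte_length(size_t nchars)
{
    return (unsigned short)(nchars * 2);
}

/* Checked conversion: -1 when the byte count cannot be represented. */
static long checked_byte_length(size_t nchars)
{
    if (nchars > (size_t)UINT16_MAX / 2)
        return -1;
    return (long)(nchars * 2);
}

/* Store a path only when its true byte length fits both the 16-bit field
 * and the destination buffer; returns bytes copied or -1. */
static long store_path_checked(const uint16_t *src, size_t nchars,
                               struct ushort_string *dst)
{
    long bytes = checked_byte_length(nchars);
    if (bytes < 0 || bytes > dst->max_length)
        return -1;
    memcpy(dst->buffer, src, (size_t)bytes);
    dst->length = (unsigned short)bytes;
    return bytes;
}

/* Constructed driver: a path of nchars 'A' characters stored into a
 * 1024-byte descriptor. Returns what store_path_checked returned. */
static long demo_store(size_t nchars)
{
    uint16_t *src = malloc(nchars * sizeof *src);
    uint16_t dstbuf[512];
    struct ushort_string dst = { 0, sizeof dstbuf, dstbuf };
    if (!src)
        return -1;
    for (size_t i = 0; i < nchars; i++)
        src[i] = 'A';
    long r = store_path_checked(src, nchars, &dst);
    free(src);
    return r;
}
```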
11. Protegrity Secure.Data XP_PTY_CheckUsers Buffer Overflow...
Secure.Data is a library designed to provide enhanced database security
functions to Microsoft SQL Server through extended stored procedures.
The software is developed and distributed by Protegrity.
A problem with the software may make it possible for a user to gain
unauthorized access to a system.
It has been reported that Secure.Data does not properly check input in the
xp_pty_checkusers function. Because of this, an attacker may be able to
launch an attack that could result in elevated privileges.
The problem is in a boundary condition error in the xp_pty_checkusers
procedure. This extended stored procedure does not sufficiently check
bounds on information passed to it. By passing a string of arbitrary
length and shell code to the vulnerable procedure, an attacker could
execute code with the privileges of the SQL Server process, typically the
user SYSTEM.
This problem has been reported as affecting version 2.2.3.8 and previous.
12. Protegrity Secure.Data XP_PTY_Select Buffer Overflow...
Secure.Data is a library designed to provide enhanced database security
functions to Microsoft SQL Server through extended stored procedures.
The software is developed and distributed by Protegrity.
A problem with the software may make it possible for a user to gain
unauthorized access to a system.
It has been reported that Secure.Data does not properly check input in the
xp_pty_select function. Because of this, an attacker may be able to
launch an attack that could result in elevated privileges.
The problem is in a boundary condition error in the xp_pty_select
procedure. This extended stored procedure does not sufficiently check
bounds on information passed to it. By passing a string of arbitrary
length and shell code to the vulnerable procedure, an attacker could
execute code with the privileges of the SQL Server process, typically the
user SYSTEM.
This problem has been reported as affecting version 2.2.3.8 and previous.
13. Multiple BitchX Remote Client-Side Buffer Overflow Vulnerabilities
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
Multiple vulnerabilities have been reported to exist in the BitchX IRC
client. The problems occur due to a variety of client-side functions
failing to carry out sufficient bounds checking. Specifically, a malicious
IRC server may be capable of passing malicious data to an affected BitchX
client, which could trigger a number of buffer overrun conditions.
Successful exploitation of these issues may allow a malicious server to
execute arbitrary commands on the client system with the privileges of the
user running the vulnerable client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
** The issues in this BID have been assigned individual BugtraqIDs. The
new BIDs are 7096, 7097, 7099 and 7100.
14. BitchX Remote BX_compress_modes() Buffer Overflow Vulnerability
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
BitchX has been reported prone to a buffer overflow vulnerability.
Reportedly, when the BitchX option 'compress_modes' is activated a
potential circumstance for a buffer overflow condition may be created. If
an excessive amount of data is supplied to the BitchX
'BX_Compress_modes()' function an internal memory buffer, 'nmodes[16]',
will be overflowed. This action may cause adjacent memory to be corrupted
with attacker-supplied values.
There is a potential that this issue could be exploited to corrupt crucial
program management variables on the stack and thus seize control of
program flow. As a result, a hostile IRC server may be capable of
executing arbitrary code on a target client.
Any arbitrary code executed would be in the context of the user running
the vulnerable software.
This vulnerability was reported to affect BitchX 1.0c19; earlier versions
may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
15. TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability
BugTraq ID: 7090
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7090
Summary:
tcpdump is a freely available, open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.
A vulnerability in the processing of some packet types may result in an
inability to further use the tcpdump application.
It has been reported that tcpdump is vulnerable to a denial of service
when some packet types are received. By sending a maliciously formatted
packet to a system using a vulnerable version of tcpdump, it is possible
for a remote user to cause tcpdump to ignore network traffic from the time
the packet is received until the application is terminated and restarted.
The problem is in the handling of RADIUS packets. When tcpdump receives a
maliciously crafted RADIUS packet, the application enters an infinite loop
and ceases to further monitor network traffic. This could allow the
passing of undetected network traffic that would typically be seen by
tcpdump.
16. BitchX Remote Send_CTCP() Memory Corruption Vulnerability
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A memory corruption vulnerability has been reported in the send_ctcp()
function which is used when handling server-supplied data. The function
takes the length of an argument, char *to, and uses it to allocate a
buffer on the stack. This occurs by calling the alloca() function with an
argument of 512 - (12 + strlen(to)). Delimiter characters are later
appended to the buffer returned by alloca().
If a hostile IRC server were to supply a 'to' argument whose length plus
12 exceeds 512 bytes, the argument passed to alloca() would be negative.
If this were to occur, the negative value would be interpreted as a size
and a stack address belonging to a previous frame would be returned. This
may allow delimiter characters and a NULL value to be written to arbitrary
stack memory.
Successful exploitation of this issue may allow a malicious server to
execute arbitrary commands on the client system with the privileges of the
user running the vulnerable client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
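The size computation quoted above, 512 - (12 + strlen(to)), written out as an added example that is not BitchX's code: the unchecked form (computed but never handed to alloca()), a predicate showing when it wraps, and a hardened builder that validates the target length before subtracting. The constants' names, the builder and the 600-byte target string are constructed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define CTCP_BUF      512   /* the fixed total from the advisory */
#define CTCP_OVERHEAD 12    /* bytes the advisory reserves for framing */

/* The computation the advisory quotes. strlen() returns size_t, so once
 * 12 + strlen(to) exceeds 512 the subtraction wraps to a huge unsigned
 * value (the "negative" size). Fed to alloca() that moves the stack pointer
 * the wrong way, into a caller's frame. Computed here only, never allocated. */
static size_t unchecked_ctcp_size(const char *to)
{
    return CTCP_BUF - (CTCP_OVERHEAD + strlen(to));
}

/* True when the unchecked computation wrapped. */
static bool ctcp_size_wrapped(const char *to)
{
    return unchecked_ctcp_size(to) > CTCP_BUF;
}

/* Hardened form: validate before subtracting; -1 means "reject this target". */
static long checked_ctcp_size(const char *to)
{
    size_t n = strlen(to);
    if (n > CTCP_BUF - CTCP_OVERHEAD)
        return -1;
    return (long)(CTCP_BUF - (CTCP_OVERHEAD + n));
}

/* Build "\001<body>\001" in a heap buffer of the checked size, with the
 * delimiter and NUL writes bounded. NULL when the target or body does not
 * fit; the caller frees the result. */
static char *build_ctcp(const char *to, const char *body)
{
    long room = checked_ctcp_size(to);
    size_t blen = strlen(body);
    if (room < 0 || blen + 3 > (size_t)room)   /* 2 delimiters + NUL */
        return NULL;
    char *buf = malloc((size_t)room);
    if (!buf)
        return NULL;
    buf[0] = '\001';
    memcpy(buf + 1, body, blen);
    buf[blen + 1] = '\001';
    buf[blen + 2] = '\0';
    return buf;
}

/* Constructed hostile-length target: 600 'A's, longer than the whole buffer. */
static const char *long_target(void)
{
    static char name[601];
    if (name[0] == '\0') {
        memset(name, 'A', 600);
        name[600] = '\0';
    }
    return name;
}
```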
17. BitchX Remote cannot_join_channel() Buffer Overflow...
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A memory corruption vulnerability has been discovered in BitchX 1.0c19.
This issue occurs when calling the cannot_join_channel() function. If a
channel of excessive length is supplied a buffer overflow could occur
which may result in predefined strings being written over sensitive stack
memory.
As a result, it may be possible for a malicious IRC server to crash a
vulnerable client. Although unconfirmed, this vulnerability could
potentially be leveraged to execute arbitrary commands within a target
client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
18. Samba REG File Writing Race Condition Vulnerability
BugTraq ID: 7107
Remote: No
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7107
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.
A race condition vulnerability has been reported for Samba. The
vulnerability occurs when Samba attempts to write reg files: it may be
possible to create a symbolic link at a crucial point of program
execution, causing the files pointed to by the link to be overwritten.
This will only occur if the files are writable by the Samba process.
Successful exploitation may cause local files to be corrupted. If files
can be corrupted with custom data, this may result in privilege elevation.
Full details of this vulnerability are not currently known. The BID will
be updated as further details are disclosed.
This vulnerability is reported to exist for Samba 2.0.0 to 2.2.7a.
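The symbolic-link race the advisory describes, as an added example that is not Samba's code: a writer that follows whatever link sits at the path beside one that refuses it (O_NOFOLLOW plus an fstat() check on the descriptor actually obtained), with a self-contained demonstration under a private temp directory. The directory, file names and contents are constructed; it assumes a POSIX system with a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: a plain open() follows whatever sits at the path at the
 * moment it runs. If someone who can write the directory has planted a
 * symlink there, the data lands in the link's target instead. */
static int write_reg_racy(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened shape: O_NOFOLLOW makes the kernel refuse a symlink at the final
 * path component (open fails with ELOOP), and fstat() on the descriptor we
 * actually got confirms a plain, singly linked regular file. This does not
 * protect against a symlinked parent directory, so the directory itself
 * must not be writable by untrusted users. */
static int write_reg_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed demonstration: plant a symlink at settings.reg pointing at
 * victim.txt, run both writers, and report whether the racy one clobbered
 * the victim while the safe one refused with ELOOP. Cleans up after itself. */
static bool demo_symlink_race(void)
{
    char dir[64], victim[128], reg[128], first[32] = "";
    snprintf(dir, sizeof dir, "/tmp/regrace_%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return false;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(reg, sizeof reg, "%s/settings.reg", dir);

    FILE *f = fopen(victim, "w");              /* the file the link targets */
    if (!f)
        return false;
    fputs("original\n", f);
    fclose(f);
    unlink(reg);
    if (symlink(victim, reg) != 0)             /* the planted link */
        return false;

    bool racy_wrote = write_reg_racy(reg, "[reg]\n") == 0;
    bool safe_refused = write_reg_safe(reg, "[reg]\n") != 0 && errno == ELOOP;

    f = fopen(victim, "r");
    if (f) {
        if (!fgets(first, sizeof first, f))
            first[0] = '\0';
        fclose(f);
    }
    bool victim_clobbered = strcmp(first, "[reg]\n") == 0;

    unlink(reg);
    unlink(victim);
    rmdir(dir);
    return racy_wrote && victim_clobbered && safe_refused;
}
```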
19. Cyber-Cats Chitchat PHP Message Board/Guestbook Password File...
Cyber-Cats Chitchat PHP Message Board/Guestbook permits users to interact
and communicate via a virtual community. It is available for Unix, Linux,
and Microsoft Operating Systems.
A problem with the software may allow a remote user unauthorized access to
the board.
Cyber-Cats Chitchat PHP Message Board/Guestbook does not sufficiently
limit access to files on the local system. Because of this, an attacker
could potentially gain access to sensitive files.
The problem is in the limiting of access to the password file. User names
and passwords for the board are stored in the
$guest_board_directory/files/passwd.txt file. An attacker could gain
access to this file and launch a brute force attack against the encrypted
password hashes contained in the file, gaining unauthorized access to user
accounts.
20. Microsoft Windows PostMessage API Unmasked Password Weakness
BugTraq ID: 7092
Remote: No
Date Published: Mar 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7092
Summary:
A weakness has been reported in the Microsoft Windows PostMessage API
which could effectively allow unmasked passwords to be copied into a
user's clipboard or other buffer.
PostMessage places a message in the message queue but does not
sufficiently check the message type. EM_SETPASSWORDCHAR messages set the
password mask character in password edit box controls. PostMessage may be
abused in combination with EM_SETPASSWORDCHAR messages to cause an
unmasked password to be placed into a buffer which could potentially be
accessed through other means by an unauthorized process.
Exploitation would require a malicious local process to wait for an
authentication prompt to be sent to a local user by another application.
The attacker would then have to authenticate normally. The unmasked
password can be copied while this is occurring.
From this point, a further attack would be required to steal password
credentials.
This weakness occurs because the PostMessage API may be used in
combination with EM_SETPASSWORDCHAR messages. This may occur from another
process that does not belong to the process thread.
It is possible that this weakness could be incorporated into a trojan
horse or backdoor. Malicious local users could also potentially exploit
this to steal authentication credentials from other users.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Anyone have hard evidence of problems with Windows Automatic Updates? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315790
2. MS03-007 Round-up (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315792
3. Expire accounts from Active Directory after a period of inactivity (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315791
4. write permissions for IIS (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315789
5. Microsoft Security Advisory MS 03-007 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315621
6. FW: Microsoft Security Advisory MS 03-007 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315628
7. Article Announcement: Remote Desktop Management Solution for Microsoft (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315462
8. Microsoft Security Advisory MS 03-007 - Problems (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315452
9. Exchange/MAPI/RPC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315376
10. SecurityFocus Microsoft Newsletter #129 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315312
11. AD replication - IP site to site encryption? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315307
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. F-Secure Anti-Virus for Microsoft Exchange
by F-Secure Corporation
Platforms: Windows 2000, Windows NT
Relevant URL:
http://www.f-secure.com/products/anti-virus/ms-exchange/
Summary:
F-Secure Anti-Virus for Microsoft Exchange protects Microsoft Exchange
users from viruses, worms and Trojans, scanning both incoming and outgoing
messages. The product scans not only e-mail attachments, but it also stops
viruses in documents and notes posted to public folders. With F-Secure
Anti-Virus for Microsoft Exchange, antivirus protection is transparent and
always on as the scanning is done on the e-mail server in real-time.
2. QualysGuard Intranet Scanner
With QualysGuard Intranet Scanner, Qualys also protects enterprises when
the threat comes from within the internal network. QualysGuard Intranet
Scanner is the first network appliance that provides security audits and
vulnerability management inside the firewall. Combined with QualysGuard,
the Intranet Scanner provides network administrators with an integrated,
centralized service for managing both internal and external network
vulnerabilities.
3. pcAnywhere
by Symantec
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.symantec.com/pcanywhere/Consumer/
Summary:
pcAnywhere is the world's leading remote control software. With powerful
encryption and authentication, it gives you peace of mind that your remote
sessions will be secure. Speed up performance with the new optimization
wizard. You can also use pcAnywhere with cable and DSL modems for faster
remote control sessions. Now it's even faster and easier to navigate
directories on both machines when you're transferring files. Use the
AutoTransfer function to upload or download multiple files automatically.
Whether you need to support servers, customers, or friends, choose
award-winning pcAnywhere, the world's best-selling remote control
solution.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. NetMap network scanner v0.2.1
by Joshua Corbin
Relevant URL:
http://members.jdweb.com/~jcorbin/netmap/
Platforms: Perl (any system supporting perl)
Summary:
NetMap is a network scanner written in Perl/GTK. It is not just another
nmap frontend. It is a modularized network prober/scanner that just
happens to have an nmap module. Incidentally, NetMap has nothing to do
with the network weather mapper.
2. East-Tec File Shredder v1.0
by EAST Technologies
Relevant URL:
http://www.east-tec.com/erprod/etfshred/index.htm
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
East-Tec File Shredder securely destroys (shreds) sensitive and private
files beyond recovery. Simply drag & drop files to the shredder icon on
your desktop, or select the files you want to destroy directly from the
Windows Explorer right-click menu. The files will be gone for good.
3. yavipin-conf v0.0.1
by Hisham Mardam Bey
Relevant URL:
http://hisham.cc/files/apps/yavipin/
Platforms: N/A
Summary:
yavipin-conf is a multiple client/server configuration utility for
yavipin. It provides a parser, example configuration files, and a startup
script which allows the user to start/stop/restart a VPN at any point. In
syntax, the configuration is similar to that of vtun.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SurfControl
Serious Enterprise E-mail and Anti-Spam Protection. SurfControl E-mail
Filter for SMTP and Exchange leverages multiple layers of technology to
defeat spam, viruses, and confidential data leakage with accuracy.
Get more info and download free 30-day trial:
http://www.surfcontrol.com/go/zsfms032403
-------------------------------------------------------------------------------
I. FRONT AND CENTER
-------------------
1. IDS Logs in Forensics Investigations: An Analysis of a Compromised
Honeypot
By Alan Neville
This paper will deconstruct the steps taken to conduct a full analysis of
a compromised machine. In particular, we will be examining the tool that
was used to exploit a dtspcd buffer overflow vulnerability, which allows
remote root access to the system. The objective of this paper is to show
the value of IDS logs in conducting forensics investigations.
http://www.securityfocus.com/infocus/1676
2. Remote Desktop Management Solution for Microsoft
by Artur Maj
One of the many challenges facing Microsoft administrators is how to
manage remote systems securely. In the UNIX world the answer is quite
simple: using the SSH protocol is sufficient. Thanks to SSH, we can manage
remote systems not only in text mode, but can also run remote X Window
applications using the protocol tunneling technique, all with strong
cryptography that protects transmitted data from unauthorized access.
http://www.securityfocus.com/infocus/1677
3. The Promise and Peril of Palladium
By Tim Mullen
Whether Microsoft's ambitious project is a security solution or a Trojan
horse depends much on the company's intentions.
http://www.securityfocus.com/columnists/148
4. Why the Dogs of Cyberwar Stay Leashed
By Mark Rasch
The United States could try out its much-hyped "cyberwarfare" capabilities
in Iraq... but it would probably be illegal.
http://www.securityfocus.com/columnists/149
5. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
II. BUGTRAQ SUMMARY
-------------------
1. XChat Server Strings Buffer Overflow Vulnerability
BugTraq ID: 7089
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7089
Summary:
XChat is a freely available, open source IRC client. It is available for
the Unix, Linux, and Microsoft Windows platforms.
The XChat IRC client has been reported vulnerable, under certain
circumstances, to a buffer overflow condition.
It has been reported that, due to a lack of both sufficient bounds
checking and string termination, two malformed, non-terminated
server-supplied strings may be stored contiguously in a fixed internal
memory buffer.
As a result, a malicious IRC server may be used to pass excessive data to
the client and overwrite memory adjacent to the deficient buffer. If this
memory contains crucial saved program state values, the attacker may be
able to influence the program's flow and execute arbitrary code. Any code
successfully executed would be in the context of the user running the
vulnerable IRC application.
This vulnerability was reported to affect XChat version 2.0.1; other
versions may also be affected.
2. MyAbraCadaWeb Path Disclosure Vulnerability
BugTraq ID: 7126
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7126
Summary:
MyABraCaDaWeb is a web content management system. It is implemented in
PHP and available for Unix and Linux variants and Microsoft Windows
operating systems.
MyABraCaDaWeb is reported to disclose path information in error messages
when handling some invalid requests. This may occur when an invalid
administrative ID is requested or in some other cases. The full path to
the web root directory will be included in the error output. This
information could be useful in further attacks against a system hosting
the software.
3. MyAbraCadaWeb Search Engine Cross-Site Scripting Vulnerability
BugTraq ID: 7127
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7127
Summary:
MyABraCaDaWeb is a web content management system. It is implemented in
PHP and available for Unix and Linux variants and Microsoft Windows
operating systems.
MyABraCaDaWeb provides a facility that allows users to search for
keywords. A cross-site scripting vulnerability has been reported in
MyABraCaDaWeb's search engine. HTML and script code are not sufficiently
sanitized when included in URI parameters of the vulnerable search
facility.
This could allow creation of malicious links to the vulnerable script
which include hostile HTML and script code. If such a link was visited by
a web user, attacker-supplied HTML and script code could be interpreted by
the user's browser. This would occur in the security context of the site
hosting the software.
4. Protegrity Secure.Data XP_PTY_Insert Buffer Overflow Vulnerability
BugTraq ID: 7084
Remote: Yes
Date Published: Mar 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7084
Summary:
Secure.Data is a library designed to provide enhanced database security
functions to Microsoft SQL Server through extended stored procedures.
The software is developed and distributed by Protegrity.
A problem with the software may make it possible for a user to gain
unauthorized access to a system.
It has been reported that Secure.Data does not properly check input in the
xp_pty_insert function. Because of this, an attacker may be able to
launch an attack that could result in elevated privileges.
The problem is in a boundary condition error in the xp_pty_insert
procedure. This extended stored procedure does not sufficiently check
bounds on information passed to it. By passing a string of arbitrary
length and shell code to the vulnerable procedure, an attacker could
execute code with the privileges of the SQL Server process, typically the
user SYSTEM.
This problem has been reported as affecting version 2.2.3.8 and previous.
5. BitchX Remote Cluster() Heap Corruption Vulnerability
BugTraq ID: 7096
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7096
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
BitchX has been reported prone to a heap-based memory corruption
vulnerability. Reportedly, when an excessively long hostname is supplied to
the BitchX 'cluster()' function, an internal static memory buffer is
overflowed.
It has been reported that 1500 bytes of data may be written past the
buffer, potentially corrupting sensitive values located in the heap.
Although unconfirmed, due to the nature of heap corruption vulnerabilities
there is a potential that this issue could be exploited to corrupt memory
management information. As a result, a hostile IRC server may be capable
of executing arbitrary code on a target client.
This vulnerability was reported to affect BitchX 1.0c19; earlier versions
may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
6. SIPS User Information Disclosure Vulnerability
BugTraq ID: 7134
Remote: Yes
Date Published: Mar 18 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7134
Summary:
SIPS is a weblog and link indexing system. It is available for Unix and
Linux variants in addition to Microsoft Windows operating systems.
It has been reported that SIPS fails to authenticate users before granting
access to user account information. As a result, it may be possible for an
attacker to access sensitive data by making a request to a specific
location, including the first letter of a username, followed by the full
username.
By gaining access to sensitive user account data it may be possible for an
attacker to launch further attacks.
It should be noted that this vulnerability was reported in SIPS v0.2.2;
however, other versions may also be affected.
7. Samba SMB/CIFS Packet Assembling Buffer Overflow Vulnerability
BugTraq ID: 7106
Remote: Yes
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7106
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.
A buffer overflow vulnerability has been reported for Samba. The
vulnerability occurs when the smbd service attempts to re-assemble
specially crafted SMB/CIFS packets.
An attacker can exploit this vulnerability by creating a specially
formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The
overflow condition will be triggered when smbd attempts to re-assemble the
malformed packet fragments. smbd will overwrite sensitive areas of memory
with attacker-supplied values resulting in the execution of malicious
code.
This vulnerability is further exacerbated by the fact that the smbd
service runs with root privileges.
This vulnerability affects Samba 2.0.0 to 2.2.7a. Additionally, HP
CIFS/9000 server versions up to A.01.09.01 on HP-UX 11.0, 11.11(11i), and
11.22 are vulnerable.
8. McAfee ePolicy Orchestrator HTTP GET Request Format String Vulnerability
BugTraq ID: 7111
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7111
Summary:
McAfee ePolicy Orchestrator is a product designed to remotely manage
various policies and antivirus products. It is available for the Microsoft
Windows operating system.
A format string vulnerability has been discovered in the ePolicy
Orchestrator Agent which is designed to distribute log data remotely.
Authentication does not occur when connecting to the ePolicy Orchestrator
Agent, thus allowing an anonymous attacker to exploit this issue.
The format string bug occurs when processing HTTP GET requests via port
8081. An attacker who makes a malicious request containing format
specifiers, such as '%x' or '%n', may be capable of obtaining and writing
to sensitive locations in memory.
Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary commands with SYSTEM privileges.
It should be noted that this vulnerability has been reported to affect
McAfee ePolicy Orchestrator 2.5.1; other versions may also be affected.
9. McAfee ePolicy Orchestrator Information Disclosure Vulnerability
BugTraq ID: 7114
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7114
Summary:
McAfee ePolicy Orchestrator is a product designed to remotely manage
various policies and antivirus products. It is available for the Microsoft
Windows operating system.
The McAfee ePolicy Orchestrator Agent listens on port 8081 and is designed
to distribute various log data to remote users. It has been discovered
that the ePolicy Orchestrator Agent fails to carry out any authentication
when distributing logs. As a result, it may be possible for a remote
attacker to obtain sensitive information which could be used to launch
further attacks.
It should be noted that this vulnerability has been reported to affect
McAfee ePolicy Orchestrator 2.5.1; other versions may also be affected.
10. Microsoft Windows 2000 ntdll.dll Buffer Overflow Vulnerability
BugTraq ID: 7116
Remote: Yes
Date Published: Mar 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7116
Summary:
The Windows 2000 library ntdll.dll contains a function that does not
perform sufficient bounds checking.
When a request is made to WebDAV using the PROPFIND, LOCK, SEARCH, or GET
methods with the Translate:f header, the request is in turn passed to a
function called GetFileAttributesExW. GetFileAttributesExW in turn calls
the RtlDosPathNameToNtPathName_U function, which is exported by ntdll.dll.
The problem is that RtlDosPathNameToNtPathName_U relies on unsigned shorts
for string lengths, and proper bounds checking is not performed on this
data, allowing a buffer to be overrun. This could result in the execution
of arbitrary code with Local System privileges.
Attack vectors other than GetFileAttributesExW also exist. The following
functions also call RtlDosPathNameToNtPathName_U and could also be
potential attack vectors:
GetShortPathNameW
CopyFileW
MoveFileW
MoveFileExW
ReplaceFileW
CreateMailslotW
GetFileAttributesW
FindFirstFileExW
CreateFileW
GetVolumeInformationW
DeleteFileW
GetDriveTypeW
GetFileAttributesExW
CreateDirectoryW
FindFirstChangeNotificationW
GetBinaryTypeW
CreateNamedPipeW
SetFileAttributesW
MoveFileWithProgressW
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceW
CreateDirectoryExW
DefineDosDeviceW
PrivMoveFileIdentityW
GetCompressedFileSizeW
SetVolumeLabelW
CreateHardLinkW
RemoveDirectoryW
**There have been reports that this vulnerability was being actively
exploited in the wild for some time before it was discovered and fixed by
Microsoft. See the MSNBC link in the References section for more details
of systems that were exploited by this vulnerability. It is also
important to note that there is a strong possibility that this
vulnerability was known to exist for some time prior to March 12th as
indicated by the news story.
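As an added illustration (not Microsoft's code), the following C model shows how storing a path length in an unsigned short, as the entry above says RtlDosPathNameToNtPathName_U does, lets a bounds check pass for a path that is far too large, and how a fail-closed check prevents it. The "\??\" NT prefix, the 2-byte UTF-16 unit, the UNICODE_STRING-style struct and all function names are assumptions, not details from the advisory.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the length handling described in the BID; not ntdll's code.
 * UNICODE_STRING carries Length and MaximumLength as unsigned short byte
 * counts, so a size_t count stored into such a field is narrowed. */

#define UTF16_UNIT      2u   /* bytes per UTF-16 code unit (assumed) */
#define NT_PREFIX_CHARS 4u   /* length of the "\??\" NT prefix (assumed) */

typedef struct {
    unsigned short Length;          /* bytes, like UNICODE_STRING.Length */
    unsigned short MaximumLength;   /* bytes, like UNICODE_STRING.MaximumLength */
} nt_len_t;

/* Exact byte count of the NT path: prefix plus DOS path, no terminator. */
size_t nt_path_bytes(size_t dos_chars) {
    return (NT_PREFIX_CHARS + dos_chars) * UTF16_UNIT;
}

/* Naive conversion: the size_t count is stored straight into the unsigned
 * short field, so 65536 bytes and above silently wrap to a small value. */
nt_len_t naive_nt_length(size_t dos_chars) {
    nt_len_t r;
    r.Length = (unsigned short)nt_path_bytes(dos_chars);   /* narrowing */
    r.MaximumLength = r.Length;
    return r;
}

/* Hardened conversion: reject paths that cannot be represented before the
 * value is narrowed. Returns 0 on success, -1 on rejection. */
int checked_nt_length(size_t dos_chars, nt_len_t *out) {
    /* guard the multiplication itself, then the unsigned short range */
    if (dos_chars > SIZE_MAX / UTF16_UNIT - NT_PREFIX_CHARS) return -1;
    size_t bytes = nt_path_bytes(dos_chars);
    if (bytes > USHRT_MAX) return -1;
    out->Length = (unsigned short)bytes;
    out->MaximumLength = (unsigned short)bytes;
    return 0;
}

/* A bounds check written against the narrowed field: it passes for an
 * oversized path, which is exactly when a later copy would overrun. */
int naive_fits(size_t dos_chars, size_t buf_bytes) {
    return naive_nt_length(dos_chars).Length <= buf_bytes;
}

/* The same check against the validated length: oversized paths fail. */
int checked_fits(size_t dos_chars, size_t buf_bytes) {
    nt_len_t l;
    if (checked_nt_length(dos_chars, &l) != 0) return 0;
    return l.Length <= buf_bytes;
}

int main(void) {
    size_t path = 40000, buf = 32768;   /* constructed sizes: an 80008-byte NT path */
    printf("real bytes %zu, narrowed %u, naive fits=%d, checked fits=%d\n",
           nt_path_bytes(path), (unsigned)naive_nt_length(path).Length,
           naive_fits(path, buf), checked_fits(path, buf));
    return 0;
}
```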
11. Protegrity Secure.Data XP_PTY_CheckUsers Buffer Overflow Vulnerability
BugTraq ID: 7083
Remote: Yes
Date Published: Mar 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7083
Summary:
Secure.Data is a library designed to provide enhanced database security
functions to Microsoft SQL Server through extended stored procedures.
The software is developed and distributed by Protegrity.
A problem with the software may make it possible for a user to gain
unauthorized access to a system.
It has been reported that Secure.Data does not properly check input in the
xp_pty_checkusers function. Because of this, an attacker may be able to
launch an attack that could result in elevated privileges.
The problem is in a boundary condition error in the xp_pty_checkusers
procedure. This extended stored procedure does not sufficiently check
bounds on information passed to it. By passing a string of arbitrary
length and shell code to the vulnerable procedure, an attacker could
execute code with the privileges of the SQL Server process, typically the
user SYSTEM.
This problem has been reported as affecting version 2.2.3.8 and previous.
12. Protegrity Secure.Data XP_PTY_Select Buffer Overflow Vulnerability
BugTraq ID: 7085
Remote: Yes
Date Published: Mar 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7085
Summary:
Secure.Data is a library designed to provide enhanced database security
functions to Microsoft SQL Server through extended stored procedures.
The software is developed and distributed by Protegrity.
A problem with the software may make it possible for a user to gain
unauthorized access to a system.
It has been reported that Secure.Data does not properly check input in the
xp_pty_select function. Because of this, an attacker may be able to
launch an attack that could result in elevated privileges.
The problem is in a boundary condition error in the xp_pty_select
procedure. This extended stored procedure does not sufficiently check
bounds on information passed to it. By passing a string of arbitrary
length and shell code to the vulnerable procedure, an attacker could
execute code with the privileges of the SQL Server process, typically the
user SYSTEM.
This problem has been reported as affecting version 2.2.3.8 and previous.
13. Multiple BitchX Remote Client-Side Buffer Overflow Vulnerabilities
BugTraq ID: 7086
Remote: Yes
Date Published: Mar 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7086
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
Multiple vulnerabilities have been reported to exist in the BitchX IRC
client. The problems occur due to a variety of client-side functions
failing to carry out sufficient bounds checking. Specifically, a malicious
IRC server may be capable of passing malicious data to an affected BitchX
client, which could trigger a number of buffer overrun conditions.
Successful exploitation of these issues may allow a malicious server to
execute arbitrary commands on the client system with the privileges of the
user running the vulnerable client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
** The issues in this BID have been assigned individual BugtraqIDs. The
new BIDs are 7096, 7097, 7099 and 7100.
This BID will be subsequently retired.
14. BitchX Remote BX_compress_modes() Buffer Overflow Vulnerability
BugTraq ID: 7100
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7100
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
BitchX has been reported prone to a buffer overflow vulnerability.
Reportedly, when the BitchX option 'compress_modes' is activated, a buffer
overflow condition may arise: if an excessive amount of data is supplied
to the BitchX 'BX_Compress_modes()' function, an internal memory buffer,
'nmodes[16]', will be overflowed. This may cause adjacent memory to be
corrupted with attacker-supplied values.
There is a potential that this issue could be exploited to corrupt crucial
program management variables on the stack and thus seize control of
program flow. As a result, a hostile IRC server may be capable of
executing arbitrary code on a target client.
Any arbitrary code executed would be in the context of the user running
the vulnerable software.
This vulnerability was reported to affect BitchX 1.0c19; earlier versions
may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
15. TCPDump Malformed RADIUS Packet Denial Of Service Vulnerability
BugTraq ID: 7090
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7090
Summary:
tcpdump is a freely available, open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.
A vulnerability in the processing of some packet types may result in an
inability to further use the tcpdump application.
It has been reported that tcpdump is vulnerable to a denial of service
when some packet types are received. By sending a maliciously formatted
packet to a system using a vulnerable version of tcpdump, it is possible
for a remote user to cause tcpdump to ignore network traffic from the time
the packet is received until the application is terminated and restarted.
The problem is in the handling of RADIUS packets. When tcpdump receives a
maliciously crafted RADIUS packet, the application enters an infinite loop
and ceases to further monitor network traffic. This could allow the
passing of undetected network traffic that would typically be seen by
tcpdump.
16. BitchX Remote Send_CTCP() Memory Corruption Vulnerability
BugTraq ID: 7097
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7097
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A memory corruption vulnerability has been reported in the send_ctcp()
function, which is used when handling server-supplied data. The function
takes the length of an argument, char *to, and uses it to allocate a
buffer on the stack by calling alloca() with an argument of
512 - (12 + strlen(to)). Delimiter characters are later appended to the
buffer returned by alloca().
If a hostile IRC server were to supply a 'to' argument long enough that
12 + strlen(to) exceeds 512 bytes, the argument passed to alloca() would
be negative. If this were to occur, the negative value would be
interpreted as a size and a stack address used by a previous frame would
be returned. This may allow delimiter characters and a NULL value to be
written to arbitrary stack memory.
Successful exploitation of this issue may allow a malicious server to
execute arbitrary commands on the client system with the privileges of the
user running the vulnerable client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
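An added C model (not BitchX's code) of the size computation described above, 512 - (12 + strlen(to)): it shows the value going negative, what alloca() would receive after conversion to an unsigned size, and a checked variant that rejects oversized targets before any allocation. The 0x01 CTCP delimiter byte and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the send_ctcp() size computation described in the BID; not
 * BitchX's code. 512 and the 12-byte overhead come from the description;
 * the 0x01 delimiter and the function names are assumptions. */

#define CTCP_BUF      512
#define CTCP_OVERHEAD 12
#define CTCP_DELIM    '\001'

/* The computation as described: a signed result that goes negative as soon
 * as strlen(to) exceeds 500. */
long ctcp_space_unchecked(const char *to) {
    return (long)CTCP_BUF - (long)(CTCP_OVERHEAD + strlen(to));
}

/* What alloca() would actually receive: the negative result converted to
 * size_t becomes a huge value, so the stack pointer is moved into memory
 * belonging to earlier frames instead of reserving a small buffer. */
size_t ctcp_alloca_arg(const char *to) {
    return (size_t)ctcp_space_unchecked(to);
}

/* Hardened: validate the target length before any arithmetic that can wrap.
 * Returns 0 and the usable size on success, -1 when 'to' cannot fit. */
int ctcp_space_checked(const char *to, size_t *out) {
    size_t n = strlen(to);
    if (n > CTCP_BUF - CTCP_OVERHEAD) return -1;
    *out = CTCP_BUF - CTCP_OVERHEAD - n;
    return 0;
}

/* Convenience predicate for callers and tests. */
int ctcp_target_ok(const char *to) {
    size_t unused;
    return ctcp_space_checked(to, &unused) == 0;
}

/* Writes "<delim>text<delim>" plus NUL into dst, never beyond the validated
 * space or dst_sz. Returns bytes written (without NUL) or -1. */
int ctcp_wrap(const char *to, const char *text, char *dst, size_t dst_sz) {
    size_t space, tlen = strlen(text);
    if (ctcp_space_checked(to, &space) != 0) return -1;
    if (space > dst_sz) space = dst_sz;
    if (tlen + 3 > space) return -1;            /* two delimiters + NUL */
    dst[0] = CTCP_DELIM;
    memcpy(dst + 1, text, tlen);
    dst[tlen + 1] = CTCP_DELIM;
    dst[tlen + 2] = '\0';
    return (int)(tlen + 2);
}

/* Builds a constructed target name of n 'A's (n < 1024) for demonstration. */
const char *make_long_to(size_t n) {
    static char buf[1024];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* Wraps into an internal buffer and returns the length written, or -1. */
int ctcp_wrap_len(const char *to, const char *text) {
    static char out[CTCP_BUF];
    return ctcp_wrap(to, text, out, sizeof out);
}

int main(void) {
    const char *bad = make_long_to(600);   /* constructed 600-byte target */
    printf("nick: space %ld, ok=%d\n",
           ctcp_space_unchecked("nick"), ctcp_target_ok("nick"));
    printf("600 A's: space %ld -> alloca arg %zu, ok=%d\n",
           ctcp_space_unchecked(bad), ctcp_alloca_arg(bad), ctcp_target_ok(bad));
    return 0;
}
```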
17. BitchX Remote cannot_join_channel() Buffer Overflow Vulnerability
BugTraq ID: 7099
Remote: Yes
Date Published: Mar 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7099
Summary:
BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.
A memory corruption vulnerability has been discovered in BitchX 1.0c19.
This issue occurs when calling the cannot_join_channel() function. If a
channel name of excessive length is supplied, a buffer overflow could
occur, which may result in predefined strings being written over sensitive
stack memory.
As a result, it may be possible for a malicious IRC server to crash a
vulnerable client. Although unconfirmed, this vulnerability could
potentially be leveraged to execute arbitrary commands within a target
client.
This vulnerability has been reported to affect BitchX 1.0c19. Other
versions may also be affected.
This issue was originally described in BID 7086 "Multiple BitchX Remote
Client-Side Buffer Overflow Vulnerabilities" and is now being assigned a
separate BID.
18. Samba REG File Writing Race Condition Vulnerability
BugTraq ID: 7107
Remote: No
Date Published: Mar 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7107
Summary:
Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.
A race condition vulnerability has been reported for Samba. The
vulnerability occurs when Samba attempts to write reg files: it may be
possible to create a symbolic link at a crucial point of program execution
so that the files the link points to are overwritten. This will only occur
if the files are writeable by the Samba process.
Successful exploitation may cause local files to be corrupted. If files
can be corrupted with custom data, this may result in privilege elevation.
Full details of this vulnerability are not currently known. The BID will
be updated as further details are disclosed.
This vulnerability is reported to exist for Samba 2.0.0 to 2.2.7a.
19. Cyber-Cats Chitchat PHP Message Board/Guestbook Password File Viewing Vulnerability
BugTraq ID: 7136
Remote: Yes
Date Published: Mar 19 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7136
Summary:
Cyber-Cats Chitchat PHP Message Board/Guestbook permits users to interact
and communicate via a virtual community. It is available for Unix, Linux,
and Microsoft Operating Systems.
A problem with the software may allow a remote user unauthorized access to
the board.
Cyber-Cats Chitchat PHP Message Board/Guestbook does not sufficiently
limit access to files on the local system. Because of this, an attacker
could potentially gain access to sensitive files.
The problem is in the limiting of access to the password file. User names
and passwords for the board are stored in the
$guest_board_directory/files/passwd.txt file. An attacker could gain
access to this file and launch a brute force attack against the encrypted
password hashes contained in the file, gaining unauthorized access to user
accounts.
20. Microsoft Windows PostMessage API Unmasked Password Weakness
BugTraq ID: 7092
Remote: No
Date Published: Mar 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7092
Summary:
A weakness has been reported in the Microsoft Windows PostMessage API
which could effectively allow unmasked passwords to be copied into a
user's clipboard or other buffer.
PostMessage places a message in the message queue but does not
sufficiently check the message type. EM_SETPASSWORDCHAR messages set the
password mask character in password edit box controls. PostMessage may be
abused in combination with EM_SETPASSWORDCHAR messages to cause an
unmasked password to be placed into a buffer which could potentially be
accessed through other means by an unauthorized process.
Exploitation would require a malicious local process to wait for an
authentication prompt to be sent to a local user by another application.
The attacker would then have to authenticate normally. The unmasked
password can be copied while this is occurring.
From this point, a further attack would be required to steal password
credentials.
This weakness occurs because the PostMessage API may be used in
combination with EM_SETPASSWORDCHAR messages. This may occur from another
process that does not belong to the process thread.
It is possible that this weakness could be incorporated into a trojan
horse or backdoor. Malicious local users could also potentially exploit
this to steal authentication credentials from other users.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Anyone have hard evidence of problems with Windows Automatic Updates? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315790
2. MS03-007 Round-up (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315792
3. Expire accounts from Active Directory after a period of inactivity (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315791
4. write permissions for IIS (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315789
5. Microsoft Security Advisory MS 03-007 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315621
6. FW: Microsoft Security Advisory MS 03-007 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315628
7. Article Announcement: Remote Desktop Management Solution for Microsoft (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315462
8. Microsoft Security Advisory MS 03-007 - Problems (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315452
9. Exchange/MAPI/RPC (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315376
10. SecurityFocus Microsoft Newsletter #129 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315312
11. AD replication - IP site to site encryption? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/315307
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. F-Secure Anti-Virus for Microsoft Exchange
by F-Secure Corporation
Platforms: Windows 2000, Windows NT
Relevant URL:
http://www.f-secure.com/products/anti-virus/ms-exchange/
Summary:
F-Secure Anti-Virus for Microsoft Exchange protects Microsoft Exchange
users from viruses, worms and Trojans, scanning both incoming and outgoing
messages. The product scans not only e-mail attachments, but it also stops
viruses in documents and notes posted to public folders. With F-Secure
Anti-Virus for Microsoft Exchange, antivirus protection is transparent and
always on as the scanning is done on the e-mail server in real-time.
2. QualysGuard Intranet Scanner
by Qualys
Platforms: N/A
Relevant URL:
http://www.qualys.com/?page=services/intranet/overview
Summary:
With QualysGuard Intranet Scanner, Qualys also protects enterprises when
the threat comes from within the internal network. QualysGuard Intranet
Scanner is the first network appliance that provides security audits and
vulnerability management inside the firewall. Combined with QualysGuard,
the Intranet Scanner provides network administrators with an integrated,
centralized service for managing both internal and external network
vulnerabilities.
3. pcAnywhere
by Symantec
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.symantec.com/pcanywhere/Consumer/
Summary:
pcAnywhere is the world's leading remote control software. With powerful
encryption and authentication, it gives you peace of mind that your remote
sessions will be secure. Speed up performance with the new optimization
wizard. You can also use pcAnywhere with cable and DSL modems for faster
remote control sessions. Now it's even faster and easier to navigate
directories on both machines when you're transferring files. Use the
AutoTransfer function to upload or download multiple files automatically.
Whether you need to support servers, customers, or friends, choose
award-winning pcAnywhere, the world's best-selling remote control
solution.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. NetMap network scanner v0.2.1
by Joshua Corbin
Relevant URL:
http://members.jdweb.com/~jcorbin/netmap/
Platforms: Perl (any system supporting perl)
Summary:
NetMap is a network scanner written in Perl/GTK. It is not just another
nmap frontend. It is a modularized network prober/scanner that just
happens to have an nmap module. Incidentally, NetMap has nothing to do
with the network weather mapper.
2. East-Tec File Shredder v1.0
by EAST Technologies
Relevant URL:
http://www.east-tec.com/erprod/etfshred/index.htm
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
East-Tec File Shredder securely destroys (shreds) sensitive and private
files beyond recovery. Simply drag & drop files to the shredder icon on
your desktop, or select the files you want to destroy directly from the
Windows Explorer right-click menu. The files will be gone for good.
3. yavipin-conf v0.0.1
by Hisham Mardam Bey
Relevant URL:
http://hisham.cc/files/apps/yavipin/
Platforms: N/A
Summary:
yavipin-conf is a multiple client/server configuration utility for
yavipin. It provides a parser, example configuration files, and a startup
script which allows the user to start/stop/restart a VPN at any point. In
syntax, the configuration is similar to that of vtun.