SecurityFocus Microsoft Newsletter #136
---------------------------------------
This issue is sponsored by: KaVaDo
The only integrated Web Application Security Suite
==================================================
ScanDo - Web Application Scanner
InterDo - Web Application Firewall
KaVaDo Inc., Web Application Security without Compromise
Read more at: http://www.securityfocus.com/Kavado-ms-secnews
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Starting from Scratch: Formatting and Reinstalling after a...
2. The Nowhere Men
II. MICROSOFT VULNERABILITY SUMMARY
1. Mirabilis ICQ POP3 Client UIDL Command Format String Vulnerability
2. Mirabilis ICQ POP3 Client Date Field Signed Integer Overflow...
3. Mirabilis ICQ Message Session Window Denial Of Service...
4. Mirabilis ICQ GIF Parsing Denial Of Service Vulnerability
5. Mirabilis ICQ POP3 Client Subject Field Signed Integer...
6. Mirabilis ICQ Features On Demand Remote Command Execution...
8. Mod_Survey SYSBASE Disk Resource Consumption Denial of Service...
9. MySQL Weak Password Encryption Vulnerability
10. Microsoft Internet Explorer DHTML AnchorClick Partial Denial...
11. Floosietek FTGate PRO SMTP RCPT TO Buffer Overflow Vulnerability
12. CommuniGate Pro Webmail Session Hijacking Vulnerability
13. Floosietek FTGate PRO SMTP MAIL FROM Buffer Overflow...
14. MDG Web Server 4D HTTP Command Buffer Overflow Vulnerability
15. Sun ONE Directory Server Unprivileged LDAP Operation Denial Of...
16. Leksbot Multiple Unspecified Vulnerabilities
17. Ethereal Multiple Dissector One Byte Buffer Overflow...
18. Ethereal Mount Dissector Integer Overflow Vulnerability
19. Ethereal PPP Dissector Integer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. (prevent + detect Arp spoofing) + Securing Terminal Services...
2. (prevent + detect Arp spoofing) + Securing Terminal Services...
3. Article Announcement: Starting from Scratch: Formatting and...
4. IPSEC through Ms ISA Server (Thread)
5. p2p and ISA (Thread)
6. Timbuktu, etc. (Thread)
7. SuS update's (Thread)
8. Article Announcement: Madonna's Borderline MP3 Tactics (Thread)
9. Article Announcement: Auditing Web Site Authentication, Part...
10. SecurityFocus Microsoft Newsletter #135 (Thread)
11. Microsoft and Bluetooth (Thread)
12. Outlook Security Settings removed (Thread)
13. AD Question (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Enterprise Manager
2. WebProxy 2.1
3. AuditPro Suite
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. SSHVnc v0.0.2 Alpha
2. nProbe v2.0
3. Active@ File Recovery
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Starting from Scratch: Formatting and Reinstalling after a Security
Incident
By Matthew Tanase
This article will examine the process of starting over, and more
specifically, reinstalling after a security incident.
http://www.securityfocus.com/infocus/1692
2. The Nowhere Men
By George Smith
Unemployed virus writers take heart: the recording industry is hiring
cyber miscreants to attack its own customers. And we thought you'd never
amount to anything.
http://www.securityfocus.com/columnists/160
II. BUGTRAQ SUMMARY
-------------------
1. Mirabilis ICQ POP3 Client UIDL Command Format String Vulnerability
BugTraq ID: 7461
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7461
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems. ICQ provides an
integrated POP3 client that is used to communicate via e-mail. The POP3
client is a COM object embedded in the POP3.dll library.
Each message generated by the POP3 client is given a unique identification
number (UIDL), which is determined by the server. This id consists of up
to 70 bytes of data from a limited character set.
A format string vulnerability has been discovered in the ICQ POP3 client
when handling the identification string. It is likely that the problem
presents itself due to a programming error in a function used to handle
UIDL command server response strings.
By impersonating a valid POP3 server, an attacker may send malicious
format string specifiers, embedded in the unique id of an e-mail message
destined for the ICQ POP3 Client. When the message header is processed the
malicious format string specifiers may be interpreted. As a result, it may
be possible for sensitive locations in memory to be corrupted. This may
ultimately result in the execution of attacker-supplied code.
2. Mirabilis ICQ POP3 Client Date Field Signed Integer Overflow Vulnerability
BugTraq ID: 7463
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7463
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems. ICQ provides an
integrated POP3 client that is used to communicate via e-mail. The POP3
client is a COM object embedded in the POP3.dll library.
A vulnerability has been reported for the POP3 client of ICQ that may
result in the execution of arbitrary attacker-supplied commands.
The vulnerability exists due to insufficient boundary checks performed by
the integrated POP3 mail client when verifying the length of certain
e-mail header fields. Specifically, the length of the 'Date' header is
stored within a 16 bit signed integer. As a result, by supplying excessive
data within the 'Date' field it may be possible to wrap the signed
integer, resulting in a negative value.
An attacker can exploit this vulnerability by crafting an e-mail with an
overly long 'Date' field, consisting of at least 32000 bytes of data, and
sending it to a victim user. This will effectively overflow the sign of an
internally stored variable and result in an unexpected miscalculation by
the application.
Successful exploitation of this issue may allow an attacker to overwrite
sensitive memory with malicious values, which will result in the client
throwing an unhandled exception and crashing.
Exploitation of this issue may also result in the execution of
attacker-supplied code.
This vulnerability was reported for Mirabilis ICQ 2003a and earlier.
3. Mirabilis ICQ Message Session Window Denial Of Service Vulnerability
BugTraq ID: 7465
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7465
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems.
Each ICQ message window (message session) contains an advertisement that
the client requests from an ADS server. This advertisement is obtained by
making a specially crafted HTTP request to the ADS server for a randomized
HTML file. Aside from the randomized file name, the request is made to a
static location.
No authentication is performed between the ICQ client and the ADS server
during this transaction.
A denial of service vulnerability has been discovered in HTML rendering
library used by Mirabilis ICQ to process advertisement code. The problem
occurs due to the library failing to handle specific malformed HTML table
tag attributes. Specifically, a table tag containing a 'width' attribute
with a value of '-1' will trigger a denial of service. The affected client
program will freeze the systems CPU utilization will rise to 100%.
An attacker may be capable of exploiting this vulnerability due to the
lack of authentication while obtaining the advertisement. By impersonating
the ADS server it may be possible for ICQ client requests to be made to an
attacker-controlled server. This may result in malicious HTML
advertisements being rendered within a message session.
4. Mirabilis ICQ GIF Parsing Denial Of Service Vulnerability
BugTraq ID: 7466
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7466
Summary:
ICQ is an instant messenger client for a number of platforms including
Microsoft Windows systems.
ICQ is prone to a denial of service condition when parsing GIF89a headers.
This condition exists in 'icqateimg32.dll', which is the native ICQ GIF
parsing/rendering library.
This issue is due to a flaw in how 'icqateimg32.dll' decodes GIF files.
The library expects either an existing GCT (Global Color Table) or an LCT
(Local Color Table) in the header when attempting to decode a GIF file.
If none of these tables exist in the header, the library will fail when
attempting to render the GIF file. This will cause ICQ to crash, leading
to a denial of service.
An attacker will be able to exploit this issue by passing a GIF with a
specially crafted header for processing by the GIF parsing/rendering
library.
5. Mirabilis ICQ POP3 Client Subject Field Signed Integer Overflow Vulnerability
BugTraq ID: 7462
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7462
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems. ICQ provides an
integrated POP3 client that is used to communicate via e-mail. The POP3
client is a COM object embedded in the POP3.dll library.
A vulnerability has been reported for the POP3 client of ICQ that may
result in the execution of arbitrary attacker-supplied commands.
The vulnerability exists due to insufficient boundary checks performed by
the integrated POP3 mail client when verifying the length of certain
e-mail header fields. Specifically, the length of the 'Subject' header is
stored within a 16 bit signed integer. As a result, by supplying excessive
data within the 'Subject' field it may be possible to wrap the signed
integer, resulting in a negative value.
An attacker can exploit this vulnerability by crafting an e-mail with an
overly long Subject field, consisting of at least 33000 characters, and
sending it to a victim user. This will effectively result in an unexpected
miscalculation by the application.
Successful exploitation of this issue may allow an attacker to overwrite
sensitive memory with malicious values which will result in the client
throwing an unhandled exception and crashing.
Exploitation of this issue may also result in the execution of
attacker-supplied code.
This vulnerability was reported for Mirabilis ICQ 2003a and earlier.
6. Mirabilis ICQ Features On Demand Remote Command Execution Vulnerability
BugTraq ID: 7464
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7464
Summary:
ICQ is an instant messenger client for a number of platforms including
Microsoft Windows.
The ICQ Features on Demand allows users to download and install ICQ add-on
client software such as ICQ Phone and ICQ Web Search.
Features on Demand uses a hardcoded URL from which it retrieves add-on
installation packages. The DataURL value is found in the 'Packages.ini'
file under the heading '[General]'.
When Features on Demand is invoked, it connects to this URL in order to
download the appropriate packages, but it does not verify the authenticity
of the package in any way. This could allow a malicious user to
impersonate the package repository service through some other attack, such
as DNS poisoning. Any malicious package supplied to ICQ will be executed
with the permissions of the user running ICQ.
Features on Demand was introduced in ICQ 2002a and is available in
subsequent versions.
7. Microsoft MN-500 Plaintext Password Disclosure Weakness
BugTraq ID: 7496
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7496
Summary:
The MN-500 Wireless Base Station provides a wireless networking solution
to home and business networks.
A weakness has been reported for the MN-500 device that may result in the
disclosure of administrative credentials to remote attackers. Reportedly,
the issue exists due to backup configuration files storing administrative
passwords in a plaintext format.
An attacker who is able to obtain the backup configuration file is able to
obtain the administrative password.
8. Mod_Survey SYSBASE Disk Resource Consumption Denial of Service Vulnerability
BugTraq ID: 7498
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7498
Summary:
Mod_Survey is an Apache module designed to process and display XML-based
questionnaires and surveys. It is available for the Linux, Unix, and
Microsoft Windows operating systems.
The SYSBASE variable is used by Mod_Survey when accessing requests survey
files. The value of SYSBASE is initialized to the location of the survey
file and is used to create a subdirectory for the storage of various
survey related files including cache files and questionnaire response
data. The subdirectory is placed within the central data repository,
typically /usr/local/mod_survey/data.
A vulnerability has been discovered in Mod_Survey when handling requests
for nonexistent surveys. Before verifying the existence of a requested
survey file the SYSBASE variable is initialized, triggering the creation
of an unneeded directory. The validity of the requested survey file is
subsequently verified.
Exploitation of this vulnerability may allow an attacker to carry out a
denial of service attack, designed to consume available hard disk space or
inodes. The consumption of resources may cause a target server to crash.
This vulnerability affects Mod_Survey versions prior to 3.0.15.
9. MySQL Weak Password Encryption Vulnerability
BugTraq ID: 7500
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7500
Summary:
MySQL is an open source relational database project. It is available for
the Microsoft Windows, Linux, and Unix operating systems.
MySQL has been reported prone to a weak password encryption algorithm. It
has been reported that the MySQL function used to encrypt MySQL passwords
makes just one pass over the password and employs a weak left shift based
cipher. The output of this function results in a password hash of low
entropy. Due to the base complexity of the algorithm used to create the
MySQL password hash, the hash may be cracked in little time using a
bruteforce method to create an identical hash and thereby guess the clear
text password.
An attacker may use information recovered in this way to aid in further
attacks launched against the underlying system.
10. Microsoft Internet Explorer DHTML AnchorClick Partial Denial Of Service Vulnerability
BugTraq ID: 7502
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7502
Summary:
Microsoft Internet Explorer has been reported prone to a denial of service
condition when handling certain DHTML objects.
It has been reported that, while using the DHTML 'A' 'AnchorClick' object,
an attacker may specify a folder instead of a HREF style URL link. While
the latter is within normal specifications of the DHTML language, if the
attacker leaves this field blank and supplies the link to an unsuspecting
user, upon following the malicious link, Internet Explorer will fail. This
issue is believed to be as a result of an illegal exception thrown while
attempting to access a null pointer.
This issue will only affect the active Internet Explorer window, inactive
Internet Explorer windows are not affected.
It should be noted that, although this vulnerability has been reported to
affect Internet Explorer version 6.0 SP1, previous versions might also be
affected.
11. Floosietek FTGate PRO SMTP RCPT TO Buffer Overflow Vulnerability
BugTraq ID: 7508
Remote: Yes
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7508
Summary:
Floosietek FTGate PRO is a mail server for the Microsoft Windows operating
system.
A buffer overflow vulnerability has been reported for FTGate PRO mail
server. The vulnerability exists when the mail server attempts to process
overly long SMTP 'Rcpt To' arguments. Specifically, when the mail server
processes a malicious 'Rcpt To' e-mail address consisting of more than
2017 characters, the mail server will crash. This is reportedly due to the
exception handler being corrupted. Although unconfirmed, due to the nature
of this vulnerability the condition may be exploited to execute
attacker-supplied arbitrary code with the privileges of the SYSTEM user.
This vulnerability was reported for FTGate PRO 1.22 Hotfix(1328). It is
likely that previous versions are also affected.
12. CommuniGate Pro Webmail Session Hijacking Vulnerability
BugTraq ID: 7501
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7501
Summary:
CommuniGate Pro is an internet messaging server. CommuniGate Pro includes
a webmail service to allow access to mailboxes via HTTP. It is available
for a number of platforms including Unix and Linux variants and Microsoft
Windows operating systems.
CommuniGate Pro Webmail has been reported prone to a session hijacking
vulnerability. The vulnerability presents itself when the victim views an
image or similar resource embedded in a HTML web-mail. Specifically the
current session ID used in CommuniGate Pro Webmail is sent, as the
'referrer' field, in the HTTP header of a request made for an image
embedded in a malicious e-mail.
The attacker may intercept the HTTP header and extract the URL data
contained in the 'referrer' field. The attacker may then follow the URL to
hijack the current user session.
13. Floosietek FTGate PRO SMTP MAIL FROM Buffer Overflow Vulnerability
BugTraq ID: 7506
Remote: Yes
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7506
Summary:
Floosietek FTGate PRO is a mail server for the Microsoft Windows operating
system.
A buffer overflow vulnerability has been reported for FTGate PRO mail
server. The vulnerability exists when the mail server attempts to process
overly long SMTP 'Mail From' arguments. Specifically, when the mail server
processes a malicious 'Mail From' e-mail address consisting of more than
2017 characters, the mail server will crash. This is reportedly due to the
exception handler being corrupted. Although unconfirmed, due to the nature
of this vulnerability the condition may be exploited to execute
attacker-supplied arbitrary code with the privileges of the SYSTEM user.
This vulnerability was reported for FTGate PRO 1.22 Hotfix(1328). It is
likely that previous versions are also affected.
14. MDG Web Server 4D HTTP Command Buffer Overflow Vulnerability
BugTraq ID: 7479
Remote: Yes
Date Published: May 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7479
Summary:
MDG Web Server 4D is a HTTP Server implemented on top of the 4th Dimension
relational database. It runs on Microsoft Windows and Apple MacOS
operating systems.
A buffer overflow vulnerability has been reported for MDG Web Server. The
vulnerability exists when the web server attempts to process overly long
HTTP requests. Specifically, when the web server processes a malformed
HTTP request consisting of "<" or ">" characters, the web server will
crash. This will result in a denial of service condition.
Although unconfirmed, this vulnerability may be exploited to execute
attacker-supplied code with the privileges of the vulnerable web server.
The affected service must be restarted to restore normal functionality.
This vulnerability was reported for MDG Web Server 4D 3.60. It is likely
that other versions are also affected.
15. Sun ONE Directory Server Unprivileged LDAP Operation Denial Of Service Vulnerabliity
BugTraq ID: 7478
Remote: Yes
Date Published: May 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7478
Summary:
Sun ONE Directory Server is a LDAP directory server available for a
variety of platforms including Sun Solaris, AIX, Microsoft Windows and
Linux and Unix variant systems.
A denial of service vulnerability has been reported for Sun ONE Directory
Server. The vulnerability has been reported to occur when certain LDAP
operations are made.
This vulnerability can be exploited by remote attackers to cause the
ns-slapd service to crash.
Precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information becomes available.
16. Leksbot Multiple Unspecified Vulnerabilities
BugTraq ID: 7505
Remote: No
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7505
Summary:
Leksbot is a freely available dictionary of botanical terms. It is
available for a variety of platforms including Microsoft Windows and Linux
systems.
Multiple vulnerabilities have been reported for Leksbot. The precise
nature of these vulnerabilities are currently unknown however,
exploitation of this issue may result in an attacker obtaining elevated
privileges.
Reportedly, in some installations of Leksbot, the /usr/bin/KATAXWR is
unnecessarily configured to be a setuid root binary. Systems configured in
this manner may be prone to a security risk, as an attacker may be capable
of gaining root privileges.
These vulnerabilities have been confirmed to affect Debian installations
of Leksbot. Although unconfirmed, Leksbot installations on other systems
may also be prone to this issue.
This BID will be updated as further information is available.
17. Ethereal Multiple Dissector One Byte Buffer Overflow Vulnerabilities
BugTraq ID: 7493
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7493
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
Several dissectors included with Ethereal are vulnerable to buffer
overflow conditions. Specifically, the dissectors were using the
tvb_get_nstringz() and tvb_get_nstringz0() functions in an unsafe manner.
Exploitation of this issue will allow an attacker to overflow memory
buffers by one byte. The AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2,
Quake3, Rsync, SMB, SMPP, and TSP dissectors are vulnerable to this issue.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissectors or by convincing a victim user to use Ethereal to read a
malformed packet trace file.
Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.
This vulnerability affects Ethereal 0.9.11 and earlier.
18. Ethereal Mount Dissector Integer Overflow Vulnerability
BugTraq ID: 7494
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7494
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The Mount dissector of Ethereal is prone to an integer overflow
vulnerability.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the Mount
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be corrupted. If
successful, this may cause Ethereal to behave in an unpredictable manner.
This vulnerability affects Ethereal 0.9.11 and earlier.
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The PPP dissector of Ethereal is prone to an integer overflow
vulnerability.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the PPP dissector
or by convincing a victim user to use Ethereal to read a malformed packet
trace file.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be corrupted. If
successful, this may cause Ethereal to behave in an unpredictable manner.
This vulnerability affects Ethereal 0.9.11 and earlier.
20. FlashFXP User Password Encryption Weakness
BugTraq ID: 7499
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7499
Summary:
FlashFXP is a FTP implementation that allows client-server file transfers
in addition to site-to-site file transfers. It is available for Microsoft
Windows.
FlashFXP uses a trivially reversible algorithm to encode FTP user
credentials. FTP user passwords are encrypted using XOR with a weak key.
Local attackers with access to the sites.data may exploit this weakness to
gain unauthorized access to FTP user credentials for remote sites.
If credentials are used for multiple services or sites, it may permit
attackers to gain unauthorized access to those services as well.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. (prevent + detect Arp spoofing) + Securing Terminal Services (Thread)
Relevant URL:
9. Article Announcement: Auditing Web Site Authentication, Part Two (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320541
10. SecurityFocus Microsoft Newsletter #135 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320491
11. Microsoft and Bluetooth (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320483
12. Outlook Security Settings removed (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320481
13. AD Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320327
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Enterprise Manager
by TNT Software
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.tntsoftware.com/products/ELM3/EEM31/
Summary:
ELM Enterprise Manager gives IT administrators and managers the power to
see the health and status of distributed systems with a single glance by
combining the following core functions into a feature-packed, reliable,
and scalable application: - Real-Time and Scheduled Monitoring -
Rules-Based Management System - Rich Notification and Corrective Action -
Data collection, Archiving and Reporting
2. WebProxy 2.1
by @stake
Platforms: Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.ngsec.com/ngproducts/ngsw/
Summary:
WebProxy is a powerful interactive security tool that helps software
developers, quality engineers, and security professionals test and enhance
the security of Web applications. Release 2.1 of WebProxy replaces all
earlier releases, and is available for sale to enterprise customers and
independent security consultants. Sitting between the developer's browser
and the Web application, WebProxy acts as a 'proxy' to let the developer
observe precisely how the Web application responds to staged attacks, such
as those that use buffer overflows, SQL injection, cookie manipulation,
cross-site scripting or parameter manipulation. By identifying security
vulnerabilities while the software is still in development, companies can
more cost-effectively improve the overall security of any Web application.
3. AuditPro Suite
by Network Intelligence India Pvt. Ltd.
Platforms: AIX, Linux, Solaris, SunOS, Windows 2000, Windows NT, Windows
XP
Relevant URL:
http://www.atstake.com/webproxy/
Summary:
AuditPro for Windows is our most advanced and fastest-selling auditing
product. A product that came about from our own requirement as auditors to
automate the process, it now carries out more than 85 Windows specific
checks. Its greatest selling feature is not just its comprehensiveness
(although, we are yet to find another equivalent product), but its
detailed and comprehensive reporting capability. It also comes with the
Audit Central Console (ACC), a centralized controlling software that
allows you to control the audits of any Windows Server in your
organization with the click of a button. Once the Auditing Engine is
installed locally, you can schedule the Auditing and Control it from the
ACC. Continuing in the tradition of tools such as COPS and SARA, we
introduce AuditPro for Unix. AuditPro differs from Vulnerability Scanners
such as Nessus, in that it does not scan for possible vulnerabilities but
mainly for mis-configurations or signs of a system compromise. AuditPro
for Oracle audits the Oracle Database Security. It checks for system
mis-configurations, insecure parameters, open privileges, roles, users,
profiles, etc. It also checks for insecure permissions on system critical
tables, and user-defined tables. Additionally, AuditPro for Oracle
provides unique features such as the Baseline, which will snapshot your
database for comparisons with future audits in order to determine
suspicious or unauthorized changes. Microsoft's SQL Server has had some
very critical security flaws being discovered and exploited in the past
couple of years. Most of these vulnerabilities could have been protected
against, had the servers been patched and security measures followed.
AuditPro for SQL is designed to help you detect any unpatched servers,
weak passwords, and all possible insecure configurations. APSQL
automatically discovers all the SQL servers in your network and works with
Named Instances as well. Future additions to the AuditPro suite: AuditPro
for Sybase
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. SSHVnc v0.0.2 Alpha
by Lee David Painter
Relevant URL:
http://www.sshtools.com
Platforms: Os Independent
Summary:
SSHVnc is a standalone Java VNC viewer that secures VNC a ccess by
integrating the popular TightVNC viewer with the SSH Tools Java SSH API.
It features a clean and easy to use interf ace.
2. nProbe v2.0
by Luca Deri
Relevant URL:
http://www.ntop.org/nProbe.html
Platforms: MacOS, POSIX, Windows 2000, Windows 3.x, Windows 95/98, Windows
CE, Windows NT, Windows XP
Summary:
nProbe is a Netflow V5 probe characterized by portability to Unix and
Windows environments, a small memory footprint (less than 2MB of memory
regardless of the size of the network), and low CPU usage. It is designed
for running in environments with limited resources.
3. Active@ File Recovery v2.0
by Active@ Data Recovery Services
Relevant URL:
http://www.file-recovery.net/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Active@ File Recovery is a powerful software utility, designed to restore
accidentally deleted files and directories. It allows you to recover files
that have been deleted from the Recycle Bin, as well as those deleted
after avoiding the Recycle Bin (e.g. Shift-Delete).
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: KaVaDo
The only integrated Web Application Security Suite
==================================================
ScanDo - Web Application Scanner
InterDo - Web Application Firewall
KaVaDo Inc., Web Application Security without Compromise
Read more at: http://www.securityfocus.com/Kavado-ms-secnews
------------------------------------------------------------------------
-------
SecurityFocus Microsoft Newsletter #136
---------------------------------------
This issue is sponsored by: KaVaDo
The only integrated Web Application Security Suite
==================================================
ScanDo - Web Application Scanner
InterDo - Web Application Firewall
KaVaDo Inc., Web Application Security without Compromise
Read more at: http://www.securityfocus.com/Kavado-ms-secnews
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Starting from Scratch: Formatting and Reinstalling after a...
2. The Nowhere Men
II. MICROSOFT VULNERABILITY SUMMARY
1. Mirabilis ICQ POP3 Client UIDL Command Format String Vulnerability
2. Mirabilis ICQ POP3 Client Date Field Signed Integer Overflow...
3. Mirabilis ICQ Message Session Window Denial Of Service...
4. Mirabilis ICQ GIF Parsing Denial Of Service Vulnerability
5. Mirabilis ICQ POP3 Client Subject Field Signed Integer...
6. Mirabilis ICQ Features On Demand Remote Command Execution...
8. Mod_Survey SYSBASE Disk Resource Consumption Denial of Service...
9. MySQL Weak Password Encryption Vulnerability
10. Microsoft Internet Explorer DHTML AnchorClick Partial Denial...
11. Floosietek FTGate PRO SMTP RCPT TO Buffer Overflow Vulnerability
12. CommuniGate Pro Webmail Session Hijacking Vulnerability
13. Floosietek FTGate PRO SMTP MAIL FROM Buffer Overflow...
14. MDG Web Server 4D HTTP Command Buffer Overflow Vulnerability
15. Sun ONE Directory Server Unprivileged LDAP Operation Denial Of...
16. Leksbot Multiple Unspecified Vulnerabilities
17. Ethereal Multiple Dissector One Byte Buffer Overflow...
18. Ethereal Mount Dissector Integer Overflow Vulnerability
19. Ethereal PPP Dissector Integer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. (prevent + detect Arp spoofing) + Securing Terminal Services...
2. (prevent + detect Arp spoofing) + Securing Terminal Services...
3. Article Announcement: Starting from Scratch: Formatting and...
4. IPSEC through Ms ISA Server (Thread)
5. p2p and ISA (Thread)
6. Timbuktu, etc. (Thread)
7. SuS update's (Thread)
8. Article Announcement: Madonna's Borderline MP3 Tactics (Thread)
9. Article Announcement: Auditing Web Site Authentication, Part...
10. SecurityFocus Microsoft Newsletter #135 (Thread)
11. Microsoft and Bluetooth (Thread)
12. Outlook Security Settings removed (Thread)
13. AD Question (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Enterprise Manager
2. WebProxy 2.1
3. AuditPro Suite
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. SSHVnc v0.0.2 Alpha
2. nProbe v2.0
3. Active@ File Recovery
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Starting from Scratch: Formatting and Reinstalling after a Security
Incident
By Matthew Tanase
This article will examine the process of starting over, and more
specifically, reinstalling after a security incident.
http://www.securityfocus.com/infocus/1692
2. The Nowhere Men
By George Smith
Unemployed virus writers take heart: the recording industry is hiring
cyber miscreants to attack its own customers. And we thought you'd never
amount to anything.
http://www.securityfocus.com/columnists/160
II. BUGTRAQ SUMMARY
-------------------
1. Mirabilis ICQ POP3 Client UIDL Command Format String Vulnerability
BugTraq ID: 7461
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7461
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems. ICQ provides an
integrated POP3 client that is used to communicate via e-mail. The POP3
client is a COM object embedded in the POP3.dll library.
Each message generated by the POP3 client is given a unique identification
number (UIDL), which is determined by the server. This id consists of up
to 70 bytes of data from a limited character set.
A format string vulnerability has been discovered in the ICQ POP3 client
when handling the identification string. It is likely that the problem
presents itself due to a programming error in a function used to handle
UIDL command server response strings.
By impersonating a valid POP3 server, an attacker may send malicious
format string specifiers, embedded in the unique id of an e-mail message
destined for the ICQ POP3 Client. When the message header is processed the
malicious format string specifiers may be interpreted. As a result, it may
be possible for sensitive locations in memory to be corrupted. This may
ultimately result in the execution of attacker-supplied code.
2. Mirabilis ICQ POP3 Client Date Field Signed Integer Overflow Vulnerability
BugTraq ID: 7463
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7463
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems. ICQ provides an
integrated POP3 client that is used to communicate via e-mail. The POP3
client is a COM object embedded in the POP3.dll library.
A vulnerability has been reported for the POP3 client of ICQ that may
result in the execution of arbitrary attacker-supplied commands.
The vulnerability exists due to insufficient boundary checks performed by
the integrated POP3 mail client when verifying the length of certain
e-mail header fields. Specifically, the length of the 'Date' header is
stored within a 16 bit signed integer. As a result, by supplying excessive
data within the 'Date' field it may be possible to wrap the signed
integer, resulting in a negative value.
An attacker can exploit this vulnerability by crafting an e-mail with an
overly long 'Date' field, consisting of at least 32000 bytes of data, and
sending it to a victim user. This will effectively overflow the sign of an
internally stored variable and result in an unexpected miscalculation by
the application.
Successful exploitation of this issue may allow an attacker to overwrite
sensitive memory with malicious values, which will result in the client
throwing an unhandled exception and crashing.
Exploitation of this issue may also result in the execution of
attacker-supplied code.
This vulnerability was reported for Mirabilis ICQ 2003a and earlier.
3. Mirabilis ICQ Message Session Window Denial Of Service Vulnerability
BugTraq ID: 7465
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7465
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems.
Each ICQ message window (message session) contains an advertisement that
the client requests from an ADS server. This advertisement is obtained by
making a specially crafted HTTP request to the ADS server for a randomized
HTML file. Aside from the randomized file name, the request is made to a
static location.
No authentication is performed between the ICQ client and the ADS server
during this transaction.
A denial of service vulnerability has been discovered in HTML rendering
library used by Mirabilis ICQ to process advertisement code. The problem
occurs due to the library failing to handle specific malformed HTML table
tag attributes. Specifically, a table tag containing a 'width' attribute
with a value of '-1' will trigger a denial of service. The affected client
program will freeze the systems CPU utilization will rise to 100%.
An attacker may be capable of exploiting this vulnerability due to the
lack of authentication while obtaining the advertisement. By impersonating
the ADS server it may be possible for ICQ client requests to be made to an
attacker-controlled server. This may result in malicious HTML
advertisements being rendered within a message session.
4. Mirabilis ICQ GIF Parsing Denial Of Service Vulnerability
BugTraq ID: 7466
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7466
Summary:
ICQ is an instant messenger client for a number of platforms including
Microsoft Windows systems.
ICQ is prone to a denial of service condition when parsing GIF89a headers.
This condition exists in 'icqateimg32.dll', which is the native ICQ GIF
parsing/rendering library.
This issue is due to a flaw in how 'icqateimg32.dll' decodes GIF files.
The library expects either an existing GCT (Global Color Table) or an LCT
(Local Color Table) in the header when attempting to decode a GIF file.
If none of these tables exist in the header, the library will fail when
attempting to render the GIF file. This will cause ICQ to crash, leading
to a denial of service.
An attacker will be able to exploit this issue by passing a GIF with a
specially crafted header for processing by the GIF parsing/rendering
library.
5. Mirabilis ICQ POP3 Client Subject Field Signed Integer Overflow Vulnerability
BugTraq ID: 7462
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7462
Summary:
Mirabilis ICQ is an instant messenger client for a number of platforms
including Microsoft Windows, MacOS and Palm systems. ICQ provides an
integrated POP3 client that is used to communicate via e-mail. The POP3
client is a COM object embedded in the POP3.dll library.
A vulnerability has been reported for the POP3 client of ICQ that may
result in the execution of arbitrary attacker-supplied commands.
The vulnerability exists due to insufficient boundary checks performed by
the integrated POP3 mail client when verifying the length of certain
e-mail header fields. Specifically, the length of the 'Subject' header is
stored within a 16 bit signed integer. As a result, by supplying excessive
data within the 'Subject' field it may be possible to wrap the signed
integer, resulting in a negative value.
An attacker can exploit this vulnerability by crafting an e-mail with an
overly long Subject field, consisting of at least 33000 characters, and
sending it to a victim user. This will effectively result in an unexpected
miscalculation by the application.
Successful exploitation of this issue may allow an attacker to overwrite
sensitive memory with malicious values which will result in the client
throwing an unhandled exception and crashing.
Exploitation of this issue may also result in the execution of
attacker-supplied code.
This vulnerability was reported for Mirabilis ICQ 2003a and earlier.
6. Mirabilis ICQ Features On Demand Remote Command Execution Vulnerability
BugTraq ID: 7464
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7464
Summary:
ICQ is an instant messenger client for a number of platforms including
Microsoft Windows.
The ICQ Features on Demand allows users to download and install ICQ add-on
client software such as ICQ Phone and ICQ Web Search.
Features on Demand uses a hardcoded URL from which it retrieves add-on
installation packages. The DataURL value is found in the 'Packages.ini'
file under the heading '[General]'.
When Features on Demand is invoked, it connects to this URL in order to
download the appropriate packages, but it does not verify the authenticity
of the package in any way. This could allow a malicious user to
impersonate the package repository service through some other attack, such
as DNS poisoning. Any malicious package supplied to ICQ will be executed
with the permissions of the user running ICQ.
Features on Demand was introduced in ICQ 2002a and is available in
subsequent versions.
7. Microsoft MN-500 Plaintext Password Disclosure Weakness
BugTraq ID: 7496
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7496
Summary:
The MN-500 Wireless Base Station provides a wireless networking solution
to home and business networks.
A weakness has been reported for the MN-500 device that may result in the
disclosure of administrative credentials to remote attackers. Reportedly,
the issue exists due to backup configuration files storing administrative
passwords in a plaintext format.
An attacker who is able to obtain the backup configuration file is able to
obtain the administrative password.
8. Mod_Survey SYSBASE Disk Resource Consumption Denial of Service Vulnerability
BugTraq ID: 7498
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7498
Summary:
Mod_Survey is an Apache module designed to process and display XML-based
questionnaires and surveys. It is available for the Linux, Unix, and
Microsoft Windows operating systems.
The SYSBASE variable is used by Mod_Survey when accessing requests survey
files. The value of SYSBASE is initialized to the location of the survey
file and is used to create a subdirectory for the storage of various
survey related files including cache files and questionnaire response
data. The subdirectory is placed within the central data repository,
typically /usr/local/mod_survey/data.
A vulnerability has been discovered in Mod_Survey when handling requests
for nonexistent surveys. Before verifying the existence of a requested
survey file the SYSBASE variable is initialized, triggering the creation
of an unneeded directory. The validity of the requested survey file is
subsequently verified.
Exploitation of this vulnerability may allow an attacker to carry out a
denial of service attack, designed to consume available hard disk space or
inodes. The consumption of resources may cause a target server to crash.
This vulnerability affects Mod_Survey versions prior to 3.0.15.
9. MySQL Weak Password Encryption Vulnerability
BugTraq ID: 7500
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7500
Summary:
MySQL is an open source relational database project. It is available for
the Microsoft Windows, Linux, and Unix operating systems.
MySQL has been reported prone to a weak password encryption algorithm. It
has been reported that the MySQL function used to encrypt MySQL passwords
makes just one pass over the password and employs a weak left shift based
cipher. The output of this function results in a password hash of low
entropy. Due to the base complexity of the algorithm used to create the
MySQL password hash, the hash may be cracked in little time using a
bruteforce method to create an identical hash and thereby guess the clear
text password.
An attacker may use information recovered in this way to aid in further
attacks launched against the underlying system.
10. Microsoft Internet Explorer DHTML AnchorClick Partial Denial Of Service Vulnerability
BugTraq ID: 7502
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7502
Summary:
Microsoft Internet Explorer has been reported prone to a denial of service
condition when handling certain DHTML objects.
It has been reported that, while using the DHTML 'A' 'AnchorClick' object,
an attacker may specify a folder instead of a HREF style URL link. While
the latter is within normal specifications of the DHTML language, if the
attacker leaves this field blank and supplies the link to an unsuspecting
user, upon following the malicious link, Internet Explorer will fail. This
issue is believed to be as a result of an illegal exception thrown while
attempting to access a null pointer.
This issue will only affect the active Internet Explorer window, inactive
Internet Explorer windows are not affected.
It should be noted that, although this vulnerability has been reported to
affect Internet Explorer version 6.0 SP1, previous versions might also be
affected.
11. Floosietek FTGate PRO SMTP RCPT TO Buffer Overflow Vulnerability
BugTraq ID: 7508
Remote: Yes
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7508
Summary:
Floosietek FTGate PRO is a mail server for the Microsoft Windows operating
system.
A buffer overflow vulnerability has been reported for FTGate PRO mail
server. The vulnerability exists when the mail server attempts to process
overly long SMTP 'Rcpt To' arguments. Specifically, when the mail server
processes a malicious 'Rcpt To' e-mail address consisting of more than
2017 characters, the mail server will crash. This is reportedly due to the
exception handler being corrupted. Although unconfirmed, due to the nature
of this vulnerability the condition may be exploited to execute
attacker-supplied arbitrary code with the privileges of the SYSTEM user.
This vulnerability was reported for FTGate PRO 1.22 Hotfix(1328). It is
likely that previous versions are also affected.
12. CommuniGate Pro Webmail Session Hijacking Vulnerability
BugTraq ID: 7501
Remote: Yes
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7501
Summary:
CommuniGate Pro is an internet messaging server. CommuniGate Pro includes
a webmail service to allow access to mailboxes via HTTP. It is available
for a number of platforms including Unix and Linux variants and Microsoft
Windows operating systems.
CommuniGate Pro Webmail has been reported prone to a session hijacking
vulnerability. The vulnerability presents itself when the victim views an
image or similar resource embedded in a HTML web-mail. Specifically the
current session ID used in CommuniGate Pro Webmail is sent, as the
'referrer' field, in the HTTP header of a request made for an image
embedded in a malicious e-mail.
The attacker may intercept the HTTP header and extract the URL data
contained in the 'referrer' field. The attacker may then follow the URL to
hijack the current user session.
13. Floosietek FTGate PRO SMTP MAIL FROM Buffer Overflow Vulnerability
BugTraq ID: 7506
Remote: Yes
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7506
Summary:
Floosietek FTGate PRO is a mail server for the Microsoft Windows operating
system.
A buffer overflow vulnerability has been reported for FTGate PRO mail
server. The vulnerability exists when the mail server attempts to process
overly long SMTP 'Mail From' arguments. Specifically, when the mail server
processes a malicious 'Mail From' e-mail address consisting of more than
2017 characters, the mail server will crash. This is reportedly due to the
exception handler being corrupted. Although unconfirmed, due to the nature
of this vulnerability the condition may be exploited to execute
attacker-supplied arbitrary code with the privileges of the SYSTEM user.
This vulnerability was reported for FTGate PRO 1.22 Hotfix(1328). It is
likely that previous versions are also affected.
14. MDG Web Server 4D HTTP Command Buffer Overflow Vulnerability
BugTraq ID: 7479
Remote: Yes
Date Published: May 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7479
Summary:
MDG Web Server 4D is a HTTP Server implemented on top of the 4th Dimension
relational database. It runs on Microsoft Windows and Apple MacOS
operating systems.
A buffer overflow vulnerability has been reported for MDG Web Server. The
vulnerability exists when the web server attempts to process overly long
HTTP requests. Specifically, when the web server processes a malformed
HTTP request consisting of "<" or ">" characters, the web server will
crash. This will result in a denial of service condition.
Although unconfirmed, this vulnerability may be exploited to execute
attacker-supplied code with the privileges of the vulnerable web server.
The affected service must be restarted to restore normal functionality.
This vulnerability was reported for MDG Web Server 4D 3.60. It is likely
that other versions are also affected.
15. Sun ONE Directory Server Unprivileged LDAP Operation Denial Of Service Vulnerabliity
BugTraq ID: 7478
Remote: Yes
Date Published: May 01 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7478
Summary:
Sun ONE Directory Server is a LDAP directory server available for a
variety of platforms including Sun Solaris, AIX, Microsoft Windows and
Linux and Unix variant systems.
A denial of service vulnerability has been reported for Sun ONE Directory
Server. The vulnerability has been reported to occur when certain LDAP
operations are made.
This vulnerability can be exploited by remote attackers to cause the
ns-slapd service to crash.
Precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information becomes available.
16. Leksbot Multiple Unspecified Vulnerabilities
BugTraq ID: 7505
Remote: No
Date Published: May 06 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7505
Summary:
Leksbot is a freely available dictionary of botanical terms. It is
available for a variety of platforms including Microsoft Windows and Linux
systems.
Multiple vulnerabilities have been reported for Leksbot. The precise
nature of these vulnerabilities are currently unknown however,
exploitation of this issue may result in an attacker obtaining elevated
privileges.
Reportedly, in some installations of Leksbot, the /usr/bin/KATAXWR is
unnecessarily configured to be a setuid root binary. Systems configured in
this manner may be prone to a security risk, as an attacker may be capable
of gaining root privileges.
These vulnerabilities have been confirmed to affect Debian installations
of Leksbot. Although unconfirmed, Leksbot installations on other systems
may also be prone to this issue.
This BID will be updated as further information is available.
17. Ethereal Multiple Dissector One Byte Buffer Overflow Vulnerabilities
BugTraq ID: 7493
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7493
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
Several dissectors included with Ethereal are vulnerable to buffer
overflow conditions. Specifically, the dissectors were using the
tvb_get_nstringz() and tvb_get_nstringz0() functions in an unsafe manner.
Exploitation of this issue will allow an attacker to overflow memory
buffers by one byte. The AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2,
Quake3, Rsync, SMB, SMPP, and TSP dissectors are vulnerable to this issue.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissectors or by convincing a victim user to use Ethereal to read a
malformed packet trace file.
Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.
This vulnerability affects Ethereal 0.9.11 and earlier.
18. Ethereal Mount Dissector Integer Overflow Vulnerability
BugTraq ID: 7494
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7494
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The Mount dissector of Ethereal is prone to an integer overflow
vulnerability.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the Mount
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be corrupted. If
successful, this may cause Ethereal to behave in an unpredictable manner.
This vulnerability affects Ethereal 0.9.11 and earlier.
19. Ethereal PPP Dissector Integer Overflow Vulnerability
BugTraq ID: 7495
Remote: Yes
Date Published: May 03 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7495
Summary:
Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.
The PPP dissector of Ethereal is prone to an integer overflow
vulnerability.
The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.
An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the PPP dissector
or by convincing a victim user to use Ethereal to read a malformed packet
trace file.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be corrupted. If
successful, this may cause Ethereal to behave in an unpredictable manner.
This vulnerability affects Ethereal 0.9.11 and earlier.
20. FlashFXP User Password Encryption Weakness
BugTraq ID: 7499
Remote: No
Date Published: May 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7499
Summary:
FlashFXP is a FTP implementation that allows client-server file transfers
in addition to site-to-site file transfers. It is available for Microsoft
Windows.
FlashFXP uses a trivially reversible algorithm to encode FTP user
credentials. FTP user passwords are encrypted using XOR with a weak key.
Local attackers with access to the sites.data may exploit this weakness to
gain unauthorized access to FTP user credentials for remote sites.
If credentials are used for multiple services or sites, it may permit
attackers to gain unauthorized access to those services as well.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. (prevent + detect Arp spoofing) + Securing Terminal Services (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320932
2. (prevent + detect Arp spoofing) + Securing Terminal Services (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320915
3. Article Announcement: Starting from Scratch: Formatting and Reinstalling after a Security Incident (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320904
4. IPSEC through Ms ISA Server (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320903
5. p2p and ISA (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320902
6. Timbuktu, etc. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320901
7. SuS update's (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320810
8. Article Announcement: Madonna's Borderline MP3 Tactics (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320540
9. Article Announcement: Auditing Web Site Authentication, Part Two (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320541
10. SecurityFocus Microsoft Newsletter #135 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320491
11. Microsoft and Bluetooth (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320483
12. Outlook Security Settings removed (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320481
13. AD Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/320327
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Enterprise Manager
by TNT Software
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.tntsoftware.com/products/ELM3/EEM31/
Summary:
ELM Enterprise Manager gives IT administrators and managers the power to
see the health and status of distributed systems with a single glance by
combining the following core functions into a feature-packed, reliable,
and scalable application: - Real-Time and Scheduled Monitoring -
Rules-Based Management System - Rich Notification and Corrective Action -
Data collection, Archiving and Reporting
2. WebProxy 2.1
by @stake
Platforms: Linux, Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.ngsec.com/ngproducts/ngsw/
Summary:
WebProxy is a powerful interactive security tool that helps software
developers, quality engineers, and security professionals test and enhance
the security of Web applications. Release 2.1 of WebProxy replaces all
earlier releases, and is available for sale to enterprise customers and
independent security consultants. Sitting between the developer's browser
and the Web application, WebProxy acts as a 'proxy' to let the developer
observe precisely how the Web application responds to staged attacks, such
as those that use buffer overflows, SQL injection, cookie manipulation,
cross-site scripting or parameter manipulation. By identifying security
vulnerabilities while the software is still in development, companies can
more cost-effectively improve the overall security of any Web application.
3. AuditPro Suite
by Network Intelligence India Pvt. Ltd.
Platforms: AIX, Linux, Solaris, SunOS, Windows 2000, Windows NT, Windows
XP
Relevant URL:
http://www.atstake.com/webproxy/
Summary:
AuditPro for Windows is our most advanced and fastest-selling auditing
product. A product that came about from our own requirement as auditors to
automate the process, it now carries out more than 85 Windows specific
checks. Its greatest selling feature is not just its comprehensiveness
(although, we are yet to find another equivalent product), but its
detailed and comprehensive reporting capability. It also comes with the
Audit Central Console (ACC), a centralized controlling software that
allows you to control the audits of any Windows Server in your
organization with the click of a button. Once the Auditing Engine is
installed locally, you can schedule the Auditing and Control it from the
ACC. Continuing in the tradition of tools such as COPS and SARA, we
introduce AuditPro for Unix. AuditPro differs from Vulnerability Scanners
such as Nessus, in that it does not scan for possible vulnerabilities but
mainly for mis-configurations or signs of a system compromise. AuditPro
for Oracle audits the Oracle Database Security. It checks for system
mis-configurations, insecure parameters, open privileges, roles, users,
profiles, etc. It also checks for insecure permissions on system critical
tables, and user-defined tables. Additionally, AuditPro for Oracle
provides unique features such as the Baseline, which will snapshot your
database for comparisons with future audits in order to determine
suspicious or unauthorized changes. Microsoft's SQL Server has had some
very critical security flaws being discovered and exploited in the past
couple of years. Most of these vulnerabilities could have been protected
against, had the servers been patched and security measures followed.
AuditPro for SQL is designed to help you detect any unpatched servers,
weak passwords, and all possible insecure configurations. APSQL
automatically discovers all the SQL servers in your network and works with
Named Instances as well. Future additions to the AuditPro suite: AuditPro
for Sybase
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. SSHVnc v0.0.2 Alpha
by Lee David Painter
Relevant URL:
http://www.sshtools.com
Platforms: Os Independent
Summary:
SSHVnc is a standalone Java VNC viewer that secures VNC a ccess by
integrating the popular TightVNC viewer with the SSH Tools Java SSH API.
It features a clean and easy to use interf ace.
2. nProbe v2.0
by Luca Deri
Relevant URL:
http://www.ntop.org/nProbe.html
Platforms: MacOS, POSIX, Windows 2000, Windows 3.x, Windows 95/98, Windows
CE, Windows NT, Windows XP
Summary:
nProbe is a Netflow V5 probe characterized by portability to Unix and
Windows environments, a small memory footprint (less than 2MB of memory
regardless of the size of the network), and low CPU usage. It is designed
for running in environments with limited resources.
3. Active@ File Recovery v2.0
by Active@ Data Recovery Services
Relevant URL:
http://www.file-recovery.net/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Active@ File Recovery is a powerful software utility, designed to restore
accidentally deleted files and directories. It allows you to recover files
that have been deleted from the Recycle Bin, as well as those deleted
after avoiding the Recycle Bin (e.g. Shift-Delete).
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: KaVaDo
The only integrated Web Application Security Suite
==================================================
ScanDo - Web Application Scanner
InterDo - Web Application Firewall
KaVaDo Inc., Web Application Security without Compromise
Read more at: http://www.securityfocus.com/Kavado-ms-secnews
------------------------------------------------------------------------
-------
[ reply ]