SecurityFocus Microsoft Newsletter #138
---------------------------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Passive Network Traffic Analysis: Understanding a Network...
2. Conducting a Security Audit: An Introductory Overview
3. Cyber Insurance Between the Lines
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft ISA Server Error Page Cross-Site Scripting...
2. PHP-Nuke Statistics Module Mainfile.PHP Cross-Site...
3. PHP-Banner Exchange Path Disclosure Vulnerability
4. Compaq Management Agents Remote Authentication Bypass...
5. Nessus LibNASL Arbitrary Code Execution Vulnerability
6. EServ Directory Indexing Vulnerability
7. EServ Unauthorized Proxy Access Vulnerability
8. Snort Spoofed Packet TCP State Evasion Vulnerability
9. Working Resources BadBlue Unauthorized HTS Access Vulnerability
11. BZFlag Reconnect Denial Of Service Vulnerability
12. Platform Load Sharing Facility LSF_ENVDIR Local Command...
13. IISProtect Authentication Bypass Vulnerability
14. PHPNuke Remote Main Modules Multiple SQL Injection...
15. Blackmoon FTP Server Username Information Disclosure...
17. Apple QuickTime/Darwin Streaming Server QTSSReflector Module...
18. Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag...
19. Microsoft Internet Connection Firewall IPv6 Traffic Blocking...
20. Microsoft Netmeeting CALLTO URL Buffer Overflow Vulnerability
21. Microsoft Windows Media Player Automatic File Download and...
22. Demarc PureSecure Plaintext Password Vulnerability
23. Magic Winmail Server USER POP3 Command Format String...
III. MICROSOFT FOCUS LIST SUMMARY
1. Windows 2003 Server - MS Rulez? (Thread)
2. Updated URLScan Security Tool Released (Thread)
3. Netreg for Windows (Thread)
4. Article Announcement: Passive Network Traffic Analysis:...
5. Administrivia: Sobig/Mankx/Palyh (Thread)
6. SecurityFocus Microsoft Newsletter #137 (Thread)
7. Article Announcement: "Relax, It Was a Honeypot" (Thread)
8. Article Announcement: Malware Myths and Misinformation, Part...
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. CryptoGram Secure Login
2. Tricryption Engine
3. neuSECURE
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. WinCrypt v2.0
2. Darik's Boot and Nuke v2003052000(Beta)
3. incident.pl v2.6
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Passive Network Traffic Analysis: Understanding a Network Through
Passive
Monitoring
By Kevin Timm
This article will offer a brief overview of passive network monitoring,
which can offer a thorough understanding of the network's topology: what
services are available, what operating systems are in use, and what
vulnerabilities may be exposed on the network.
http://www.securityfocus.com/infocus/1696
2. Conducting a Security Audit: An Introductory Overview
By Bill Hayes
This article will offer a brief overview of security audits: what they
are, why they are important, and how they are conducted.
http://www.securityfocus.com/infocus/1697
3. Cyber Insurance Between the Lines
By Mark Rasch
Your company may already have insurance against computer attacks and
electronic sabotage, without even knowing it.
http://www.securityfocus.com/columnists/163
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft ISA Server Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 7623
Remote: Yes
Date Published: May 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7623
Summary:
Microsoft ISA (Internet Security and Acceleration) Server is an
application firewall that also provides intrusion detection capabilities.
A cross-site scripting vulnerability has been reported for Microsoft ISA
Server. The vulnerability exists due to insufficient sanitization of
certain HTTP header fields. Specifically, ISA Server does not properly
sanitize malicious HTML code from the 'Via:' HTTP header.
The attacker may be required to create a malicious link to a site and then
entice web users to visit the link.
Successful exploitation could permit a malicious attacker to cause the
execution of hostile HTML and script code in the web client of a user who
visits the malicious link. This would occur in the security context of the
site.
Exploitation could allow for attacks that steal cookie-based
authentication credentials. Other attacks will also be possible.
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
The PHP-Nuke 'mainfile.php' script does not sufficiently sanitize data
supplied via URI parameters, making it prone to cross-site scripting
attacks. In particular, the 'year' URI parameter is not properly sanitized
of HTML tags. This could allow for execution of hostile HTML and script
code in the web client of a user who visits a web page that contains the
malicious code. This would occur in the security context of the site
hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
PHP-Banner Exchange is banner management software. It is written in PHP
and available for a number of operating systems including Microsoft
Windows and Unix and Linux variants.
PHP-Banner Exchange is prone to a path disclosure vulnerability.
Requesting the directory for the software will cause an error message to
be displayed with contains path information.
PHP-Banner Exchange can be used as a module for PHP-Nuke.
Exploitation may be dependant on web server and PHP configuration.
This type of information may aid an attacker in mapping out the filesystem
for further attacks against the host.
Compaq Management Agents is a web-based interface designed to monitor
various system device parameters. It is available for a variety of
operating systems including Unix, GNU/Linux, and Microsoft Windows.
A vulnerability has been reported for Compaq Management Agents (CMA). The
problem is said to present itself when anonymous access has been enabled.
Supposedly, if the administrator password has been changed from the
default, an unauthorized remote user may gain administrative access. This
can be accomplished by placing 'administrator' in all fields at the
password screen.
Successful exploitation of this issue will allow an attacker to gain
administrative access to the CMA interface. This may result in the
tampering of sensitive system device settings or possibly other attacks.
This vulnerability has been reported to affect Compaq Management Agents
4.36 and Insight Manager Version 5.0.
Nessus is a vulnerability scanning utility available for the Unix and
Microsoft Windows operating systems. libnasl is a library used by Nessus
to process NASL scripts.
Nessus has reported that various flaws have been discovered in the libnasl
library. Amongst other functions, scanner_add_port(), insstr() and
ftp_log_in() fail to sufficiently handle malformed parameters and may
allow a script to break out of the established sandbox environment. As a
result, it may be possible for a malicious Nessus plugin to execute
arbitrary system commands with the privileges of Nessus the application,
possibly root.
It should be noted that this malicious script must be a legitimate plugin
which has been uploaded to the Nessus server. Furthermore, the affected
Nessus application must have enabled the 'plugins_upload' option which is
disabled by default.
The precise details regarding this vulnerability are currently unknown.
This BID will be updated as further information becomes available.
Although unconfirmed, these vulnerabilities may be exploited to execute
arbitrary attacker-supplied code.
This issue affects Nessus version 2.05 and earlier.
6. EServ Directory Indexing Vulnerability
BugTraq ID: 7669
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7669
Summary:
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft
Windows systems.
EServ does not sufficiently prevent web users from being able to view
directory indexes. This is reported to be an issue even when a directory
has an index file. This may result in disclosure of sensitive information
which may be useful in further attacks against the system.
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft
Windows systems.
EServ is prone to a vulnerability that may allow it to be used as a proxy
by unauthorized remote users. This can occur even if a proxy
authentication is required or the proxy service is disabled. Users can
proxy request through port 80 if the proxy service is disabled. It has
also been reported that the FTP proxy may also be abused in a similar
manner.
8. Snort Spoofed Packet TCP State Evasion Vulnerability
BugTraq ID: 7635
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7635
Summary:
Snort is a freely available, open source intrusion detection system. It is
available for Unix, Linux, and Microsoft Windows platforms.
A vulnerability has been reported within the spp_stream4.c source file.
The problem is said to occur while maintaining the state of an established
session.
Specifically, Snort is said to call UpdateState before verifying the
legitimacy of a packet received from a client partaking in a legitimate
session. As a result, it may be possible to corrupt stateful inspection
carried out by Snort.
This issue can be triggered by forging a packet to a server containing the
legitimate client source IP and port. When encountered by Snort, the
state of the session is updated before verifying that the packet is a
legitimate part of the established session. However when the packet is
received by the server, due to invalid sequence and acknowledgement data,
the packet will be dropped.
An attacker could exploit this vulnerability to trigger a situation under
which legitimate session traffic transmitted would no longer be detected
by Snort.
This vulnerability has been reported to affected Snort 2.0.0rc2, however
other versions may also be affected.
It should be noted that this is a theoretical issue and has not yet been
officially confirmed.
9. Working Resources BadBlue Unauthorized HTS Access Vulnerability
BugTraq ID: 7638
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7638
Summary:
BadBlue is a P2P file sharing application distributed by Working
Resources. It is available for Microsoft Windows operating systems.
BadBlue is prone to a vulnerability that could allow remote attackers to
gain unauthorized access to administrative functions. BadBlue includes a
server-side scripting language which uses '.htx' and '.hts' files. The
'.hts' extension represents files that are only intended to be requested
and executed by the local host.
It is possible to bypass BadBlue security checks when '.hts' files are
requested by a remote user. BadBlue restricts access to non-HTML files by
replacing the first two letters in the file extension of a requested
resource with 'ht'. If the third character of a file extension is 's',
then it is possible to trick BadBlue into serving a non-HTML file with an
extension of '.hts'. This will bypass other security checks which would
normally prevent BadBlue from serving these files to remote users.
Exploitation could result in unauthorized access to administrative
functions provided in '.hts' files.
10. Blackmoon FTP Server Plaintext User Password Weakness
BugTraq ID: 7646
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7646
Summary:
Blackmoon FTP Server is an FTP Server for Microsoft Windows operating
systems.
Blackmoon FTP Server stores authentication credentials for the FTP service
on the local system in plaintext. These credentials are stored in the
'blackmoon.mdb' file in the program directory. Local users with access to
this file may gain unauthorized access to the server as a result.
Exposure of authentication credentials may also lead to compromise of
other services/resources if the same credentials are commonly used.
It should be noted that although this weakness was reported to affect
Blackmoon FTP server version 2.6, previous versions might also be
affected.
11. BZFlag Reconnect Denial Of Service Vulnerability
BugTraq ID: 7649
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7649
Summary:
BZFlag is a multi-player action game. It is available for a number of
operating systems, including Microsoft Windows and Unix/Linux variants.
BZFlag is prone to a denial of service vulnerability. Users that have
established a session with BZFlag may cause a denial of service by
reconnecting and flooding BZFlag ports with excessive amounts of data.
This may reportedly cause a server crash or a memory leak that could
exhaust available resources. Though unconfirmed, exploitation could
result in memory corruption, which may allow for execution of malicious
code.
This issue was reported in BZFlag 1.7g0. Other versions are also likely
affected.
12. Platform Load Sharing Facility LSF_ENVDIR Local Command Execution Vulnerability
BugTraq ID: 7655
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7655
Summary:
Load Sharing Facility is a high availability and load balancing software
package distributed and maintained by Platform. It is available for Unix,
Linux, and Microsoft Windows.
A problem in the software for the Unix and Linux platform may make it
possible for a local user to gain unauthorized privileges.
It has been reported that Load Sharing Facility (LSF) does not properly
handle input in environment variables. Because of this, an attacker may
be able to gain escalated privileges on a vulnerable system.
The problem is in the handling of environment variables. When the lsadmin
program is executed, shortly after starting execution it calls the lim
program. The path to this program is specified in the configuration file.
However, it is possible to change the location that will be checked for
this program by altering the LSF_ENVDIR environment variable to force
lsadmin to look for the lim program in a different location. By doing so,
it is possible to create a malicious copy of the lim program which would
be executed with the privileges of the lsadmin program. The lsadmin
program is typically installed with elevated privileges.
13. IISProtect Authentication Bypass Vulnerability
BugTraq ID: 7661
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7661
Summary:
iisProtect is a security product for Microsoft Windows that provides
authentication based access control to protect web resources.
A vulnerability has been reported that may allow for iisProtect
authentication to be circumvented by web users. It is possible to bypass
authentication to gain access to web resources by submitting a request
which URL encoded character representations. iisProtect fails to
recognize these character representations, but the underlying IIS server
will interpret them and serve the resource that is requested.
Remote attackers may exploit this issue to gain access to sensitive web
resources, which could allow for other attacks which compromise web
resources.
14. PHPNuke Remote Main Modules Multiple SQL Injection Vulnerabilities
BugTraq ID: 7631
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7631
Summary:
PHPNuke is a freely available, open source web content management system.
It is maintained by Francisco Burzi, and available for the Unix, Linux,
and Microsoft Operating Systems.
Multiple input checking problems may make it possible for remote users to
pass malicious data to the database.
It has been reported that multiple problems exist in the PHPNuke main
modules. SQL injection issues exist in the Sections, Avantgo, Surveys,
Downloads, Reviews, and Web_Links modules. This could allow an attacker
pass malicious SQL code to the database. It should be noted that multiple
path disclosure issues also exist.
Each of these modules does not properly handle the backtick character at
precise locations in queries. Because of this, it is possible to create a
custom command that will be executed with the privileges of the PHPNuke
application.
15. Blackmoon FTP Server Username Information Disclosure Vulnerability
BugTraq ID: 7647
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7647
Summary:
Blackmoon FTP Server is an FTP Server for Microsoft Windows operating
systems.
It has been reported that Blackmoon FTP Server is prone to an information
disclosure weakness.
The problem exists in the way the FTP server handles the authentication
procedure. Specifically the FTP server returns a '530-Account does not
exist.' error message to the console, if the username supplied is invalid,
before disconnecting the user. An attacker may exploit this weakness to
enumerate valid usernames.
It should be noted that although this weakness was reported to affect
Blackmoon FTP server version 2.6, previous versions might also be
affected.
16. ShareMailPro Username Identification Weakness
BugTraq ID: 7658
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7658
Summary:
ShareMailPro is an e-mail server solution designed for use with Microsoft
Windows systems.
A weakness has been reported in ShareMailPro that may reveal the existence
of usernames to remote attackers.
This weakness is due to the fact that ShareMailPro responds with different
messages depending on whether a given username exists or not.
If an attacker connects with a non-existent username, the following
message is displayed:
-ERR sorry , no such mailbox
An attacker may be able to use this information to launch further
intelligent attacks against the server or to launch a brute force password
attack against a known user name.
This vulnerability was reported for ShareMailPro 3.6.1.
17. Apple QuickTime/Darwin Streaming Server QTSSReflector Module Integer Overflow Vulnerability
BugTraq ID: 7659
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7659
Summary:
The Darwin/QuickTime Streaming Servers are used as a web interface for
Streaming Server configuration. They are available for the Linux, Solaris,
Microsoft Windows and MacOS X operating systems.
A vulnerability has been reported for Apple Quicktime/Darwin Streaming
Server. The problem is said to occur within the QTSSReflector module while
processing the ANNOUNCE command. Specifically, by specifying the
Content-Length of an ANNOUNCE request to 0xffffffff (4294967295) it may be
possible to overflow an unsigned integer. As a result, an unexpected
calculation may occur within the affected module, causing the server to
crash. Due to the nature of the value that is supplied to Content-Length,
this issue may actually be a result of signed/unsigned variable
mismatching. This behavior however has not been confirmed.
It should be noted that it has been speculated that this issue may be
exploitable to corrupt process memory. If so, it may be possible for an
attacker to overwrite sensitive values in an attempt to execute arbitrary
instructions with the privileges of the server.
Apple has confirmed that this issue may be exploitable to trigger a denial
of service. However, it is believed that remote exploitability is unlikely
as it would require an administrator to manually configure the service to
permit unauthenticated broadcasts.
18. Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag Handling Vulnerability
BugTraq ID: 7660
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7660
Summary:
The Apple QuickTime/Darwin MP3 Broadcaster is encoding software used to
stream online broadcasts. They are available for the Linux, Solaris,
Microsoft Windows and MacOS X operating systems.
MP3Broadcaster has been reported prone to a vulnerability when processing
malformed ID3 tag information. The issue presents itself, under specific
conditions, when the user invokes the MP3Broadcaster utility using the '-X
-l' command line options, to generate a list based off malicious MP3
files. When a malformed integer within the ID3 data of a malicious MP3
file is processed, a miscalculation may occur which could potentially
result in the corruption of process memory. This is likely due to
insufficient sanity checks performed when handling signed integer values
contained within MP3 file ID3 tags.
Apple has confirmed that this issue may be exploitable to trigger a denial
of service. However, it is believed that remote exploitability is
unlikely, as it would require an administrator to manually configure the
service to permit unauthenticated broadcasts.
19. Microsoft Internet Connection Firewall IPv6 Traffic Blocking Vulnerability
BugTraq ID: 7666
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7666
Summary:
Microsoft provides firewall capabilites using its Internet Connection
Firewall (ICF).
An issue has been reported for systems that have enabled ICF whereby
certain traffic may bypass existing firewall filters. Specifically, it has
been reported the ICF fails to block IPv6 traffic.
This may result in an administrator having a false sense of security.
20. Microsoft Netmeeting CALLTO URL Buffer Overflow Vulnerability
BugTraq ID: 7639
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7639
Summary:
Microsoft Netmeeting sessions can be launched through Internet Explorer by
browsing to a 'callto:' link. These links usually contain the address of
the Netmeeting user to be called and may also contain a directory to
retrieve the addressing information from.
It has been reported that clicking on a malformed 'callto:' URI using
Internet Explorer may result in Windows failing due to a kernel mode
exception. This issue may be due to a boundary condition error in one of
the parameters accepted by the CALLTO protocol handler.
Successful exploitation of this vulnerability may result in a denial of
service to the system. If this is due to a boundary condition error, it
is not currently known if critical memory is overwritten that could allow
for code execution.
Symantec was unable to reproduce this vulnerability on a Windows 2000 SP3
system running Internet Explorer 6.0 SP1 and Netmeeting 3.01 using the
supplied proof of concept code.
It is important to note that the CALLTO protocol handler does not function
by default on browsers other than Internet Explorer.
** It has been reported that when Windows fails in this instance, a
pointer may be overwritten. This indicates that code execution could be
possible through successful exploitation of this vulnerability.
21. Microsoft Windows Media Player Automatic File Download and Execution Vulnerability
BugTraq ID: 7640
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7640
Summary:
Windows Media Player could allegedly allow files to be downloaded and
executed without user intervention.
When a specifically crafted XMLNS (XML Name Space) URI is embedded within
an HTML email message, a media file referenced in the URI may be
automatically downloaded. If this is combined with the vulnerability
described in BID 5543 (Microsoft Windows Media Player File Attachment
Script Execution Vulnerability), a malicious script or executable file may
be automatically downloaded and executed on the vulnerable system.
This vulnerability was reported to affect systems running Outlook Express
6.00.2800.1123 and Windows Media Player 7.01.00.3055 or 8.00.00.4487.
Windows Media Player 9 series is said to be unaffected.
Symantec was unable to reproduce this vulnerability in testing with
Outlook Express 6.00.2800.1123 and Windows Media Player 7.01.00.3055.
22. Demarc PureSecure Plaintext Password Vulnerability
BugTraq ID: 7650
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7650
Summary:
Demarc PureSecure is a commercially available graphical front-end for
Snort, in addition to being a generalized network monitoring solution.
Snort is a popular open-source NIDS (Network Intrusion Detection System).
Demarc PureSecure will run on most Linux and Unix variants, as well as
Microsoft Windows NT/2000/XP operating systems.
A problem with the Demarc PureSecure software could make unauthorized
access to user credentials possible.
It has been reported that a problem exists in the method used in the
storage of passwords by Demarc PureSecure. This could lead to users
gaining unauthorized access to passwords, and potentially unauthorized
access to the central/remote logging server.
Specifically, Demarc PureSecure stores certain user passwords on the disk
using plain-text format by default. A local user with access sufficient to
read the files used by the Demarc PureSecure may disclose the usernames
and passwords.
Information gathered in this way may be used to aid in further attacks
launched against the vulnerable system.
It should be noted that although this vulnerability has been reported to
affect Demarc PureSecure version 1.0.6 previous versions might also be
affected.
23. Magic Winmail Server USER POP3 Command Format String Vulnerability
BugTraq ID: 7667
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7667
Summary:
Magic Winmail Server is a e-mail server designed for use on Microsoft
Windows operating environments.
A format string vulnerability has been reported for Magic Winmail Server
when processing the USER POP3 command.
An attacker may exploit this vulnerability by connecting to the vulnerable
mail server and issuing the USER command with malicious format string
specifiers. When the command is processed, the malicious format string
specifiers may be interpreted. As a result, it may be possible for
sensitive locations in memory to be corrupted. This may ultimately result
in the execution of attacker-supplied code.
This vulnerability was reported for Magic Winmail Server 2.3.
IV. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows 2003 Server - MS Rulez? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322535
2. Updated URLScan Security Tool Released (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322305
3. Netreg for Windows (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322298
4. Article Announcement: Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring (Thread)
Relevant URL:
6. SecurityFocus Microsoft Newsletter #137 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321919
7. Article Announcement: "Relax, It Was a Honeypot" (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321894
8. Article Announcement: Malware Myths and Misinformation, Part One (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321893
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CryptoGram Secure Login
by CryptoGram SA
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
Summary:
As computer crime rises (computer theft, fraud, piracy, etc.) secure
access to information has become a key factor in the architecture of
computer systems. To combat these threats, only a hardware based
authentication solution can fully protect access to your computers. With
CryptoGram Secure Login, users must possess a token and provide
information to be authenticated. Using the latest cryptographic and
biometric technologies, the CryptoGram Secure Login solution protects
access to your Windows NT 4.0, Windows 2000 and Windows XP computers and
keeps all unauthorized users out
2. Tricryption Engine
by ERUCES
Platforms: N/A
Relevant URL:
Summary:
The ERUCES Tricryption Engine is an enabling technology platform based on
the most advanced high-volume encryption and automated key management
system on the market today. The Tricryption Engine is the only data
security platform that can scale to meet the continually growing
encryption requirements companies must implement. As organizations look
for methods to protect increasing amounts of electronic data, they need to
deploy solutions that will completely prohibit unauthorized users from
reading or tampering with protected data, while at the same time remove
the constraints of system performance and on-going management. With its
patent-pending automated encryption key management process, the
Tricryption Engine platform can be used to protect all types of electronic
data, from databases to multimedia files.
3. neuSECURE
by GuardedNet
Platforms: Linux, UNIX, Windows 2000, Windows NT, Windows XP
Relevant URL:
Summary:
neuSECURE is a web-based security information management software solution
designed to provide a comprehensive, coherent view of enterprise security.
It correlates log data files from disparate machines such as firewalls,
intrusion detection systems, computer systems and routers and
automatically analyzes this data to uncover legitimate threats to the
enterprise. neuSECURE allows security analysts to prioritize their
investigations and focus on the mission-critical task of responding to
threats as they are occurring, rather than after the damage is done. And
with neuSECURE a security team can manage security threats from early
detection to final resolution without ever leaving the intuitive,
web-based console.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. WinCrypt v2.0
by C2SG
Relevant URL:
http://www.wincrypt.com/
Platforms: Windows 2000, Windows 3.x, Windows 95/98, Windows NT, Windows
XP
Summary:
This is desktop encryption software to stop prying eyes. Windows users can
now secure documents in such a way that sensitive files on hard drives and
e-mail attachments are totally unreadable to unauthorized users.
Users can drag and drop sensitive files into the Wincrypt window, select a
password, and then e-mail the file to the intended recipient. The only
people able to read the document are the holders of the password. The file
or folder is protected by 256-bit Advanced Encryption Standard (AES).
Advanced features include anti-logging keyboard, quik-klik encryption and
self decrypting files.
2. Darik's Boot and Nuke v2003052000(Beta)
by Darik Horn
Relevant URL:
http://dban.sourceforge.net/
Platforms: Os Independent
Summary:
Darik's Boot and Nuke (DBAN) is a self-contained boot floppy that securely
wipes the hard disks of most computers. DBAN will automatically and
completely delete the contents of any hard disk that it can detect, which
makes it an appropriate utility for bulk or emergency data destruction.
incident.pl is a small script that, when given logs generated by snort,
can generate an incident report for every event that appears to be an
attempted security attack, and report the attack to the appropriate
administrators.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
SecurityFocus Microsoft Newsletter #138
---------------------------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Passive Network Traffic Analysis: Understanding a Network...
2. Conducting a Security Audit: An Introductory Overview
3. Cyber Insurance Between the Lines
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft ISA Server Error Page Cross-Site Scripting...
2. PHP-Nuke Statistics Module Mainfile.PHP Cross-Site...
3. PHP-Banner Exchange Path Disclosure Vulnerability
4. Compaq Management Agents Remote Authentication Bypass...
5. Nessus LibNASL Arbitrary Code Execution Vulnerability
6. EServ Directory Indexing Vulnerability
7. EServ Unauthorized Proxy Access Vulnerability
8. Snort Spoofed Packet TCP State Evasion Vulnerability
9. Working Resources BadBlue Unauthorized HTS Access Vulnerability
11. BZFlag Reconnect Denial Of Service Vulnerability
12. Platform Load Sharing Facility LSF_ENVDIR Local Command...
13. IISProtect Authentication Bypass Vulnerability
14. PHPNuke Remote Main Modules Multiple SQL Injection...
15. Blackmoon FTP Server Username Information Disclosure...
17. Apple QuickTime/Darwin Streaming Server QTSSReflector Module...
18. Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag...
19. Microsoft Internet Connection Firewall IPv6 Traffic Blocking...
20. Microsoft Netmeeting CALLTO URL Buffer Overflow Vulnerability
21. Microsoft Windows Media Player Automatic File Download and...
22. Demarc PureSecure Plaintext Password Vulnerability
23. Magic Winmail Server USER POP3 Command Format String...
III. MICROSOFT FOCUS LIST SUMMARY
1. Windows 2003 Server - MS Rulez? (Thread)
2. Updated URLScan Security Tool Released (Thread)
3. Netreg for Windows (Thread)
4. Article Announcement: Passive Network Traffic Analysis:...
5. Administrivia: Sobig/Mankx/Palyh (Thread)
6. SecurityFocus Microsoft Newsletter #137 (Thread)
7. Article Announcement: "Relax, It Was a Honeypot" (Thread)
8. Article Announcement: Malware Myths and Misinformation, Part...
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. CryptoGram Secure Login
2. Tricryption Engine
3. neuSECURE
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. WinCrypt v2.0
2. Darik's Boot and Nuke v2003052000(Beta)
3. incident.pl v2.6
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Passive Network Traffic Analysis: Understanding a Network Through
Passive
Monitoring
By Kevin Timm
This article will offer a brief overview of passive network monitoring,
which can offer a thorough understanding of the network's topology: what
services are available, what operating systems are in use, and what
vulnerabilities may be exposed on the network.
http://www.securityfocus.com/infocus/1696
2. Conducting a Security Audit: An Introductory Overview
By Bill Hayes
This article will offer a brief overview of security audits: what they
are, why they are important, and how they are conducted.
http://www.securityfocus.com/infocus/1697
3. Cyber Insurance Between the Lines
By Mark Rasch
Your company may already have insurance against computer attacks and
electronic sabotage, without even knowing it.
http://www.securityfocus.com/columnists/163
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft ISA Server Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 7623
Remote: Yes
Date Published: May 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7623
Summary:
Microsoft ISA (Internet Security and Acceleration) Server is an
application firewall that also provides intrusion detection capabilities.
A cross-site scripting vulnerability has been reported for Microsoft ISA
Server. The vulnerability exists due to insufficient sanitization of
certain HTTP header fields. Specifically, ISA Server does not properly
sanitize malicious HTML code from the 'Via:' HTTP header.
The attacker may be required to create a malicious link to a site and then
entice web users to visit the link.
Successful exploitation could permit a malicious attacker to cause the
execution of hostile HTML and script code in the web client of a user who
visits the malicious link. This would occur in the security context of the
site.
Exploitation could allow for attacks that steal cookie-based
authentication credentials. Other attacks will also be possible.
2. PHP-Nuke Statistics Module Mainfile.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 7624
Remote: Yes
Date Published: May 17 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7624
Summary:
PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.
The PHP-Nuke 'mainfile.php' script does not sufficiently sanitize data
supplied via URI parameters, making it prone to cross-site scripting
attacks. In particular, the 'year' URI parameter is not properly sanitized
of HTML tags. This could allow for execution of hostile HTML and script
code in the web client of a user who visits a web page that contains the
malicious code. This would occur in the security context of the site
hosting the software.
Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
3. PHP-Banner Exchange Path Disclosure Vulnerability
BugTraq ID: 7636
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7636
Summary:
PHP-Banner Exchange is banner management software. It is written in PHP
and available for a number of operating systems including Microsoft
Windows and Unix and Linux variants.
PHP-Banner Exchange is prone to a path disclosure vulnerability.
Requesting the directory for the software will cause an error message to
be displayed with contains path information.
PHP-Banner Exchange can be used as a module for PHP-Nuke.
Exploitation may be dependant on web server and PHP configuration.
This type of information may aid an attacker in mapping out the filesystem
for further attacks against the host.
4. Compaq Management Agents Remote Authentication Bypass Vulnerability
BugTraq ID: 7648
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7648
Summary:
Compaq Management Agents is a web-based interface designed to monitor
various system device parameters. It is available for a variety of
operating systems including Unix, GNU/Linux, and Microsoft Windows.
A vulnerability has been reported for Compaq Management Agents (CMA). The
problem is said to present itself when anonymous access has been enabled.
Supposedly, if the administrator password has been changed from the
default, an unauthorized remote user may gain administrative access. This
can be accomplished by placing 'administrator' in all fields at the
password screen.
Successful exploitation of this issue will allow an attacker to gain
administrative access to the CMA interface. This may result in the
tampering of sensitive system device settings or possibly other attacks.
This vulnerability has been reported to affect Compaq Management Agents
4.36 and Insight Manager Version 5.0.
5. Nessus LibNASL Arbitrary Code Execution Vulnerability
BugTraq ID: 7664
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7664
Summary:
Nessus is a vulnerability scanning utility available for the Unix and
Microsoft Windows operating systems. libnasl is a library used by Nessus
to process NASL scripts.
Nessus has reported that various flaws have been discovered in the libnasl
library. Amongst other functions, scanner_add_port(), insstr() and
ftp_log_in() fail to sufficiently handle malformed parameters and may
allow a script to break out of the established sandbox environment. As a
result, it may be possible for a malicious Nessus plugin to execute
arbitrary system commands with the privileges of Nessus the application,
possibly root.
It should be noted that this malicious script must be a legitimate plugin
which has been uploaded to the Nessus server. Furthermore, the affected
Nessus application must have enabled the 'plugins_upload' option which is
disabled by default.
The precise details regarding this vulnerability are currently unknown.
This BID will be updated as further information becomes available.
Although unconfirmed, these vulnerabilities may be exploited to execute
arbitrary attacker-supplied code.
This issue affects Nessus version 2.05 and earlier.
6. EServ Directory Indexing Vulnerability
BugTraq ID: 7669
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7669
Summary:
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft
Windows systems.
EServ does not sufficiently prevent web users from being able to view
directory indexes. This is reported to be an issue even when a directory
has an index file. This may result in disclosure of sensitive information
which may be useful in further attacks against the system.
7. EServ Unauthorized Proxy Access Vulnerability
BugTraq ID: 7670
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7670
Summary:
EServ is a combination Mail, News, Web, FTP and Proxy Server for Microsoft
Windows systems.
EServ is prone to a vulnerability that may allow it to be used as a proxy
by unauthorized remote users. This can occur even if a proxy
authentication is required or the proxy service is disabled. Users can
proxy request through port 80 if the proxy service is disabled. It has
also been reported that the FTP proxy may also be abused in a similar
manner.
8. Snort Spoofed Packet TCP State Evasion Vulnerability
BugTraq ID: 7635
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7635
Summary:
Snort is a freely available, open source intrusion detection system. It is
available for Unix, Linux, and Microsoft Windows platforms.
A vulnerability has been reported within the spp_stream4.c source file.
The problem is said to occur while maintaining the state of an established
session.
Specifically, Snort is said to call UpdateState before verifying the
legitimacy of a packet received from a client partaking in a legitimate
session. As a result, it may be possible to corrupt stateful inspection
carried out by Snort.
This issue can be triggered by forging a packet to a server containing the
legitimate client source IP and port. When encountered by Snort, the
state of the session is updated before verifying that the packet is a
legitimate part of the established session. However when the packet is
received by the server, due to invalid sequence and acknowledgement data,
the packet will be dropped.
An attacker could exploit this vulnerability to trigger a situation under
which legitimate session traffic transmitted would no longer be detected
by Snort.
This vulnerability has been reported to affected Snort 2.0.0rc2, however
other versions may also be affected.
It should be noted that this is a theoretical issue and has not yet been
officially confirmed.
9. Working Resources BadBlue Unauthorized HTS Access Vulnerability
BugTraq ID: 7638
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7638
Summary:
BadBlue is a P2P file sharing application distributed by Working
Resources. It is available for Microsoft Windows operating systems.
BadBlue is prone to a vulnerability that could allow remote attackers to
gain unauthorized access to administrative functions. BadBlue includes a
server-side scripting language which uses '.htx' and '.hts' files. The
'.hts' extension represents files that are only intended to be requested
and executed by the local host.
It is possible to bypass BadBlue security checks when '.hts' files are
requested by a remote user. BadBlue restricts access to non-HTML files by
replacing the first two letters in the file extension of a requested
resource with 'ht'. If the third character of a file extension is 's',
then it is possible to trick BadBlue into serving a non-HTML file with an
extension of '.hts'. This will bypass other security checks which would
normally prevent BadBlue from serving these files to remote users.
Exploitation could result in unauthorized access to administrative
functions provided in '.hts' files.
10. Blackmoon FTP Server Plaintext User Password Weakness
BugTraq ID: 7646
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7646
Summary:
Blackmoon FTP Server is an FTP Server for Microsoft Windows operating
systems.
Blackmoon FTP Server stores authentication credentials for the FTP service
on the local system in plaintext. These credentials are stored in the
'blackmoon.mdb' file in the program directory. Local users with access to
this file may gain unauthorized access to the server as a result.
Exposure of authentication credentials may also lead to compromise of
other services/resources if the same credentials are commonly used.
It should be noted that although this weakness was reported to affect
Blackmoon FTP server version 2.6, previous versions might also be
affected.
11. BZFlag Reconnect Denial Of Service Vulnerability
BugTraq ID: 7649
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7649
Summary:
BZFlag is a multi-player action game. It is available for a number of
operating systems, including Microsoft Windows and Unix/Linux variants.
BZFlag is prone to a denial of service vulnerability. Users that have
established a session with BZFlag may cause a denial of service by
reconnecting and flooding BZFlag ports with excessive amounts of data.
This may reportedly cause a server crash or a memory leak that could
exhaust available resources. Though unconfirmed, exploitation could
result in memory corruption, which may allow for execution of malicious
code.
This issue was reported in BZFlag 1.7g0. Other versions are also likely
affected.
12. Platform Load Sharing Facility LSF_ENVDIR Local Command Execution Vulnerability
BugTraq ID: 7655
Remote: No
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7655
Summary:
Load Sharing Facility is a high availability and load balancing software
package distributed and maintained by Platform. It is available for Unix,
Linux, and Microsoft Windows.
A problem in the software for the Unix and Linux platform may make it
possible for a local user to gain unauthorized privileges.
It has been reported that Load Sharing Facility (LSF) does not properly
handle input in environment variables. Because of this, an attacker may
be able to gain escalated privileges on a vulnerable system.
The problem is in the handling of environment variables. When the lsadmin
program is executed, shortly after starting execution it calls the lim
program. The path to this program is specified in the configuration file.
However, it is possible to change the location that will be checked for
this program by altering the LSF_ENVDIR environment variable to force
lsadmin to look for the lim program in a different location. By doing so,
it is possible to create a malicious copy of the lim program which would
be executed with the privileges of the lsadmin program. The lsadmin
program is typically installed with elevated privileges.
13. IISProtect Authentication Bypass Vulnerability
BugTraq ID: 7661
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7661
Summary:
iisProtect is a security product for Microsoft Windows that provides
authentication based access control to protect web resources.
A vulnerability has been reported that may allow for iisProtect
authentication to be circumvented by web users. It is possible to bypass
authentication to gain access to web resources by submitting a request
which URL encoded character representations. iisProtect fails to
recognize these character representations, but the underlying IIS server
will interpret them and serve the resource that is requested.
Remote attackers may exploit this issue to gain access to sensitive web
resources, which could allow for other attacks which compromise web
resources.
14. PHPNuke Remote Main Modules Multiple SQL Injection Vulnerabilities
BugTraq ID: 7631
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7631
Summary:
PHPNuke is a freely available, open source web content management system.
It is maintained by Francisco Burzi, and available for the Unix, Linux,
and Microsoft Operating Systems.
Multiple input checking problems may make it possible for remote users to
pass malicious data to the database.
It has been reported that multiple problems exist in the PHPNuke main
modules. SQL injection issues exist in the Sections, Avantgo, Surveys,
Downloads, Reviews, and Web_Links modules. This could allow an attacker
pass malicious SQL code to the database. It should be noted that multiple
path disclosure issues also exist.
Each of these modules does not properly handle the backtick character at
precise locations in queries. Because of this, it is possible to create a
custom command that will be executed with the privileges of the PHPNuke
application.
15. Blackmoon FTP Server Username Information Disclosure Vulnerability
BugTraq ID: 7647
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7647
Summary:
Blackmoon FTP Server is an FTP Server for Microsoft Windows operating
systems.
It has been reported that Blackmoon FTP Server is prone to an information
disclosure weakness.
The problem exists in the way the FTP server handles the authentication
procedure. Specifically the FTP server returns a '530-Account does not
exist.' error message to the console, if the username supplied is invalid,
before disconnecting the user. An attacker may exploit this weakness to
enumerate valid usernames.
It should be noted that although this weakness was reported to affect
Blackmoon FTP server version 2.6, previous versions might also be
affected.
16. ShareMailPro Username Identification Weakness
BugTraq ID: 7658
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7658
Summary:
ShareMailPro is an e-mail server solution designed for use with Microsoft
Windows systems.
A weakness has been reported in ShareMailPro that may reveal the existence
of usernames to remote attackers.
This weakness is due to the fact that ShareMailPro responds with different
messages depending on whether a given username exists or not.
If an attacker connects with a non-existent username, the following
message is displayed:
-ERR sorry , no such mailbox
An attacker may be able to use this information to launch further
intelligent attacks against the server or to launch a brute force password
attack against a known user name.
This vulnerability was reported for ShareMailPro 3.6.1.
17. Apple QuickTime/Darwin Streaming Server QTSSReflector Module Integer Overflow Vulnerability
BugTraq ID: 7659
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7659
Summary:
The Darwin/QuickTime Streaming Servers are used as a web interface for
Streaming Server configuration. They are available for the Linux, Solaris,
Microsoft Windows and MacOS X operating systems.
A vulnerability has been reported for Apple Quicktime/Darwin Streaming
Server. The problem is said to occur within the QTSSReflector module while
processing the ANNOUNCE command. Specifically, by specifying the
Content-Length of an ANNOUNCE request to 0xffffffff (4294967295) it may be
possible to overflow an unsigned integer. As a result, an unexpected
calculation may occur within the affected module, causing the server to
crash. Due to the nature of the value that is supplied to Content-Length,
this issue may actually be a result of signed/unsigned variable
mismatching. This behavior however has not been confirmed.
It should be noted that it has been speculated that this issue may be
exploitable to corrupt process memory. If so, it may be possible for an
attacker to overwrite sensitive values in an attempt to execute arbitrary
instructions with the privileges of the server.
Apple has confirmed that this issue may be exploitable to trigger a denial
of service. However, it is believed that remote exploitability is unlikely
as it would require an administrator to manually configure the service to
permit unauthenticated broadcasts.
18. Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag Handling Vulnerability
BugTraq ID: 7660
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7660
Summary:
The Apple QuickTime/Darwin MP3 Broadcaster is encoding software used to
stream online broadcasts. They are available for the Linux, Solaris,
Microsoft Windows and MacOS X operating systems.
MP3Broadcaster has been reported prone to a vulnerability when processing
malformed ID3 tag information. The issue presents itself, under specific
conditions, when the user invokes the MP3Broadcaster utility using the '-X
-l' command line options, to generate a list based off malicious MP3
files. When a malformed integer within the ID3 data of a malicious MP3
file is processed, a miscalculation may occur which could potentially
result in the corruption of process memory. This is likely due to
insufficient sanity checks performed when handling signed integer values
contained within MP3 file ID3 tags.
Apple has confirmed that this issue may be exploitable to trigger a denial
of service. However, it is believed that remote exploitability is
unlikely, as it would require an administrator to manually configure the
service to permit unauthenticated broadcasts.
19. Microsoft Internet Connection Firewall IPv6 Traffic Blocking Vulnerability
BugTraq ID: 7666
Remote: Yes
Date Published: May 22 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7666
Summary:
Microsoft provides firewall capabilites using its Internet Connection
Firewall (ICF).
An issue has been reported for systems that have enabled ICF whereby
certain traffic may bypass existing firewall filters. Specifically, it has
been reported the ICF fails to block IPv6 traffic.
This may result in an administrator having a false sense of security.
20. Microsoft Netmeeting CALLTO URL Buffer Overflow Vulnerability
BugTraq ID: 7639
Remote: Yes
Date Published: May 20 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7639
Summary:
Microsoft Netmeeting sessions can be launched through Internet Explorer by
browsing to a 'callto:' link. These links usually contain the address of
the Netmeeting user to be called and may also contain a directory to
retrieve the addressing information from.
It has been reported that clicking on a malformed 'callto:' URI using
Internet Explorer may result in Windows failing due to a kernel mode
exception. This issue may be due to a boundary condition error in one of
the parameters accepted by the CALLTO protocol handler.
Successful exploitation of this vulnerability may result in a denial of
service to the system. If this is due to a boundary condition error, it
is not currently known if critical memory is overwritten that could allow
for code execution.
Symantec was unable to reproduce this vulnerability on a Windows 2000 SP3
system running Internet Explorer 6.0 SP1 and Netmeeting 3.01 using the
supplied proof of concept code.
It is important to note that the CALLTO protocol handler does not function
by default on browsers other than Internet Explorer.
** It has been reported that when Windows fails in this instance, a
pointer may be overwritten. This indicates that code execution could be
possible through successful exploitation of this vulnerability.
21. Microsoft Windows Media Player Automatic File Download and Execution Vulnerability
BugTraq ID: 7640
Remote: Yes
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7640
Summary:
Windows Media Player could allegedly allow files to be downloaded and
executed without user intervention.
When a specifically crafted XMLNS (XML Name Space) URI is embedded within
an HTML email message, a media file referenced in the URI may be
automatically downloaded. If this is combined with the vulnerability
described in BID 5543 (Microsoft Windows Media Player File Attachment
Script Execution Vulnerability), a malicious script or executable file may
be automatically downloaded and executed on the vulnerable system.
This vulnerability was reported to affect systems running Outlook Express
6.00.2800.1123 and Windows Media Player 7.01.00.3055 or 8.00.00.4487.
Windows Media Player 9 series is said to be unaffected.
Symantec was unable to reproduce this vulnerability in testing with
Outlook Express 6.00.2800.1123 and Windows Media Player 7.01.00.3055.
22. Demarc PureSecure Plaintext Password Vulnerability
BugTraq ID: 7650
Remote: No
Date Published: May 21 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7650
Summary:
Demarc PureSecure is a commercially available graphical front-end for
Snort, in addition to being a generalized network monitoring solution.
Snort is a popular open-source NIDS (Network Intrusion Detection System).
Demarc PureSecure will run on most Linux and Unix variants, as well as
Microsoft Windows NT/2000/XP operating systems.
A problem with the Demarc PureSecure software could make unauthorized
access to user credentials possible.
It has been reported that a problem exists in the method used in the
storage of passwords by Demarc PureSecure. This could lead to users
gaining unauthorized access to passwords, and potentially unauthorized
access to the central/remote logging server.
Specifically, Demarc PureSecure stores certain user passwords on the disk
using plain-text format by default. A local user with access sufficient to
read the files used by the Demarc PureSecure may disclose the usernames
and passwords.
Information gathered in this way may be used to aid in further attacks
launched against the vulnerable system.
It should be noted that although this vulnerability has been reported to
affect Demarc PureSecure version 1.0.6 previous versions might also be
affected.
23. Magic Winmail Server USER POP3 Command Format String Vulnerability
BugTraq ID: 7667
Remote: Yes
Date Published: May 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7667
Summary:
Magic Winmail Server is a e-mail server designed for use on Microsoft
Windows operating environments.
A format string vulnerability has been reported for Magic Winmail Server
when processing the USER POP3 command.
An attacker may exploit this vulnerability by connecting to the vulnerable
mail server and issuing the USER command with malicious format string
specifiers. When the command is processed, the malicious format string
specifiers may be interpreted. As a result, it may be possible for
sensitive locations in memory to be corrupted. This may ultimately result
in the execution of attacker-supplied code.
This vulnerability was reported for Magic Winmail Server 2.3.
IV. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Windows 2003 Server - MS Rulez? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322535
2. Updated URLScan Security Tool Released (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322305
3. Netreg for Windows (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322298
4. Article Announcement: Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/322175
5. Administrivia: Sobig/Mankx/Palyh (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321987
6. SecurityFocus Microsoft Newsletter #137 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321919
7. Article Announcement: "Relax, It Was a Honeypot" (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321894
8. Article Announcement: Malware Myths and Misinformation, Part One (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/321893
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. CryptoGram Secure Login
by CryptoGram SA
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
Summary:
As computer crime rises (computer theft, fraud, piracy, etc.) secure
access to information has become a key factor in the architecture of
computer systems. To combat these threats, only a hardware based
authentication solution can fully protect access to your computers. With
CryptoGram Secure Login, users must possess a token and provide
information to be authenticated. Using the latest cryptographic and
biometric technologies, the CryptoGram Secure Login solution protects
access to your Windows NT 4.0, Windows 2000 and Windows XP computers and
keeps all unauthorized users out
2. Tricryption Engine
by ERUCES
Platforms: N/A
Relevant URL:
Summary:
The ERUCES Tricryption Engine is an enabling technology platform based on
the most advanced high-volume encryption and automated key management
system on the market today. The Tricryption Engine is the only data
security platform that can scale to meet the continually growing
encryption requirements companies must implement. As organizations look
for methods to protect increasing amounts of electronic data, they need to
deploy solutions that will completely prohibit unauthorized users from
reading or tampering with protected data, while at the same time remove
the constraints of system performance and on-going management. With its
patent-pending automated encryption key management process, the
Tricryption Engine platform can be used to protect all types of electronic
data, from databases to multimedia files.
3. neuSECURE
by GuardedNet
Platforms: Linux, UNIX, Windows 2000, Windows NT, Windows XP
Relevant URL:
Summary:
neuSECURE is a web-based security information management software solution
designed to provide a comprehensive, coherent view of enterprise security.
It correlates log data files from disparate machines such as firewalls,
intrusion detection systems, computer systems and routers and
automatically analyzes this data to uncover legitimate threats to the
enterprise. neuSECURE allows security analysts to prioritize their
investigations and focus on the mission-critical task of responding to
threats as they are occurring, rather than after the damage is done. And
with neuSECURE a security team can manage security threats from early
detection to final resolution without ever leaving the intuitive,
web-based console.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. WinCrypt v2.0
by C2SG
Relevant URL:
http://www.wincrypt.com/
Platforms: Windows 2000, Windows 3.x, Windows 95/98, Windows NT, Windows
XP
Summary:
This is desktop encryption software to stop prying eyes. Windows users can
now secure documents in such a way that sensitive files on hard drives and
e-mail attachments are totally unreadable to unauthorized users.
Users can drag and drop sensitive files into the Wincrypt window, select a
password, and then e-mail the file to the intended recipient. The only
people able to read the document are the holders of the password. The file
or folder is protected by 256-bit Advanced Encryption Standard (AES).
Advanced features include anti-logging keyboard, quik-klik encryption and
self decrypting files.
2. Darik's Boot and Nuke v2003052000(Beta)
by Darik Horn
Relevant URL:
http://dban.sourceforge.net/
Platforms: Os Independent
Summary:
Darik's Boot and Nuke (DBAN) is a self-contained boot floppy that securely
wipes the hard disks of most computers. DBAN will automatically and
completely delete the contents of any hard disk that it can detect, which
makes it an appropriate utility for bulk or emergency data destruction.
3. incident.pl v2.6
by Viraj Alankar
Relevant URL:
http://www.cse.fau.edu/~valankar/
Platforms: N/A
Summary:
incident.pl is a small script that, when given logs generated by snort,
can generate an incident report for every event that appears to be an
attempted security attack, and report the attack to the appropriate
administrators.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics
ALERT: Top 10 Web Application Attack Techniques and Methods to Combat them
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation.
All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
Visit us at: http://www.spidynamics.com/mktg/webappsecurity102
------------------------------------------------------------------------
-------
[ reply ]