Microsoft Security News
SecurityFocus Microsoft Newsletter #141 Jun 16 2003 03:37PM
John Boletta (jboletta securityfocus com)

SecurityFocus Microsoft Newsletter #141
---------------------------------------

This issue brought to you by: SPI Dynamics

FREE White Paper: "How Web Application Hackers Break In!" Learn why 70% of
today's successful hacks involve Web Application attacks such as: SQL
Injection, XSS, Cookie Manipulation, and Parameter Manipulation.

All undetectable by Firewalls and IDS! Download *FREE* white paper from
SPI Dynamics for a complete guide to protection!

Visit us at: http://www.securityfocus.com/SPIDynamics-ms-secnews3
------------------------------------------------------------------------

I. FRONT AND CENTER
1. Penetration Test for Web Applications - Part One
2. Honeypots: Are They Illegal?
3. Bad Raps for Non-Hacks
II. MICROSOFT VULNERABILITY SUMMARY
1. FlashFXP PASV Response Buffer Overflow Vulnerability
2. SmartFTP PWD Command Request Buffer Overflow Vulnerability
3. FTP Voyager Remote LIST Buffer Overrun Vulnerability
4. GZip ZNew Insecure Temporary File Creation Symbolic Link...
5. Ethereal SPNEGO Dissector Denial Of Service Vulnerability
6. WebcamNow Plain Text Password Storage Weakness
7. Mollensoft Enceladus Server Suite Clear Text Password Storage...
8. silentThought Simple Web Server Directory Traversal Vulnerability
9. Mollensoft Enceladus Server Suite HTACCESS File Access Weakness
10. H-Sphere HTML Template Inclusion Cross-Site Scripting...
11. Spyke PHP Board Information Disclosure Vulnerability
12. LeapFTP Client PASV Response Buffer Overflow Vulnerability
13. SmartFTP File List Command Buffer Overflow Vulnerability
14. Ethereal OSI Dissector Buffer Overflow Vulnerability
15. FakeBO Syslog Format String Vulnerability
16. Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
17. Mollensoft Software Enceladus Server Suite Guestbook HTML...
18. MySQL libmysqlclient Library mysql_real_connect() Buffer...
19. WebBBS Pro Malicious GET Request Denial Of Service Vulnerability
20. Multiple Speak Freely Remote Boundary Condition Error...
21. Microsoft Windows FIN-ACK Network Device Driver Frame Padding...
22. FlashFXP Client Request Hostname Buffer Overflow Vulnerability
23. Nuca WebServer File Disclosure Vulnerability
24. ArGoSoft Mail Server Multiple GET Requests Denial Of Service...
25. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
26. Ethereal DCERPC Dissector Memory Allocation Vulnerability
27. Ethereal Multiple Dissector String Handling Vulnerabilities
III. MICROSOFT FOCUS LIST SUMMARY
1. Local User Permissions in a Public, Domain Environment? (Thread)
2. Question regarding su.exe (Thread)
3. Windows 2000 Patch Order (Thread)
4. FW: Windows 2000 Patch Order (Thread)
5. Fwd: FW: Windows 2000 Patch Order (Thread)
6. Article Announcement (Thread)
7. SecurityFocus Microsoft Newsletter #140 (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. AbsoluteShield Internet Eraser Pro
2. East-Tec FormatSecure
3. KillDisk
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. LibTomCrypt v0.77
2. Blue dot v1.20
3. Enigmail v0.76.0
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Penetration Test for Web Applications - Part One
By Jody Melbourne

This is the first in a series of three articles on penetration testing for
Web applications. The first installment provides the penetration tester
with an overview of Web applications - how they work, how they interact
with users, and most importantly how developers can expose data and
systems with poorly written and secured Web application front-ends.

http://www.securityfocus.com/infocus/1704

2. Honeypots: Are They Illegal?
By Lance Spitzner

As honeypots and their concepts have grown more popular, people have begun
to ask what legal issues could apply. The purpose of this paper is to
address the most commonly asked issues.

http://www.securityfocus.com/infocus/1703

3. Bad Raps for Non-Hacks
By Mark Rasch

A few odd cases show that you don't have to be a digital desperado to be
accused of a cybercrime... particularly if you embarrass the wrong
bureaucrats.

http://www.securityfocus.com/columnists/167

II. BUGTRAQ SUMMARY
-------------------
1. FlashFXP PASV Response Buffer Overflow Vulnerability
BugTraq ID: 7857
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7857
Summary:

FlashFXP is an FTP implementation that allows client-server file transfers
in addition to site-to-site file transfers. It is available for Microsoft
Windows.

FlashFXP is prone to a remotely exploitable buffer overflow when handling
a server response to the PASV FTP command. The PASV command is issued to
tell the server that the client wishes to transfer files in passive mode.
FTP servers that support passive mode will respond to such a request with
an IP address and port number. If an FTP server responds with an
excessively long IP address, an internal buffer on the client system may
be overrun with specific values supplied by the server.

A malicious FTP server could exploit this issue to execute code on the
client system. This would occur in the security context of the user
running the vulnerable client.

2. SmartFTP PWD Command Request Buffer Overflow Vulnerability
BugTraq ID: 7858
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7858
Summary:

SmartFTP is a GUI FTP client available for most Microsoft Windows
operating systems.

SmartFTP is reported to be prone to a boundary condition error. This is
due to insufficient bounds checking in the 'PWD' command.

If an FTP server replies with an overly long string to a 'PWD' command, an
internal buffer may be overrun. This results in corruption of stack-based
memory. Arbitrary code execution in the security context of the user
running the FTP client is reportedly possible.

This issue was reported to affect SmartFTP 1.0.973, however, other
versions may also be vulnerable.

3. FTP Voyager Remote LIST Buffer Overrun Vulnerability
BugTraq ID: 7862
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7862
Summary:

FTP Voyager is an ftp client program maintained by RhinoSoft and is
available for the Microsoft Windows operating system.

A buffer overrun vulnerability has been discovered in FTP Voyager. It has
been discovered that the client fails to perform sufficient bounds
checking before processing server-supplied data returned from a LIST
request. Specifically, a string containing approximately 624 bytes of
data, returned in a response to a client LIST request, will result in the
corruption of stack memory.

Exploitation of this vulnerability could ultimately result in the
execution of arbitrary instructions with the privileges of the user
invoking the affected client.

This issue is said to affect FTP Voyager 9.1.0.3 and 10.0.0.0, however
earlier versions may also be vulnerable.

4. GZip ZNew Insecure Temporary File Creation Symbolic Link Vulnerability
BugTraq ID: 7872
Remote: No
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7872
Summary:

gzip is a freely available, open source file compression utility. It is
maintained by public domain, and available for the Unix, Linux, and
Microsoft operating systems.

A problem with the utility may make the local destruction of data
possible.

It has been reported that gzip does not securely handle temporary files in
the znew script. Because of this, a local attacker may be able to launch
a symbolic link attack against sensitive files.

The problem is in the handling of checking for existing files. When the
znew script executes, it does not sufficiently validate the value returned
when the program checks for the existence of a file in the temporary
directory. Because of this, znew could potentially write to a symbolic
link that would destroy the data at the end of the symbolic link, provided
the user has sufficient privileges to write to the file. This may also
potentially lead to elevated privileges, though this theory is
unconfirmed.

5. Ethereal SPNEGO Dissector Denial Of Service Vulnerability
BugTraq ID: 7879
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7879
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The SPNEGO dissector of Ethereal, when parsing certain ASN.1 codes, may
cause a segmentation fault.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet with an invalid ASN.1 value and sending it to a
system using the vulnerable dissector.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for the execution of arbitrary
code with the privileges of the Ethereal process.

This vulnerability affects Ethereal 0.9.12 and earlier.

6. WebcamNow Plain Text Password Storage Weakness
BugTraq ID: 7884
Remote: No
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7884
Summary:

WebcamNow is a streaming image service available for Microsoft Windows
operating systems.

WebcamNow stores usernames and associated passwords using plaintext
format, in the Windows registry. Specifically, WebcamNow stores
authentication credentials in the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WebCamNow\Users\Password

As a result, these credentials could be exposed to other local users who
have the permissions to access the registry.

7. Mollensoft Enceladus Server Suite Clear Text Password Storage Weakness
BugTraq ID: 7886
Remote: No
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7886
Summary:

Enceladus Server Suite is a commercially available HTTP and FTP server
distributed by Mollensoft Software. It is available for the Microsoft
Windows platform.

A problem in the software may expose potentially sensitive information.

It has been reported that Enceladus Server Suite does not securely store
user credentials. This may allow an unauthorized user to gain access to
potentially sensitive information.

Enceladus does not securely store user passwords. Instead, the program
stores passwords in clear text on the local system. An attacker with
access to the directory could harvest username and password pairs from an
installation.

8. silentThought Simple Web Server Directory Traversal Vulnerability
BugTraq ID: 7888
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7888
Summary:

silentThought Simple Web Server is an HTTP server designed for use on
Microsoft Windows operating environments.

It has been reported that Simple Web Server fails to properly sanitize web
requests. By sending a malicious web request to the vulnerable server,
using directory traversal sequences, it is possible for a remote attacker
to access sensitive resources located outside of the web root.

An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.

Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.

This vulnerability has been reported for silentThought Simple Web Server
version 1.0 for the Microsoft Windows platform.

9. Mollensoft Enceladus Server Suite HTACCESS File Access Weakness
BugTraq ID: 7889
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7889
Summary:

Enceladus Server Suite is a commercially available HTTP and FTP server
distributed by Mollensoft Software. It is available for the Microsoft
Windows platform.

A problem in the software may expose potentially sensitive information.

It has been reported that Enceladus Server Suite does not securely store
certain user credentials. This may allow users, who are authorized to
access the "Security File Downloads" directory, to gain access to
potentially sensitive information.

Specifically, an htaccess file is stored without access restrictions,
making it exposable to users who can access the directory. This specific
htaccess file contains all credentials of users who have access to the
specific directory.

Access to this information may aid an attacker in launching further
attacks against a target user or the server.

10. H-Sphere HTML Template Inclusion Cross-Site Scripting Vulnerabilities
BugTraq ID: 7855
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7855
Summary:

H-Sphere is a multiserver web hosting application. H-Sphere is available
for Microsoft Windows, Linux, and Unix operating systems.

H-Sphere is prone to multiple cross-site scripting vulnerabilities via the
HTML template feature in the Hosting Control Panel. HTML and script code
will not be filtered from pages which are generated when a request for an
invalid or unknown template is made.

This could be exploited if a web user follows a malicious link to a site
hosting the vulnerable software that includes hostile HTML or script code.
This code would be executed in the context of the site hosting the
software. The link may also need to contain the username of a valid,
logged in user.

Successful exploitation could permit theft of cookie-based authentication
credentials from legitimate users of the Hosting Control Panel, which may
in turn permit unauthorized access to resources that are managed by the
software. Other attacks may also be possible.

11. Spyke PHP Board Information Disclosure Vulnerability
BugTraq ID: 7856
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7856
Summary:

A vulnerability has been reported for Spyke's PHP Board that may result in
an attacker obtaining access to sensitive information.

The vulnerability exists due to the way the CMS stores data. Specifically,
the system uses plaintext files for the storage of sensitive information.

An attacker can exploit this vulnerability to issue a request for the
'info.dat' configuration file. This will return a plaintext file to the
attacker the contents of which contain administrative authentication
information.

User authentication information is stored under the 'user' directory with
a .TXT extension.

Information obtained in this manner may allow an attacker to launch
further destructive attacks against a vulnerable system.

This vulnerability was reported for Spyke PHP Board 2.1.

12. LeapFTP Client PASV Response Buffer Overflow Vulnerability
BugTraq ID: 7860
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7860
Summary:

LeapFTP is an FTP client for Microsoft Windows operating systems.

LeapFTP client has been reported prone to a remote buffer overflow
vulnerability.

The issue is likely due to insufficient bounds checking and presents
itself when the affected FTP client makes a connection to a malicious
server that is running PASV mode. Reportedly during an FTP session LeapFTP
requests PASV mode. The PASV command is issued to tell the server that the
client wishes to transfer files in passive mode. FTP servers that support
passive mode will respond to such a request with an IP address and port
number.

If the PASV mode IP address data that is sent to the LeapFTP client is of
excessive length, the bounds of a stack based internal memory buffer is
overrun, corrupting adjacent memory with attacker-supplied data. It has
been reported that it is possible to supply sufficient data to corrupt an
exception handler that is stored on the stack. Ultimately this condition
may be exploited to execute arbitrary code in the context of the user
running LeapFTP client.
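Entries 1 and 12 describe the same defect: the client copies the address and port fields of the server's 227 reply into a fixed-size stack buffer without first checking their length. The following is an added example, not code from FlashFXP, LeapFTP or SecurityFocus, of how a client can parse a PASV reply so that an overlong or malformed reply is rejected before any byte of it is copied. The 128-byte reply limit and the helper names (parse_pasv_reply, check_pasv, parse_pasv_with_field_of) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

/* Longest 227 reply the client will even look at. Anything longer is dropped
 * before parsing (an assumed limit for this example; RFC 959 fixes none). */
#define PASV_MAX_REPLY 128

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into a dotted-quad
 * string and a port. Returns 0 on success, -1 on malformed or oversized
 * input. Writes at most ip_len bytes (including the NUL) to ip_out. */
int parse_pasv_reply(const char *reply, size_t reply_len,
                     char *ip_out, size_t ip_len, uint16_t *port_out)
{
    unsigned v[6];
    const char *p, *end;
    int i;

    if (reply == NULL || ip_out == NULL || port_out == NULL || ip_len < 16)
        return -1;
    /* Length check first: an overlong reply is hostile, not something to parse. */
    if (reply_len < 3 || reply_len > PASV_MAX_REPLY || strncmp(reply, "227", 3) != 0)
        return -1;

    end = reply + reply_len;
    p = memchr(reply, '(', reply_len);
    if (p == NULL)
        return -1;
    p++;

    for (i = 0; i < 6; i++) {
        unsigned val = 0;
        int digits = 0;
        while (p < end && isdigit((unsigned char)*p)) {
            val = val * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || val > 255)   /* each field is one octet */
                return -1;
            p++;
        }
        if (digits == 0)
            return -1;
        v[i] = val;
        if (i < 5) {                         /* fields are comma separated */
            if (p >= end || *p != ',')
                return -1;
            p++;
        }
    }
    if (p >= end || *p != ')')
        return -1;

    /* Output is rebuilt from validated numbers under snprintf's bound; no
     * byte of the server's reply is ever copied verbatim into the client. */
    snprintf(ip_out, ip_len, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port_out = (uint16_t)(v[4] * 256 + v[5]);
    return 0;
}

/* Test helper: 1 if reply parses to expect_ip:expect_port, 0 if it parses to
 * something else, -1 if it is rejected. */
int check_pasv(const char *reply, const char *expect_ip, unsigned expect_port)
{
    char ip[16];
    uint16_t port;
    if (parse_pasv_reply(reply, strlen(reply), ip, sizeof ip, &port) != 0)
        return -1;
    return (strcmp(ip, expect_ip) == 0 && port == expect_port) ? 1 : 0;
}

/* Test helper: build a reply whose first field is n '9' digits and parse it,
 * to show that oversized and out-of-range fields are refused. */
int parse_pasv_with_field_of(size_t n)
{
    static char buf[2048];
    char ip[16];
    uint16_t port;
    size_t len;

    if (n > sizeof buf - 64)
        return -2;
    len = strlen(strcpy(buf, "227 Entering Passive Mode ("));
    memset(buf + len, '9', n);
    len += n;
    strcpy(buf + len, ",0,0,1,4,1).");
    len += strlen(",0,0,1,4,1).");
    return parse_pasv_reply(buf, len, ip, sizeof ip, &port);
}

int main(void)
{
    printf("normal reply: %d\n",
           check_pasv("227 Entering Passive Mode (192,168,1,10,19,137).", "192.168.1.10", 5001));
    printf("600-digit field: %d\n", parse_pasv_with_field_of(600));
    return 0;
}
```

The same shape applies to the PWD and LIST replies in entries 2, 3 and 13: bound the reply length, validate its syntax against what the protocol allows, and build client-side data from the parsed values rather than copying server-supplied bytes.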

13. SmartFTP File List Command Buffer Overflow Vulnerability
BugTraq ID: 7861
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7861
Summary:

SmartFTP is a GUI FTP client available for most Microsoft Windows
operating systems.

SmartFTP is reported to be prone to a boundary condition error. This is
due to insufficient bounds checking in the File List command.

If an FTP server replies with an overly long string to a File List
command, an internal buffer may be overrun. This results in corruption of
heap-based memory. Arbitrary code execution in the security context of
the user running the FTP client is reportedly possible.

This issue was reported to affect SmartFTP 1.0.973, however, other
versions may also be vulnerable.

14. Ethereal OSI Dissector Buffer Overflow Vulnerability
BugTraq ID: 7880
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7880
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The OSI dissector is prone to a buffer overflow condition when handling
bad IPv4 or IPv6 prefix lengths. This is likely due to insufficient bounds
checking.

It may be possible to construct an IPv4 or IPv6 packet that will, when
decoded by Ethereal, trigger the overflow condition. Successful
exploitation of this vulnerability may result in the attacker gaining
access to the Ethereal host via execution of attacker-supplied
instructions.

This BID will be updated when further technical details are disclosed.

This vulnerability affects Ethereal 0.9.12 and earlier.

15. FakeBO Syslog Format String Vulnerability
BugTraq ID: 7882
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7882
Summary:

FakeBO is a utility to log common trojan attempts in an effort to possibly
emulate one. It may also be used in a honeypot setup to facilitate
security monitoring. It is available for Microsoft Windows, Linux, and
Unix variant operating systems.

A vulnerability has been reported for FakeBO that may result in an
attacker obtaining elevated privileges on a target system.

Due to a programming error, it may be possible to exploit a format string
vulnerability in the affected utility. Specifically, a logging function in
FakeBO contains insecure syslog() calls. This could result in the
execution of attacker-supplied code.

The vulnerability occurs when FakeBO resolves a carefully constructed
hostname that includes malicious format string specifiers. In the event
that this vulnerability is exploited, an attacker could cause arbitrary
locations in memory to be corrupted with attacker-specified data and
execute code with elevated privileges.

This vulnerability was reported for FakeBO 0.4.1.
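The defect class in entry 15 is a format string that comes from data (a resolved hostname) rather than from a constant. The following is an added example, not FakeBO's code, that shows the vulnerable and hardened call shapes in a comment and then the defensive pattern in working code: keep the format string constant, pass the hostname as an argument, and additionally restrict the hostname to characters that belong in one. The function names and the "connection from" message are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (do not use): attacker-influenced text IS the format, so
 * any directives inside it are interpreted by the printf family:
 *     syslog(LOG_INFO, hostname);
 * Hardened pattern: the format is a string literal, the hostname is data:
 *     syslog(LOG_INFO, "connection from %s", hostname);
 */

/* Replace any byte that is not legal in a hostname (letters, digits, '-', '.')
 * with '?', so log viewers and downstream parsers never see control bytes or
 * directive-looking text. Returns the number of bytes replaced, or -1 if
 * out_len is zero. Output is truncated to out_len-1 bytes and NUL terminated. */
int sanitize_hostname(const char *host, char *out, size_t out_len)
{
    size_t i = 0;
    int replaced = 0;

    if (out_len == 0)
        return -1;
    for (; host[i] != '\0' && i + 1 < out_len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (isalnum(c) || c == '-' || c == '.') {
            out[i] = (char)c;
        } else {
            out[i] = '?';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Build the log line the way the hardened syslog() call would: constant
 * format, sanitized hostname as an argument. Returns the line length, or -1
 * if the line would not fit in out. */
int format_log_line(const char *host, char *out, size_t out_len)
{
    char clean[256];
    int n;

    sanitize_hostname(host, clean, sizeof clean);
    n = snprintf(out, out_len, "connection from %s", clean);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Test helper: 1 if the formatted line for host equals expect, else 0. */
int log_line_equals(const char *host, const char *expect)
{
    char line[512];
    if (format_log_line(host, line, sizeof line) < 0)
        return 0;
    return strcmp(line, expect) == 0;
}

int main(void)
{
    char line[512];
    format_log_line("evil%n%n.example", line, sizeof line);
    puts(line);   /* directives survive only as inert '?' characters */
    return 0;
}
```

The sanitizer is defense in depth: the constant format string alone already closes the format string hole, and the character filter protects whatever consumes the log afterwards.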

16. Ethereal TVB_GET_NSTRINGZ0() Memory Handling Vulnerability
BugTraq ID: 7883
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7883
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

An Ethereal routine, tvb_get_nstringz0(), has been reported prone to a
memory handling vulnerability. Reportedly tvb_get_nstringz0() incorrectly
handles a zero-length buffer size. Although unconfirmed, it has been
conjectured that this issue may be due to an incorrect allocation of
memory, caused when an unsigned integer is used when calculating the size
of memory to be allocated.

Exploitation of this issue may allow an attacker to cause Ethereal to
behave in an unpredictable manner.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful this may allow for either a remotely triggered
denial of service condition or ultimately in the execution of arbitrary
code with the privileges of the Ethereal process.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

This vulnerability affects Ethereal 0.9.12 and earlier.
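Entry 16 conjectures that the routine mishandles a zero-length buffer because the size computation is done in unsigned arithmetic, where `0 - 1` wraps to the largest representable value instead of going negative. The following is an added example, a hypothetical reconstruction of that kind of bounded string fetch and not Ethereal's code, showing the check that has to precede the subtraction and the edge cases (zero-size buffer, unterminated string, offset past the packet) a dissector must handle. The function names and the sample packet are assumptions for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Copy a NUL-terminated string out of a packet buffer into out, writing at
 * most out_size bytes including the terminator. Returns the number of packet
 * bytes consumed (string plus NUL), 0 if no NUL was reached before out filled
 * or the packet ended (out is still terminated), or -1 if out_size is zero or
 * offset lies outside the packet. */
long bounded_get_stringz(const uint8_t *pkt, size_t pkt_len, size_t offset,
                         char *out, size_t out_size)
{
    size_t limit, i;

    /* The defect class in the entry: computing `out_size - 1` before checking
     * for zero wraps to SIZE_MAX, so the copy loop below would run unbounded.
     * Refuse a zero-size buffer and a bad offset before any arithmetic. */
    if (pkt == NULL || out == NULL || out_size == 0 || offset > pkt_len)
        return -1;
    limit = out_size - 1;                 /* room for characters; safe now */
    if (limit > pkt_len - offset)
        limit = pkt_len - offset;         /* and never read past the packet */

    for (i = 0; i < limit; i++) {
        out[i] = (char)pkt[offset + i];
        if (out[i] == '\0')
            return (long)(i + 1);
    }
    out[limit] = '\0';                    /* always leave out terminated */
    return 0;
}

/* Shows the wrap itself: 1 if `n - 1` computed in size_t is larger than n,
 * which happens exactly when n is zero. */
int size_minus_one_wraps(size_t n)
{
    size_t limit = n - 1;
    return limit > n;
}

/* Constructed sample packet: "host" followed by an unterminated "xy". */
static const uint8_t sample_pkt[] = { 'h', 'o', 's', 't', '\0', 'x', 'y' };

/* Test helper: return value of a fetch from sample_pkt into an out_size buffer. */
long sample_fetch_len(size_t offset, size_t out_size)
{
    char out[32];
    if (out_size > sizeof out)
        return -2;
    return bounded_get_stringz(sample_pkt, sizeof sample_pkt, offset, out, out_size);
}

/* Test helper: 1 if the fetched string equals expect. A rejected call must
 * leave the buffer untouched, so the sentinel "untouched" then remains. */
int sample_fetch_equals(size_t offset, size_t out_size, const char *expect)
{
    char out[32] = "untouched";
    if (out_size > sizeof out)
        return -2;
    bounded_get_stringz(sample_pkt, sizeof sample_pkt, offset, out, out_size);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    printf("fetch into 16 bytes: %ld\n", sample_fetch_len(0, 16));  /* 5 */
    printf("fetch into 0 bytes:  %ld\n", sample_fetch_len(0, 0));   /* -1 */
    printf("0 - 1 wraps: %d\n", size_minus_one_wraps(0));          /* 1 */
    return 0;
}
```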

17. Mollensoft Software Enceladus Server Suite Guestbook HTML Injection Vulnerability
BugTraq ID: 7885
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7885
Summary:

Enceladus Server Suite is a Web and FTP server designed for use with
Microsoft Windows operating systems.

Enceladus Server Suite is prone to HTML injection attacks. The
vulnerability exists in the Guestbook, shipped as part of the web server,
and is a result of insufficient sanitization of malicious HTML code from
user-supplied input. HTML and script code may be echoed back when a
victim user chooses to view the system's Guestbook. It is possible that
code injected through this issue could be displayed and rendered by other
users.

Successful exploitation could permit a malicious attacker to cause the
execution of hostile HTML and script code in the web client of a user who
visits a vulnerable site hosting the vulnerable guestbook software. This
would occur in the security context of the site.

Exploitation could allow for attacks that steal cookie-based
authentication credentials. Other attacks are also possible.

This vulnerability was reported for Enceladus Server Suite 3.9.11. It is
likely that other versions are also affected by this vulnerability.

18. MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
BugTraq ID: 7887
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7887
Summary:

MySQL is an open source relational database project, and is available for
a number of operating systems, including Microsoft Windows.

MySQL contains a library called libmysqlclient. A problem exists in the
mysql_real_connect() function of the libmysqlclient library that could
result in a buffer being overrun.

The problem likely occurs due to insufficient bounds checking of
user-supplied parameters and could allow an attacker to corrupt sensitive
process memory. It is possible to trigger this condition by supplying a
parameter containing approximately 350 or more bytes of data.

An attacker could potentially be capable of exploiting this issue to
execute arbitrary code on a remote system. It should be noted that this
issue would be required to be exploited in conjunction with an unrelated
remote SQL injection attack or possibly used on a system which allows for
the uploading of scripts.

19. WebBBS Pro Malicious GET Request Denial Of Service Vulnerability
BugTraq ID: 7890
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7890
Summary:

WebBBS Pro is a web-based BBS system designed to run in Microsoft Windows
environments. WebBBS Pro is shipped with a web server component.

A vulnerability has been discovered in WebBBS Pro, which may allow a
remote attacker to trigger a denial of service condition in the WebBBS
HTTP server.

It has been reported that a remote attacker may cause the web server to
throw an exception by making a malformed HTTP request. The server will
crash, effectively denying service to legitimate WebBBS Pro users until
the service is restarted.

This issue was reported to affect WebBBS Pro 1.18, however, other versions
may also be affected.

20. Multiple Speak Freely Remote Boundary Condition Error Vulnerabilities
BugTraq ID: 7846
Remote: Yes
Date Published: Jun 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7846
Summary:

Speak Freely is a freely available Internet voice communication
application. It is available for the Unix, Linux, and Microsoft
platforms.

Several problems with the program may give users unauthorized access to
systems.

Several security issues have been reported in Speak Freely. These issues
include boundary condition errors, insecure use of temporary files, and
insecure network traffic handling. These problems may allow both remote
and local users to gain unauthorized access to the system.

Three boundary condition errors have been reported in the program that
allow attack through UDP traffic. Two methods of attack are through
either the data port (2074/UDP) or control port (2075/UDP).

Insecure temporary file handling has been reported, although specifics
about this particular instance of vulnerability have not been made
available. It is also reported that this issue can permit the overwriting
of any file owned by the Speak Freely user, which likely indicates the
possibility of symbolic link attack through temporary files.

Finally, there are reports of the ability to circumvent network protection
devices such as firewalls, and also static buffer overflows. Due to the
way Speak Freely handles UDP traffic, it is possible to relay traffic into
a protected network through spoofed IP headers. Information about the
reported static buffer overflow conditions is not available.

These problems could permit a remote attacker to gain access to the system
with the privileges of the Speak Freely user, or potentially relay traffic
into a restricted network. A local attacker may also be able to exploit
these problems to gain elevated privileges, or destroy data.

21. Microsoft Windows FIN-ACK Network Device Driver Frame Padding Information Disclosure Vulnerability
BugTraq ID: 7849
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7849
Summary:

Network device drivers for Microsoft Windows Server 2003 have been reported
to disclose potentially sensitive information to attackers.

Frames that are smaller than the minimum frame size should have the unused
portion of the frame buffer padded with null (or other) bytes. Some device
drivers do not do this adequately, leaving the data that was stored in the
memory comprising the buffer prior to its use intact. Consequently, this
data may be transmitted within frames across ethernet segments. As the
ethernet frame buffer is allocated in kernel memory space, sensitive data
may be leaked.

An attacker can exploit this vulnerability by sending a simple TCP packet,
with the FIN-ACK flags set, to a vulnerable machine. A response to such a
query will involve a packet that has been padded to a sufficient length.
It may be that the information that is padded is of a sensitive nature. An
attacker may use the information obtained in this manner to launch other
attacks against a vulnerable system.

The following drivers were reported to be vulnerable to this issue:

VIA Rhine II Compatible network card (some motherboards have this
integrated)
AMD PCNet family network cards (used by some versions of VMWare)

The affected drivers are signed by the vendor and are available on the
Windows Server 2003 CD. Both drivers have been reported to disclose
sensitive information, such as POP3 passwords, to attackers.

This vulnerability is similar to the issue described in BID 6535.
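A defender can check for this leak in a capture without any knowledge of the driver: for an IPv4 frame, everything past the IP total length is padding, and a correct driver fills it with zeros. The following is an added example, not from Microsoft, the driver vendors or SecurityFocus, of that check run over two constructed 60-byte frames (one padded cleanly, one carrying stale bytes). The frame layout follows standard Ethernet and IPv4 header offsets; the function names, the sample frames and the "PASS" filler bytes are assumptions for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ETH_MIN_FRAME 60   /* minimum Ethernet frame, FCS excluded */

/* Inspect an IPv4-over-Ethernet frame. Returns the number of padding bytes
 * (bytes beyond the IP total length) that are non-zero, so 0 means the
 * padding is clean; returns -1 if the frame is not IPv4 or the IP total
 * length does not fit inside the frame. */
int count_dirty_padding(const uint8_t *frame, size_t frame_len)
{
    size_t ip_total, pad_start, i;
    int dirty = 0;

    if (frame == NULL || frame_len < ETH_HDR_LEN + 20)
        return -1;
    if (frame[12] != 0x08 || frame[13] != 0x00)        /* EtherType IPv4 */
        return -1;
    if ((frame[ETH_HDR_LEN] >> 4) != 4)                /* IP version 4 */
        return -1;
    ip_total = ((size_t)frame[ETH_HDR_LEN + 2] << 8) | frame[ETH_HDR_LEN + 3];
    if (ip_total < 20 || ETH_HDR_LEN + ip_total > frame_len)
        return -1;

    pad_start = ETH_HDR_LEN + ip_total;
    for (i = pad_start; i < frame_len; i++)
        if (frame[i] != 0)
            dirty++;
    return dirty;
}

/* Build a constructed 60-byte frame carrying a 40-byte IPv4/TCP segment with
 * FIN and ACK set, then write the six trailing padding bytes from pad.
 * Sample data for the example, not a real capture. Returns the frame length
 * or 0 if the caller's buffer is too small. */
size_t build_sample_frame(uint8_t *frame, size_t frame_len, const uint8_t pad[6])
{
    if (frame_len < ETH_MIN_FRAME)
        return 0;
    memset(frame, 0, ETH_MIN_FRAME);
    frame[12] = 0x08; frame[13] = 0x00;       /* EtherType IPv4 */
    frame[14] = 0x45;                         /* version 4, IHL 5 */
    frame[16] = 0x00; frame[17] = 40;         /* IP total length 40 */
    frame[23] = 6;                            /* protocol TCP */
    frame[ETH_HDR_LEN + 20 + 13] = 0x11;      /* TCP flags FIN|ACK */
    memcpy(frame + ETH_HDR_LEN + 40, pad, 6); /* padding region */
    return ETH_MIN_FRAME;
}

/* Constructed padding contents: what a correct driver emits, and stale
 * buffer contents standing in for leaked data. */
static const uint8_t clean_pad[6] = { 0, 0, 0, 0, 0, 0 };
static const uint8_t leaky_pad[6] = { 'P', 'A', 'S', 'S', 0, 0 };

/* Test helper: dirty-padding count for a sample frame padded with pad. */
int sample_frame_dirty_count(const uint8_t pad[6])
{
    uint8_t frame[ETH_MIN_FRAME];
    size_t n = build_sample_frame(frame, sizeof frame, pad);
    return n ? count_dirty_padding(frame, n) : -1;
}

int main(void)
{
    printf("clean driver: %d non-zero padding bytes\n", sample_frame_dirty_count(clean_pad));
    printf("leaky driver: %d non-zero padding bytes\n", sample_frame_dirty_count(leaky_pad));
    return 0;
}
```

Run over a real capture, a non-zero count on frames from a given host is the signal to look at; the entry's FIN-ACK probe simply elicits short replies that need padding, so any small frame from the host is a candidate.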

22. FlashFXP Client Request Hostname Buffer Overflow Vulnerability
BugTraq ID: 7859
Remote: Yes
Date Published: Jun 09 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7859
Summary:

FlashFXP is an FTP implementation that allows client-server file transfers
in addition to site-to-site file transfers. It is available for Microsoft
Windows.

FlashFXP is prone to a buffer overflow vulnerability. This is due to
insufficient bounds checking of hostnames supplied in client requests.

Exploitation would require a client user to submit a malicious request for
an FTP site. This could occur if the FTP user were enticed to follow a
malicious link to an FTP site. If such a request were made by the
vulnerable client, excessive data embedded in the request could overrun
adjacent regions of memory on the client system. This could permit
execution of malicious instructions in the context of the user running the
client.

23. Nuca WebServer File Disclosure Vulnerability
BugTraq ID: 7864
Remote: Yes
Date Published: Jun 10 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7864
Summary:

Nuca WebServer is a web server plug-in for Nuca Plug-in and IdRunner. It
is implemented in Delphi and available for Microsoft Windows operating
systems.

Nuca WebServer is prone to an issue that may allow remote attackers to
gain access to sensitive files. This is due to insufficient filtering of
directory traversal sequences from web requests. As a result, it is
possible to escape the web root directory by submitting a request
containing directory traversal sequences. This could be exploited to read
the contents of arbitrary files that are readable by the web server.

This vulnerability could permit remote attackers to gain access to
sensitive information that might be useful in mounting further attacks
against the system hosting the software.
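Entries 8 and 23 are the same class of flaw: the server joins a request path onto the web root without resolving the ".." components first. The following is an added example, not code from silentThought, Nuca or SecurityFocus, of the path mapping a Windows web server needs: percent-decode the request, treat both slash styles as separators, resolve "." and ".." segment by segment, and refuse any request that would step above the root or that smuggles an encoded NUL. The root "/srv/www", the size limits and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024
#define MAX_SEGMENTS 64

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst (dst_len bytes including the NUL). Rejects
 * truncated escapes and an encoded NUL (%00), which would silently cut the
 * path at a point the checks below never see. */
static int url_decode(const char *src, char *dst, size_t dst_len)
{
    size_t o = 0;
    while (*src) {
        char c = *src;
        if (c == '%') {
            int h = hexval(src[1]), l = (h < 0) ? -1 : hexval(src[2]);
            if (l < 0) return -1;
            c = (char)(h * 16 + l);
            if (c == '\0') return -1;
            src += 3;
        } else {
            src++;
        }
        if (o + 1 >= dst_len) return -1;
        dst[o++] = c;
    }
    dst[o] = '\0';
    return 0;
}

/* Map a request path onto the web root. Returns 0 and fills out with
 * "<root>/<normalized path>" when the path stays inside root, -1 otherwise.
 * Both '/' and '\' are separators, as they are on Windows. */
int resolve_web_path(const char *root, const char *request, char *out, size_t out_len)
{
    char decoded[MAX_PATH_LEN];
    const char *segs[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS], n, i;
    int depth = 0;
    char *p;

    if (url_decode(request, decoded, sizeof decoded) != 0)
        return -1;
    for (p = decoded; *p; p++)
        if (*p == '\\') *p = '/';

    /* Walk the segments, resolving "." and ".." against a depth counter that
     * is never allowed to go below the root. */
    p = decoded;
    while (*p) {
        while (*p == '/') p++;
        if (!*p) break;
        n = strcspn(p, "/");
        if (n == 1 && p[0] == '.') {
            /* current directory: nothing to do */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;          /* would escape the web root */
            depth--;
        } else {
            if (depth >= MAX_SEGMENTS) return -1;
            segs[depth] = p;
            seglen[depth] = n;
            depth++;
        }
        p += n;
    }

    n = (size_t)snprintf(out, out_len, "%s", root);
    if (n >= out_len) return -1;
    for (i = 0; i < (size_t)depth; i++) {
        int w = snprintf(out + n, out_len - n, "/%.*s", (int)seglen[i], segs[i]);
        if (w < 0 || (size_t)w >= out_len - n) return -1;
        n += (size_t)w;
    }
    return 0;
}

/* Test helper: 1 if request maps to expect under the assumed root "/srv/www",
 * 0 if it maps elsewhere, -1 if it is rejected. */
int check_request(const char *request, const char *expect)
{
    char out[MAX_PATH_LEN];
    if (resolve_web_path("/srv/www", request, out, sizeof out) != 0)
        return -1;
    return strcmp(out, expect) == 0 ? 1 : 0;
}

int main(void)
{
    printf("%d\n", check_request("/images/../index.html", "/srv/www/index.html"));
    printf("%d\n", check_request("/..%5c..%5coutside.txt", ""));
    return 0;
}
```

Decoding before normalizing matters: a check that looks for "../" in the raw request misses "%2e%2e/" and "..%5c", both of which the function rejects only because it inspects the decoded, separator-normalized segments.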

24. ArGoSoft Mail Server Multiple GET Requests Denial Of Service Vulnerability
BugTraq ID: 7873
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7873
Summary:

ArGoSoft Mail Server is an SMTP, POP3 and Finger server for Microsoft
Windows environments. ArGoSoft has a built-in web server to enable remote
access to mail.

ArGoSoft Mail Server has been reported prone to a denial of service
condition when handling multiple GET requests in rapid succession. When
many GET requests are processed in a small time frame, the ArGoSoft Mail
Server will reportedly throw an exception and likely crash. This will
effectively deny service to legitimate ArGoSoft Mail Server users until
the service is restarted.

It should be noted that while ArGoSoft Mail Server version 1.8 (1.8.3.5)
has been reported vulnerable, previous versions might also be vulnerable.

25. Multiple Gnocatan Server Buffer Overflow Vulnerabilities
BugTraq ID: 7877
Remote: Yes
Date Published: Jun 12 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7877
Summary:

Gnocatan is a multiplayer game. It is available for Microsoft Windows and
Linux operating systems.

The Gnocatan game server is prone to multiple remotely exploitable buffer
overflow vulnerabilities. The vulnerabilities are due to insufficient
bounds checking of data supplied to the server, which could result in
corruption of memory with attacker-supplied values. These conditions
could potentially be exploited to execute malicious code in the context of
the server or to launch denial of service attacks.

Specific technical details regarding these vulnerabilities are not
available at this time. This BID will be updated as more details become
available.

26. Ethereal DCERPC Dissector Memory Allocation Vulnerability
BugTraq ID: 7878
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7878
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

The DCERPC dissector of Ethereal is prone to a condition whereby too much
memory may be allocated when decoding certain NDR strings.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissector or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

This may result in the vulnerable Ethereal process allocating too much
memory. Repeated decoding of malformed NDR packets may result in the
consumption of all available memory resources which may lead to a denial
of service condition.

This vulnerability affects Ethereal 0.9.12 and earlier.

27. Ethereal Multiple Dissector String Handling Vulnerabilities
BugTraq ID: 7881
Remote: Yes
Date Published: Jun 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7881
Summary:

Ethereal is a freely available, open source network traffic analysis tool.
It is maintained by the Ethereal Project and is available for most Unix
and Linux variants as well as Microsoft Windows operating systems.

Several dissectors included with Ethereal do not properly handle strings.
Exploitation of this issue may allow an attacker to cause Ethereal to
behave in an unpredictable manner. The BGP, WTP, DNS, 802.11, ISAKMP, WSP,
CLNP, ISIS, and RMI dissectors are vulnerable to this issue.

The precise technical details of this vulnerability are currently unknown.
This BID will be updated as further information is available.

An attacker may be able to exploit this vulnerability by crafting a
specially formed packet and sending it to a system using the vulnerable
dissectors or by convincing a victim user to use Ethereal to read a
malformed packet trace file.

Due to the nature of this vulnerability, it may be possible for an
attacker to create a situation in which sensitive memory could be
overwritten. If successful, this may allow for the execution of arbitrary
code with the privileges of the Ethereal process. Note that Ethereal is
commonly run as root (or as an Administrator on Windows) in order to
capture live traffic, so in practice that usually means full control of
the host.

This vulnerability affects Ethereal 0.9.12 and earlier.
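
The two Ethereal entries above (BID 7878 and BID 7881) describe the same
underlying class of defect: a dissector takes a length or count field from
the packet, or from a saved trace file, and uses it to size an allocation
or a copy without first checking it against the bytes that were actually
captured. The following C program is an added example written for this
newsletter; it is not Ethereal's code, and the NDR string layout, the names
(`tvb_t`, `ndr_string_alloc_unchecked`, `ndr_string_decode_checked`) and the
sample packets are constructed for illustration. It contrasts the weak
pattern, which derives an allocation size straight from a malformed NDR
string header, with a decoder that validates every count before using it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a capture buffer: the bytes actually present in the
 * packet or trace file (Ethereal calls this a tvbuff). Constructed for this
 * example. */
typedef struct {
    const uint8_t *data;
    size_t len;
} tvb_t;

/* Read a little-endian u32 at `off`, refusing to read past the captured bytes. */
static int tvb_get_u32le(const tvb_t *tvb, size_t off, uint32_t *out)
{
    if (off > tvb->len || tvb->len - off < 4)
        return -1;
    *out = (uint32_t)tvb->data[off]
         | (uint32_t)tvb->data[off + 1] << 8
         | (uint32_t)tvb->data[off + 2] << 16
         | (uint32_t)tvb->data[off + 3] << 24;
    return 0;
}

/* NDR conformant varying string header (three little-endian u32 fields):
 * max_count, offset, actual_count, followed by actual_count elements of
 * `elem` bytes each (1 for char, 2 for UTF-16LE wchar). */
#define NDR_STR_HDR 12

/* The weak pattern: the allocation size is computed straight from
 * actual_count as carried in the packet. Returns the byte count such a
 * decoder would hand to malloc(), or (size_t)-1 if the header is missing.
 * With actual_count = 0xFFFFFFFF and elem = 2 this is about 8 GB; with a
 * 32-bit size_t the multiplication also wraps, so a later copy of
 * actual_count elements would overrun the small buffer obtained. */
static size_t ndr_string_alloc_unchecked(const tvb_t *tvb, size_t off, size_t elem)
{
    uint32_t max_count, offset, actual_count;
    if (tvb_get_u32le(tvb, off, &max_count) ||
        tvb_get_u32le(tvb, off + 4, &offset) ||
        tvb_get_u32le(tvb, off + 8, &actual_count))
        return (size_t)-1;
    return (size_t)actual_count * elem;          /* attacker-controlled */
}

/* Hardened decoder: every count read from the wire is validated against the
 * NDR invariants and against the bytes actually captured before it is used
 * for allocation or copying. Writes the first byte of each element (Latin-1
 * subset of UTF-16LE, a simplification for the example) into `out`,
 * NUL-terminated. Returns the character count, or -1 if the string is
 * malformed or truncated. */
static int ndr_string_decode_checked(const tvb_t *tvb, size_t off, size_t elem,
                                     char *out, size_t out_cap)
{
    uint32_t max_count, offset, actual_count;
    if (elem == 0 || elem > 4 || out_cap == 0)
        return -1;
    if (tvb_get_u32le(tvb, off, &max_count) ||
        tvb_get_u32le(tvb, off + 4, &offset) ||
        tvb_get_u32le(tvb, off + 8, &actual_count))
        return -1;                               /* truncated header */

    /* NDR requires offset + actual_count <= max_count (checked without overflow). */
    if (offset > max_count || actual_count > max_count - offset)
        return -1;

    /* The decisive check: the claimed element count must fit in the bytes
     * actually captured after the header. Dividing rather than multiplying
     * avoids size_t wrap-around. body <= tvb->len because the header read
     * above succeeded. */
    size_t body = off + NDR_STR_HDR;
    size_t avail = tvb->len - body;
    if (actual_count > avail / elem)
        return -1;

    /* Bound by the caller's buffer as well, leaving room for the NUL. */
    if (actual_count >= out_cap)
        return -1;

    for (uint32_t i = 0; i < actual_count; i++)
        out[i] = (char)tvb->data[body + (size_t)i * elem];
    out[actual_count] = '\0';
    return (int)actual_count;
}

/* Constructed sample packets (not real captures). */
static const uint8_t sample_ok[] = {          /* well-formed: "hi" in UTF-16LE */
    0x02, 0x00, 0x00, 0x00,                   /* max_count    = 2 */
    0x00, 0x00, 0x00, 0x00,                   /* offset       = 0 */
    0x02, 0x00, 0x00, 0x00,                   /* actual_count = 2 */
    'h', 0x00, 'i', 0x00
};
static const uint8_t sample_bad[] = {         /* claims 4294967295 elements */
    0xFF, 0xFF, 0xFF, 0xFF,                   /* max_count    = 0xFFFFFFFF */
    0x00, 0x00, 0x00, 0x00,                   /* offset       = 0 */
    0xFF, 0xFF, 0xFF, 0xFF,                   /* actual_count = 0xFFFFFFFF */
    'A', 'B'                                  /* only two bytes captured */
};

static tvb_t make_tvb(const uint8_t *data, size_t len)
{
    tvb_t t = { data, len };
    return t;
}

int main(void)
{
    char buf[16];
    tvb_t ok = make_tvb(sample_ok, sizeof sample_ok);
    tvb_t bad = make_tvb(sample_bad, sizeof sample_bad);

    printf("unchecked alloc size for bad packet: %zu bytes\n",
           ndr_string_alloc_unchecked(&bad, 0, 2));
    printf("checked decode of bad packet: %d\n",
           ndr_string_decode_checked(&bad, 0, 2, buf, sizeof buf));
    printf("checked decode of ok packet: %d (\"%s\")\n",
           ndr_string_decode_checked(&ok, 0, 2, buf, sizeof buf), buf);
    return 0;
}
```

The same check applies whether the data arrives on the wire or from a trace
file: the only trustworthy bound is the number of bytes the capture actually
holds, never a count the packet asserts about itself.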

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Local User Permissions in a Public, Domain Environment? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/325096

2. Question regarding su.exe (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/325095

3. Windows 2000 Patch Order (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/324961

4. FW: Windows 2000 Patch Order (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/324960

5. Fwd: FW: Windows 2000 Patch Order (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/324940

6. Article Announcement (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/324701

7. SecurityFocus Microsoft Newsletter #140 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/324379

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. AbsoluteShield Internet Eraser Pro
by SysShield Consulting, Inc
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.internet-track-eraser.com/
Summary:

AbsoluteShield Internet Eraser protects your privacy by cleaning up all
the tracks of your Internet and computer activities. The tool is
integrated with IE and can erase the browser cache, history, cookies,
typed URLs, autocomplete list and so on in one click. You can also set the
tool to automatically erase those tracks when you quit IE or quit Windows.
The tool can also wipe free disk space and has open plugin support,
through which it can erase the tracks left by other applications. More
than 20 plugins are currently offered, covering popular programs such as
MS Office, WinZip, UltraEdit, RealPlayer and Media Player. Besides erasing
the tracks of your Internet and computer activities, the tool also has an
integrated, small, configurable and intelligent ad window and popup
blocker.

2. East-Tec FormatSecure
by EAST Technologies
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.east-tec.com/erprod/formatsc/index.htm
Summary:

East-Tec FormatSecure, in addition to formatting the drive, will securely
wipe the entire contents of the drive in order to stop software and
hardware tools from recovering any data. East-Tec FormatSecure is a
component of our family of products designed for the entire family of
Windows operating systems (Windows 95/98/Me/NT/2000/XP) to completely
eliminate sensitive data from your computer.

3. KillDisk
by LSoft Technologies Inc.
Platforms: DOS, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
Relevant URL:
http://www.killdisk.com/eraser.htm
Summary:

Active@ Kill Disk is disk eraser software for securely formatting hard
drives so that no data can subsequently be recovered. The DOS application
can be run from a boot floppy. It accesses the drive's data at the
physical level through the BIOS, bypassing the logical drive structure, so
the disk is wiped independently of the operating systems and file systems
installed on the IBM PC. DoD 5220.22-M compatible.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. LibTomCrypt v0.77
by Tom St Denis tomstdenis (at) iahu (dot) ca [email concealed]
Relevant URL:
http://www.libtomcrypt.org
Platforms: Linux, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:

LibTomCrypt is a comprehensive, modular, and portable cryptographic
toolkit that provides developers with a vast array of well known published
block ciphers, one-way hash functions, chaining modes, pseudo-random
number generators, public key cryptography, and a plethora of other
routines. It has been designed from the ground up to be very simple to
use. It has a modular and standard API that allows new ciphers, hashes,
and PRNGs to be added or removed without change to the overall end
application. It features easy to use functions and a complete user manual
which has many source snippet examples.

2. Blue dot v1.20
by Matti Tukiainen
Relevant URL:
http://ktmatu.com/software/bluedot/
Platforms: Os Independent
Summary:

Blue dot is a CGI tracking and Web site activity measurement script which
generates Apache combined style access log files. These log files can be
analyzed with most standard log analysis tools to track a site's
popularity, referrers, hosts, etc. The logging is based on inserting a
small piece of JavaScript or SSI code into every Web page. This code
requests a very small blue dot image from a server where the call is
logged. Blue dot can also be configured to set and log session and
persistent cookies. This can be used, for example, to track pay-per-click
search engine ROI.

3. Enigmail v0.76.0
by Patrick
Relevant URL:
http://enigmail.mozdev.org/
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:

Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.

VI. SPONSOR INFORMATION
-----------------------
This issue brought to you by: SPI Dynamics

FREE White Paper: "How Web Application Hackers Break In!" Learn why 70% of
today's successful hacks involve Web Application attacks such as: SQL
Injection, XSS, Cookie Manipulation, and Parameter Manipulation.

All undetectable by Firewalls and IDS! Download *FREE* white paper from
SPI Dynamics for a complete guide to protection!

Visit us at: http://www.securityfocus.com/SPIDynamics-ms-secnews3
------------------------------------------------------------------------