SecurityFocus Microsoft Newsletter #113
---------------------------------------
This Issue is Sponsored by: SpiDynamics
ALERT! -Cross-Site Scripting Holes in Web Applications! Cross-site
scripting vulnerabilities in web applications allow hackers to collect
confidential user information, manipulate or steal cookies, and create
requests that can be mistaken for those of a valid user!! All undetectable
by IDS!
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection! http://www.spidynamics.com/mktg/xss20
I. FRONT AND CENTER
1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
2. .NET/MSIL malicious code and AV/heuristic Engines
3. Locking Down the Pop-up Perps
4. Maintaining Credible IIS Log Files
5. Back to the Insecure Future
6. SecurityFocus DPP Program
7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Pine From: Field Heap Corruption Vulnerability
2. Macromedia JRun IIS ISAPI Filter GET Request Buffer Overrun...
3. Macromedia JRun Log File/JRun.INI File Disclosure...
4. Macromedia JRun Web Server Unicode Source Disclosure Vulnerability
5. CuteCast User Credential Disclosure Vulnerability
6. Perception LiteServe DNS Wildcard Cross Site Scripting...
7. Microsoft JVM Unauthorized Clipboard Access Vulnerability
8. Microsoft JVM Package Access Restriction Bypassing Vulnerability
9. Microsoft JVM Passed HTML Object Reference Denial Of Service...
10. Microsoft JVM HTML Applet Tag Class Restriction Bypass...
11. Microsoft JVM CAB File Loading Vulnerability
12. Microsoft JVM Codebase Information Disclosure Vulnerability
13. Microsoft JVM Information Disclosure Vulnerability
14. Microsoft JVM INativeServices Unauthorized Memory Access...
15. Perception LiteServe Directory Query String Cross Site...
16. Lotus Domino Non-existent NSF Database Banner Information...
17. Microsoft JVM Class Loader Buffer Overrun Vulnerability
18. Microsoft JVM URI Parsing Vulnerability
19. EZ Systems HTTPBench Information Disclosure Vulnerability
20. Light HTTPD GET Request Buffer Overflow Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Unknown workgroup in Microsoft Windows Network (Thread)
2. Local security settings in W2k adv server causes problems (Thread)
3. Active Directory network security (Thread)
4. Tools (Thread)
5. RES: Tools (Thread)
6. SecurityFocus Microsoft Newsletter #112 (Thread)
7. Win 2000 password Complexity Requirements (Thread)
8. Win 2000 password Complexity Requirements (Thread)
9. IIS 5 and client certificates (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. SentriNET
2. Secure-IT
3. Big Crocodile
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. MAIL PASSWORD RECOVERY v1.0.0.0
2. KingPing v1.0
3. lcrzoex v4.16.0
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Alien Autopsy: Reverse Engineering Win32 Trojans on Linux
By Joe Stewart
In a previous SecurityFocus article, the author described the tools and
processes involved in basic reverse engineering of a simple trojan. This
article will offer a more detailed examination of the reversing process,
using a trojan found in the wild, and focusing on techniques for reversing
Windows-native code entirely under Linux.
http://online.securityfocus.com/infocus/1641
2. .NET/MSIL malicious code and AV/heuristic Engines
By Markus Schmall
While the Windows .NET strategy incorporates numerous aspects, this
article will focus on what aspects to cover in developing an AV/heuristic
engine for this new platform. Specifically, it will address the additions
introduced by .NET technologies to standard Windows PE (portable
executable) file format and how that will affect the development of an
effective heuristic engine. It will also briefly discuss the existing
malicious codes for the .NET environment.
http://online.securityfocus.com/infocus/1642
3. Locking Down the Pop-up Perps
By Mark Rasch
Pop-up ads have already inspired civil lawsuits. Here's how federal
computer crime law and the USA-PATRIOT Act could put obnoxious advertisers
in the pokey ...
http://online.securityfocus.com/columnists/124
4. Maintaining Credible IIS Log Files
By Mark Burnett
Many network administrators by now have encountered serious Web server
intrusions that have resulted in legal action. Often IIS logs are the
primary evidence used to track down Web intruders. But what would happen
if the credibility of your IIS logs was challenged in court? What if the
defense claimed the logs were not reliable enough to be admissible as
evidence?
http://online.securityfocus.com/infocus/1639
5. Back to the Insecure Future
By Richard Forno
Web services, such as Microsoft's .NET platform, represent a return to
centralized computing. They also pose some serious security issues.
http://online.securityfocus.com/columnists/123
6. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
7. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14; Vendor Expo March 10 & 11.
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Pine From: Field Heap Corruption Vulnerability
BugTraq ID: 6120
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6120
Summary:
Pine is an open source mail user agent distributed by the University of
Washington. It is freely available for Unix, Linux, and Microsoft
operating systems.
It is possible to cause a denial of service in Pine by sending an email
message with a specially crafted "From:" address. According to the
report, the crash can be reproduced by setting the "From:" address to a
value such as:
When the condition is triggered, heap memory may be corrupted. It is
possible to exploit this memory corruption to cause execution of arbitrary
code.
Note that the user does not have to view the message in order for the
denial of service to take place; the message simply has to be present in
the user's Inbox. While a message with this address is present in the
Pine Inbox, it is not possible to start Pine again. The message
containing this address must be manually removed from the spool or by
using another MUA.
It is important to note that this specially crafted "From:" address is RFC
legal.
This issue will reportedly be fixed in Pine 4.50.
2. Macromedia JRun IIS ISAPI Filter GET Request Buffer Overrun Vulnerability
BugTraq ID: 6122
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6122
Summary:
Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application
server for use with IIS (Internet Information Server) 4/5 on the Microsoft
Windows operating systems. Versions are also available for Unix and Linux
variants.
The Macromedia JRun IIS ISAPI handler is prone to a remotely exploitable
buffer overrun condition. The issue is due to a lack of bounds checking
on requested filenames. It is possible to trigger the overrun by
requesting a filename (with extension ".jsp") of length 4096 characters or
greater.
For example:
GET /[buffer].jsp HTTP/1.0
The overrun reportedly occurs in stack memory and may be trivially
exploited to execute instructions on the target host. The instructions
will run with the privileges of IIS.
3. Macromedia JRun Log File/JRun.INI File Disclosure Vulnerability
Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application
server for use with IIS (Internet Information Server) 4/5 on the Microsoft
Windows operating systems. Versions are also available for Unix and Linux
variants.
Macromedia JRun is prone to a file disclosure vulnerability.
It has been reported that this issue may be exploited by remote attackers
to retrieve sensitive resources such as JRun log files or the 'jrun.ini'
configuration file. This issue is likely due to insufficient input
validation of incoming HTTP requests, causing the vulnerable software to
serve sensitive content.
Disclosure of this type of sensitive information may lead to further
attacks against the vulnerable host.
This issue is specific to JRun running on Microsoft Windows platforms.
4. Macromedia JRun Web Server Unicode Source Disclosure Vulnerability
BugTraq ID: 6126
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6126
Summary:
Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application
server for use with IIS (Internet Information Server) 4/5 on the Microsoft
Windows operating systems. Versions are also available for Unix and Linux
variants.
Macromedia JRun ships with a non-production web server, which is intended
to be used on internal networks.
The Macromedia JRun Web Server component is prone to a source code
disclosure issue. The cause of this issue is reportedly insufficient
validation of unicode characters in HTTP requests. A remote attacker may
submit a malicious request containing unicode characters and cause the
source code of the requested script resource to be displayed instead of
interpreted.
Information gathered from a successful attack may aid in further attacks.
This issue is specific to Macromedia JRun running on Unix and Linux
platforms.
5. CuteCast User Credential Disclosure Vulnerability
BugTraq ID: 6127
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6127
Summary:
CuteCast is web forum software. It is implemented in Perl and is
available for Unix and Linux variants as well as Microsoft Windows
operating systems.
CuteCast is prone to an issue which may cause user credentials to be
disclosed to remote attackers. CuteCast stores user information in a
publicly accessible directory. User information is also stored in
plaintext.
Remote attackers may request any individual user files and gain access to
user credentials. The attacker may use these credentials to gain
unauthorized access to user accounts.
6. Perception LiteServe DNS Wildcard Cross Site Scripting Vulnerability
BugTraq ID: 6131
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6131
Summary:
Perception LiteServe is a commercial e-mail, web, and FTP server for
Microsoft Windows operating systems.
A cross site scripting vulnerability has been discovered in LiteServe.
It should be noted that this vulnerability is limited to server
configurations with Wildcard DNS enabled.
It has been reported that LiteServe fails to sanitize requests containing
encoded HTML and script code as the hostname when Wildcard DNS is used.
Requests of this nature will be rejected by the server, effectively
returning the request to the sender, without sanitizing the contents of
the request.
This issue may allow an attacker to create a malicious link containing
encoded HTML and script code in the requested hostname. When the malicious
link is clicked by an unsuspecting user, the attacker-supplied HTML and
script code will be executed by their web client.
Attacks of this nature may make it possible for attackers to manipulate
web content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.
This issue was reported in LiteServe v2.01. It is not yet known whether
earlier versions are affected by this issue.
7. Microsoft JVM Unauthorized Clipboard Access Vulnerability
BugTraq ID: 6132
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6132
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in Microsoft's
implementation of the Java Virtual Machine (JVM).
By calling the ClipBoardGetText() and ClipBoardSetText() methods of the
'INativeServices' class from a malicious Java applet, it is possible for a
remote attacker to access and modify the contents of a target user's
clipboard. The methods must be called indirectly through the
java.lang.reflect.* package.
Exploiting this vulnerability may allow a remote attacker to read and
potentially corrupt sensitive information stored in a user's clipboard,
which could be used to launch further attacks against target systems.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
8. Microsoft JVM Package Access Restriction Bypassing Vulnerability
BugTraq ID: 6133
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6133
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
The JVM includes a class named com.ms.security.StandardSecurityManager
which can be extended by any applet. This class contains two protected
static fields named deniedDefinitionPackages and deniedAccessPackages.
These fields contain package access restrictions.
The package access restrictions set in these two fields can be altered or
emptied, allowing any applet to bypass the set restrictions.
These restrictions originate from the registry and are not implemented by
default.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
9. Microsoft JVM Passed HTML Object Reference Denial Of Service Vulnerability
BugTraq ID: 6135
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6135
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
A vulnerability has been reported in Microsoft JVM that may lead to a
denial of service in Microsoft Internet Explorer.
This problem occurs when references of HTML objects are passed to Java
applets via JavaScript. Applets may potentially invoke methods of
proprietary Microsoft interfaces. In some cases, when an HTML object is
passed to a Java applet which invokes a method of one of these proprietary
interfaces, illegal memory access will occur. This will cause the web
browser to crash.
It is theoretically possible that this problem may be an exploitable
memory corruption vulnerability which may allow arbitrary code execution.
This possibility has not been confirmed.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
10. Microsoft JVM HTML Applet Tag Class Restriction Bypass Vulnerability
BugTraq ID: 6136
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6136
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
A vulnerability has been reported in Microsoft JVM that may lead to a
denial of service in Microsoft Internet Explorer.
It is possible to abuse the HTML <applet> tag to bypass Java class
restrictions. Class objects may be instantiated using the HTML <applet>
tag, and since this is not expected by the browser when some native
methods are used, this may crash the browser.
It is theoretically possible that this problem may be an exploitable
memory corruption vulnerability which may allow arbitrary code execution.
This possibility has not been confirmed.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
11. Microsoft JVM CAB File Loading Vulnerability
BugTraq ID: 6137
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6137
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
The JVM contains a class named com.ms.vm.loader.CabCracker. This class
contains a load() method that can be used to load CAB archives from the
local drive. This method performs security checks and queries the user
for permission to access the CAB file from the hard drive. The method
then calls load0() to load the archive from disk.
The load0() method is declared public, which allows any applet to call the
method directly, bypassing the security checks performed by the load()
method.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
12. Microsoft JVM Codebase Information Disclosure Vulnerability
BugTraq ID: 6138
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6138
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer. A vulnerability has been discovered in the Microsoft
Java Virtual Machine.
By including a codebase of 'file://%00' in the applet tag of a malicious
Java applet, it is possible to gain local read access to all local files
on a target system. If the applet is loaded from a publicly readable
network share, it is possible to list directory contents on a target
system.
By gaining local read access to a target system, it may be possible for a
remote attacker to disclose sensitive information, including cookie-based
credentials and passwords. Information gathered through this technique,
may be used by an attacker to launch further attacks against a target
system.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
13. Microsoft JVM Information Disclosure Vulnerability
BugTraq ID: 6139
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6139
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
Due to insufficient access validation, the JVM may allow applets to
retrieve sensitive information.
By calling new File(".").getAbsolutePath(), the applet may retrieve the
path to the current Internet Explorer directory. On multiuser operating
systems such as Windows NT/2000/XP, this path may also include the current
username.
This information could be used by an attacker to mount further attacks
against the system.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
14. Microsoft JVM INativeServices Unauthorized Memory Access Vulnerability
BugTraq ID: 6140
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6140
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
INativeServices methods accept memory addresses as parameters. Due to
insufficient checking of these values, it may be possible to pass invalid
memory addresses and cause a denial of service.
Additionally, the pGetFontEnumeratedFamily() methods may also be invoked
to read memory via INativeServices methods. This may lead to disclosure
of various types of sensitive information such as websites visited,
cookies, and filesystem information such as the location of the cache
directory.
Exploitation of this vulnerability may facilitate other attacks,
potentially leading to further information disclosure or execution of
malicious code.
It is possible for a Java applet to access INativeServices methods
directly via other methods such as SystemX.getNativeServices().
Indirectly, the INativeServices methods may be accessed through the
java.lang.reflect.* methods.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
15. Perception LiteServe Directory Query String Cross Site Scripting Vulnerability
BugTraq ID: 6143
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6143
Summary:
Perception LiteServe is a commercial e-mail, web, and FTP server for
Microsoft Windows operating systems.
A cross site scripting vulnerability has been discovered in LiteServe.
It has been reported that LiteServe fails to sanitize query strings from
indexed folders. By constructing a malicious link containing encoded HTML
and script code in the 'dir' variable, it is possible to execute the
script code within the context of a victim's web browser.
Attacks of this nature may make it possible for attackers to manipulate
web content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.
16. Lotus Domino Non-existent NSF Database Banner Information Disclosure Vulnerability
BugTraq ID: 6128
Remote: Yes
Date Published: Nov 07 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6128
Summary:
Lotus Domino Server is an application framework for web based
collaborative software. It runs on multiple platforms including Microsoft
Windows and Unix.
Lotus Domino reportedly discloses sensitive banner information when a
non-existent NSF database is requested. A remote attacker may exploit
this by making an HTTP request for such a database. Disclosure of this
information may allow a remote attacker to discover information about the
layout of the filesystem.
This type of sensitive information may aid in further attacks against the
system hosting the vulnerable software.
This issue is present on Lotus Domino Server when the 'DominoNoBanner'
setting has a value of '1'.
This vulnerability is similar to the issue described by Bugtraq ID 4049.
17. Microsoft JVM Class Loader Buffer Overrun Vulnerability
BugTraq ID: 6134
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6134
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
Details of a vulnerability in Microsoft JVM have been published.
According to the report, a buffer overrun condition is present in the
class loader. It may be triggered by attempting to load a class with a
name of excessive length. At the very least, attackers may crash victim
browsers when the condition occurs.
This vulnerability may be exploited by malicious webmasters who construct
a Java applet designed to do so. It is not confirmed whether this may be
exploited to execute attacker-supplied instructions or not. It should be
assumed that this is possible.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
18. Microsoft JVM URI Parsing Vulnerability
BugTraq ID: 6142
Remote: Yes
Date Published: Nov 08 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6142
Summary:
The Microsoft JVM implements the Java runtime environment for Microsoft
Internet Explorer.
Details of a vulnerability in the Microsoft JVM have been published. The
vulnerability is in the parsing of the location URI string and may result
in an applet being retrieved from an attacker-specified location rather
than that of the document it is embedded in. This may result in a
malicious applet having access to the DOM of the target location. The
applet may retrieve cookie values or manipulate web content.
According to the report, the Microsoft JVM can be fooled into believing
that the HTTP username component of an HTTP URI is the domain. This
allegedly occurs when a colon character is present in the URI that would
normally, when it is in the correct location in the URI string, indicate
the listening port of the server. If the attacker constructs an HTTP URI
with an HTTP username component containing a location and the port, the
Microsoft engine will incorrectly use that value as the document location.
Such a URI may look like:
In this example, if the document served by the server 'www.realsite.tld'
has an embedded applet the Java engine will retrieve it from
'www.attackersite.tld'. The consequences of this are significant. An
attacker may place a rogue applet on a server under their control
('www.attackersite.tld') with the same class name. When invoked, this
applet will have access to the DOM of the document from
'www.realsite.tld'. The applet may then retrieve cookie values or
otherwise access/manipulate the contents of the document.
This vulnerability was originally reported in BID 5670. As technical
details have emerged, a database record with a unique BID for this issue
has been created.
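The entry above describes the parsing mistake in words only. The following is an added example, not code from SecurityFocus or Microsoft, that shows the correct RFC 3986 split of an HTTP authority (userinfo ends at the last '@', host and port follow it) and a cheap defensive check a proxy, URL filter or applet loader could apply: flag a userinfo segment that is shaped like "host:port". The sample URLs are constructed for the demonstration using the placeholder hostnames the entry itself uses ('www.realsite.tld', 'www.attackersite.tld'); the newsletter does not print the actual URI.

```python
"""Split an HTTP URL's authority the way RFC 3986 requires and flag
userinfo that imitates a "host:port" prefix.

Added example for this newsletter entry; not code from SecurityFocus or
Microsoft.  Sample URLs are constructed for the demonstration.
"""

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# A userinfo segment shaped like "name.tld" or "name.tld:port".  Genuine
# credentials rarely contain a dotted label, so this is a useful tell.
HOSTLIKE_USERINFO = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"        # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+"  # one or more ".label"
    r"(?::\d{1,5})?$"                                   # optional :port
)


@dataclass(frozen=True)
class Authority:
    userinfo: str            # text before the LAST '@' in the authority ('' if none)
    host: str                # the host the URL really refers to, lower-cased
    port: Optional[int]      # explicit port, or None
    hostlike_userinfo: bool  # True when userinfo is shaped like "host[:port]"


def split_authority(url: str) -> Authority:
    """Parse the authority of an http(s) URL.

    RFC 3986 section 3.2: userinfo, if present, ends at the last '@';
    everything after it is host[:port].  A parser that stops at the first
    ':' (the mistake the newsletter entry describes) would instead treat
    the text before that colon as the host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not an http(s) URL: {url!r}")
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if not at:
        userinfo = ""
    host = parts.hostname or ""   # urlsplit already looks past the last '@'
    return Authority(
        userinfo=userinfo,
        host=host,
        port=parts.port,          # raises ValueError on a non-numeric port
        hostlike_userinfo=bool(userinfo and HOSTLIKE_USERINFO.match(userinfo)),
    )


def same_host(document_url: str, resource_url: str) -> bool:
    """Origin comparison done on the real hosts, never on the userinfo."""
    return split_authority(document_url).host == split_authority(resource_url).host


def describe(url: str) -> str:
    """Human-readable verdict for one URL."""
    a = split_authority(url)
    verdict = "userinfo imitates a host:port prefix" if a.hostlike_userinfo else "ok"
    return f"host={a.host} port={a.port} userinfo={a.userinfo!r} -> {verdict}"


if __name__ == "__main__":
    # Constructed samples; hostnames are the placeholders used in the entry.
    for sample in (
        "http://www.realsite.tld/index.html",
        "http://alice:s3cret@www.realsite.tld:8080/",
        "http://www.realsite.tld:80@www.attackersite.tld/Applet.class",
    ):
        print(describe(sample))
```

An origin or codebase check that compares `Authority.host` values is immune to the confusion described above, because the host is always taken from after the last '@'. The `hostlike_userinfo` flag is a heuristic for logging or blocking at a proxy: ordinary credentials in a URL do not contain a dotted domain label followed by an optional port.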
19. EZ Systems HTTPBench Information Disclosure Vulnerability
BugTraq ID: 6153
Remote: Yes
Date Published: Nov 11 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6153
Summary:
eZ Systems httpbench is a benchmarking utility implemented in PHP. It is
available for Unix and Linux variants as well as Microsoft Windows
operating environments.
An information disclosure vulnerability has been reported for httpbench.
Reportedly, httpbench may disclose the contents of web server readable
files to remote attackers.
This vulnerability can be exploited by a remote attacker to obtain
potentially sensitive information on a vulnerable system. Information
obtained in this manner may be used to launch further, destructive attacks
against a vulnerable system.
This vulnerability was reported for httpbench 1.1. It is not known whether
other versions are affected.
20. Light HTTPD GET Request Buffer Overflow Vulnerability
BugTraq ID: 6162
Remote: Yes
Date Published: Nov 12 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6162
Summary:
Light httpd is a small HTTP server, derived from ghttpd. It is available
for a large variety of platforms, including Linux, BSD, Solaris, and
Microsoft Windows operating systems.
A vulnerability has been discovered in Light httpd, when processing GET
requests. Passing an excessively long GET request to a vulnerable server,
containing roughly 1024 or more bytes of data, will trigger a buffer
overflow. This will typically result in sensitive memory being overwritten
with attacker-supplied values.
Exploitation of this issue will result in the execution of arbitrary
commands with the privileges of the target web server. As Light httpd
drops privileges, commands will be executed with the privileges of the
'nobody' user.
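Both the JRun ISAPI filter entry (item 2, a .jsp name of 4096 characters or more) and the Light httpd entry above (roughly 1024 or more bytes in a GET request) are length-triggered overruns, which makes them easy to hunt for in web server logs after the fact. The following is an added example, not code from SecurityFocus, Macromedia or the Light httpd project: a small parser for W3C extended (IIS-style) logs and a detector that reports GET requests whose rebuilt URI crosses either threshold. The log lines, client addresses and rule names are constructed for the demonstration; only the two length thresholds come from the newsletter entries.

```python
"""Flag oversized GET requests in a W3C extended (IIS-style) web log.

Added example; not code from SecurityFocus, Macromedia or Light httpd.
Log lines are constructed.  The thresholds come from the newsletter
entries for BID 6122 (4096-character .jsp names) and BID 6162 (roughly
1024 bytes in a GET request).
"""

from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    extension: Optional[str]  # restrict to this cs-uri-stem extension, or None
    min_length: int           # request URI length that triggers the rule
    reference: str


# Most specific rule first; an entry is reported once, under its first hit.
RULES = (
    Rule("jrun-isapi-long-jsp", ".jsp", 4096, "BID 6122"),
    Rule("generic-long-get", None, 1024, "BID 6162"),
)


@dataclass(frozen=True)
class Finding:
    rule: str
    client: str
    uri_length: int
    status: str
    line_no: int


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field dict) per data line, keyed by the #Fields header.

    W3C extended log values are space-separated and never contain spaces
    (a missing value is logged as '-'), so a plain split is sufficient.
    """
    fields: Optional[List[str]] = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def request_uri(entry: Dict[str, str]) -> str:
    """Rebuild the requested URI from cs-uri-stem and cs-uri-query."""
    stem = entry.get("cs-uri-stem", "-")
    query = entry.get("cs-uri-query", "-")
    uri = "" if stem == "-" else stem
    if query != "-":
        uri += "?" + query
    return uri


def find_oversized_requests(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per GET entry whose URI length crosses a rule threshold."""
    findings: List[Finding] = []
    for line_no, entry in parse_w3c(lines):
        if entry.get("cs-method", "").upper() != "GET":
            continue
        stem = entry.get("cs-uri-stem", "")
        uri = request_uri(entry)
        for rule in RULES:
            if rule.extension and not stem.lower().endswith(rule.extension):
                continue
            if len(uri) >= rule.min_length:
                findings.append(Finding(rule.name, entry.get("c-ip", "-"), len(uri),
                                        entry.get("sc-status", "-"), line_no))
                break
    return findings


# Constructed sample log (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-11-07 10:15:01 192.0.2.10 GET /index.jsp - 200",
    "2002-11-07 10:15:02 192.0.2.10 GET /shop/cart.jsp id=42 200",
    "2002-11-07 10:15:03 198.51.100.7 GET /" + "A" * 4100 + ".jsp - 500",
    "2002-11-07 10:15:04 198.51.100.7 GET /" + "B" * 1100 + ".html - 404",
]


if __name__ == "__main__":
    for f in find_oversized_requests(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client}, "
              f"uri length {f.uri_length}, status {f.status}")
```

A caveat worth keeping in mind when running this over real logs: a request that crashes the server process may never reach the log at all, so the absence of a hit does not show the absence of an attempt, and the check is a detection aid rather than a substitute for the vendor fix. The .jsp rule keys on the stem extension, so an oversized request for any other resource falls through to the generic 1024-byte rule.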
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Unknown workgroup in Microsoft Windows Network (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/299922
2. Local security settings in W2k adv server causes problems (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/299879
3. Active Directory network security (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/299795
4. Tools (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/299692
5. RES: Tools (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/299613
6. SecurityFocus Microsoft Newsletter #112 (Thread)
Relevant URL:
9. IIS 5 and client certificates (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/298899
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. SentriNET
by ISL
Platforms: BeOS, BSDI, Windows 2000, Windows 95/98, Windows CE, Windows
NT, Windows XP
http://www.informer.co.uk/sols/sols_sentrinet_main.htm
Summary:
SentriNET provides biometric authentication and verification techniques to
secure network access by replacing the logon password with fingerprint
authentication.
2. Secure-IT
by ISL
Platforms: Windows 2000, Windows NT
http://www.informer.co.uk/sols/sols_secureit_main.htm
Summary:
Secure-IT provides the corporate business a means to effectively control
and monitor all forms of remote access into the corporate network. The
product supports the 'best of breed' authentication technologies ranging
from simple PIN controlled hardware tokens to sophisticated smart card and
biometrics.
3. Big Crocodile
by Sow
Platforms: Windows 2000, Windows 95/98, Windows NT
http://www.sowsoft.com/bigcroc.htm
Summary:
Big Crocodile is a powerful, secure password manager. Storage of all your
passwords, logins and hyperlinks in a securely encrypted file. Big
Crocodile can automatically insert the passwords into the windows that
require them. Password generator with advanced functions, multi file
interface, special password folders, backup, export and other features.
This program is very easy to use. The program uses a powerful commercial
encryption algorithm.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. MAIL PASSWORD RECOVERY v1.0.0.0
by Aleksandar Boros
Relevant URL:
http://members.ams.chello.nl/a.boros/mpr/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Mail Password Recovery allows you to recover your email password for any
POP3 account, as long as it is stored in an email program on your
computer. You just need to temporarily change the settings in your email
program so that it connects to Mail Password Recovery instead, and your
password will be revealed. Mail Password Recovery works by emulating a
local POP server: your email program hands over the password when it
connects, and Mail Password Recovery will show it to you. It only works with
email accounts/passwords that have the login information stored in your
email program (Outlook Express, Eudora, The Bat! etc.). The program can only
recover the passwords that are stored on your computer.
The program does NOT recover passwords from web based email accounts such
as Hotmail, Yahoo, MSN, AOL etc.
2. KingPing v1.0
by Vladimir Kraljevic
Relevant URL:
http://www.k-qube.com/index.html
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
KingPing is the network administration tool for professionals. It enables
you to utilize ICMP (Internet Control Message Protocol) and troubleshoot
most network problems regardless of the size of the network you are
administering. So far, it is the only ICMP echo program which allows you
to specify more than just ICMP parameters.
3. lcrzoex v4.16.0
by Laurent Constantin
Relevant URL:
http://www.laurentconstantin.com/en/lcrzoex/
Platforms: FreeBSD, Linux, OpenBSD, Solaris, Windows 2000, Windows 95/98,
Windows NT, Windows XP
Summary:
Lcrzoex is a toolbox for network administrators and network hackers.
Lcrzoex contains over 300 functionalities using the network library lcrzo.
Each one can be compiled alone and modified to match your needs.
Lcrzoex can be used in the following contexts:
- discover the Ethernet address of a computer (number 2, 3, 134, etc.)
- sniff your LAN to detect what's going on (number 7, 8, 9, etc.)
- check the checksums created by a network program which isn't working
  (number 16, 17, 18, etc.)
- intercept a session and replay it as many times as you want to strictly
  test your application (number 10, 11, 12, 22, etc.)
- verify if a router is well configured even if the needed computers are
  down (number 48, ..., 53, etc.)
- check if your router/firewall/computer blocks:
  - IP protocols (number 29, ..., 34, etc.)
  - IP options (number 29, ..., 34, 73, ..., 79, etc.), source routing
    (number 45, 56, 59, 62, etc.)
  - IP fragments (number 44, 55, 58, 61, 72, etc.)
  - TCP options (number 48, ..., 53, etc.)
  - ICMP types (number 65, ..., 70, etc.)
  - ARP poisoning (number 80, 81, 82, 83, etc.)
- create a tcp/udp client with a special local port (number 85, 89, 86,
  93, 97, etc.)
- convert between numbers (number 139, ..., 148, etc.)
- etc.
VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored by: SpiDynamics
ALERT! -Cross-Site Scripting Holes in Web Applications! Cross-site
scripting vulnerabilities in web applications allow hackers to collect
confidential user information, manipulate or steal cookies, and create
requests that can be mistaken for those of a valid user!! All undetectable
by IDS!
Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection! http://www.spidynamics.com/mktg/xss20