SecurityFocus Microsoft Newsletter #116
---------------------------------------
This issue is sponsored by St. Bernard Software
Solution to Find & Fix Network Vulnerabilities
Identifying and eliminating network vulnerabilities just got easier.
Award-winning Retina scans networks for early detection of
vulnerabilities, while UpdateEXPERT provides automated critical patch
management assistance.
For a FREE TRIAL visit: http://www.eeye.com/ctrack.asp?ref=STBJOINT2
I. FRONT AND CENTER
1. Barbarians at the Gate: An Introduction to Distributed Denial...
2. Does Research Support Dumping Linux?
3. SecurityFocus DPP Program
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Computer Associates InoculateIT Yaha.E Exchange Filter Bypassing
2. YaBB YaBB.pl Cross Site Scripting Vulnerability
3. Moby NetSuite POST Handler Buffer Overflow Vulnerability
4. McAfee VirusScan WebScanX Code Execution Vulnerability
5. Microsoft Windows XP Wireless LAN AP Information Disclosure...
6. PortailPHP SQL Injection Vulnerability
7. Pedestal Software Integrity Protection Driver Bypass Vulnerability
8. 3D3.Com ShopFactory Shopping Cart Cookie Price Manipulation...
9. Microsoft Internet Explorer Dialog Style Same Origin Policy...
10. phpBB search.php Cross Site Scripting Vulnerability
11. pWins Web Server Directory Traversal Vulnerability
12. Microsoft Windows XP Fast User Switching Process Viewing Weakness
13. Webster HTTP Server Long Request Buffer Overrun Vulnerability
14. Webster HTTP Server File Disclosure Vulnerability
15. Webster HTTP Server Cross Site Scripting Vulnerability
16. Lawson Financials Account Credentials World Accessible...
III. MICROSOFT FOCUS LIST SUMMARY
1. Container Names in RSACryptoServiceProvider class (Thread)
2. issues with syskey in NT 4.0 (Thread)
3. SecurityFocus Microsoft Newsletter #115 (Thread)
4. Question: Buffer Overrun in Microsoft Data Access Components...
5. Secure / Encrypt Terminal Services (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. ActivPack for NDS
2. i.Secure Office
3. SafeBoot 3
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. klogger v1.0
2. CECrypt v1.1
3. KerbCrack v1.0
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Barbarians at the Gate: An Introduction to Distributed Denial of
Service Attacks
By Matthew Tanase
DDoS attacks first made headlines in February 2000. Now, almost three
years later, can it be that we're still vulnerable? Unfortunately the
answer is yes. This article will explain the concept of DDoS attacks, how
they work, how to react if you become a target, and how the security
community can work together to prevent them.
http://online.securityfocus.com/infocus/1647
2. Does Research Support Dumping Linux?
By Tim Mullen
Microsoft's security policies are getting better every day, even as a new
report slams open-source competitors as security nightmares. But the easy
answers aren't always the right ones.
http://online.securityfocus.com/columnists/127
3. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Computer Associates InoculateIT Yaha.E Exchange Filter Bypassing Vulnerability
BugTraq ID: 6290
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6290
Summary:
Computer Associates InoculateIT's Exchange option allows incoming email to
be scanned as well as background scanning of the Exchange database.
It has been reported that some email messages containing the
W32.Yaha.E@mm worm are able to bypass the incoming mail scanner. Most
messages containing this worm are detected by the scanner, but some
messages are allowed through.
Some messages generated by the Yaha worm use the Microsoft IE MIME Header
Attachment Execution Vulnerability (BID 2524). This may be related to
this issue, however, precise details are not currently known.
This entry will be updated if and when more details become available.
2. YaBB YaBB.pl Cross Site Scripting Vulnerability
BugTraq ID: 6272
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6272
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl. YaBB will run on most Unix/Linux variants, MacOS,
and Microsoft Windows 9x/ME/NT/2000/XP platforms.
A cross-site scripting vulnerability has been reported in the YaBB forum
'YaBB.pl' script. This vulnerability is due to insufficient sanitization
of URI parameters.
As a result, it is possible for a remote attacker to create a malicious
link to the login page of a site hosting the web forum. The malicious link
may contain arbitrary HTML code in URI parameters. When this link is
visited by an unsuspecting web user, the attacker-supplied code will be
executed in their browser in the security context of the vulnerable
website.
It has been demonstrated that this vulnerability may be exploited to steal
cookie-based authentication credentials.
This vulnerability has been reported for YaBB 1 Gold - SP 1. It is not
known if other versions are affected.
3. Moby NetSuite POST Handler Buffer Overflow Vulnerability
BugTraq ID: 6277
Remote: Yes
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6277
Summary:
Moby NetSuite is a small SMTP and HTTP/CGI server designed for use with
the Microsoft Windows operating system.
A buffer overflow vulnerability has been reported for Moby NetSuite that
may result in a denial of service condition. Reportedly, it is possible to
cause NetSuite to crash when a malformed POST request is received.
Specifically, the denial of service condition is triggered when a POST
request is received that has an overly large integer value as the value
for the 'Content-Length' header field.
An attacker can exploit this vulnerability by issuing a POST request with
a 'Content-Length' value that is a very large integer. When NetSuite
attempts to service the malformed POST request, it will crash resulting in
a denial of service. Restarting the service is necessary to restore
functionality.
Although unconfirmed, this may be a remotely exploitable buffer overflow
condition and code execution may be possible.
4. McAfee VirusScan WebScanX Code Execution Vulnerability
BugTraq ID: 6288
Remote: No
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6288
Summary:
McAfee VirusScan contains a component for scanning Internet downloads and
active content called WebScanX. Since explorer.exe can also be used as a
web browser, WebScanX will hook the application.
A vulnerability exists in WebScanX that could allow arbitrary code
execution in the security context of the local system account. This
behaviour only appears to occur if a user's home directory (i.e. Documents
and Settings\<username>) is located on a network share.
When Explorer is used to browse the local disk, WebScanX appears to open
several DLL (Dynamic Link Libraries) from the user's home directory. If
one of these DLLs were replaced with a malicious file, WebScanX could
execute the attacker-supplied code in the local system context.
This vulnerability was reported on VirusScan 4.5.1sp1. Other versions may
be vulnerable.
5. Microsoft Windows XP Wireless LAN AP Information Disclosure Vulnerability
BugTraq ID: 6312
Remote: Yes
Date Published: Dec 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6312
Summary:
An information disclosure vulnerability has been reported for Microsoft
Windows XP systems using a wireless LAN setup.
The vulnerability exists due to the configuration of Windows XP. If a
system is configured for use with a wireless network, Windows XP systems
will automatically search for available access points (APs). If APs are
not found, requests are still submitted until a connection is achieved.
An attacker can exploit this vulnerability to set up an AP with the same
SSID (Service Set ID) of an AP configured for use with an XP system. When
the vulnerable system recognizes this malicious AP, it will then begin
transmission of data.
This can be exploited by an attacker to intercept and decrypt any
transmissions received from a vulnerable system. Information obtained in
this manner may be used to launch further, destructive attacks against a
vulnerable system.
6. PortailPHP SQL Injection Vulnerability
BugTraq ID: 6273
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6273
Summary:
Portail PHP is a Web portal project based on PHP and MySQL. It is available
for the Linux, Unix, and Microsoft Windows operating systems.
A vulnerability exists in the mod_search module included with PortailPHP.
The vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'index.php' script. Specifically, the 'rech'
variable is not sanitized of malicious SQL input. It is possible to modify
the logic of SQL queries through malformed query strings in requests for
the vulnerable script.
By injecting SQL code into the 'rech' variable, it may be possible for an
attacker to corrupt database information.
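The PortailPHP entry above describes the classic shape of this bug: a request parameter ('rech') is spliced into SQL text. The following is an added example, not code from PortailPHP or from this newsletter; it uses a constructed SQLite table whose name and columns are assumptions, and shows the spliced form failing on an input that merely contains an apostrophe, next to the bound-parameter form that handles the same input correctly and also escapes LIKE wildcards.

```python
import sqlite3

# Constructed sample rows standing in for portal content; the table and
# column names below are assumptions, not taken from PortailPHP.
SAMPLE_ROWS = [
    ("Server hardening tips", "Notes on securing IIS"),
    ("O'Brien's guide", "Quoting in search terms"),
    ("Holiday schedule", "Office closures"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, rech):
    """The defect class: the search term is concatenated into the SQL text,
    so any quote character in the input changes the query's structure."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + rech + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, rech):
    """Hardened form: the term travels as a bound parameter and is never
    parsed as SQL. The wildcard pattern is built here, and the user's own
    '%' and '_' are escaped so they match literally."""
    escaped = (rech.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT title FROM articles WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def compare(rech):
    """Run both variants on the same input. Returns (unsafe_survived, safe_rows):
    whether the concatenated query executed at all, and what the bound
    query returned."""
    conn = make_db()
    try:
        unsafe_survived = True
        try:
            search_unsafe(conn, rech)
        except sqlite3.OperationalError:
            unsafe_survived = False
        return unsafe_survived, search_safe(conn, rech)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("hardening"))   # both variants cope with a plain term
    print(compare("O'Brien"))     # the spliced query breaks on the apostrophe
```

The apostrophe case is the honest diagnostic: a search term that breaks the query for an ordinary user is the same mechanism an attacker uses to rewrite it, and the fix is the same in both cases. Note the separate treatment of '%' and '_': binding alone stops injection, but a user-supplied wildcard still widens the match, which is why the pattern is escaped before binding.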
7. Pedestal Software Integrity Protection Driver Bypass Vulnerability
BugTraq ID: 6295
Remote: No
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6295
Summary:
Pedestal Software Integrity Protection Driver (IPD) is open source
software designed to prohibit new services and drivers from being
installed and to prevent the modification of existing drivers. This
provides protection from rootkit installation on Microsoft Windows NT/2000
systems.
When systems with IPD installed are rebooted, the IPD does not start until
the system has been up for twenty minutes. This allows new services and
drivers to be installed, or the uninstallation of IPD.
IPD appears to rely on the system clock to determine the end of the twenty
minute startup window. This could allow an attacker who gains privileged
access to the system to set the system clock back in order to increase the
time window before IPD starts.
During this period, the attacker could install a rootkit or make further
modifications to the system before resetting the system clock allowing IPD
to start.
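The weakness in the IPD entry above is timing a security window against a clock that a privileged user can set back. As an added example, not code from Pedestal Software, the class below measures the startup grace period two ways, against a settable wall clock and against a monotonic uptime counter, with both clocks injectable so the rewind can be simulated offline. The grace period and the constructed clock values are assumptions.

```python
import time


class StartupWindow:
    """Tracks a post-boot grace period.

    `wall` stands for the settable system clock and `mono` for a monotonic
    counter that only moves forward (time.monotonic here; on Windows the
    tick count / uptime plays the same role). Both are injectable so the
    effect of a clock change can be demonstrated without touching the host.
    """

    def __init__(self, grace_seconds, wall=time.time, mono=time.monotonic):
        self.grace = grace_seconds
        self.wall = wall
        self.mono = mono
        self.wall_start = wall()
        self.mono_start = mono()

    def elapsed_by_wall_clock(self):
        # Fragile: turning the system clock back makes this shrink,
        # re-opening the unprotected window.
        return self.wall() - self.wall_start

    def elapsed_by_monotonic(self):
        # Robust: derived from uptime, unaffected by clock adjustments.
        return self.mono() - self.mono_start

    def window_open_wall(self):
        return self.elapsed_by_wall_clock() < self.grace

    def window_open_mono(self):
        return self.elapsed_by_monotonic() < self.grace


class FakeClocks:
    """Constructed clock pair: advance() moves both, set_back() rewinds only
    the wall clock, as a clock change on a real system would."""

    def __init__(self):
        self.wall_now = 1_000_000.0   # arbitrary epoch seconds
        self.mono_now = 50.0          # arbitrary uptime seconds

    def advance(self, seconds):
        self.wall_now += seconds
        self.mono_now += seconds

    def set_back(self, seconds):
        self.wall_now -= seconds


def simulate(grace=1200, run_for=1500, rewind=900):
    """Boot, run past the grace period, rewind the wall clock, and report
    whether each strategy still considers the window open, as
    ((wall_before, mono_before), (wall_after, mono_after))."""
    clocks = FakeClocks()
    w = StartupWindow(grace,
                      wall=lambda: clocks.wall_now,
                      mono=lambda: clocks.mono_now)
    clocks.advance(run_for)          # uptime now exceeds the grace period
    before = (w.window_open_wall(), w.window_open_mono())
    clocks.set_back(rewind)          # wall clock turned back fifteen minutes
    after = (w.window_open_wall(), w.window_open_mono())
    return before, after


if __name__ == "__main__":
    print(simulate())   # ((False, False), (True, False))
```

The second tuple is the point: after the rewind the wall-clock strategy believes the grace period is running again, while the monotonic strategy does not. A driver that must delay its own activation should key that delay to uptime, and ideally should start in an enforcing state and relax later rather than the reverse.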
8. 3D3.Com ShopFactory Shopping Cart Cookie Price Manipulation...
ShopFactory is an e-commerce application for Microsoft Windows operating
systems. It is distributed by 3D3.Com.
A problem with ShopFactory may make it possible for users to change prices
on items.
When a user visits a site and creates a shopping cart, information on
items added to the cart are stored in web cookies. The information stored
in these cookies is later retrieved by ShopFactory and used to give the
user the price on the item. Changing the information contained in the
cookie could change variables quoted to the user by the ShopFactory site.
This vulnerability has been reported to allow the changing of prices. A
malicious user could attempt to exploit this vulnerability to steal from
e-commerce sites.
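The ShopFactory entry above is a trust-boundary error: price data is round-tripped through a client-held cookie and believed on return. As an added example, not code from ShopFactory, the snippet below stores only item identifiers and quantities in the cookie, authenticates the cookie with an HMAC so edits are detected, and computes prices from a server-side catalogue. The catalogue, the SKU names and the secret are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed server-side catalogue: the only place prices come from.
CATALOG = {"sku-100": 1999, "sku-200": 4500}   # prices in cents

# Constructed secret; a deployment would load this from server configuration.
SECRET = b"example-server-secret-not-for-production"


def sign_cart(items):
    """Serialise the cart (sku -> quantity) and append an HMAC-SHA256 tag so
    any client-side edit is detectable. Prices are deliberately absent."""
    body = json.dumps(items, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def load_cart(cookie):
    """Verify the tag before trusting anything in the cookie.
    Returns the item dict, or None if the cookie is missing a tag or altered."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    items = json.loads(body)
    return items if isinstance(items, dict) else None


def price_cart(cookie):
    """Total the cart from catalogue prices only. An unknown item or a bad
    quantity rejects the whole cart rather than pricing it at zero."""
    items = load_cart(cookie)
    if items is None:
        return None
    total = 0
    for sku, qty in items.items():
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            return None
        total += CATALOG[sku] * qty
    return total


def insecure_price_cart(cookie_items):
    """The pattern the advisory describes: the price is read back from the
    cookie, so whoever holds the cookie sets the price."""
    return sum(item["price"] * item["qty"] for item in cookie_items)


if __name__ == "__main__":
    cookie = sign_cart({"sku-100": 2})
    print(price_cart(cookie))                                    # 3998
    print(price_cart(cookie.replace('"sku-100":2', '"sku-100":1')))  # None
```

The HMAC protects integrity only, not confidentiality, which is sufficient here because nothing in the cookie is secret. The deeper fix is the second one: even with a valid signature, the server never reads a price from the client, so the signed payload carries nothing worth tampering with beyond quantities, which are re-validated against the catalogue.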
9. Microsoft Internet Explorer Dialog Style Same Origin Policy Bypass Vulnerability
BugTraq ID: 6306
Remote: Yes
Date Published: Dec 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6306
Summary:
It is possible to bypass the origin policy used by Internet Explorer for
the showModalDialog and showModelessDialog functions. Under some
circumstances, it may be possible to execute script code in sensitive
contexts.
Microsoft Internet Explorer includes support for dialog windows through
script calls to the two functions showModalDialog and showModelessDialog.
These functions accept a URL location for the dialog content, and an
option argument parameter to allow data to be passed to the dialog from
the calling page. Additionally, various styles can be applied to the
dialog from the calling page such as font-size, width, and height.
A check is done to ensure that data is only passed to dialogs located in
the same domain, port and protocol as the calling page. This prevents a
malicious party from injecting content into arbitrary dialogs. However,
script code can be injected into the style parameters and bypass this
check.
As a result, a malicious party may open a dialog with a URL which will
pass this check, and have the script code within the style parameters
execute in the zone of the target URL.
The consequences of exploitation are highly dependent on the functionality
of the targeted dialog. It is likely that this vulnerability could lead
to subversion of information or social engineering attacks.
It has been demonstrated to possibly inject script code into dialogs
included by default with versions of Internet Explorer 6.0 and 6.0SP1,
however, earlier versions may also be vulnerable. This can be used to
execute arbitrary script code in the Local Computer Zone.
10. phpBB search.php Cross Site Scripting Vulnerability
BugTraq ID: 6311
Remote: Yes
Date Published: Dec 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6311
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
phpBB is prone to cross site scripting attacks. The problem lies in the
search.php script which fails to properly sanitize user-supplied input in
the 'search_username' parameter.
By exploiting this issue it may be possible to steal a user's cookie-based
authentication credentials. This could be accomplished by constructing a
malicious link containing script code embedded in the 'search_username'
parameter.
11. pWins Web Server Directory Traversal Vulnerability
BugTraq ID: 6271
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6271
Summary:
pWins is a Web server implemented using Ruby and Perl. It is designed for
use on Linux variants and Microsoft Windows operating environments.
It has been reported that pWins fails to properly sanitize web requests.
By sending a malicious web request to the vulnerable server, using
directory traversal sequences, it is possible for a remote attacker to
access sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability has been reported for pWins 0.2.5 for the Microsoft
Windows platform.
12. Microsoft Windows XP Fast User Switching Process Viewing Weakness
BugTraq ID: 6280
Remote: No
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6280
Summary:
Microsoft Windows XP contains a feature called Fast User Switching (FUS).
This allows multiple users to be concurrently logged onto the system; only
one user can interact with the system at a time. FUS is enabled by
default on Windows XP Home edition, but not on Professional edition. It
cannot be enabled on systems that are members of a domain.
FUS contains a weakness that could allow unprivileged users to view other
users' process lists.
Members of the Administrators group can enable an option to view other
users' process lists. If a member of the Administrators group enables
this option and is subsequently removed from the group, they are still
able to view other users' process lists.
While this is not directly exploitable, it may violate other users'
privacy or the information obtained may potentially be used to mount
attacks on other local users.
13. Webster HTTP Server Long Request Buffer Overrun Vulnerability
BugTraq ID: 6289
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6289
Summary:
Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft
Foundation Classes (MFC). It is available for the Microsoft Windows
operating system.
A buffer overrun vulnerability has been discovered in Webster HTTP server.
It is possible to trigger this condition by passing Webster HTTP server a
malicious URL containing 275 or more bytes of data.
This issue can be exploited to overwrite the program's instruction pointer,
potentially resulting in the execution of malicious code. Exploitation of
this issue would allow an attacker to run arbitrary system commands with
the privileges of Webster.
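Both the Moby NetSuite entry (item 3, an oversized 'Content-Length' value) and the Webster entry above (item 13, an over-long request URL) come down to a server that acts on a length it has not bounded. As an added example, not code from either product, the parser below validates the request-line length and the 'Content-Length' header before anything is allocated or copied. The limits and the sample requests are constructed assumptions.

```python
MAX_REQUEST_LINE = 2048          # bytes; assumed limit, tune per deployment
MAX_CONTENT_LENGTH = 1_048_576   # 1 MiB; assumed body limit for this server


class BadRequest(Exception):
    """Raised for any request the server refuses to process further."""


def parse_request_line(line):
    """Bound the request line before parsing it. Returns (method, target, version)."""
    if len(line) > MAX_REQUEST_LINE:
        raise BadRequest("request line too long")
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise BadRequest("malformed request line")
    return parts[0], parts[1], parts[2]


def parse_content_length(value):
    """Accept only a plain decimal in [0, MAX_CONTENT_LENGTH]. A sign, a huge
    value or non-digits is rejected here instead of reaching a buffer."""
    value = value.strip()
    if not (value.isascii() and value.isdigit()):
        raise BadRequest("Content-Length is not a non-negative integer")
    if len(value) > len(str(MAX_CONTENT_LENGTH)):
        # cheap pre-check: absurdly long digit strings never get converted
        raise BadRequest("Content-Length too large")
    length = int(value)
    if length > MAX_CONTENT_LENGTH:
        raise BadRequest("Content-Length too large")
    return length


def parse_request(raw):
    """Parse a raw HTTP request (bytes) up to the end of the headers.
    Returns the validated request line, headers and the body length to read."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete headers")
    lines = head.split(b"\r\n")
    method, target, version = parse_request_line(lines[0])
    headers = {}
    for hdr in lines[1:]:
        name, colon, val = hdr.partition(b":")
        if not colon:
            raise BadRequest("malformed header")
        headers[name.strip().lower()] = val.strip()
    length = 0
    if b"content-length" in headers:
        length = parse_content_length(
            headers[b"content-length"].decode("ascii", "replace"))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "content_length": length}


def classify(raw):
    """Convenience wrapper: 'ok' or the reason the request was refused."""
    try:
        parse_request(raw)
        return "ok"
    except BadRequest as e:
        return str(e)


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (b"POST /cgi-bin/form HTTP/1.0\r\nHost: example.test\r\n"
                b"Content-Length: 12\r\n\r\nhello=world!")
HUGE_LENGTH_REQUEST = (b"POST /cgi-bin/form HTTP/1.0\r\nHost: example.test\r\n"
                       b"Content-Length: 99999999999999999999\r\n\r\n")
NEGATIVE_LENGTH_REQUEST = b"POST / HTTP/1.0\r\nContent-Length: -5\r\n\r\n"
LONG_LINE_REQUEST = b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOD_REQUEST, HUGE_LENGTH_REQUEST, NEGATIVE_LENGTH_REQUEST, LONG_LINE_REQUEST):
        print(classify(req))
```

The digit-count pre-check matters in languages without arbitrary-precision integers: converting "99999999999999999999" with a C-style atoi wraps or saturates, and a wrapped value can pass a naive "is it smaller than my buffer" test. Rejecting on string length first sidesteps that entirely.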
14. Webster HTTP Server File Disclosure Vulnerability
BugTraq ID: 6291
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6291
Summary:
Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft
Foundation Classes (MFC). It is available for the Microsoft Windows
operating system.
A file disclosure vulnerability has been discovered in Webster HTTP
Server. By constructing a malicious URL containing directory traversal
sequences (../), it is possible for a remote attacker to disclose a known
system resource.
This vulnerability could be exploited to obtain the system's SAM file or
other sensitive resources, which may be used by the attacker to launch
further attacks against the target system.
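The pWins entry (item 11) and the Webster entry above (item 14) are the same defect: a URL path is joined onto the document root without first proving that it stays inside it. As an added example, not code from either server, the resolver below percent-decodes once, treats backslashes as separators (Windows servers accept them), walks the path segment by segment and refuses any '..' that would climb above the root, then re-checks containment independently. The document root and the request paths are constructed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www/htdocs"   # assumed document root for the examples


class Forbidden(Exception):
    """Request rejected before any filesystem access takes place."""


def resolve_under_root(request_path, root=WEB_ROOT):
    """Map a URL path onto a filesystem path that is provably under root."""
    decoded = unquote(request_path)          # so %2e%2e is seen as ..
    if "\x00" in decoded:
        raise Forbidden("NUL byte in path")
    decoded = decoded.replace("\\", "/")     # ..\ is traversal on Windows too
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                          # empty and current-dir segments
        if seg == "..":
            if not segments:
                # climbing above the root is refused, not silently clamped
                raise Forbidden("traversal above document root")
            segments.pop()
        else:
            segments.append(seg)
    candidate = posixpath.join(root, *segments) if segments else root
    # Belt and braces: an independent containment check on the result.
    if posixpath.commonpath([root, candidate]) != root:
        raise Forbidden("resolved outside document root")
    return candidate


def check(request_path):
    """Return the resolved path, or a 'rejected: ...' string."""
    try:
        return resolve_under_root(request_path)
    except Forbidden as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    # Constructed request paths, including encoded and backslash variants.
    for p in ("/index.html", "/docs/../index.html",
              "/../../../private/config.ini",
              "/%2e%2e/%2e%2e/private/config.ini",
              "/..%5c..%5cprivate/config.ini"):
        print(p, "->", check(p))
```

Two design points: decoding happens exactly once and before normalisation, so an encoded '..' cannot slip past the check, and an attempt to climb above the root is an error rather than being clamped to the root, because a clamp hides probing that a log review should see.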
15. Webster HTTP Server Cross Site Scripting Vulnerability
BugTraq ID: 6292
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6292
Summary:
Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft
Foundation Classes (MFC). It runs on Windows 95, 98, NT, 2000, Me, and XP
platforms.
It has been discovered that Webster HTTP Server fails to sanitize
user-supplied input, making it vulnerable to cross site scripting attacks.
By including HTML or script code in a maliciously constructed link, it may
be possible to execute arbitrary code within the context of the visited
website.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may then hijack a legitimate user's session using
the stolen cookie-based authentication credentials.
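Three entries in this issue (YaBB, item 2; phpBB, item 10; Webster, item 15) are reflected cross-site scripting from URI parameters echoed into a page. As an added example, not code from any of those projects, the snippet below takes the phpBB parameter name 'search_username' as its input and shows the verbatim echo beside the escaped one, for both text and attribute contexts. The URLs and page fragments are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

PREFIX = "<p>Results for user: "
SUFFIX = "</p>"


def render_unsafe(search_username):
    """The defect: the parameter is echoed into the page verbatim."""
    return PREFIX + search_username + SUFFIX


def render_safe(search_username):
    """Escape at the output point. quote=True turns quotes into entities as
    well, so the same call is safe inside attribute values."""
    return PREFIX + html.escape(search_username, quote=True) + SUFFIX


def render_form_safe(search_username):
    """Attribute context: without quote=True a '"' in the input would end
    the value and let the rest of the input become new attributes."""
    return ('<input name="search_username" value="'
            + html.escape(search_username, quote=True) + '">')


def page_for_url(url, renderer):
    """Pull 'search_username' out of a request URL and render it."""
    qs = parse_qs(urlsplit(url).query)
    value = qs.get("search_username", [""])[0]
    return renderer(value)


def contains_markup(rendered):
    """Does user-supplied text survive in the output as a tag, an attribute
    delimiter or a quote? Used here only to make the difference visible."""
    body = rendered[len(PREFIX):-len(SUFFIX)]
    return any(c in body for c in "<>\"'")


if __name__ == "__main__":
    # Constructed link carrying tags in the parameter.
    url = "http://forum.example.test/search.php?search_username=%3Cb%3Ejoe%3C%2Fb%3E"
    print(page_for_url(url, render_unsafe))   # tags reach the browser
    print(page_for_url(url, render_safe))     # tags rendered as text
```

The rule the example embodies is to escape for the context at the point of output rather than to strip "bad" characters on input: input filtering has to anticipate every encoding trick, whereas context-correct output encoding is complete by construction for HTML text and attribute values.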
16. Lawson Financials Account Credentials World Accessible Vulnerability
BugTraq ID: 6293
Remote: No
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6293
Summary:
Lawson Financials is a commercially available financial planning and
tracking software package. It is available for the Unix and Microsoft
Windows platforms.
A problem with Lawson Financials may make it possible for local users to
gain access to other users' accounts.
Lawson Financials requires specific configuration guidelines for the
Lawson certification process. These guidelines give users the ability to
install Lawson Financials with a limited set of configuration options.
Some default configurations of Lawson Financials may allow unauthorized
users access to sensitive information. By default, user credentials such
as the Lawson Financials user name and password are stored in a
world-readable, world-writable file. This could allow a user with local
access to a Lawson Financials system to gain access to the Financials
database. This is known to affect Financials installed on the UNIX
operating system.
Exploiting this vulnerability could result in an attacker connecting
directly to the database via some means such as ODBC or JDBC. The
attacker would then have access to the Financials database with the
privileges of any user listed in the database user file. It should be
noted that passwords stored in the file are in plain text.
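The Lawson Financials entry above is a file-permission default, and the quickest defensive check is a mode audit of the credential file. As an added example, not code from Lawson, the function below reports group and world access bits on a POSIX system and the demo creates a constructed temporary file with the weak 0666 mode, audits it, tightens it to 0600 and audits again. It does not address the separate problem the advisory notes, that the passwords in the file are plain text.

```python
import os
import stat
import tempfile


def credential_file_problems(path):
    """Return findings for a credentials file on a POSIX filesystem.
    An empty list means only the owner can read or write it."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


def harden(path):
    """Restrict the file to owner read/write (mode 0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Create a constructed file with the weak default, audit it, fix it,
    and audit again. Returns (findings_before, findings_after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o666)        # world-readable and world-writable
        before = credential_file_problems(path)
        harden(path)
        after = credential_file_problems(path)
        return before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

World-writable is the worse of the two bits: a world-readable file leaks the credentials, but a world-writable one lets any local user substitute credentials of their choosing, which is a path to impersonating the application's own database identity. Both bits should be absent, and the audit belongs in whatever post-install check the deployment already runs.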
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Container Names in RSACryptoServiceProvider class (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302112
2. issues with syskey in NT 4.0 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302111
3. SecurityFocus Microsoft Newsletter #115 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301856
4. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. ActivPack for NDS
by ActivCard
Platforms: RACF, Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.activcard.com/activ/products/infrastructure/activpack_nds/index.html
Summary:
ActivPack delivers integrated digital identity services, strong
authentication and smart card/token management for a comprehensive
solution seamlessly integrated into NDS® eDirectory and the ConsoleOne
management system. Linked tightly with Novell Modular Authentication
Service (NMAS) and iChain, ActivCard enables smart card-based login to NDS
using a private key and digital certificate stored securely on the user's
card, and token-based login with one-time passwords.
2. i.Secure Office
by Archisoft Security Solutions Limited
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.archisoft.com.hk/secureoffice.html
Summary:
i.Secure Office is a plug-in security module for Microsoft Office. It
makes use of the latest PKI technology together with personal Smart Token
to ensure that every document that reaches its users is uniquely
identified, confidential and intact. i.Secure Office works transparently
with Microsoft Office to promote unsurpassed security.
3. SafeBoot 3
by Control Break International
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.safeboot.com/products/safeboot.html
Summary:
SafeBoot 3 is a PC security system that prevents the data stored on a PC's
hard disk from being read or used by an unauthorized person. SafeBoot 3
encrypts the data stored on the hard disk and secures access to the PC via
a password or token at boot time. If a user fails to logon to SafeBoot 3,
or if an unauthorized person tries to access or use the PC, SafeBoot 3
will prevent access to the PC and its data.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. klogger v1.0
by Arne Vidstrom
Relevant URL:
http://www.ntsecurity.nu/toolbox/klogger/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
"klogger" is a keystroke logger for Windows NT / 2000.
2. CECrypt v1.1
by Arne Vidstrom
Relevant URL:
http://www.ntsecurity.nu/toolbox/cecrypt/
Platforms: Windows CE
Summary:
CECrypt is a file encryption tool for Windows CE, that can encrypt with
either 3-DES or IDEA.
3. KerbCrack v1.0
by Arne Vidstrom
Relevant URL:
http://www.ntsecurity.nu/toolbox/kerbcrack/
Platforms: Windows 2000, Windows XP
Summary:
KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer
listens on the network and captures Windows 2000/XP Kerberos logins. The
cracker can be used to find the passwords from the capture file using a
brute force attack or a dictionary attack.
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by St. Bernard Software
Solution to Find & Fix Network Vulnerabilities
Identifying and eliminating network vulnerabilities just got easier.
Award-winning Retina scans networks for early detection of
vulnerabilities, while UpdateEXPERT provides automated critical patch
management assistance.
For a FREE TRIAL visit: http://www.eeye.com/ctrack.asp?ref=STBJOINT2
SecurityFocus Microsoft Newsletter #116
---------------------------------------
This issue is sponsored by St. Bernard Software
Solution to Find & Fix Network Vulnerabilities
Identifying and eliminating network vulnerabilities just got easier.
Award-winning Retina scans networks for early detection of
vulnerabilities, while UpdateEXPERT provides automated critical patch
management assistance.
For a FREE TRIAL visit: http://www.eeye.com/ctrack.asp?ref=STBJOINT2
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Barbarians at the Gate: An Introduction to Distributed Denial...
2. Does Research Support Dumping Linux?
3. SecurityFocus DPP Program
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003,Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Computer Associates InoculateIT Yaha.E Exchange Filter Bypassing
2. YaBB YaBB.pl Cross Site Scripting Vulnerability
3. Moby NetSuite POST Handler Buffer Overflow Vulnerability
4. McAfee VirusScan WebScanX Code Execution Vulnerability
5. Microsoft Windows XP Wireless LAN AP Information Disclosure...
6. PortailPHP SQL Injection Vulnerability
7. Pedestal Software Integrity Protection Driver Bypass Vulnerability
8. 3D3.Com ShopFactory Shopping Cart Cookie Price Manipulation...
9. Microsoft Internet Explorer Dialog Style Same Origin Policy...
10. phpBB search.php Cross Site Scripting Vulnerability
11. pWins Web Server Directory Traversal Vulnerability
13. Webster HTTP Server Long Request Buffer Overrun Vulnerability
14. Webster HTTP Server File Disclosure Vulnerability
15. Webster HTTP Server Cross Site Scripting Vulnerability
16. Lawson Financials Account Credentials World Accessible...
III. MICROSOFT FOCUS LIST SUMMARY
1. Container Names in RSACryptoServiceProvider class (Thread)
2. issues with syskey in NT 4.0 (Thread)
3. SecurityFocus Microsoft Newsletter #115 (Thread)
4. Question: Buffer Overrun in Microsoft Data Access Components...
5. Secure / Encrypt Terminal Services (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. ActivPack for NDS
2. i.Secure Office
3. SafeBoot 3
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. klogger v1.0
2. CECrypt v1.1
3. KerbCrack v1.0
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Barbarians at the Gate: An Introduction to Distributed Denial of
Service Attacks
By Matthew Tanase
DDoS attacks first made headlines in February 2000. Now, almost three
years later, can it be that we're still vulnerable? Unfortunately the
answer is yes. This article will explain the concept of DDoS attacks, how
they work, how to react if you become a target, and how the security
community can work together to prevent them.
http://online.securityfocus.com/infocus/1647
2. Does Research Support Dumping Linux?
By Tim Mullen
Microsoft's security policies are getting better every day, even as a new
report slams open-source competitors as security nightmares. But the easy
answers aren't always the right ones.
http://online.securityfocus.com/columnists/127
3. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today?s security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Computer Associates InoculateIT Yaha.E Exchange Filter Bypassing Vulnerability
BugTraq ID: 6290
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6290
Summary:
Computer Associates InoculateIT's Exchange option allows incoming email to
be scanned as well as background scanning of the Exchange database.
It has been reported that some email messsages containing the
W32.Yaha.E@mm worm are able to bypass the incoming mail scanner. Most
messages containing this worm are detected by the scanner, but some
messages are allowed through.
Some messages generated by the Yaha worm use the Microsoft IE MIME Header
Attachment Execution Vulnerability (BID 2524). This may be related to
this issue, however, precise details are not currently known.
This entry will be updated if and when more details become available.
2. YaBB YaBB.pl Cross Site Scripting Vulnerability
BugTraq ID: 6272
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6272
Summary:
YaBB (Yet Another Bulletin Board) is freely available web forum software
that is written in Perl. YaBB will run on most Unix/Linux variants, MacOS,
and Microsoft Windows 9x/ME/NT/2000/XP platforms.
A cross-site scripting vulnerability has been reported in the YaBB forum
'YaBB.pl' script. This vulnerability is due to insufficient sanitization
of URI parameters.
As a result, it is possible for a remote attacker to create a malicious
link to the login page of a site hosting the web forum. The malicious link
may contain arbitrary HTML code in URI parameters. When this link is
visited by an unsuspecting web user, the attacker-supplied code will be
executed in their browser in the security context of the vulnerable
website.
It has been demonstrated that this vulnerability may be exploited to steal
cookie-based authentication credentials.
This vulnerability has been reported for YaBB 1 Gold - SP 1. It is not
known if other versions are affected.
3. Moby NetSuite POST Handler Buffer Overflow Vulnerability
BugTraq ID: 6277
Remote: Yes
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6277
Summary:
Moby NetSuite is a small SMTP and HTTP/CGI server designed for use with
the Microsoft Windows operating system.
A buffer overflow vulnerability has been reported for Moby NetSuite that
may result in a denial of service condition. Reportedly, it is possible to
cause NetSuite to crash when a malformed POST request is received.
Specifically, the denial of service condition is triggered when a POST
request is received that has an overly large integer value as the value
for the 'Content-Length' header field.
An attacker can exploit this vulnerability by issuing a POST request with
a 'Content-Length' value that is a very large integer. When NetSuite
attempts to service the malformed POST request, it will crash resulting in
a denial of service. Restarting the service is neccessary to restore
functionality.
Although unconfirmed, this may be a remotely exploitable buffer overflow
condition and code execution may be possible.
4. McAfee VirusScan WebScanX Code Execution Vulnerability
BugTraq ID: 6288
Remote: No
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6288
Summary:
McAfee VirusScan contains a component for scanning Internet downloads and
active content called WebScanX. Since explorer.exe can also be used as a
web browser, WebScanX will hook the application.
A vulnerability exists in WebScanX that could allow arbitrary code
execution in the security context of the local system account. This
behaviour only appears to occur if a user's home directory (ie. Documents
and Settings\<username>) is located on a network share.
When Explorer is used to browse the local disk, WebScanX appears to open
several DLL (Dynamic Link Libraries) from the user's home directory. If
one of these DLLs were replaced with a malicious file, WebScanX could
execute the attacker-supplied code in the local system context.
This vulnerability was reported on VirusScan 4.5.1sp1. Other versions may
be vulnerable.
5. Microsoft Windows XP Wireless LAN AP Information Disclosure Vulnerability
BugTraq ID: 6312
Remote: Yes
Date Published: Dec 04 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6312
Summary:
An information disclosure vulnerability has been reported for Microsoft
Windows XP systems using a wireless LAN setup.
The vulnerability exists due to the configuration of Windows XP. If a
system is configured for use with a wireless network, Windowx XP systems
will automatically search for available access points (APs). If APs are
not found, requests are still submitted until a connection is achieved.
An attacker can exploit this vulnerability to set up an AP with the same
SSID (Service Set ID) of an AP configured for use with an XP system. When
the vulnerable system recognizes this malicious AP, it will then begin
transmission of data.
This can be exploited by an attacker to intercept and decrypt any
transmissions received from a vulnerable system. Information obtained in
this manner may be used to launch further, destructive attacks against a
vulnerable system.
6. PortailPHP SQL Injection Vulnerability
BugTraq ID: 6273
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6273
Summary:
Portail PHP is a Web portal project based on PHP and MySQL. It is available
for the Linux, Unix, and Microsoft Windows operating systems.
A vulnerability exists in the mod_search module included with PortailPHP.
The vulnerability is due to insufficient sanitization of variables used to
construct SQL queries in the 'index.php' script. Specifically, the 'rech'
variable is not sanitized of malicious SQL input. It is possible to modify
the logic of SQL queries through malformed query strings in requests for
the vulnerable script.
By injecting SQL code into the 'rech' variable, it may be possible for an
attacker to corrupt database information.
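The PortailPHP entry describes the classic pattern of a search term concatenated into a query string. The Python below is an added example, not PortailPHP's own code, and uses an in-memory SQLite table with constructed rows to contrast the defective pattern with parameter binding. The table, the column names and the helper functions are assumptions made for the demonstration; the 'rech' name is taken from the advisory.

```python
import sqlite3


def build_demo_db():
    """In-memory table standing in for the portal's content (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public notice", 1), ("Draft budget", 0), ("Public agenda", 1)],
    )
    return conn


def search_unsafe(conn, rech):
    """The defect pattern: the search term is pasted into the SQL text.

    Anything the user types reaches the SQL parser, so a quote character in
    the term ends the string literal early and the remainder is read as SQL.
    """
    sql = (
        "SELECT title FROM articles WHERE published = 1 "
        "AND title LIKE '%" + rech + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, rech):
    """Hardened form: the term is bound as a parameter and never parsed as SQL.

    The LIKE wildcards are added to the bound value, not to the query text,
    so the query logic is fixed no matter what the user typed.
    """
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + rech + "%",))]


def unsafe_search_breaks(conn, rech):
    """True if the concatenated query fails to parse for this term, which
    shows that user input is being interpreted as SQL rather than as data."""
    try:
        search_unsafe(conn, rech)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    print(search_safe(db, "Public"))          # published titles only
    print(search_safe(db, "O'Brien"))         # quote handled as data: no rows, no error
    print(unsafe_search_breaks(db, "O'Brien"))  # True: the quote reached the parser
```

A term such as O'Brien is enough to show the difference: the concatenated query raises a syntax error because the apostrophe is parsed as SQL, while the bound version simply finds no matching title. The same boundary that makes the quote harmless in the bound version is what stops the query logic from being rewritten.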
7. Pedestal Software Integrity Protection Driver Bypass Vulnerability
BugTraq ID: 6295
Remote: No
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6295
Summary:
Pedestal Software Integrity Protection Driver (IPD) is open source
software designed to prohibit new services and drivers from being
installed and to prevent the modification of existing drivers. This
provides protection from rootkit installation on Microsoft Windows NT/2000
systems.
When systems with IPD installed are rebooted, the IPD does not start until
the system has been up for twenty minutes. This allows new services and
drivers to be installed, or the uninstallation of IPD.
IPD appears to rely on the system clock to determine the end of the twenty
minute startup window. This could allow an attacker who gains privileged
access to the system to set the system clock back in order to increase the
time window before IPD starts.
During this period, the attacker could install a rootkit or make further
modifications to the system before resetting the system clock allowing IPD
to start.
8. 3D3.Com ShopFactory Shopping Cart Cookie Price Manipulation Vulnerability
BugTraq ID: 6296
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6296
Summary:
ShopFactory is an e-commerce application for Microsoft Windows operating
systems. It is distributed by 3D3.Com.
A problem with ShopFactory may make it possible for users to change prices
on items.
When a user visits a site and creates a shopping cart, information on
items added to the cart is stored in web cookies. The information stored
in these cookies is later retrieved by ShopFactory and used to give the
user the price on the item. Changing the information contained in the
cookie could change variables quoted to the user by the ShopFactory site.
This vulnerability has been reported to allow the changing of prices. A
malicious user could attempt to exploit this vulnerability to steal from
e-commerce sites.
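The ShopFactory entry is a reminder that a cookie is client-controlled storage. The Python below is an added example, not ShopFactory code, showing the two controls that close this class of issue: the cart cookie carries only SKUs and quantities (prices are looked up server-side) and it is protected by an HMAC so that any edit is detected. The key, the catalogue and the helper that simulates an edited cookie are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Server-side signing key (constructed for this example; load from a secret
# store in a real deployment and never send it to the client).
COOKIE_KEY = b"example-cart-signing-key"

# Authoritative prices in cents, consulted on the server (constructed catalogue).
CATALOG = {"SKU-100": 1999, "SKU-200": 4999}

_TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _serialize(items):
    # Canonical JSON so the same cart always produces the same bytes.
    return json.dumps(items, sort_keys=True, separators=(",", ":")).encode()


def encode_cart(items):
    """Serialise {sku: quantity} and append an HMAC-SHA256 tag.

    The cookie never contains a price; it only identifies what was chosen.
    """
    payload = _serialize(items)
    tag = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def decode_cart(cookie):
    """Verify the tag and return the items; raise ValueError on any tampering."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        raise ValueError("cart cookie is not valid base64")
    if len(raw) <= _TAG_LEN:
        raise ValueError("cart cookie too short")
    payload, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    expected = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("cart cookie failed integrity check")
    return json.loads(payload)


def price_cart(cookie):
    """Total in cents, from catalogue prices and the verified quantities."""
    items = decode_cart(cookie)
    total = 0
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise ValueError("unknown SKU %r" % sku)
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise ValueError("bad quantity for %r" % sku)
        total += CATALOG[sku] * qty
    return total


def cookie_is_valid(cookie):
    """Boolean wrapper: does the cookie verify and price correctly?"""
    try:
        price_cart(cookie)
        return True
    except ValueError:
        return False


def tampered_copy(cookie, items):
    """Simulate a client editing the cart: new items, original tag kept."""
    raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    return base64.urlsafe_b64encode(_serialize(items) + raw[-_TAG_LEN:]).decode("ascii")


if __name__ == "__main__":
    good = encode_cart({"SKU-100": 2})
    print(price_cart(good))                          # 3998
    forged = tampered_copy(good, {"SKU-100": 1, "SKU-200": 1})
    print(cookie_is_valid(forged))                   # False: tag no longer matches
```

Even with the signature in place, keeping prices out of the cookie matters: a signed price is still a stale price once the catalogue changes, and a server that recomputes the total from its own data has nothing to trust in the cookie beyond the shopper's selection.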
9. Microsoft Internet Explorer Dialog Style Same Origin Policy Bypass Vulnerability
BugTraq ID: 6306
Remote: Yes
Date Published: Dec 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6306
Summary:
It is possible to bypass the origin policy used by Internet Explorer for
the showModalDialog and showModelessDialog functions. Under some
circumstances, it may be possible to execute script code in sensitive
contexts.
Microsoft Internet Explorer includes support for dialog windows through
script calls to the two functions showModalDialog and showModelessDialog.
These functions accept a URL location for the dialog content, and an
option argument parameter to allow data to be passed to the dialog from
the calling page. Additionally, various styles can be applied to the
dialog from the calling page such as font-size, width, and height.
A check is done to ensure that data is only passed to dialogs located in
the same domain, port and protocol as the calling page. This prevents a
malicious party from injecting content into arbitrary dialogs. However,
script code can be injected into the style parameters and bypass this
check.
As a result, a malicious party may open a dialog with a URL which will
pass this check, and have the script code within the style parameters
execute in the zone of the target URL.
The consequences of exploitation are highly dependent on the functionality
of the targeted dialog. It is likely that this vulnerability could lead
to subversion of information or social engineering attacks.
It has been demonstrated that script code may be injected into dialogs
included by default with Internet Explorer 6.0 and 6.0SP1; earlier versions
may also be vulnerable. This can be used to execute arbitrary script code in
the Local Computer Zone.
10. phpBB search.php Cross Site Scripting Vulnerability
BugTraq ID: 6311
Remote: Yes
Date Published: Dec 03 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6311
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.
phpBB is prone to cross site scripting attacks. The problem lies in the
search.php script which fails to properly sanitize user-supplied input in
the 'search_username' parameter.
By exploiting this issue it may be possible to steal a user's cookie-based
authentication credentials. This could be accomplished by constructing a
malicious link containing script code embedded in the 'search_username'
parameter.
11. pWins Web Server Directory Traversal Vulnerability
BugTraq ID: 6271
Remote: Yes
Date Published: Nov 28 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6271
Summary:
pWins is a Web server implemented using Ruby and Perl. It is designed for
use on Linux variant and Microsoft Windows operating environments.
It has been reported that pWins fails to properly sanitize web requests.
By sending a malicious web request to the vulnerable server, using
directory traversal sequences, it is possible for a remote attacker to
access sensitive resources located outside of the web root.
An attacker is able to traverse outside of the established web root by
using dot-dot-slash (../) directory traversal sequences. An attacker may
be able to obtain any web server readable files from outside of the web
root directory.
Disclosure of sensitive system files may aid the attacker in launching
further attacks against the target system.
This vulnerability has been reported for pWins 0.2.5 for the Microsoft
Windows platform.
12. Microsoft Windows XP Fast User Switching Process Viewing Weakness
BugTraq ID: 6280
Remote: No
Date Published: Nov 29 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6280
Summary:
Microsoft Windows XP contains a feature called Fast User Switching (FUS).
This allows multiple users to be concurrently logged onto the system; only
one user can interact with the system at a time. FUS is enabled by
default on Windows XP Home edition, but not on Professional edition. It
cannot be enabled on systems that are members of a domain.
FUS contains a weakness that could allow unprivileged users to view other
users' process lists.
Members of the Administrators group can enable an option to view other
users' process lists. If a member of the Administrators group enables
this option and is subsequently removed from the group, they are still
able to view other users' process lists.
While this is not directly exploitable, it may violate other users'
privacy or the information obtained may potentially be used to mount
attacks on other local users.
13. Webster HTTP Server Long Request Buffer Overrun Vulnerability
BugTraq ID: 6289
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6289
Summary:
Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft
Foundation Classes (MFC). It is available for the Microsoft Windows
operating system.
A buffer overrun vulnerability has been discovered in Webster HTTP server.
It is possible to trigger this condition by passing Webster HTTP server a
malicious URL containing 275 or more bytes of data.
This issue can be exploited to overwrite the program's instruction pointer,
potentially resulting in the execution of malicious code. Exploitation of
this issue would allow an attacker to run arbitrary system commands with
the privileges of Webster.
14. Webster HTTP Server File Disclosure Vulnerability
BugTraq ID: 6291
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6291
Summary:
Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft
Foundation Classes (MFC). It is available for the Microsoft Windows
operating system.
A file disclosure vulnerability has been discovered in Webster HTTP
Server. By constructing a malicious URL containing directory traversal
sequences (../), it is possible for a remote attacker to disclose a known
system resource.
This vulnerability could be exploited to obtain the system's SAM file or
other sensitive resources, which may be used by the attacker to launch
further attacks against the target system.
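Two entries in this issue, pWins (item 11) and Webster (item 14), are the same defect: a request path joined onto the web root without checking where the result lands. The Python below is an added example written for this newsletter, not code from either server, showing the containment check a file-serving handler needs. It decodes percent-encoding once, treats backslashes as separators (both servers run on Windows), resolves '..' and symlinks, and then requires the resolved path to sit under the resolved root. The throwaway web root and the sample requests in `demo_results()` are constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class Forbidden(Exception):
    """Request path escapes the web root."""


def resolve_under_root(web_root, request_path):
    """Map a URL path onto a filesystem path strictly inside web_root.

    Resolving both sides first (symlinks and '..' included) and then checking
    containment avoids the lexical pitfalls of looking for '../' substrings.
    """
    root = Path(web_root).resolve()
    decoded = unquote(request_path)          # decode once; do not loop
    if "\x00" in decoded:
        raise Forbidden(request_path)         # NUL would truncate in C-based servers
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise Forbidden(request_path)
    return candidate


def is_inside_root(web_root, request_path):
    """Boolean wrapper: True if the request maps to a path under the root."""
    try:
        resolve_under_root(web_root, request_path)
        return True
    except Forbidden:
        return False


def demo_results():
    """Build a throwaway web root plus one file outside it, then classify
    constructed sample requests. Returns {request_path: allowed}."""
    base = Path(tempfile.mkdtemp())
    root = base / "www"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (base / "outside.txt").write_text("not for serving")
    requests = [
        "/index.html",            # normal request
        "/../outside.txt",        # plain dot-dot-slash
        "/..%2Foutside.txt",      # percent-encoded separator
        "\\..\\outside.txt",      # backslash form accepted on Windows
        "/sub/../index.html",     # '..' that stays inside the root
        "/outside.txt",           # inside the root (404 territory, not traversal)
    ]
    return {r: is_inside_root(root, r) for r in requests}


if __name__ == "__main__":
    for path, allowed in demo_results().items():
        print("%-22s %s" % (path, "serve" if allowed else "forbid"))
```

Note that a path which resolves inside the root but does not exist is still "allowed" by this check; turning that into a 404 is the handler's job, and keeping the two decisions separate avoids leaking, through different error codes, whether a file outside the root exists.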
15. Webster HTTP Server Cross Site Scripting Vulnerability
BugTraq ID: 6292
Remote: Yes
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6292
Summary:
Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft
Foundation Classes (MFC). It runs on Windows 95, 98, NT, 2000, Me, and XP
platforms.
It has been discovered that Webster HTTP Server fails to sanitize
user-supplied input, making it vulnerable to cross site scripting attacks.
By including HTML or script code in a maliciously constructed link, it may be
possible to execute arbitrary code within the context of the visited
website.
This issue may be exploited to steal cookie-based authentication
credentials from legitimate users of the website running the vulnerable
software. The attacker may then hijack the session of the legitimate user
by using the stolen cookie-based authentication credentials.
16. Lawson Financials Account Credentials World Accessible Vulnerability
BugTraq ID: 6293
Remote: No
Date Published: Dec 02 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6293
Summary:
Lawson Financials is a commercially available financial planning and
tracking software package. It is available for the Unix and Microsoft
Windows platforms.
A problem with Lawson Financials may make it possible for local users to
gain access to other users' accounts.
Lawson Financials requires specific configuration guidelines for the
Lawson certification process. These guidelines give users the ability to
install Lawson Financials with a limited set of configuration options.
Some default configurations of Lawson Financials may allow unauthorized
users access to sensitive information. By default, user credentials such
as the Lawson Financials user name and password are stored in a
world-readable, world-writable file. This could allow a user with local
access to a Lawson Financials system to gain access to the Financials
database. This is known to affect Financials installed on the UNIX
operating system.
Exploiting this vulnerability could result in an attacker connecting
directly to the database via some means such as ODBC or JDBC. The
attacker would then have access to the Financials database with the
privileges of any user listed in the database user file. It should be
noted that passwords stored in the file are in plain text.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Container Names in RSACryptoServiceProvider class (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302112
2. issues with syskey in NT 4.0 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/302111
3. SecurityFocus Microsoft Newsletter #115 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301856
4. Question: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301855
5. Secure / Encrypt Terminal Services (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/301663
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. ActivPack for NDS
by ActivCard
Platforms: RACF, Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.activcard.com/activ/products/infrastructure/activpack_nds/index.html
Summary:
ActivPack delivers integrated digital identity services, strong
authentication and smart card/token management for a comprehensive
solution seamlessly integrated into NDS® eDirectory and the ConsoleOne
management system. Linked tightly with Novell Modular Authentication
Service (NMAS) and iChain, ActivCard enables smart card-based login to NDS
using a private key and digital certificate stored securely on the user's
card, and token-based login with one-time passwords.
2. i.Secure Office
by Archisoft Security Solutions Limited
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.archisoft.com.hk/secureoffice.html
Summary:
i.Secure Office is a plug-in security module for Microsoft Office. It
makes use of the latest PKI technology together with personal Smart Token
to ensure that every document that reaches its users is uniquely
identified, confidential and intact. i.Secure Office works transparently
with Microsoft Office to promote unsurpassed security.
3. SafeBoot 3
by Control Break International
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.safeboot.com/products/safeboot.html
Summary:
SafeBoot 3 is a PC security system that prevents the data stored on a PC's
hard disk from being read or used by an unauthorized person. SafeBoot 3
encrypts the data stored on the hard disk and secures access to the PC via
a password or token at boot time. If a user fails to log on to SafeBoot 3,
or if an unauthorized person tries to access or use the PC, SafeBoot 3
will prevent access to the PC and its data.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. klogger v1.0
by Arne Vidstrom
Relevant URL:
http://www.ntsecurity.nu/toolbox/klogger/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:
"klogger" is a keystroke logger for Windows NT / 2000.
2. CECrypt v1.1
by Arne Vidstrom
Relevant URL:
http://www.ntsecurity.nu/toolbox/cecrypt/
Platforms: Windows CE
Summary:
CECrypt is a file encryption tool for Windows CE that can encrypt with
either 3-DES or IDEA.
3. KerbCrack v1.0
by Arne Vidstrom
Relevant URL:
http://www.ntsecurity.nu/toolbox/kerbcrack/
Platforms: Windows 2000, Windows XP
Summary:
KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer
listens on the network and captures Windows 2000/XP Kerberos logins. The
cracker can be used to find the passwords from the capture file using a
brute force attack or a dictionary attack.
VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by St. Bernard Software
Solution to Find & Fix Network Vulnerabilities
Identifying and eliminating network vulnerabilities just got easier.
Award-winning Retina scans networks for early detection of
vulnerabilities, while UpdateEXPERT provides automated critical patch
management assistance.
For a FREE TRIAL visit: http://www.eeye.com/ctrack.asp?ref=STBJOINT2
------------------------------------------------------------------------