Focus on Microsoft
SecurityFocus Microsoft Newsletter #119 Dec 30 2002 08:42PM
Marc Fossi (mfossi securityfocus com)

SecurityFocus Microsoft Newsletter #119
---------------------------------------

This issue is sponsored by: Qualys

Strengthening Network Security: FREE Guide Network security is a
constantly moving target - even proven solutions lose their punch over
time. Find out how to get COMPLETE PROTECTION against ever-growing
security threats with our FREE new Guide.

Get your copy today at: https://www.qualys.com/forms/nsguideh_376.php
------------------------------------------------------------------------

I. FRONT AND CENTER
1. Securing Outlook, Part Two: Many Choices to Make
2. 'Twas the Night Before Christmas, 2002
3. SecurityFocus DPP Program
4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. RealNetworks Helix Universal Server RTSP Transport Buffer...
2. Oracle 9i Application Server Insecure Default File Permissions...
3. MATLAB Mex Insecure Temporary Files Vulnerability
4. MATLAB Mex Local Command Execution Vulnerability
5. SPGPartenaires Multiple SQL Injection Vulnerabilities
6. RealNetworks Helix Universal Server Long URI Dual HTTP Request...
7. Hyperion FTP Server Buffer Overflow Vulnerability
8. Oracle 9i Application Server WEB-INF Folder Access Vulnerability
9. RealNetworks Helix Universal Server RTSP Describe Buffer...
10. PHP-Nuke CRLF Injection Vulnerability
11. PHP-Nuke Modules.PHP Denial Of Service Vulnerability
12. Apache printenv Sample Script Cross Site Scripting Vulnerability
13. MATLAB Insecure Temporary Files Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
1. Blank passwords, TsInternetUser added to Administrators (Thread)
2. SecurityFocus Microsoft Newsletter #118 (Thread)
3. How to kill OL2000 ability to render html mail (Thread)
4. Fw: How to kill OL2000 ability to render html mail (Thread)
5. AW: How to kill OL2000 ability to render html mail (Thread)
6. Logging Terminal Services Access? (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. Anti-Trojan 5.5
2. Anti-Virus (AVP) Personal PRO
3. InterScan VirusWall
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Netmon 1.52
2. NeTraMet 3.2
3. Network Equipment Performance Monitor v1.0
VI. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Securing Outlook, Part Two: Many Choices to Make
By Scott Granneman

This is the second of two articles focusing on ways to secure one of the
world's most popular e-mail clients, Microsoft's Outlook. The first
article offered a brief overview of Outlook, as well as some security
issues. It also discussed configuring Outlook for optimal security. This
article will look at some more things that Outlook users can do to secure
their e-mail.

http://online.securityfocus.com/infocus/1652

2. 'Twas the Night Before Christmas, 2002
By Tim Mullen

'Twas the night before Christmas and all through the House,
Not a congressman was stirring-- and the Senate was soused.
Freedom and Privacy-- the things we hold dear,
Have been trampled by the 107th this year.

http://online.securityfocus.com/columnists/131

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml

4. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)

Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11

Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!

Go to: http://www.misti.com/10/os03nl37inf.html

II. BUGTRAQ SUMMARY
-------------------
1. RealNetworks Helix Universal Server RTSP Transport Buffer Overflow Vulnerability
BugTraq ID: 6454
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6454
Summary:

Helix Universal Server is a multiple type media server distributed and
maintained by RealNetworks. It is available for Unix, Linux, and
Microsoft Windows platforms.

A problem with Helix Universal Server could make it possible for a remote
user to execute arbitrary code.

A buffer overflow has been reported in the Helix Universal Server. Due to
insufficient bounds checking on the 'transport' field of a RTSP request,
it is possible for a user to exploit a boundary condition error. This
could lead to the remote execution of arbitrary code with the privileges
of the Helix Universal Server process.

Due to this server running on TCP port 554 on most Windows systems, and
the server being installed as a system service, exploitation of this
vulnerability would yield SYSTEM privileges on a vulnerable host.
Exploitation on Unix systems would yield the privileges of the Universal
Server.

2. Oracle 9i Application Server Insecure Default File Permissions Vulnerability
BugTraq ID: 6460
Remote: No
Date Published: Dec 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6460
Summary:

9i Application Server (9iAS) is the web application server infrastructure
distributed by Oracle.

A problem with Oracle 9iAS may make it possible for a local user to gain
access to sensitive information.

It has been reported that Oracle 9iAS does not install with secure default
permissions. The default installation of Oracle 9iAS allows users with
local access to the system to access some contents of the 9iAS
installation. A user with local access may also modify or remove files
affected by this vulnerability. It should be noted that this only affects
9iAS installed on Microsoft Windows NT and 2000 systems.

This vulnerability could result in a local user accessing potentially
sensitive information. A user with local access could also modify or
destroy affected files.

3. MATLAB Mex Insecure Temporary Files Vulnerability
BugTraq ID: 6469
Remote: No
Date Published: Dec 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6469
Summary:

MATLAB is a language and technical computing environment. It is available
for a number of platforms, including Linux and Unix variants and Microsoft
Windows.

MATLAB is prone to an issue which may allow local attackers to corrupt
files.

The MATLAB Mex script uses the process ID (PID) when naming temporary
files. If an attacker can anticipate the name of temporary files created
by Mex, then the attacker can place a malicious symbolic link in place of
the temporary files. If the symbolic link points to a file which is
writeable by the user running the program, then that file will be corrupted
when the Mex script performs any actions on temporary files.

This may result in critical files being overwritten. If an attacker can
cause files to be overwritten with custom data, then it may be possible to
elevate privileges.

4. MATLAB Mex Local Command Execution Vulnerability
BugTraq ID: 6470
Remote: No
Date Published: Dec 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6470
Summary:

MATLAB is a language and technical computing environment. It is available
for a number of platforms, including Linux and Unix variants and Microsoft
Windows.

MATLAB is prone to an issue which may allow local attackers to execute
arbitrary commands with elevated privileges.

The MATLAB Mex script creates temporary files which are later executed to
perform various actions. If an attacker can anticipate the name of a
temporary file created by the Mex script, it is possible to create a
malicious file in the place of the temporary file. The Mex script will
then reportedly execute the malicious file.

Successful exploitation will result in arbitrary command execution with
the privileges of the user running the Mex script.

This issue is compounded by the fact that Mex uses predictable names when
creating temporary files, as described in BID 6469 "MATLAB Mex Insecure
Temporary Files Vulnerability".

5. SPGPartenaires Multiple SQL Injection Vulnerabilities
BugTraq ID: 6455
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6455
Summary:

SPGPartenaires is a partner management script written in PHP and that uses
a SQL backend. It is available for the Linux, Unix, and Microsoft Windows
operating systems.

Several vulnerabilities have been discovered in SPGPartenaires. These
vulnerabilities are due to insufficient sanitization of variables used to
construct SQL queries in various scripts, including 'indent.php',
'index2.php', and 'delete.php'. Specifically, the 'pass' and 'SPGP'
variables are not sanitized of malicious SQL input. It is possible to
modify the logic of SQL queries through malformed query strings in
requests for the vulnerable script.

By injecting SQL code into the 'pass' or 'SPGP' variable, it may be
possible for an attacker to corrupt member information. It may also be
possible for attackers to perform more advanced attacks on the underlying
database.

6. RealNetworks Helix Universal Server Long URI Dual HTTP Request Buffer Overflow Vulnerability
BugTraq ID: 6458
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6458
Summary:

Helix Universal Server is a multiple type media server distributed and
maintained by RealNetworks. It is available for Unix, Linux, and
Microsoft Windows platforms.

A problem with Helix Universal Server could make it possible for a remote
user to execute arbitrary code.

A buffer overflow has been reported in the Helix Universal Server. Due to
insufficient bounds checking, when a long URI is requested via the HTTP
server in two separate connections, a boundary condition error occurs.
This could lead to the remote execution of arbitrary code with the
privileges of the Helix Universal Server process.

Exploitation of this vulnerability would yield SYSTEM privileges on a
vulnerable host. Exploitation on Unix systems would yield the privileges
of the Universal Server.

7. Hyperion FTP Server Buffer Overflow Vulnerability
BugTraq ID: 6467
Remote: Yes
Date Published: Dec 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6467
Summary:

MollenSoft Hyperion FTP Server is a server that supports basic FTP
functionality and more. It is available for the Microsoft Windows
operating systems.

A vulnerability has been discovered in Hyperion FTP Server. It is possible
for a remote attacker to trigger this vulnerability by passing an FTP
parameter of excessive length.

By exploiting this issue to overwrite a function's instruction pointer it
may be possible to redirect the server's flow of execution to malicious
shellcode. Successful exploitation will result in arbitrary commands being
executed with the privileges of the vulnerable server.

It should be noted that this vulnerability was discovered in version
2.8.11 of Hyperion FTP Server. It is not yet known whether this issue
affects earlier versions.

This vulnerability is very similar to the issue described in BID 6345.

8. Oracle 9i Application Server WEB-INF Folder Access Vulnerability
BugTraq ID: 6461
Remote: Yes
Date Published: Dec 21 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6461
Summary:

9i Application Server (9iAS) is the web application server infrastructure
distributed by Oracle.

A problem with Oracle 9iAS may make it possible for a local user to gain
access to sensitive information.

It has been reported that a problem exists in Oracle 9iAS with the WEB-INF
directory. Under some circumstances, it may be possible for a remote user
to gain access to the contents of the WEB-INF directory. In doing so, a
remote user could potentially gain access to source code of web
applications, and potentially other sensitive information.

This vulnerability could lead to an information gathering attack. In some
situations, this vulnerability could also lead to password disclosure.

9. RealNetworks Helix Universal Server RTSP Describe Buffer Overflow Vulnerability
BugTraq ID: 6456
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6456
Summary:

Helix Universal Server is a multiple type media server distributed and
maintained by RealNetworks. It is available for Unix, Linux, and
Microsoft Windows platforms.

A problem with Helix Universal Server could make it possible for a remote
user to execute arbitrary code.

A buffer overflow has been reported in the Helix Universal Server. Due to
insufficient bounds checking on the 'describe' field of a RTSP request, it
is possible for a user to exploit a boundary condition error. This could
lead to the remote execution of arbitrary code with the privileges of the
Helix Universal Server process.

Due to this server running on TCP port 554 on most Windows systems, and
the server being installed as a system service, exploitation of this
vulnerability would yield SYSTEM privileges on a vulnerable host.
Exploitation on Unix systems would yield the privileges of the Universal
Server.

10. PHP-Nuke CRLF Injection Vulnerability
BugTraq ID: 6446
Remote: Yes
Date Published: Dec 20 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6446
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.

Throughout PHP-Nuke, the PHP mail() function is implemented to handle
email through web-based interfaces for various purposes (for features such
as "feedback", "send this to a friend", etc). There is no input
validation performed on user data passed to this function. As a result,
malicious users may embed CR/LF sequences to inject additional headers
into outgoing messages.

Attackers may exploit this weakness to manipulate the structure of
outgoing messages. For example, it may be possible for attackers to set
the recipient to an arbitrary value. This could be leveraged by
individuals to send mass unsolicited mail in a manner similar to how
"formmail" is actively exploited (BID 3955).

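The header injection described in BID 6446, shown as an added example that is not part of the original newsletter or of PHP-Nuke: a mail builder that pastes form values into the header block, beside one that rejects CR, LF and NUL first. It is written in Python rather than PHP; the function names and the sample subject value are constructed for illustration.

```python
import re
from email import message_from_string

# CR, LF and NUL never belong in a single header value taken from a form field.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    pass


def build_unsafe(sender, subject, body):
    # The pattern the advisory describes: form values pasted into the header block.
    return f"From: {sender}\r\nSubject: {subject}\r\n\r\n{body}"


def clean_header_value(field, value, max_len=200):
    # Reject rather than strip, so the attempt is visible to the caller and in logs.
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError(f"line break or NUL in {field!r} field")
    if len(value) > max_len:
        raise HeaderInjectionError(f"{field!r} field longer than {max_len} characters")
    return value.strip()


def build_safe(sender, subject, body):
    sender = clean_header_value("From", sender)
    subject = clean_header_value("Subject", subject)
    return f"From: {sender}\r\nSubject: {subject}\r\n\r\n{body}"


def header_names(raw_message):
    # Parse the message the way a mail server would and list the headers it sees.
    return [name for name, _ in message_from_string(raw_message).items()]


# Constructed form input: a subject value carrying an embedded CRLF.
SAMPLE_SUBJECT = "Feedback\r\nX-Injected: yes"
```

Passing SAMPLE_SUBJECT to build_unsafe yields a message with three headers instead of two, while build_safe raises HeaderInjectionError for the same input.
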
11. PHP-Nuke Modules.PHP Denial Of Service Vulnerability
BugTraq ID: 6465
Remote: Yes
Date Published: Dec 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6465
Summary:

PHP-Nuke is a web-based portal system. Implemented in PHP, it is available
for a range of systems, including Unix, Linux, and Microsoft Windows.

A denial of service vulnerability has been reported for the modules.php
script used by PHP-Nuke. The vulnerability occurs because the modules.php
script does not properly validate URI parameters.

An attacker can exploit this vulnerability by modifying the 'name'
parameter when making a request for modules.php. This will prevent
visitors to the site hosting PHP-Nuke from creating a new account thereby
leading to a denial of service condition.

This vulnerability was reported for PHP-Nuke 6.0. It is not known whether
earlier versions are affected.

12. Apache printenv Sample Script Cross Site Scripting Vulnerability
BugTraq ID: 6466
Remote: Yes
Date Published: Dec 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6466
Summary:

Apache is a freely available webserver for Unix and Linux variants, as
well as Microsoft operating systems.

A cross site scripting vulnerability has been reported in a sample script
included with Apache. The vulnerability exists in the 'printenv' sample
script, which is typically installed in the 'cgi-bin' directory.

Due to insufficient sanitization of user-supplied input it is possible for
an attacker to construct a malicious link which contains arbitrary HTML
and script code. Attacker-supplied HTML and script code may be executed on
a web client visiting the malicious link in the context of the vulnerable
server.

This may be exploited to steal cookie-based authentication credentials.

It should be noted that this script is not installed as an executable
script and any output is generated as plain text. However, some browsers
may not properly interpret the TEXT/PLAIN MIME header and may render any
output messages in HTML.

13. MATLAB Insecure Temporary Files Vulnerability
BugTraq ID: 6468
Remote: No
Date Published: Dec 23 2002 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6468
Summary:

MATLAB is a language and technical computing environment. It is available
for a number of platforms, including Linux and Unix variants and Microsoft
Windows.

MATLAB is prone to an issue which may allow local attackers to corrupt
files.

MATLAB uses the process ID (PID) when naming temporary files. If an
attacker can anticipate the name of temporary files created by MATLAB,
then the attacker can place a malicious symbolic link in place of the
temporary files. If the symbolic link points to a file which is writeable
by the user running the program, then that file will be corrupted when MATLAB
performs any actions on temporary files.

This may result in critical files being overwritten. If an attacker can
cause files to be overwritten with custom data, then it may be possible to
elevate privileges.
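
The temporary-file pattern behind BIDs 6468, 6469 and 6470, as an added example that is not MATLAB's or the newsletter's own code: a PID-named file written with a plain open, beside exclusive creation and mkstemp. It is written in Python and runs entirely inside a private scratch directory; the file names and the "mex" prefix are constructed for illustration.

```python
import os
import stat
import tempfile


def pid_based_name(directory, prefix="mex"):
    # The scheme the advisories describe: anyone who can see the PID knows the name.
    return os.path.join(directory, f"{prefix}_{os.getpid()}.tmp")


def write_unsafe(path, data):
    # Plain open-for-write follows a symlink at `path` and truncates its target.
    with open(path, "w") as fh:
        fh.write(data)


def write_exclusive(path, data):
    # O_EXCL makes creation fail if anything, including a symlink, already
    # sits at `path`; O_NOFOLLOW is added where the platform defines it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_mkstemp(directory, data):
    # mkstemp picks an unpredictable name and creates it exclusively, mode 0600.
    fd, path = tempfile.mkstemp(prefix="mex_", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Exercise all three writers inside a private scratch directory."""
    result = {}
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "settings.cfg")   # constructed file
        tmp = pid_based_name(scratch)

        def reset():
            with open(target, "w") as fh:
                fh.write("original")
            if os.path.lexists(tmp):
                os.unlink(tmp)
            os.symlink(target, tmp)   # a link already sits at the guessed name

        def target_text():
            with open(target) as fh:
                return fh.read()

        reset()
        write_unsafe(tmp, "scratch")
        result["unsafe_overwrote_target"] = target_text() != "original"

        reset()
        try:
            write_exclusive(tmp, "scratch")
            result["exclusive_refused"] = False
        except OSError:
            result["exclusive_refused"] = True
        result["target_intact"] = target_text() == "original"

        path = write_mkstemp(scratch, "scratch")
        result["mkstemp_mode"] = stat.S_IMODE(os.lstat(path).st_mode)
    return result
```
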

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Blank passwords, TsInternetUser added to Administrators (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/304411

2. SecurityFocus Microsoft Newsletter #118 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/304415

3. How to kill OL2000 ability to render html mail (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/304410

4. Fw: How to kill OL2000 ability to render html mail (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/304321

5. AW: How to kill OL2000 ability to render html mail (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/304229

6. Logging Terminal Services Access? (Thread)
Relevant URL:

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Anti-Trojan 5.5
by Anti-Trojan
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL:
http://www.anti-trojan.net/en/home.aspx

Anti-Trojan 5.5 is a powerful trojan scanner and remover which detects
more than 8000 different types of trojan horses. It uses three methods to
find them. The first is the portscan which gives you information if there
are open ports on your computer. The second one is the registry scan which
searches through the system registry database for trojans. The third and
the most important part is the disk scan. It scans your harddisks for
dangerous trojan files and removes them safely. This commercial product is
also available for a 14 day free trial.

2. Anti-Virus (AVP) Personal PRO
by Kaspersky Labs
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT
Relevant URL:
http://www.kaspersky.co.uk/products.asp?tgroup=2&pgroup=10&id=26

Kaspersky Anti-Virus Personal Pro provides full-scale protection with some
additional protective components - a behavior blocker and integrity
checker; appropriate for experienced users seeking the best anti-virus.
Office Guard, integrated into Kaspersky Anti-Virus Personal Pro,
constantly controls macros executed on your computer, and prohibits any
suspicious action. The unique technology of the behavior blocker
underlying Office Guard guarantees 100% protection from destructive
macro-virus action, leaving no chance for any malicious macros to damage
your computer.

3. InterScan VirusWall
by TrendMicro
Platforms: HP-UX, Solaris, Windows NT
Relevant URL:
http://www.antivirus.com/products/isvw/index.htm

InterScan VirusWall performs real-time gateway scanning of SMTP, FTP, and
HTTP traffic. It optionally blocks malicious Java and ActiveX applets.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Netmon 1.52
by Johan Samuelson
Relevant URL:
http://w1.132.telia.com/~u13200034/netmon.html
Platforms: Windows 2000, Windows 95/98
Summary:

Netmon is a compact, easy-to-use network information utility. It displays
information pertaining to the IP, TCP, UDP and ICMP protocols. Its main
purpose is viewing connections made using TCP and UDP protocols from or to
your computer. Its main advantages over the console-based version are the
database of common trojan ports, the complete list of well-known
ports, the user-configurable filters and the automatic hostname lookup.

2. NeTraMet 3.2
by unknown
Relevant URL:
http://online.securityfocus.com/tools/1508
Platforms: DOS, IRIX, Linux, Solaris, UNIX, Windows 2000, Windows 95/98,
Windows NT
Summary:

NeTraMet is an accounting meter which runs on a PC under DOS or a Unix
system. It builds up packet and byte counts for traffic flows, which are
defined by their end-point addresses. Addresses can be ethernet addresses,
protocol addresses (IP, DECnet, EtherTalk, IPX or CLNS) or 'transport'
addresses (IP port numbers, etc), or any combination of these. The traffic
flows to be observed are specified by a set of rules, which are downloaded
to NeTraMet by a 'manager' program. Traffic flow data is collected via
SNMP from NeTraMet by a 'collector' program.

NeTraMet provides a valuable tool for analysing network traffic flows, and
should prove to be of interest to anyone interested in network monitoring,
capacity planning, performance measurement, etc.

Full distribution, including manual, source & Makefiles for UNIX,
executable files for PC (DOS/Win)

3. Network Equipment Performance Monitor v1.0
by jimesh
Relevant URL:
http://www.nepm.net/
Platforms: AIX, FreeBSD, HP-UX, Linux, Solaris, True64 UNIX, UNIX, Windows
2000, Windows NT, Windows XP
Summary:

NEPM monitors and reports uptime, critical events and their predecessors,
access rates, bytes-served rates, and error rates for network node
equipment. Hardware and software elements within the nodes are tracked and
reported separately to make possible rapid fault isolation. It is a very
general, highly configurable, two-part software system that captures and
analyzes logged performance data from IP-networked equipment and reports
it via email and Web pages. Current conditions and history from systems
based on Windows NT/2000, Unix, and Unix-style operating systems can be
tracked and reported. Most major server, switch and router systems can be
monitored, without running agents on the target systems. NEPM itself is
system-independent and can be hosted on either a Unix or Win NT system or
a combination of these with equal ease.

VI. SPONSOR INFORMATION
-----------------------
This issue is sponsored by: Qualys

