SecurityFocus Microsoft Newsletter #123
---------------------------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts.
All of the top experts you've read about recently are speaking. Fully
supported by Microsoft, with new MS hosted training sessions just added!
Visit www.blackhat.com to register.
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. Forensics on the Windows Platform, Part 1
2. The Busy Life of a Welsh Virus-Writer
3. New Book: Hacker's Challenge 2 Test Your Network Security...
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003(March10-12,2003,Orlando,FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Rediff Bol URL Handling Denial Of Service Vulnerability
2. SyGate Insecure UDP Source Port Firewall Bypass Weak Default...
3. Blackboard Learning System search.pl SQL Injection Variant...
4. PlatinumFTPServer File Disclosure Vulnerability
5. Microsoft Windows MSGINA.DLL Read-Lock Denial Of Service...
6. YaBB SE News.PHP Remote File Include Vulnerability
7. FTLS GuestBook Script Injection Vulnerability
8. Finjan SurfinGate HTML Filtering Weakness
9. Finjan SurfinGate File Extension File Filter Circumvention...
10. Finjan SurfinGate Java Applet Analyzer Bypass Vulnerability
11. Finjan SurfinGate Password Ciphering Weaknesses
12. MIT Kerberos Key Distribution Center Remote Format String...
13. Finjan SurfinGate Active Content Filter Bypass Vulnerability
14. Finjan SurfinGate Compressed Archive File Filter Circumvention...
15. Finjan SurfinGate Unknown File Extension File Filter...
16. MIT Kerberos Remote Heap Corruption Vulnerability
17. MIT Kerberos / Key Distribution Center Shared Key User...
III. MICROSOFT FOCUS LIST SUMMARY
1. uh, oh (was:Re: w2k server compromised) (Thread)
2. Problems with Pwdump3e (Thread)
3. Win2k log management (Thread)
4. Bypass Traverse Checking? (Thread)
5. IIS 5.0 and Digest Authentication (Thread)
6. Securing IIS/5 with ASP (Thread)
7. At.exe Service Account - scripted or registry? (Thread)
8. Administrivia (Thread)
9. SecurityFocus Microsoft Newsletter #122 (Thread)
10. SQL Sapphire Worm Analysis (Thread)
11. w2k server compromised (Thread)
12. Attacking EFS through cached domain logon credentials (Thread)
13. AD replication over WAN (Thread)
14. Stopping Admin Alert SPAM (Thread)
15. Fw: Bypass Traverse Checking? (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. RAV AntiVirus Desktop for Windows
2. Panda Antivirus Small Business Edition
3. NOD32
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. AMaViS (A Mail Virus Scanner) 0.3.12pre8
2. IP Personality 20010724
3. Sentinel Security Toolkit v1.2.1c
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Forensics on the Windows Platform, Part 1
By Jamie Morris
This article, the first in a two-part series about forensics on the
Windows platform, will examine the preparatory steps that can be taken by
both investigators and system administrators alike. While this series is
concerned with Windows-specific investigations, this article will examine
some basic, non-technical concepts that are applicable to all forensic
investigations.
http://online.securityfocus.com/infocus/1661
2. The Busy Life of a Welsh Virus-Writer
By George Smith
The prison-bound author of the Gokar virus loves shoes, pole dancers and
personal self-disclosure. His blog tells all.
http://online.securityfocus.com/columnists/138
3. New Book: Hacker's Challenge 2 Test Your Network Security & Forensic
Skills
Do you have what it takes to keep the bad guys out of your network? Find
out with the latest edition of this best-selling book featuring 20+ all
new hacking challenges for you to solve. Plus, you'll get in-depth
solutions for each, all written by experienced security consultants.
For more information visit:
http://shop.osborne.com/cgi-bin/osborne/0072226307.html
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14; Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Rediff Bol URL Handling Denial Of Service Vulnerability
BugTraq ID: 6670
Remote: Yes
Date Published: Jan 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6670
Summary:
Bol is a freely available chat client available from Rediff. It is
available for Microsoft Windows operating systems.
A problem could make it possible for a remote user to deny service to
legitimate users of the chat client.
It has been reported that a problem in Rediff Bol may allow remote users
to log other users out of the Bol chat client. Due to improper handling
of some types of requests, a remote user could send a URL request to the
client in the form of an rbol: command that would cause the client to log
out. Under ordinary circumstances, the chat client should not react to
input from untrusted users. This problem could make it possible for a remote user to
launch a continuous denial of service against a user of the vulnerable
client.
2. SyGate Insecure UDP Source Port Firewall Bypass Weak Default Configuration Vulnerability
BugTraq ID: 6684
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6684
Summary:
Sygate Pro is a personal firewall application for Microsoft Windows
operating system.
It has been reported that the Sygate Pro firewall permits traffic
originating from UDP source port 137 or 138 by default. UDP packets
originating from either of these source ports will bypass the firewall.
Remote attackers may potentially exploit this vulnerability to get
malicious network traffic past the firewall.
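A detection check for the weak default described above, written as an added example (not Sygate's code or the advisory's): it flags datagrams from outside the local network whose source port is 137 or 138 but whose destination port is not a NetBIOS service port, which is the shape traffic abusing a source-port allow rule takes. The log format and the internal address range are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# NetBIOS name service (137) and datagram service (138): the source ports
# the advisory says Sygate Pro let through by default.
NETBIOS_PORTS = {137, 138}
LOCAL_PREFIX = "192.168.1."   # assumed internal address range (constructed)


@dataclass(frozen=True)
class UdpRecord:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed log format (not Sygate's): "UDP <src_ip>:<port> -> <dst_ip>:<port>"
_LINE = re.compile(r"^UDP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line: str) -> Optional[UdpRecord]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return UdpRecord(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def is_source_port_evasion(rec: UdpRecord) -> bool:
    """An external host using a NetBIOS source port to reach a port that is
    not itself a NetBIOS service port is abusing a source-port-based allow
    rule; genuine name/datagram service traffic goes 137->137 or 138->138."""
    if rec.src_ip.startswith(LOCAL_PREFIX):
        return False
    return rec.src_port in NETBIOS_PORTS and rec.dst_port not in NETBIOS_PORTS


# Constructed sample traffic: two evasion attempts, one internal NetBIOS
# exchange, one external NetBIOS lookup, and one ordinary high-port datagram.
SAMPLE_LOG = """\
UDP 203.0.113.5:137 -> 192.168.1.10:1434
UDP 203.0.113.5:138 -> 192.168.1.10:53
UDP 192.168.1.20:137 -> 192.168.1.10:137
UDP 203.0.113.9:137 -> 192.168.1.10:137
UDP 198.51.100.7:40000 -> 192.168.1.10:1434
"""


def suspicious_records(log: str) -> List[UdpRecord]:
    """Return the records that match the source-port evasion pattern, in log order."""
    recs = (parse_line(line) for line in log.splitlines())
    return [r for r in recs if r is not None and is_source_port_evasion(r)]


if __name__ == "__main__":
    for r in suspicious_records(SAMPLE_LOG):
        print(f"source-port evasion: {r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port}")
```

The correct firewall-side fix is to stop keying rules on the source port at all; the check above only makes the condition visible in logs.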
3. Blackboard Learning System search.pl SQL Injection Variant Vulnerability
BugTraq ID: 6687
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6687
Summary:
Blackboard Learning system is a suite of software products available for
Microsoft Windows, Linux and Solaris servers that power an "e-Education
Infrastructure" for education providers.
Blackboard Learning System, in some cases, does not sufficiently sanitize
user-supplied input which is used when constructing SQL queries. As a
result, attackers may supply malicious parameters to manipulate the
structure and logic of SQL queries. This may result in unauthorized
operations being performed on the underlying database.
This vulnerability was reported to exist in the search.pl script file. A
remote attacker can exploit this vulnerability to discover the passwords
of other users.
This vulnerability is a variant of the vulnerability described in BID
6655.
This vulnerability was reported for Blackboard Learning System 5.5.1, level
1 and 2. Previous releases may also be affected.
4. PlatinumFTPServer File Disclosure Vulnerability
BugTraq ID: 6691
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6691
Summary:
PlatinumFTPServer is an FTP server for Microsoft Windows systems. It is
commercially available, and distributed by BYTE/400.
A directory traversal vulnerability has been reported in
PlatinumFTPServer. The program does not sufficiently handle
backslash-dot-dot input, which could result in an attacker gaining access
to unauthorized resources.
This problem can allow an attacker to break out of the FTP root directory,
and access the entire file system of the vulnerable host. It has been
reported that an attacker may also be able to create and remove arbitrary
files and directories on the system by specifying the full path to the
file. This vulnerability requires an attacker to use the '\..' notation.
This vulnerability was reported for PlatinumFTPServer 1.0.7. It is likely
that earlier versions are affected.
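A root-confinement check of the kind an FTP server needs against the '\..' traversal described above, written as an added example (not PlatinumFTPServer's code). It assumes a virtual path space rooted at '/' for the FTP root and treats backslashes as separators, since on Windows '\..' climbs a directory just as '/..' does; a plain posixpath.normpath is not enough because it silently collapses '/..' at the root and hides the escape.

```python
from typing import Optional


def resolve_ftp_path(cwd: str, requested: str) -> Optional[str]:
    """Return the normalized virtual path (rooted at '/', the FTP root) that
    `requested` names relative to `cwd`, or None if it would leave the root.
    `cwd` is assumed to be an already-validated absolute virtual path."""
    # Windows accepts both separators, so unify before looking at components.
    unified = requested.replace("\\", "/")
    # A drive-letter path such as 'C:/data' is absolute on Windows; the
    # advisory notes that full paths were usable, so refuse them outright.
    if len(unified) >= 2 and unified[1] == ":":
        return None
    full = unified if unified.startswith("/") else cwd.rstrip("/") + "/" + unified
    stack = []
    for part in full.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:
                return None          # would climb above the FTP root
            stack.pop()
        else:
            stack.append(part)
    return "/" + "/".join(stack)


if __name__ == "__main__":
    for cwd, req in [("/pub", "docs/readme.txt"), ("/pub", "\\..\\..\\secret.txt"), ("/", "C:\\data")]:
        print(repr(req), "->", resolve_ftp_path(cwd, req))
```

Only the returned virtual path should ever be joined onto the on-disk root directory; a None result is refused before any file operation.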
5. Microsoft Windows MSGINA.DLL Read-Lock Denial Of Service Vulnerability
BugTraq ID: 6672
Remote: No
Date Published: Jan 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6672
Summary:
It has been reported that Microsoft Windows 2000 Terminal Servers and XP
Pro are prone to a denial of service due to a problem with 'MSGINA.DLL'.
This condition may be triggered by users who can successfully login to the
server via RDP or ICA.
'MSGINA.dll' is the vendor-supplied Graphical Identification and
Authentication dynamic-link library. 'MSGINA.DLL' is loaded by the
WinLogon executable and helps to facilitate graphical client sessions.
If a malicious user causes a read-lock to be placed on
'%SYSTEMROOT%\SYSTEM32\MSGINA.DLL', the next user to log in will be
prompted with a dialog stating that 'MSGINA.DLL' failed to load and will
be given the opportunity to restart the system.
An attacker may trigger this condition by opening the dynamic-link library
with an external application, such as a hex editor.
6. YaBB SE News.PHP Remote File Include Vulnerability
BugTraq ID: 6674
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms including Unix,
Linux, and Microsoft Windows operating systems.
A vulnerability has been discovered in YaBB SE. Due to insufficient
sanitization of some user-supplied variables by the 'News.php' script, it
is possible for a remote attacker to include a malicious PHP file in a
URL.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'$template' parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for YaBB SE 1.5.1 and earlier.
7. FTLS GuestBook Script Injection Vulnerability
Summary:
FTLS Guestbook is freely available guestbook software. It will run on most
Unix and Linux variants, as well as Microsoft Windows operating systems.
Guestbook does not adequately filter HTML tags from various fields. This
may enable an attacker to inject arbitrary script code into pages that are
generated by the guestbook.
The attacker's script code may be executed in the web client of arbitrary
users who view the pages generated by the guestbook, in the security
context of the website running the software.
Attackers may potentially exploit this issue to hijack web content or to
steal cookie-based authentication credentials.
This vulnerability was reported for FTLS Guestbook 1.1.
8. Finjan SurfinGate HTML Filtering Weakness
BugTraq ID: 6702
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6702
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
The HTML filter included with Finjan SurfinGate does not sufficiently
recognize certain types of malicious HTML which may pose a threat to end
users.
As a result, end users may be exposed to attacks which utilize malicious
HTML to cause a denial of service or impact the user in other ways.
Due to this weakness in the SurfinGate filter, it may be possible for
malicious HTML code to be accessed by a user. Specifically, HTML META-Tags
with a refresh set to 0, infinite recursive frame sets, and infinite
recursive iframes are not detected by the affected application. Processing
malicious HTML code sequences may result in a denial of service, depending
on the end user's web browser implementation.
9. Finjan SurfinGate File Extension File Filter Circumvention...
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A problem with SurfinGate could make it possible for an attacker to
circumvent file filters that are set in place.
SurfinGate uses the file extension to determine if a file is of a type
that is blacklisted by the software. It has been reported that an
attacker may bypass SurfinGate file filtering rules by appending an extra
file extension of a type that is not blacklisted to the end of the file
name.
For example, an attacker may rename an executable file to
'filename.com.txt' to bypass the SurfinGate file filter.
It should be noted that an end user would still have to interactively open
or execute the malicious file.
10. Finjan SurfinGate Java Applet Analyzer Bypass Vulnerability
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A flaw was reported in the Java applet analyzer included with Finjan
SurfinGate. The analyzer works by filtering out specific code which is
deemed dangerous and permitting "safe" code to pass. The Java applet
analyzer scans the contents of a JAR archive and removes classes which are
on a blacklist.
However, the Finjan SurfinGate Java applet analyzer does not properly
detect the use of the Java Reflection API. As a result, this API may be
used to call methods and classes that may otherwise be restricted.
A malicious Java applet may use this technique to bypass the Finjan
SurfinGate filter. End users may not be protected from malicious Java
applets as a result.
11. Finjan SurfinGate Password Ciphering Weaknesses
BugTraq ID: 6705
Remote: No
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6705
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A weakness has been discovered in the encryption algorithms implemented by
Finjan SurfinGate. The SurfinGate Console password is viewable through the
properties table and is obfuscated using an algorithm which may be trivial
for an attacker to reverse. SurfinGate uses the following algorithm to
obfuscate the Console password:
CHAR encrypted(n) = CHAR( ASCII(CHAR cleartext(n)) + n )
Where n is the position of the character in the password beginning with 0.
When the SurfinGate console is used to access a Solaris installation the
Oracle protocol is used. For this to be possible a valid Oracle user must
exist for SurfinGate to use. The Oracle user credentials are stored in a
locally accessible configuration file. It has been reported that the
user's Oracle password is also obfuscated using a slightly more complex
algorithm, which would be trivial for an attacker to reverse.
If the password is discovered, this may lead to further attacks against
the target system and the filtering software.
The Oracle password is obfuscated using the following algorithm:
Where n is the position of the character in the password.
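The Console password transform as the advisory states it, worked through as an added example (not Finjan's code): the forward step and its inverse are the same position-dependent shift with no key involved, and because n starts at 0 the first character is stored unchanged. The Oracle variant is not reproduced since the page does not give its algorithm.

```python
def obfuscate(cleartext: str) -> str:
    """encrypted(n) = CHAR(ASCII(cleartext(n)) + n), n counted from 0,
    exactly as the advisory gives it (no modulus is stated, so none is applied)."""
    return "".join(chr(ord(c) + n) for n, c in enumerate(cleartext))


def deobfuscate(stored: str) -> str:
    """The inverse needs no secret: subtract the position again."""
    return "".join(chr(ord(c) - n) for n, c in enumerate(stored))


def first_char_stored_in_clear(cleartext: str) -> bool:
    """With n = 0 the first character is unchanged in the stored form."""
    return cleartext == "" or obfuscate(cleartext)[0] == cleartext[0]


def roundtrips(cleartext: str) -> bool:
    """Sanity check that the transform is a bijection on the given string."""
    return deobfuscate(obfuscate(cleartext)) == cleartext


if __name__ == "__main__":
    sample = "abc"   # constructed sample value
    print(sample, "->", repr(obfuscate(sample)), "->", deobfuscate(obfuscate(sample)))
```

Operationally this means the stored Console password should be treated as cleartext: anyone who can read the properties table has it.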
12. MIT Kerberos Key Distribution Center Remote Format String Vulnerabilities
BugTraq ID: 6712
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6712
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A number of vulnerabilities have been reported in the MIT Kerberos Key
Distribution Center (KDC). It has been reported that KDC fails to supply
sufficient format specifiers when handling user-supplied data.
Specifically, principal names supplied by a remote user are handled by
functions of the printf family without supplying format specifiers. It has
been determined that under some circumstances an unauthenticated remote
user may be able to pass principal names to an affected server.
An attacker could exploit this vulnerability by supplying a maliciously
crafted principal name containing format specifiers. By writing
attacker-controlled values to memory using the %n format specifier, it may
be possible for a remote attacker to execute arbitrary commands.
As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this
BID will be retired and the correct BID will be updated accordingly.
13. Finjan SurfinGate Active Content Filter Bypass Vulnerability
BugTraq ID: 6701
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6701
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A flaw was reported in the SurfinGate active content filter, which
provides functionality for analyzing various types of active content
(JavaScript, ActiveX, VBScript, etc.). The active content filter works by
filtering out specific code which is deemed dangerous and permitting
"safe" code to pass. However, the JavaScript parser included in the
active content filter does not sufficiently sanitize script code.
It is possible to bypass the filter by obfuscating the malicious
JavaScript. This may be accomplished by hex-encoding the malicious code
and then passing it through a function which decodes the string (such as
through the eval() method).
Successful exploitation will permit arbitrary JavaScript to bypass the
filter and reach end users.
14. Finjan SurfinGate Compressed Archive File Filter Circumvention...
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A problem with SurfinGate could make it possible for an attacker to
circumvent file filters that are set in place.
It has been reported that SurfinGate does not sufficiently dissect archive
files for analysis. This may allow an attacker to circumvent the
SurfinGate file filter rules by including the malicious file of a
blacklisted type inside a file archive (such as '.ZIP' or '.RAR').
It should be noted that an end user would still have to interactively open
or execute the malicious file.
15. Finjan SurfinGate Unknown File Extension File Filter...
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A problem with SurfinGate could make it possible for an attacker to
circumvent file filters that are set in place.
SurfinGate uses the file extension to determine if a file is of a type
that is blacklisted by the software. It has been reported that an
attacker may bypass SurfinGate file filtering rules by using a file
extension that is not recognized by the filtering software.
It should be noted that an end user would still have to interactively open
or execute the malicious file. This may be suspicious if there is no
handler on the local system for the unknown file extension.
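The three file-filter circumventions above (double extension, archive wrapping, unknown extension) share one root cause: a blacklist keyed on the final extension that defaults to allow. This added example (not Finjan's code) puts the weak rule beside a hardened one that checks every dotted suffix, opens ZIP archives and applies the same rule to each member, and sends unknown extensions to review instead of letting them through. The extension lists are constructed policy values, and only ZIP is opened since RAR support needs a third-party library.

```python
import io
import zipfile
from typing import Dict, List

# Constructed policy values (not Finjan's real lists).
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "vbs"}
ALLOWED_EXTENSIONS = {"txt", "htm", "html", "gif", "jpg", "pdf", "zip"}
ARCHIVE_EXTENSIONS = {"zip"}   # only ZIP is opened here


def _extensions(filename: str) -> List[str]:
    """All dotted suffixes of the base name, lower-cased: 'a/setup.com.txt' -> ['com', 'txt']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.lower() for p in base.split(".")[1:]]


def naive_verdict(filename: str) -> str:
    """The weak rule the advisories describe: only the final extension counts,
    so 'setup.com.txt' is judged by 'txt' and passes."""
    exts = _extensions(filename)
    return "block" if exts and exts[-1] in BLOCKED_EXTENSIONS else "allow"


def hardened_verdict(filename: str, data: bytes = b"") -> str:
    """Return 'allow', 'block' or 'review' for a file name and its content."""
    exts = _extensions(filename)
    if any(e in BLOCKED_EXTENSIONS for e in exts):      # every dotted suffix counts
        return "block"
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:   # unknown extension: no default allow
        return "review"
    if exts[-1] in ARCHIVE_EXTENSIONS:                  # look inside, don't trust the wrapper
        return inspect_zip(data)
    return "allow"


def inspect_zip(data: bytes) -> str:
    """Apply hardened_verdict to every member; nested ZIPs are opened recursively."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):                 # directory entry, nothing to scan
                    continue
                verdict = hardened_verdict(member, zf.read(member))
                if verdict != "allow":
                    return verdict
    except zipfile.BadZipFile:
        return "review"                                  # unreadable archive: a human looks at it
    return "allow"


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the sample runs (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print("setup.com.txt:", naive_verdict("setup.com.txt"), "vs", hardened_verdict("setup.com.txt"))
    print("wrapped.zip:", hardened_verdict("wrapped.zip", make_zip({"payload.com": b"MZ"})))
```

A production filter would also cap recursion depth and total decompressed size so that a crafted archive cannot exhaust the scanner.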
16. MIT Kerberos Remote Heap Corruption Vulnerability
BugTraq ID: 6713
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6713
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A vulnerability has been discovered in MIT Kerberos. It has been reported
that, due to insufficient bounds checking and sanitization of
user-supplied data, Kerberos is prone to memory corruption.
A remote attacker may trigger this condition by supplying a negative
length value in a malicious packet sent to a target server. This may
result in insufficient memory being allocated or cause invalid memory to
be referenced. Successful exploitation of this issue may result in a
denial of service.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be overwritten. If
successful this could allow for the execution of arbitrary code with the
privileges of Kerberos. The possibility of exploitation of this issue to
execute code, however, has not been confirmed.
As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this
BID will be retired and the correct BID will be updated accordingly.
17. MIT Kerberos / Key Distribution Center Shared Key User Spoofing Vulnerability
BugTraq ID: 6714
Remote: Yes
Date Published: Jan 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6714
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A vulnerability has been discovered in MIT Kerberos and the Key Distribution
Center (KDC). It has been reported that a user within a realm implementing
shared keys may be able to spoof another legitimate non-local user.
This issue is exploitable due to insufficient realm transit path
verification by the affected software.
This vulnerability exists only if non-local principal names are located in
the KDC's access control list. The ability to impersonate another
legitimate user may be leveraged by an attacker to obtain sensitive
information. Under some circumstances a malicious attacker may be able to
impersonate a user with additional privileges to their own.
This issue affects MIT Kerberos 5 release 1.2.2 and earlier. As this issue
affects older releases of Kerberos, a BID may already exist. If this
issue proves to be covered in a previous database entry, this BID will be
retired and the correct BID will be updated accordingly.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. uh, oh (was:Re: w2k server compromised) (Thread)
Relevant URL:
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. RAV AntiVirus Desktop for Windows
by GeCAD Software
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.ravantivirus.com/pages/showproduct.php?p=10
Summary:
Highly efficient antivirus integrated suite, RAV AntiVirus Suite for
Windows is designed to protect servers and workstations, thus recommended
both for exigent professionals and home users. With a unique modular
construction and cutting edge technology included in the advanced
features, RAV for Windows is an exceptional product, offering you complete
local protection against viruses.
2. Panda Antivirus Small Business Edition
by Panda Software
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.pandasoftware.com/products/pavsbe/desk_srv.asp
Summary:
For small to medium-sized businesses with a maximum of 50 workstations
connected to file servers. The ideal antivirus solution for small and
medium-sized businesses with workstations connected to one or more file
servers. It combines total protection and optimized performance of file
servers with centralized management via the new Panda Administrator 2.5.
The automatic daily updates ensure that all servers and workstations are
constantly protected against new viruses.
3. NOD32
by Eset
Platforms: DOS, Netware, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
http://www.nod32.com/products/products.htm
Summary:
The NOD32 Antivirus System provides balanced state-of-the-art protection
against threats endangering your PC, running on various platforms from
Microsoft Windows 95 / 98 / ME / NT / 2000 / XP through a number of UNIX
operating systems to major mail servers. Viruses, worms, and other malware
are kept out of striking distance from your valuable data. Advanced
detection methods implemented in the software provide protection against a
great proportion of the worms and viruses that are still awaiting
creation.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. AMaViS (A Mail Virus Scanner) 0.3.12pre8
by Christian Bricart, shiva (at) aachalon (dot) de
Relevant URL:
http://www.amavis.org/
Platforms: AIX, HP-UX, Linux, SCO, Solaris, UNIX
Summary:
Most people will say: "A virus scanner? For UN*X? Why? Viruses do not work
in a UNIX environment." On the first glance they are right (even if there
are at least two viruses which run under Linux - well, actually they are
Trojan Horses)
On the second view though, imagine a heterogeneous network environment with
both UN*X and DOS / Windows / Macintosh workstations. Now think of a UN*X
server that serves Windows and/or Macintosh workstations via a POP3
service. Would it not be nice to ensure attachments coming via email are
scanned for viruses before they reach a system they are able to infect?
Well - that is what this package is for. It resides on the server that
handles your incoming mails. When a mail arrives, instead of being
delivered via procmail directly, it is parsed through a script that extracts
all attachments from the mail, unpacks them (if needed) and scans them using a
professional virus scanner program.
2. IP Personality 20010724
by Gael Roualland and Jean-Marc Saffroy
Relevant URL:
http://ippersonality.sourceforge.net/
Platforms: Linux
Summary:
The IP Personality project is a patch to the newer Linux kernels that adds
netfilter functionality: it enables the emulation of other OSes at the
network level, thus fooling remote OS detection tools such as nmap that
rely on network fingerprinting.
3. Sentinel Security Toolkit v1.2.1c
by Zurk, zurk (at) usa (dot) net
Relevant URL:
http://zurk.sourceforge.net/zfile.html
Platforms: IRIX, Linux
Summary:
Sentinel is a fast file scanner similar to Tripwire or Viper with built in
authentication using the RIPEMD 160 bit MAC hashing function. It uses a
single database similar to Tripwire, maintains file integrity using the
RIPEMD algorithm and also produces secure, signed logfiles. Its main
design goal is to detect intruders modifying files. It also prevents
intruders with root/superuser permissions from tampering with its log
files and database. Disclaimer: this is not a security toolkit. It is a
single purpose file/drive scanning program. Available versions are for
linux (tested on all current Slackware and RedHat releases), with Irix
versions soon to be added on.
VI. SPONSOR INFORMATION
-----------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts.
All of the top experts you've read about recently are speaking. Fully
supported by Microsoft, with new MS hosted training sessions just added!
Visit www.blackhat.com to register.
-------------------------------------------------------------------------------
SecurityFocus Microsoft Newsletter #123
---------------------------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts.
All of the top experts you've read about recently are speaking. Fully
supported by Microsoft, with new MS hosted training sessions just added!
Visit www.blackhat.com to register.
------------------------------------------------------------------------
-------
I. FRONT AND CENTER
1. Forensics on the Windows Platform, Part 1
2. The Busy Life of a Welsh Virus-Writer
3. New Book: Hacker's Challenge 2 Test Your Network Security...
4. SecurityFocus DPP Program
5. InfoSec World Conference and Expo/2003(March10-12,2003,Orlando,FL)
II. MICROSOFT VULNERABILITY SUMMARY
1. Rediff Bol URL Handling Denial Of Service Vulnerability
2. SyGate Insecure UDP Source Port Firewall Bypass Weak Default...
3. Blackboard Learning System search.pl SQL Injection Variant...
4. PlatinumFTPServer File Disclosure Vulnerability
5. Microsoft Windows MSGINA.DLL Read-Lock Denial Of Service...
6. YaBB SE News.PHP Remote File Include Vulnerability
7. FTLS GuestBook Script Injection Vulnerability
9. Finjan SurfinGate File Extension File Filter Circumvention...
10. Finjan SurfinGate Java Applet Analyzer Bypass Vulnerability
12. MIT Kerberos Key Distribution Center Remote Format String...
13. Finjan SurfinGate Active Content Filter Bypass Vulnerability
14. Finjan SurfinGate Compressed Archive File Filter Circumvention...
15. Finjan SurfinGate Unknown File Extension File Filter...
16. MIT Kerberos Remote Heap Corruption Vulnerability
17. MIT Kerberos / Key Distribution Center Shared Key User...
III. MICROSOFT FOCUS LIST SUMMARY
1. uh, oh (was:Re: w2k server compromised) (Thread)
2. Problems with Pwdump3e (Thread)
3. Win2k log management (Thread)
4. Bypass Traverse Checking? (Thread)
5. IIS 5.0 and Digest Authentication (Thread)
6. Securing IIS/5 with ASP (Thread)
7. At.exe Service Account - scripted or registry? (Thread)
8. Administrivia (Thread)
9. SecurityFocus Microsoft Newsletter #122 (Thread)
10. SQL Sapphire Worm Analysis (Thread)
11. w2k server compromised (Thread)
12. Attacking EFS through cached domain logon credentials (Thread)
13. AD replication over WAN (Thread)
14. Stopping Admin Alert SPAM (Thread)
15. Fw: Bypass Traverse Checking? (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. RAV AntiVirus Desktop for Windows
2. Panda Antivirus Small Business Edition
3. NOD32
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. AMaViS (A Mail Virus Scanner) 0.3.12pre8
2. IP Personality 20010724
3. Sentinel Security Toolkit v1.2.1c
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Forensics on the Windows Platform, Part 1
By Jamie Morris
This article, the first in a two-part series about forensics on the
Windows platform, will examine the preparatory steps that can be taken by
both investigators and system administrators alike. While this series is
concerned with Windows-specific investigations, this article will examine
some basic, non-technical concepts that are applicable to all forensic
investigations.
http://online.securityfocus.com/infocus/1661
2. The Busy Life of a Welsh Virus-Writer
By George Smith
The prison-bound author of the Gokar virus loves shoes, pole dancers and
personal self-disclosure. His blog tells all.
http://online.securityfocus.com/columnists/138
3. New Book: Hacker's Challenge 2 Test Your Network Security & Forensic
Skills
Do you have what it takes to keep the bad guys out of your network? Find
out with the latest edition of this best-selling book featuring 20+ all
new hacking challenges for you to solve. Plus, you'll get in-depth
solutions for each, all written by experienced security consultants.
For more information visit:
http://shop.osborne.com/cgi-bin/osborne/0072226307.html
4. SecurityFocus DPP Program
Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.
Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml
5. InfoSec World Conference and Expo/2003 (March 10-12, 2003, Orlando, FL)
Optional Workshops March 8, 9, 12, 13, & 14 Vendor Expo March 10 & 11
Solutions to today's security concerns; hands-on experts; blockbuster
vendor expo; the CISO Executive Summit; invaluable networking
opportunities. InfoSec World has it all!
Go to: http://www.misti.com/10/os03nl37inf.html
II. BUGTRAQ SUMMARY
-------------------
1. Rediff Bol URL Handling Denial Of Service Vulnerability
BugTraq ID: 6670
Remote: Yes
Date Published: Jan 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6670
Summary:
Bol is a freely available chat client from Rediff. It is available for
Microsoft Windows operating systems.
A problem could make it possible for a remote user to deny service to
legitimate users of the chat client.
It has been reported that a problem in Rediff Bol may allow remote users
to log other users out of the Bol chat client. Due to improper handling
of some types of requests, a remote user could send a URL request to the
client in the form of an rbol: command that would cause the client to log
out. Under ordinary circumstances, the chat client should not react to
input from untrusted users. This problem could make it possible for a
remote user to launch a continuous denial of service against a user of the
vulnerable client.
2. SyGate Insecure UDP Source Port Firewall Bypass Weak Default Configuration Vulnerability
BugTraq ID: 6684
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6684
Summary:
Sygate Pro is a personal firewall application for the Microsoft Windows
operating system.
It has been reported that the Sygate Pro firewall permits traffic
originating from UDP source port 137 or 138 by default. UDP packets
originating from either of these source ports will bypass the firewall.
Remote attackers may potentially exploit this vulnerability to get
malicious network traffic past the firewall.
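The weakness above is a stateless exception keyed on a value the sender
chooses. The following is an added example, not Sygate's code: it models
that default rule beside a stateful UDP filter that admits an inbound
datagram only when it answers one the host sent. Addresses, ports and the
Packet/StatefulUdpFilter names are constructed for the illustration.

```python
# Added example, not Sygate's code: a model of the weak default rule the
# advisory describes (pass inbound UDP whose *source* port is 137 or 138)
# beside a stateful rule that only admits replies to traffic this host sent.
from dataclasses import dataclass, field
from typing import Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool = True   # True = arriving at the protected host

NETBIOS_SOURCE_PORTS = {137, 138}

def weak_rule_allows(pkt: Packet) -> bool:
    """Stateless exception of the kind described above.  The sender picks
    its own source port, so matching on it proves nothing about intent."""
    return pkt.inbound and pkt.src_port in NETBIOS_SOURCE_PORTS

Flow = Tuple[str, int, str, int]

@dataclass
class StatefulUdpFilter:
    """Admit an inbound UDP datagram only if it answers one we sent."""
    outbound: Set[Flow] = field(default_factory=set)

    def observe_outbound(self, pkt: Packet) -> None:
        # Record (local ip, local port, remote ip, remote port).
        self.outbound.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def allows(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        # A reply has the tuple reversed: our address is now the destination.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.outbound

# Constructed sample traffic (documentation address ranges).
HOST, NAME_SERVER, STRANGER = "192.0.2.10", "192.0.2.1", "198.51.100.7"

def demo() -> Tuple[bool, bool, bool]:
    """Returns (weak rule passes probe, stateful passes probe,
    stateful passes genuine reply)."""
    fw = StatefulUdpFilter()
    # A NetBIOS name query this host sent, and the reply it expects.
    fw.observe_outbound(Packet(HOST, 137, NAME_SERVER, 137, inbound=False))
    reply = Packet(NAME_SERVER, 137, HOST, 137)
    # An unsolicited datagram that merely claims source port 137.
    probe = Packet(STRANGER, 137, HOST, 5000)
    return weak_rule_allows(probe), fw.allows(probe), fw.allows(reply)

if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the stateful filter never consults the
source port on its own; it only checks whether the four-tuple matches a
flow the host initiated, which an outside sender cannot forge by picking
a port number.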
3. Blackboard Learning System search.pl SQL Injection Variant Vulnerability
BugTraq ID: 6687
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6687
Summary:
Blackboard Learning System is a suite of software products available for
Microsoft Windows, Linux and Solaris servers that power an "e-Education
Infrastructure" for education providers.
Blackboard Learning System, in some cases, does not sufficiently sanitize
user-supplied input which is used when constructing SQL queries. As a
result, attackers may supply malicious parameters to manipulate the
structure and logic of SQL queries. This may result in unauthorized
operations being performed on the underlying database.
This vulnerability was reported to exist in the search.pl script file. A
remote attacker can exploit this vulnerability to discover the passwords
of other users.
This vulnerability is a variant of the vulnerability described in BID
6655.
This vulnerability was reported for Blackboard Learning System 5.5.1,
level 1 and 2. Previous releases may also be affected.
4. PlatinumFTPServer File Disclosure Vulnerability
BugTraq ID: 6691
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6691
Summary:
PlatinumFTPServer is an FTP server for Microsoft Windows systems. It is
commercially available, and distributed by BYTE/400.
A directory traversal vulnerability has been reported in
PlatinumFTPServer. The program does not sufficiently handle
backslash-dot-dot input, which could result in an attacker gaining access
to unauthorized resources.
This problem can allow an attacker to break out of the FTP root directory,
and access the entire file system of the vulnerable host. It has been
reported that an attacker may also be able to create and remove arbitrary
files and directories on the system by specifying the full path to the
file. This vulnerability requires an attacker to use the '\..' notation.
This vulnerability was reported for PlatinumFTPServer 1.0.7. It is likely
that earlier versions are affected.
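A check that only looks for '/..' is exactly what '\..' walks past. The
following is an added example, not PlatinumFTPServer code: it folds both
separator styles before normalising, treats every client path as relative
to the FTP root, and refuses anything whose normalised form lies outside
it. The root and request strings are constructed samples and the function
names are this example's own.

```python
# Added example, not PlatinumFTPServer code: confining a client-supplied path
# to the FTP root so that neither '/..' nor '\..' can reach the rest of the
# file system.  Root and request strings are constructed samples.
import posixpath
from typing import Optional

def naive_is_safe(requested: str) -> bool:
    """The kind of check the advisory implies: it only knows '/..'."""
    return "/.." not in requested

def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Map `requested` onto a path under `root`, or return None if the
    normalised result would lie outside the root."""
    root_norm = posixpath.normpath(root.replace("\\", "/"))
    prefix = root_norm if root_norm.endswith("/") else root_norm + "/"
    # Fold Windows separators first, so '\..' is seen as a '..' segment.
    candidate = requested.replace("\\", "/")
    # Strip a drive letter and leading slashes: client paths are always
    # interpreted relative to the FTP root, never as host-absolute paths.
    if len(candidate) >= 2 and candidate[1] == ":":
        candidate = candidate[2:]
    candidate = candidate.lstrip("/")
    joined = posixpath.normpath(posixpath.join(root_norm, candidate))
    # normpath has collapsed every '..'; anything not under the root escaped.
    if joined != root_norm and not joined.startswith(prefix):
        return None
    return joined

if __name__ == "__main__":
    for req in ("pub/file.txt", "pub/../readme.txt", "\\..\\..\\boot.ini"):
        print(repr(req), "->", resolve_within_root("C:/ftproot", req))
```

Doing the comparison on the normalised result, rather than scanning the
request for forbidden substrings, is what makes the check independent of
how the traversal was spelled.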
5. Microsoft Windows MSGINA.DLL Read-Lock Denial Of Service Vulnerability
BugTraq ID: 6672
Remote: No
Date Published: Jan 23 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6672
Summary:
It has been reported that Microsoft Windows 2000 Terminal Servers and XP
Pro are prone to a denial of service due to a problem with 'MSGINA.DLL'.
This condition may be triggered by users who can successfully login to the
server via RDP or ICA.
'MSGINA.dll' is the vendor-supplied Graphical Identification and
Authentication dynamic-link library. 'MSGINA.DLL' is loaded by the
WinLogon executable and helps to facilitate graphical client sessions.
If a malicious user causes a read-lock to be placed on
'%SYSTEMROOT%\SYSTEM32\MSGINA.DLL', the next user to log in will be
prompted with a dialog stating that 'MSGINA.DLL' failed to load and will
be given the opportunity to restart the system.
An attacker may trigger this condition by opening the dynamic-link library
with an external application, such as a hex editor.
6. YaBB SE News.PHP Remote File Include Vulnerability
BugTraq ID: 6674
Remote: Yes
Date Published: Jan 24 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6674
Summary:
YaBB SE is a freely available, open source port of Yet Another Bulletin
Board (YaBB). It is available for a number of platforms including Unix,
Linux, and Microsoft Windows operating systems.
A vulnerability has been discovered in YaBB SE. Due to insufficient
sanitization of some user-supplied variables by the 'News.php' script, it
is possible for a remote attacker to include a malicious PHP file in a
URL.
An attacker may exploit this by supplying a path to a maliciously created
file, located on an attacker-controlled host as a value for the
'$template' parameter.
If the remote file is a malicious PHP script, this may allow for execution
of attacker-supplied PHP code with the privileges of the webserver.
Successful exploitation may provide local access to the attacker.
This vulnerability was reported for YaBB SE 1.5.1 and earlier.
7. FTLS GuestBook Script Injection Vulnerability
BugTraq ID: 6686
Remote: Yes
Date Published: Jan 25 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6686
Summary:
FTLS Guestbook is freely available guestbook software. It will run on most
Unix and Linux variants, as well as Microsoft Windows operating systems.
Guestbook does not adequately filter HTML tags from various fields. This
may enable an attacker to inject arbitrary script code into pages that are
generated by the guestbook.
The attacker's script code may be executed in the web client of arbitrary
users who view the pages generated by the guestbook, in the security
context of the website running the software.
Attackers may potentially exploit this issue to hijack web content or to
steal cookie-based authentication credentials.
This vulnerability was reported for FTLS Guestbook 1.1.
8. Finjan SurfinGate HTML Filtering Weakness
BugTraq ID: 6702
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6702
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
The HTML filter included with Finjan SurfinGate does not sufficiently
recognize certain types of malicious HTML which may pose a threat to end
users.
As a result, end users may be exposed to attacks which utilize malicious
HTML to cause a denial of service or impact the user in other ways.
Due to this weakness in the SurfinGate filter, it may be possible for
malicious HTML code to be accessed by a user. Specifically, HTML META-Tags
with a refresh set to 0, infinite recursive frame sets, and infinite
recursive iframes are not detected by the affected application. Processing
malicious HTML code sequences may result in a denial of service, depending
on the end user's web browser implementation.
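The constructs named above are simple enough to recognise with a small
parser. The following is an added example, not SurfinGate's code: an
inspector built on Python's html.parser that flags a META refresh with a
zero delay and any frame or iframe whose source resolves to the document
itself, the simplest form of a self-recursive frame set. The page URL and
HTML samples are constructed.

```python
# Added example, not SurfinGate code: flag a zero-delay META refresh and
# frames/iframes that load the page they sit in.  Samples are constructed.
from html.parser import HTMLParser
from typing import List
from urllib.parse import urldefrag, urljoin

class RecursiveFrameInspector(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = urldefrag(page_url)[0]   # compare without #fragment
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="0; url=..." : the part before ';' is the delay.
            delay = a.get("content", "").split(";", 1)[0].strip()
            if delay.isdigit() and int(delay) == 0:
                self.findings.append("meta refresh with zero delay")
        elif tag in ("frame", "iframe") and a.get("src"):
            target = urldefrag(urljoin(self.page_url, a["src"]))[0]
            if target == self.page_url:
                self.findings.append(f"{tag} loads the page itself ({a['src']!r})")

def inspect_html(page_url: str, html: str) -> List[str]:
    """Return the list of findings for one document ([] means nothing seen)."""
    parser = RecursiveFrameInspector(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed samples.
PAGE_URL = "http://example.invalid/index.html"
RECURSIVE_PAGE = ('<html><head><meta http-equiv="refresh" content="0; url=index.html">'
                  '</head><frameset><frame src="index.html#top"></frameset></html>')
CLEAN_PAGE = '<html><body><iframe src="other.html"></iframe></body></html>'

if __name__ == "__main__":
    print(inspect_html(PAGE_URL, RECURSIVE_PAGE))
    print(inspect_html(PAGE_URL, CLEAN_PAGE))
```

Only direct self-reference is detected here; a frame set that recurses
through a second document would need the inspector to follow the frame
source, which is a fetch rather than a parse.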
9. Finjan SurfinGate File Extension File Filter Circumvention Vulnerability
BugTraq ID: 6703
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6703
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A problem with SurfinGate could make it possible for an attacker to
circumvent file filters that are set in place.
SurfinGate uses the file extension to determine if a file is of a type
that is blacklisted by the software. It has been reported that an
attacker may bypass SurfinGate file filtering rules by appending an extra
file extension of a type that is not blacklisted to the end of the file
name.
For example, an attacker may rename an executable file to
'filename.com.txt' to bypass the SurfinGate file filter.
It should be noted that an end user would still have to interactively open
or execute the malicious file.
10. Finjan SurfinGate Java Applet Analyzer Bypass Vulnerability
BugTraq ID: 6704
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6704
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A flaw was reported in the Java applet analyzer included with Finjan
SurfinGate. The analyzer works by filtering out specific code which is
deemed dangerous and permitting "safe" code to pass. The Java applet
analyzer scans the contents of a JAR archive and removes classes which are
on a blacklist.
However, the Finjan SurfinGate Java applet analyzer does not properly
detect the use of the Java Reflection API. As a result, this API may be
used to call methods and classes that may otherwise be restricted.
A malicious Java applet may use this technique to bypass the Finjan
SurfinGate filter. End users may not be protected from malicious Java
applets as a result.
11. Finjan SurfinGate Password Ciphering Weaknesses
BugTraq ID: 6705
Remote: No
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6705
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A weakness has been discovered in the encryption algorithms implemented by
Finjan SurfinGate. The SurfinGate Console password is viewable through the
properties table and is obfuscated using an algorithm which may be trivial
for an attacker to reverse. SurfinGate uses the following algorithm to
obfuscate the Console password:
CHAR encrypted(n) = CHAR( ASCII(CHAR cleartext(n)) + n )
Where n is the position of the character in the password beginning with 0.
When the SurfinGate console is used to access a Solaris installation the
Oracle protocol is used. For this to be possible a valid Oracle user must
exist for SurfinGate to use. The Oracle user credentials are stored in a
locally accessible configuration file. It has been reported that the
user's Oracle password is also obfuscated using a slightly more complex
algorithm, which would be trivial for an attacker to reverse.
If the password is discovered, this may lead to further attacks against
the target system and the filtering software.
The Oracle password is obfuscated using the following algorithm:
CHAR encrypted(n) = HEX( ASCII( CHAR cleartext(n) ) + 1 )
Where n is the position of the character in the password.
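Written out as code, both schemes are keyless bijections, so the inverse
is the same arithmetic run backwards. The following is an added example,
not Finjan's code: it implements the two transformations quoted above and
their inverses. It assumes that HEX() in the second scheme yields two
upper-case hex digits per character; the sample passwords are constructed.

```python
# Added example, not Finjan's code: the two obfuscation schemes quoted above
# and their inverses.  Neither uses a key, so anyone who can read the stored
# value recovers the password with the same arithmetic.  Assumption: HEX()
# produces two upper-case hex digits per character.  Samples are constructed.

def console_obfuscate(cleartext: str) -> str:
    """CHAR encrypted(n) = CHAR(ASCII(cleartext(n)) + n), n counted from 0."""
    return "".join(chr(ord(c) + n) for n, c in enumerate(cleartext))

def console_deobfuscate(stored: str) -> str:
    """Inverse: subtract the position again."""
    return "".join(chr(ord(c) - n) for n, c in enumerate(stored))

def oracle_obfuscate(cleartext: str) -> str:
    """CHAR encrypted(n) = HEX(ASCII(cleartext(n)) + 1)."""
    return "".join(format(ord(c) + 1, "02X") for c in cleartext)

def oracle_deobfuscate(stored: str) -> str:
    """Inverse: take each hex pair, subtract one."""
    return "".join(chr(int(stored[i:i + 2], 16) - 1)
                   for i in range(0, len(stored), 2))

def console_first_char_in_clear(cleartext: str) -> bool:
    """With n = 0 at the first position, the first character is stored
    unchanged, a leak no keyed cipher would have."""
    return console_obfuscate(cleartext)[:1] == cleartext[:1]

if __name__ == "__main__":
    pw = "Tr0ub4dor"   # constructed sample
    print(console_obfuscate(pw), console_deobfuscate(console_obfuscate(pw)))
    print(oracle_obfuscate(pw), oracle_deobfuscate(oracle_obfuscate(pw)))
```

The practical lesson is the one the advisory draws: a stored credential
that must be recoverable should at least be protected by a key held
elsewhere, and a credential that need only be verified should be stored as
a salted hash rather than any reversible encoding.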
12. MIT Kerberos Key Distribution Center Remote Format String Vulnerabilities
BugTraq ID: 6712
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6712
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A number of vulnerabilities have been reported in the MIT Kerberos Key
Distribution Center (KDC). It has been reported that KDC fails to supply
sufficient format specifiers when handling user-supplied data.
Specifically, principal names supplied by a remote user are handled by
functions of the printf family without supplying format specifiers. It has
been determined that under some circumstances an unauthenticated remote
user may be able to pass principal names to an affected server.
An attacker could exploit this vulnerability by supplying a maliciously
crafted principal name containing format specifiers. By writing
attacker-controlled values to memory using the %n format specifier, it may
be possible for a remote attacker to execute arbitrary commands.
As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this BID
will be retired and the correct BID will be updated accordingly.
13. Finjan SurfinGate Active Content Filter Bypass Vulnerability
BugTraq ID: 6701
Remote: Yes
Date Published: Jan 27 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6701
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A flaw was reported in the SurfinGate active content filter, which
provides functionality for analyzing various types of active content
(JavaScript, ActiveX, VBScript, etc.). The active content filter works by
filtering out specific code which is deemed dangerous and permitting
"safe" code to pass. However, the JavaScript parser included in the
active content filter does not sufficiently sanitize script code.
It is possible to bypass the filter by obfuscating the malicious
JavaScript. This may be accomplished by hex-encoding the malicious code
and then passing it through a function which decodes the string (such as
through the eval() method).
Successful exploitation will permit arbitrary JavaScript to bypass the
filter and reach end users.
14. Finjan SurfinGate Compressed Archive File Filter Circumvention Vulnerability
BugTraq ID: 6706
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6706
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A problem with SurfinGate could make it possible for an attacker to
circumvent file filters that are set in place.
It has been reported that SurfinGate does not sufficiently dissect archive
files for analysis. This may allow an attacker to circumvent the
SurfinGate file filter rules by including the malicious file of a
blacklisted type inside a file archive (such as '.ZIP' or '.RAR').
It should be noted that an end user would still have to interactively open
or execute the malicious file.
15. Finjan SurfinGate Unknown File Extension File Filter Circumvention
Vulnerability
BugTraq ID: 6707
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL: http://www.securityfocus.com/bid/6707
Summary:
SurfinGate is a commercially available content filtering and application
firewall package. It is distributed by Finjan, and available for the Sun
Solaris and Microsoft Windows platforms.
A problem with SurfinGate could make it possible for an attacker to
circumvent file filters that are set in place.
SurfinGate uses the file extension to determine if a file is of a type
that is blacklisted by the software. It has been reported that an
attacker may bypass SurfinGate file filtering rules by using a file
extension that is not recognized by the filtering software.
It should be noted that an end user would still have to interactively open
or execute the malicious file. This may be suspicious if there is no
handler on the local system for the unknown file extension.
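Entries 9, 14 and 15 above describe three gaps in one extension-based
filter: judging only the last suffix, passing archives unopened, and
treating an unknown extension as harmless. The following is an added
example, not SurfinGate's code, of a check that closes all three: it
consults every dotted suffix, opens ZIP archives and checks each member,
and denies unknown extensions by default. The extension lists, nesting
limit and sample files are constructed for the illustration.

```python
# Added example, not SurfinGate code: a file-type check that consults every
# dotted suffix, inspects ZIP members, and denies unknown types by default.
# Extension lists, nesting limit and sample files are constructed.
import io
import zipfile
from typing import Dict, List

BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs"}
ALLOWED_EXTENSIONS = {"txt", "pdf", "jpg", "png", "gif", "zip"}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_NESTING = 3   # archives inside archives beyond this depth are refused

def extension_segments(name: str) -> List[str]:
    """Every dotted suffix, lower-cased: 'setup.com.txt' -> ['com', 'txt']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []

def naive_last_extension_blocked(name: str) -> bool:
    """The weak check: only the final extension is compared to the blacklist."""
    segs = extension_segments(name)
    return bool(segs) and segs[-1] in BLOCKED_EXTENSIONS

def reasons_to_block(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return every reason to stop this file; an empty list means allow."""
    reasons: List[str] = []
    segs = extension_segments(name)
    if not segs:
        return [f"{name}: no extension, unknown type (default deny)"]
    for seg in segs:                        # 'x.com.txt' still carries 'com'
        if seg in BLOCKED_EXTENSIONS:
            reasons.append(f"{name}: contains blacklisted extension .{seg}")
    if segs[-1] not in ALLOWED_EXTENSIONS:  # unknown is blocked, not ignored
        reasons.append(f"{name}: extension .{segs[-1]} is not on the allow list")
    if segs[-1] in ARCHIVE_EXTENSIONS:
        if depth >= MAX_NESTING:
            reasons.append(f"{name}: archive nested too deeply to inspect")
        elif not zipfile.is_zipfile(io.BytesIO(data)):
            reasons.append(f"{name}: named .zip but is not a ZIP archive")
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        reasons += reasons_to_block(info.filename,
                                                    zf.read(info), depth + 1)
    return reasons

def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

if __name__ == "__main__":
    print(naive_last_extension_blocked("setup.com.txt"))      # False
    print(reasons_to_block("setup.com.txt", b"MZ"))
    bundle = build_zip({"docs/readme.txt": b"hello", "tool.exe": b"MZ"})
    print(reasons_to_block("bundle.zip", bundle))
```

The allow list is what turns entry 15's unknown extension from a gap into
a block, and the recursion with a depth limit is what keeps entry 14's
archive inspection from becoming a decompression denial of service.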
16. MIT Kerberos Remote Heap Corruption Vulnerability
BugTraq ID: 6713
Remote: Yes
Date Published: Jan 28 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6713
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A vulnerability has been discovered in MIT Kerberos. It has been reported
that, due to insufficient bounds checking and sanitization of
user-supplied data, Kerberos is prone to memory corruption.
A remote attacker may trigger this condition by supplying a negative
length value in a malicious packet sent to a target server. This may
result in insufficient memory being allocated or cause invalid memory to
be referenced. Successful exploitation of this issue may result in a
denial of service.
Due to the nature of this vulnerability it may be possible for an attacker
to create a situation in which sensitive memory could be overwritten. If
successful this could allow for the execution of arbitrary code with the
privileges of Kerberos. The possibility of exploitation of this issue to
execute code, however, has not been confirmed.
As this issue affects older releases of Kerberos, a BID may already exist.
If this issue proves to be covered in a previous database entry, this BID
will be retired and the correct BID will be updated accordingly.
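A length field read into a signed integer and used without checks is the
shape of bug described above. The following is an added example, not MIT
Kerberos code: a reader for length-prefixed fields that shows what an
unchecked read does with a negative length, beside one that rejects
negative, oversized and truncated lengths before touching the payload.
The wire format (4-byte big-endian length, then that many bytes) and the
sample packets are constructed for the illustration.

```python
# Added example, not MIT Kerberos code: length-prefixed field parsing with
# the checks the advisory says were missing.  Wire format and samples are
# constructed: 4-byte big-endian length followed by that many bytes.
import struct
from typing import List, Tuple

class MalformedPacket(ValueError):
    """Raised for any length field that cannot be honoured safely."""

def naive_read(buf: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Unchecked read: the length is taken at face value.  A negative value
    silently yields an empty slice and an offset that moves backwards, the
    Python analogue of the bad allocation described above."""
    (length,) = struct.unpack_from(">i", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length

def read_length_prefixed(buf: bytes, offset: int = 0,
                         max_len: int = 65535) -> Tuple[bytes, int]:
    """Checked read: the length must be non-negative, within a policy
    limit, and within the bytes actually present."""
    if offset < 0 or offset + 4 > len(buf):
        raise MalformedPacket("truncated length field")
    (length,) = struct.unpack_from(">i", buf, offset)   # signed, like a C int
    if length < 0:
        raise MalformedPacket(f"negative length {length}")
    if length > max_len:
        raise MalformedPacket(f"length {length} exceeds limit {max_len}")
    start = offset + 4
    if length > len(buf) - start:
        raise MalformedPacket("length runs past the end of the packet")
    return buf[start:start + length], start + length

def parse_fields(buf: bytes) -> List[bytes]:
    """Parse a whole packet as a sequence of length-prefixed fields."""
    fields: List[bytes] = []
    offset = 0
    while offset < len(buf):
        value, offset = read_length_prefixed(buf, offset)
        fields.append(value)
    return fields

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_fields(buf)
        return True
    except MalformedPacket:
        return False

# Constructed samples.
GOOD_PACKET = b"\x00\x00\x00\x05hello\x00\x00\x00\x03abc"
NEGATIVE_LENGTH = b"\xff\xff\xff\xff" + b"abc"   # length field = -1
OVERLONG = b"\x00\x00\x10\x00" + b"x"            # claims 4096 bytes, has 1

if __name__ == "__main__":
    print(parse_fields(GOOD_PACKET))
    print(naive_read(NEGATIVE_LENGTH))          # (b'', 3): offset went backwards
    print(is_well_formed(NEGATIVE_LENGTH), is_well_formed(OVERLONG))
```

Checking the length against the bytes remaining, not just against a
maximum, is the step that also catches truncated packets, which a parser
that only rejects negative values would still read past.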
17. MIT Kerberos / Key Distribution Center Shared Key User Spoofing Vulnerability
BugTraq ID: 6714
Remote: Yes
Date Published: Jan 29 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/6714
Summary:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography. Kerberos is written and maintained by MIT. It is available
for a variety of platforms including the Microsoft Windows, Unix, and
Linux operating systems.
A vulnerability has been discovered in MIT Kerberos and the Key
Distribution Center (KDC). It has been reported that a user within a realm
implementing shared keys may be able to spoof another legitimate non-local
user.
This issue is exploitable due to insufficient realm transit path
verification by the affected software.
This vulnerability exists only if non-local principal names are located in
the KDC's access control list. The ability to impersonate another
legitimate user may be leveraged by an attacker to obtain sensitive
information. Under some circumstances a malicious attacker may be able to
impersonate a user with privileges additional to their own.
This issue affects MIT Kerberos 5 release 1.2.2 and earlier. As this issue
affects older releases of Kerberos, a BID may already exist. If this issue
proves to be covered in a previous database entry, this BID will be
retired and the correct BID will be updated accordingly.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. uh, oh (was:Re: w2k server compromised) (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/309420
2. Problems with Pwdump3e (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/309120
3. Win2k log management (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/309121
4. Bypass Traverse Checking? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/309119
5. IIS 5.0 and Digest Authentication (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308989
6. Securing IIS/5 with ASP (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308979
7. At.exe Service Account - scripted or registry? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308906
8. Administrivia (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308765
9. SecurityFocus Microsoft Newsletter #122 (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308764
10. SQL Sapphire Worm Analysis (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308838
11. w2k server compromised (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308782
12. Attacking EFS through cached domain logon credentials (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308274
13. AD replication over WAN (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308262
14. Stopping Admin Alert SPAM (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308139
15. Fw: Bypass Traverse Checking? (Thread)
Relevant URL:
http://online.securityfocus.com/archive/88/308127
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. RAV AntiVirus Desktop for Windows
by GeCAD Software
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.ravantivirus.com/pages/showproduct.php?p=10
Summary:
Highly efficient antivirus integrated suite, RAV AntiVirus Suite for
Windows is designed to protect servers and workstations, thus recommended
both for exigent professionals and home users. With a unique modular
construction and cutting edge technology included in the advanced
features, RAV for Windows is an exceptional product, offering you complete
local protection against viruses.
2. Panda Antivirus Small Business Edition
by Panda Software
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
http://www.pandasoftware.com/products/pavsbe/desk_srv.asp
Summary:
For small to medium-sized businesses with a maximum of 50 workstations
connected to file servers. The ideal antivirus solution for small and
medium-sized businesses with workstations connected to one or more file
servers. It combines total protection and optimized performance of file
servers with centralized management via the new Panda Administrator 2.5.
The automatic daily updates ensure that all servers and workstations are
constantly protected against new viruses.
3. NOD32
by Eset
Platforms: DOS, Netware, UNIX, Windows 2000, Windows 95/98, Windows NT,
Windows XP
http://www.nod32.com/products/products.htm
Summary:
The NOD32 Antivirus System provides balanced state-of-the-art protection
against threats endangering your PC, running on various platforms from
Microsoft Windows 95 / 98 / ME / NT / 2000 / XP through a number of UNIX
operating systems to major mail servers. Viruses, worms, and other malware
are kept out of striking distance from your valuable data. Advanced
detection methods implemented in the software provide protection against a
great proportion of the worms and viruses that are still awaiting
creation.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. AMaViS (A Mail Virus Scanner) 0.3.12pre8
by Christian Bricart, shiva (at) aachalon (dot) de
Relevant URL:
http://www.amavis.org/
Platforms: AIX, HP-UX, Linux, SCO, Solaris, UNIX
Summary:
Most people will say: "A virus scanner? For UN*X? Why? Viruses do not work
in a UNIX environment." At first glance they are right (even if there are
at least two viruses which run under Linux - well, actually they are
Trojan Horses).
On second view, though, imagine a heterogeneous network environment with
both UN*X and DOS / Windows / Macintosh workstations. Now think of a UN*X
server that serves Windows and/or Macintosh workstations via a POP3
service. Would it not be nice to ensure attachments coming via email are
scanned for viruses before they reach a system they are able to infect?
Well - that is what this package is for. It resides on the server that
handles your incoming mail. When a mail arrives, instead of being
delivered via procmail directly, it is passed through a script that
extracts all attachments from the mail, unpacks them (if needed) and scans
them using a professional virus scanner program.
2. IP Personality 20010724
by Gael Roualland and Jean-Marc Saffroy
Relevant URL:
http://ippersonality.sourceforge.net/
Platforms: Linux
Summary:
The IP Personality project is a patch to the newer Linux kernels that adds
netfilter functionality: it enables the emulation of other OSes at the
network level, thus fooling remote OS detection tools such as nmap that
rely on network fingerprinting.
3. Sentinel Security Toolkit v1.2.1c
by Zurk zurk (at) usa (dot) net
Relevant URL:
http://zurk.sourceforge.net/zfile.html
Platforms: IRIX, Linux
Summary:
Sentinel is a fast file scanner similar to Tripwire or Viper with built-in
authentication using the RIPEMD 160-bit MAC hashing function. It uses a
single database similar to Tripwire, maintains file integrity using the
RIPEMD algorithm and also produces secure, signed logfiles. Its main
design goal is to detect intruders modifying files. It also prevents
intruders with root/superuser permissions from tampering with its log
files and database. Disclaimer: this is not a security toolkit. It is a
single-purpose file/drive scanning program. Available versions are for
Linux (tested on all current Slackware and RedHat releases), with Irix
versions soon to be added.
VI. SPONSOR INFORMATION
-----------------------
This newsletter is sponsored by: Black Hat (http://www.blackhat.com)
Spooked about Windows security? Getting "slammed" hard by worms? Find
all of the solutions at Black Hat Windows Security Briefings & Training,
February 24-27 in Seattle, the world's premier technical event for Windows
security experts.
All of the top experts you've read about recently are speaking. Fully
supported by Microsoft, with new MS hosted training sessions just added!
Visit www.blackhat.com to register.
------------------------------------------------------------------------
-------