SecurityFocus Microsoft Newsletter #159
----------------------------------------
This issue is Sponsored by: SPIDynamics
ALERT: "How Hackers Launch Blind SQL Injection Attacks"- New White Paper
The newest web app vulnerability... Blind SQL Injection! Even if your web
application does not return error messages, it may still be open to a
Blind SQL Injection Attack. Blind SQL Injection can deliver total control
of your server to a hacker giving them the ability to read, write and
manipulate all data stored in your backend systems!
Download this *FREE* white paper from SPI Dynamics for a complete guide
to protection!
I. FRONT AND CENTER
1. Incident Response Tools For Unix, Part Two: File-System Tools
2. Transparent, Bridging Firewall Devices
3. Disclosure Plan Won't Help
4. CCIA Report is Bad Medicine
5. The Flaw of Security Through Diversification
6. Counterpoint: Linux vs. Windows Viruses
II. MICROSOFT VULNERABILITY SUMMARY
1. Rit Research Labs TinyWeb Server Remote Denial of Service Vu...
2. Microsoft Windows RPCSS Multi-thread Race Condition Vulnerab...
3. Hummingbird CyberDOCS Path Disclosure Vulnerability
4. mIRC DCC SEND Buffer Overflow Vulnerability
5. mIRC IRC URL Buffer Overflow Vulnerability
6. WinSyslog Long Syslog Message Remote Denial Of Service Vulne...
7. AOL Instant Messenger Getfile Screenname Buffer Overrun Vuln...
8. Microsoft Messenger Service Buffer Overrun Vulnerability
9. Microsoft ListBox/ComboBox Control User32.dll Function Buffe...
10. Microsoft Windows Help And Support Center URI Handler Buffer...
11. Microsoft ActiveX Authenticode Verification Bypass Vulnerabi...
12. Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site ...
13. Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer...
14. Microsoft Word Macro Name Handler Buffer Overflow Vulnerabil...
15. Microsoft Exchange Server Buffer Overflow Vulnerability
16. RealOne Player Temporary File Default Browser Script Executi...
17. Macromedia ColdFusion MX SQL Error Message Cross-Site Scrip...
18. Bajie HTTP Server Example Scripts And Servlets Cross-Site Sc...
III. MICROSOFT FOCUS LIST SUMMARY
1. RPC Scan Issues (Thread)
2. group policy question (Thread)
3. Win2003 RPC failure after Hotfix (Thread)
4. USB memory supporting NTFS? (Thread)
5. automating reboot (was RE: RPC Scan Issues) (Thread)
6. question re: continued RPC vulnerability (Thread)
7. Article Announcement: The Flaw of Security Through D... (Thread)
8. Blocking and allowing ActiveX (Thread)
9. Article Announcement: CCIA Report is Bad Medicine (Thread)
10. Windows 2000 Server hardening (Thread)
11. SecurityFocus Microsoft Newsletter #158 (Thread)
12. Guest Feature Announcement: Counterpoint: Linux vs. ... (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. East-Tec Eraser 2003 v4.0
2. ZoneAlarm Pro 4.0
3. ActiveScout Enterprise
4. Immunity CANVAS
5. Password Creator Pro
6. Advanced Cisco Security Agent
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. Steghide v0.5.1
2. COMbust v07.30.03
3. OpenSSL 0.9.7c
4. Glub Tech Secure FTP v2.0.10
5. mrtg v2.10.5
6. ACID-XML v1.0
VI. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Incident Response Tools For Unix, Part Two: File-System Tools
By Holt Sorenson
This article is the second in a three-part series on tools that are useful
during incident response and investigation after a compromise has occurred
on an OpenBSD, Linux, or Solaris system. This installment will focus on
file system tools.
http://www.securityfocus.com/infocus/1738
2. Transparent, Bridging Firewall Devices
By Matthew Tanase
This article examines the concept of a transparent or bridging firewall
which sits hidden in-line with the network it protects.
http://www.securityfocus.com/infocus/1737
3. Disclosure Plan Won't Help
By Mark Rasch
Encouraging publicly-traded companies to disclose their cyber security
efforts would only force them to choose between providing vague and
useless platitudes, or specific and dangerous details.
http://www.securityfocus.com/columnists/192
4. CCIA Report is Bad Medicine
By Tim Mullen
The proposed cure for the Internet's security woes might help Microsoft
competitors, but it would only make our security problems worse.
http://www.securityfocus.com/columnists/190
5. The Flaw of Security Through Diversification
by Mark Burnett
In the recent CCIA paper at
http://www.ccianet.org/papers/cyberinsecurity.pdf the authors Geer,
Pfleeger, Schneier, Quarterman, Metzger, Bace, and Gutmann introduce the
concept of "risk diversification as a primary defense against aggregated
risk when that risk cannot otherwise be addressed."
http://www.securityfocus.com/guest/23184
6. Counterpoint: Linux vs. Windows Viruses
by Thor Larholm
The debate over which Operating System is the most secure is an age-old
debate, which is filled with a vigor and passion similar to those debating
their religious beliefs. However, in the end it all boils down to reliable
management, adherence to policies and procedures and proper use.
http://www.securityfocus.com/guest/23028
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Rit Research Labs TinyWeb Server Remote Denial of Service Vu...
BugTraq ID: 8810
Remote: Yes
Date Published: Oct 10 2003
Relevant URL: http://www.securityfocus.com/bid/8810
Summary:
TinyWeb is a small web server daemon available for the Microsoft Windows
operating system.
A vulnerability has been reported in the software that may allow a remote
attacker to cause a denial of service condition in the server. The issue
presents itself when an attacker sends a malformed HTTP GET request to the
server for: /cgi-bin/.%00./dddd.html. This request may cause the software
to consume an excessive amount of CPU cycles leading to a crash or hang.
Successful exploitation of this issue may allow an attacker to cause the
software to act in an unstable manner leading to a crash or hang.
TinyWeb version 1.9 has been reported to be prone to this issue; however,
other versions may be vulnerable as well.
2. Microsoft Windows RPCSS Multi-thread Race Condition Vulnerab...
BugTraq ID: 8811
Remote: Yes
Date Published: Oct 10 2003
Relevant URL: http://www.securityfocus.com/bid/8811
Summary:
It has been reported that a multi-threaded race condition in the RPCSS
service of Microsoft Windows exists. Because of this, it may be possible
for an attacker to mount denial of service attacks. This condition is
reported to exist when the service is handling multiple RPC requests. In
particular, if two threads are processing the same request, one thread may
free a packet while the other thread is still processing the packet. This
could result in memory corruption. Certain factors such as network
latency, CPU, and the state of memory on the vulnerable system may make it
difficult to reliably reproduce the condition, though it may be possible
under some circumstances to corrupt memory in a manner sufficient to
execute arbitrary code. Code execution has been deemed unlikely.
However, it has been reported by a reliable source that this problem can
cause a denial of service on fully patched Windows XP Service Pack 1
systems (including the patches supplied in MS03-039). Additionally, it
has been indicated that the vendor has been notified of this issue.
New information has been obtained from a reliable source, confirming that
the exploitation of this issue will trigger a denial of service on fully
patched Windows 2000 systems.
It is unknown what impact this attack has on Windows 2003.
3. Hummingbird CyberDOCS Path Disclosure Vulnerability
BugTraq ID: 8816
Remote: Yes
Date Published: Oct 11 2003
Relevant URL: http://www.securityfocus.com/bid/8816
Summary:
Hummingbird CyberDOCS (DM) is document management software, designed to
run on Microsoft Windows server platforms in conjunction with a SQL
database.
Hummingbird CyberDOCS has been reported prone to a path disclosure
vulnerability. An attacker could potentially access sensitive path
information by making a request to the cyberdocs.asp or loginact.asp
scripts without supplying parameters. This will effectively return an
error page containing the installation directory of the application.
Access to this information could aid an attacker in launching future
attacks.
4. mIRC DCC SEND Buffer Overflow Vulnerability
BugTraq ID: 8818
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8818
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems.
A vulnerability has been reported to exist in mIRC that may allow a remote
attacker to crash a vulnerable mIRC client. The condition is most likely
present due to insufficient boundary checking performed on 'DCC SEND'
requests.
It has been reported that when received, a malicious 'DCC SEND' request
can trigger a fatal error and cause an affected mIRC client to crash. The
'DCC SEND' request can be sent to a channel or a specific targeted user.
Although unconfirmed, due to the nature of this vulnerability it has been
conjectured that a remote attacker may potentially leverage this issue to
have arbitrary code executed in the context of the affected mIRC client.
mIRC versions 6.1 and 6.11 have been reported to be prone to this issue;
however, other versions may be affected as well.
5. mIRC IRC URL Buffer Overflow Vulnerability
BugTraq ID: 8819
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8819
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems. When mIRC is installed it registers a handler for
the 'irc://' type of URL. Through these means, mIRC is invoked when an 'IRC
URL' is followed.
mIRC has been reported prone to a buffer overflow vulnerability when
handling malicious 'IRC URLs'. Specifically, the issue occurs when an IRC
URL of more than 998 bytes is clicked by a user running a vulnerable
version of mIRC.
The issue likely presents itself due to a lack of sufficient boundary
checks performed when IRC URL data is being copied into an insufficient
buffer in memory. Data that exceeds the size of the reserved buffer will
overrun its bounds and corrupt adjacent memory. Because memory adjacent to
the affected buffer is used to store a saved instruction pointer, an
attacker may influence execution flow of the affected client into attacker
controlled memory. This may ultimately allow the attacker to execute
arbitrary instructions in the context of the user running the affected
client.
mIRC version 6.1 has been reported to be prone to this issue; however,
other versions may be affected as well.
6. WinSyslog Long Syslog Message Remote Denial Of Service Vulne...
BugTraq ID: 8821
Remote: Yes
Date Published: Oct 14 2003
Relevant URL: http://www.securityfocus.com/bid/8821
Summary:
WinSyslog is a server that logs system events. It is available for
Microsoft Windows operating systems.
WinSyslog is prone to a remotely exploitable denial of service
vulnerability. This occurs when the program receives multiple excessive
syslog messages via the port it listens on (10514/UDP by default). An
exploit script was provided with the disclosure of this vulnerability that
floods the server with incrementally larger syslog messages, triggering
the condition.
This is also reported to cause system instability, which is likely due to
resource exhaustion. It is not known if this vulnerability is due to a
more serious issue such as a boundary condition error.
This vulnerability was reported to affect WinSyslog 4.21 SP1. Other
versions may also be affected.
7. AOL Instant Messenger Getfile Screenname Buffer Overrun Vuln...
BugTraq ID: 8825
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8825
Summary:
AOL Instant Messenger (AIM) is an instant messaging client that is
available for a number of platforms, including Microsoft Windows.
AIM is prone to a remotely exploitable buffer overrun vulnerability.
When AIM is installed, a protocol handler for AIM URIs is also installed
so that the client may be invoked from within a web page. A vulnerability
has been reported that is exposed through the AIM URI handler.
Specifically this issue is due to insufficient bounds checking of the
screenname parameter when it is specified in a "getfile" operation. This
could permit an attacker to corrupt memory with attacker-supplied values,
allowing for control of execution flow by corrupting variables such as an
instruction pointer.
Attackers may exploit this by enticing a user of the client to follow a
maliciously constructed AIM URI (using the AIM protocol handler) that
performs a "getfile" operation with an overly long value as the
screenname. It is reported that this condition can be reproduced by
supplying a screenname that is 1130 characters or more in length.
8. Microsoft Messenger Service Buffer Overrun Vulnerability
BugTraq ID: 8826
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8826
Summary:
Microsoft Messenger Service is a Windows service that is responsible for
sending and receiving "net send" messages. The service also handles any
messages that are sent via the Alerter service between client and server
systems. The Microsoft Messenger Service is not related to MSN Messenger.
Microsoft Messenger Service is prone to a remotely exploitable buffer
overrun vulnerability. This is due to a boundary condition error in the
service that may allow for memory corruption. While the service does
attempt to validate that messages are of an acceptable length, it is
reported that after performing bounds checking, the service will replace
instances of the 0x14 character in the message body with a CR/LF (Carriage
Return/Line-feed) sequence, without accounting for the fact that each
CR/LF sequence requires 2 bytes. In this manner, a particularly malformed
message may potentially corrupt adjacent regions of process memory.
Exploitation could result in a denial of service or in execution of
malicious code in Local System context, potentially allowing for full
system compromise.
The service is exposed via NetBIOS (ports 137-139) and RPC (port 135).
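The check-then-expand defect described above, as an added illustration in C. This is constructed here and is not Microsoft's code: the real buffer size, message layout and routine names are not on the page, so OUT_BUF_SIZE and every function below are assumptions. The flawed routine validates the raw length while the copy writes the expanded length; the hardened routine validates the expanded length before writing anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the length-accounting defect in the Messenger
 * Service summary. Not Microsoft's code: OUT_BUF_SIZE, the message layout
 * and all function names here are hypothetical. */

#define OUT_BUF_SIZE 64     /* hypothetical fixed-size output buffer */
#define EXPAND_CHAR  0x14   /* byte the service rewrites as CR/LF */

/* Size of the message AFTER every 0x14 becomes the two-byte "\r\n":
 * each 0x14 costs one extra byte beyond the raw length. */
size_t expanded_length(const uint8_t *msg, size_t len)
{
    size_t extra = 0;
    for (size_t i = 0; i < len; i++)
        if (msg[i] == EXPAND_CHAR)
            extra++;
    return len + extra;
}

/* Copy msg into out, rewriting 0x14 as "\r\n"; caller has sized out. */
static size_t expand_into(uint8_t *out, const uint8_t *msg, size_t len)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (msg[i] == EXPAND_CHAR) {
            out[o++] = '\r';
            out[o++] = '\n';
        } else {
            out[o++] = msg[i];
        }
    }
    return o;
}

/* Flawed pattern: the bounds check looks at the raw length, but the copy
 * that follows writes the expanded length. This version only REPORTS how
 * many bytes the copy would write (-1 if rejected); it never writes. */
long check_then_expand_flawed(const uint8_t *msg, size_t len)
{
    if (len > OUT_BUF_SIZE)
        return -1;                          /* raw length passes ... */
    return (long)expanded_length(msg, len); /* ... copy would need more */
}

/* Hardened pattern: validate the post-expansion size, then copy. */
long check_then_expand_fixed(uint8_t *out, const uint8_t *msg, size_t len)
{
    size_t need = expanded_length(msg, len);
    if (need > OUT_BUF_SIZE)
        return -1;                          /* rejected before any write */
    return (long)expand_into(out, msg, len);
}

/* Constructed sample: 40 'A's then 20 bytes of 0x14. Raw length 60 passes
 * a check against 64, but the expanded length is 80. */
static size_t build_sample(uint8_t msg[64])
{
    memset(msg, 'A', 40);
    memset(msg + 40, EXPAND_CHAR, 20);
    return 60;
}

/* 1 if the flawed check accepts the sample although the copy would overrun. */
int flawed_check_accepts_oversize(void)
{
    uint8_t msg[64];
    size_t len = build_sample(msg);
    return check_then_expand_flawed(msg, len) > OUT_BUF_SIZE;
}

/* 1 if the hardened check rejects the same sample. */
int fixed_check_rejects_oversize(void)
{
    uint8_t msg[64], out[OUT_BUF_SIZE];
    size_t len = build_sample(msg);
    return check_then_expand_fixed(out, msg, len) == -1;
}

/* Bytes written for "ab" 0x14 "c" (5, containing "\r\n"), or -1 if wrong. */
long fixed_expands_short(void)
{
    uint8_t out[OUT_BUF_SIZE];
    const uint8_t msg[] = { 'a', 'b', EXPAND_CHAR, 'c' };
    long n = check_then_expand_fixed(out, msg, sizeof msg);
    return (n == 5 && memcmp(out, "ab\r\nc", 5) == 0) ? n : -1;
}

int main(void)
{
    printf("flawed accepts oversize: %d, fixed rejects: %d, short: %ld\n",
           flawed_check_accepts_oversize(), fixed_check_rejects_oversize(),
           fixed_expands_short());
    return 0;
}
```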
9. Microsoft ListBox/ComboBox Control User32.dll Function Buffe...
BugTraq ID: 8827
Remote: No
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8827
Summary:
A ComboBox control is a class used to display a drop-down list of
predefined values, as well as a field that takes user-supplied input. A
ListBox control is a similar class, however it is designed to simply
display a list of predefined values and allow a user to select a single
one.
Microsoft has reported the existence of a local buffer overrun
vulnerability in an undisclosed User32.dll library function. Both the
ComboBox and ListBox controls invoke this User32.dll function when
handling windows messaging events. The function is said to perform
insufficient sanity checks when handling specific data located within
these Windows messages. In particular, it is possible to trigger this
issue by sending a specially crafted LB_DIR message to a ListBox or a
CB_DIR message to a ComboBox. The attacker will have to specify a long
pathname for either message to cause the condition to occur. This will
reportedly cause an exception during a wcscpy call (which is a string copy
function).
This issue poses a security risk when a privileged application that uses
these affected control classes is running in the environment of an
unprivileged user. An attacker could effectively transmit a malicious
Windows message containing excessive data designed to trigger the buffer
overrun and control the execution flow of the target program. This could
ultimately allow a user with interactive local system access to gain
administrative privileges.
Microsoft has also reported that this issue affects the Utility Manager
application, designed to manage various accessibility utilities found on a
system. This application runs with administrative privileges by default on
Windows 2000 systems and is affected by this issue. As a result, this
program would likely be the target of choice for an attacking user. It
should be noted however, that the scope of this vulnerability is not
limited to the Utility Manager, as any third-party program that uses the
affected controls will be vulnerable.
Finally, Microsoft has stated that the XP and 2003 versions of the Utility
Manager application are not exploitable to gain elevated privileges, as
they are invoked with the privileges of the current user.
10. Microsoft Windows Help And Support Center URI Handler Buffer...
BugTraq ID: 8828
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8828
Summary:
Microsoft Windows contains a Help and Support Center (HSC) facility that
provides help on several topics such as Windows features and hardware
support. The HSC also contains a URI handler that allows pages to be
opened through an 'hcp://' prefix.
A buffer overflow vulnerability has been reported to affect the Help and
Support Center for Microsoft Windows systems. The issue exists in
helpsvc.exe, which is started by the svchost.exe process.
The issue has been reported to present itself due to a lack of sufficient
bounds checking performed when handling 'hcp://' URI links. This could
allow an unusually long string supplied to the HSC through the URI handler
to overrun the bounds of a reserved buffer in memory.
An attacker may deliberately trigger this issue to corrupt stack memory
adjacent to the affected buffer with attacker-supplied values. This could
allow for corruption of an instruction pointer or SEH (Structured
Exception Handler). Ultimately the attacker may influence program
execution flow into attacker-controlled memory leading to the execution of
arbitrary code on the system in the local computer security context.
This vulnerability could be exploited by including a malformed link using
'hcp://' prefixes in a web page or through HTML email. It is also
possible to exploit this issue locally to gain elevated privileges.
It should be noted, the vendor has stated that although the vulnerable
code is present on all supported operating systems, attack vectors that
could lead to an exploitable issue are believed to only be present on
Windows XP and Windows Server 2003 systems. This is because the HCP
protocol is not supported on all other supported Windows operating
systems.
Additionally this vulnerability may be related to the issue reported in
BID 6802.
11. Microsoft ActiveX Authenticode Verification Bypass Vulnerabi...
BugTraq ID: 8830
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8830
Summary:
Authenticode is a component that allows for the verification of ActiveX
controls. When a web page attempts to install an ActiveX control,
Authenticode verifies the publisher of a signed control and prompts the
user whether or not to install the control.
A problem exists that could allow Authenticode to be bypassed by ActiveX
controls.
Under certain low memory conditions, an ActiveX control may be installed
without Authenticode prompting the user. This could allow a malicious
ActiveX control embedded in a web page or HTML e-mail to install and
execute on the vulnerable system. The control would be executed in the
security context of the current user.
12. Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site ...
BugTraq ID: 8832
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8832
Summary:
Microsoft Exchange Server 5.5 is an e-mail and directory server offered by
Microsoft. Outlook Web Access is a service provided by Exchange server
that allows users to access their Exchange mailbox via the web.
A vulnerability has been reported to be present in the software that may
allow remote attackers to execute HTML or script code in the browser of a
user running the vulnerable version of the software.
The problem is reported to exist due to improper handling of user-supplied
data in the Compose New Message form of Outlook Web Access. HTML and
script code will be rendered in a user's browser, therefore making it
possible for an attacker to construct a malicious link containing HTML
or script code that may be rendered in a user's browser upon visiting that
link. This attack would occur in the security context of the user.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
13. Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer...
BugTraq ID: 8833
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8833
Summary:
A vulnerability has been discovered in the Microsoft TroubleShooter
ActiveX control. Because of this, it may be possible for a remote
attacker to execute arbitrary code with the privileges of a client user.
The issue is due to insufficient bounds checking of data supplied via the
RunQuery2 method by the ActiveX control. By viewing an HTML document that
invokes the control in a malicious manner, an attacker could potentially
force the execution of arbitrary instructions with the privileges of the
user viewing the document.
It should be noted that this vulnerability could be exploited through one
of several means, such as the viewing of a web page through a browser,
through HTML e-mail, and other programs that may invoke ActiveX controls.
It should be noted that the control is also marked as "Safe For
Scripting", so the user may not be prompted when the control is invoked.
This vulnerability affects only Windows 2000 systems, which included the
TroubleShooter ActiveX control (tshoot.ocx) in default installations.
14. Microsoft Word Macro Name Handler Buffer Overflow Vulnerabil...
BugTraq ID: 8835
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8835
Summary:
Microsoft Word is text document editing software that is distributed as
part of the Microsoft Office suite.
Microsoft Word has been reported prone to a buffer overflow vulnerability.
The issue has been reported to present itself due to a lack of sufficient
bounds checking performed in macro name handler routines. It has been
reported that when a macro is saved, its information, including Unicode
internal and external macro names and their corresponding string size are
stored in internal structures that are embedded into an associated Word
document. When these macro names are processed, the name is copied into an
internal reserved buffer in memory that is a fixed size to accommodate a
256 Unicode character macro name.
The procedures that copy the macro name into the reserved buffers have
been reported to lack boundary checking conditional statements. As a
result of this vulnerability, an attacker may construct a malicious Word
document and modify macro name string sizes so that they exceed the size
of the reserved buffer in memory. When an unsuspecting user opens this
Word document, memory corruption will occur, likely causing Word to fail.
It is not currently known if this vulnerability may be exploited to
execute arbitrary code.
Microsoft Word that ships with Office XP has not been reported prone to
this issue.
15. Microsoft Exchange Server Buffer Overflow Vulnerability
BugTraq ID: 8838
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8838
Summary:
Microsoft has announced that Exchange Server is affected by a remotely
exploitable buffer overflow condition. The overflow can be triggered
remotely by unauthenticated SMTP clients.
Microsoft has stated that remote code execution is possible on hosts
running Exchange 2000 Server. Servers running Exchange Server 5.5 are
vulnerable to a denial of service attack.
A remote user may connect to the SMTP port of the server and issue an
unusually large extended verb request. On an Exchange Server 5.5 system,
this would result in a denial of service due to memory exhaustion.
On a system running Exchange 2000 Server, this unusually large request
would result in an internal buffer being overrun. Execution of arbitrary
code in the security context of the Exchange service may be possible.
It is important to note that the SMTP services on Windows NT, 2000, XP,
and 2003 are not affected by this issue, unless a vulnerable version of
Exchange has been installed on the system.
16. RealOne Player Temporary File Default Browser Script Executi...
BugTraq ID: 8839
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8839
Summary:
RealOne Player is a media player that is available for a number of
platforms including Microsoft Windows and MacOS systems.
It has been reported that RealOne Player is vulnerable to an issue in the
handling of temporary files. Because of this, an attacker may be able to
perform unauthorized actions in a user's web browser.
Specific details pertaining to this issue are not currently available. It
is known that under some circumstances, it is possible to write to
temporary files before they are loaded in the default browser on a system.
Data written to these files could include arbitrary URLs, as well as
script code.
It is conjectured that this problem may permit a loaded file to execute
script through the default browser in the local security zone, thus making
it possible to carry out actions on the local system on behalf of the
RealOne Player user. However, this has not been confirmed by Real or
Symantec.
17. Macromedia ColdFusion MX SQL Error Message Cross-Site Scrip...
BugTraq ID: 8840
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8840
Summary:
ColdFusion MX is the application server for developing and hosting
infrastructure distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft operating systems.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to execute HTML or script code in the browser of a user
running the vulnerable version of ColdFusion MX.
The problem is due to a lack of sanitization of user-supplied input by the
software. Although unconfirmed, it has been reported to occur when the
software displays error messages generated by the underlying database.
This makes it possible for an attacker to construct a malicious link
containing HTML or script code that may be rendered in a user's browser
upon visiting that link. This attack would occur in the security context
of the vulnerable site.
Successful exploitation of this vulnerability may allow an attacker to
steal cookie-based authentication credentials. Other attacks are also
possible.
Macromedia ColdFusion MX version 6.0 was reported to be vulnerable to this
issue; however, other versions may be affected as well.
18. Bajie HTTP Server Example Scripts And Servlets Cross-Site Sc...
BugTraq ID: 8841
Remote: Yes
Date Published: Oct 16 2003
Relevant URL: http://www.securityfocus.com/bid/8841
Summary:
Bajie HTTP Web Server is a Java web server. It is available for Microsoft
Windows and Unix and Linux variants.
Demonstration scripts and servlets that are distributed as part of Bajie
HTTP Server have been reported prone to multiple cross-site scripting
vulnerabilities. These demonstration scripts and servlets are likely not
supposed to be published for external access, but rather supposed to act
as a demonstration of the functionality contained in the Bajie HTTP
server.
It has been reported that a remote attacker may construct a malicious link
containing script and HTML code to any one of the vulnerable demonstration
scripts or servlets on the affected server. If this link is followed the
code contained therein will be rendered in the browser of the user who
followed the link. Code execution will occur in the context of the
vulnerable script running on the Bajie HTTP Server.
A remote attacker may exploit this vulnerability to steal cookie based
authentication tokens. Other attacks are also possible.
It should be noted that although this vulnerability has been reported to
affect Bajie HTTP server version 0.95zxv4, previous versions that are
bundled with the same demonstration scripts are also likely vulnerable.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. RPC Scan Issues (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341738
2. group policy question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341736
3. Win2003 RPC failure after Hotfix (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341624
4. USB memory supporting NTFS? (Thread)
Relevant URL:
6. question re: continued RPC vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341577
7. Article Announcement: The Flaw of Security Through D... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341507
8. Blocking and allowing ActiveX (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341471
9. Article Announcement: CCIA Report is Bad Medicine (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341349
10. Windows 2000 Server hardening (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341333
11. SecurityFocus Microsoft Newsletter #158 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341129
12. Guest Feature Announcement: Counterpoint: Linux vs. ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341092
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. East-Tec Eraser 2003 v4.0
By: EAST Technologies
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.east-tec.com/eraser/index.htm
Summary:
East-Tec Eraser ("Eraser" in short) is an advanced security application
for Windows 95/98/Me/NT/2000/XP designed to help you completely eliminate
sensitive data from your computer and protect your computer and Internet
privacy.
Eraser introduces a new meaning for the verb TO ERASE. Erasing a file now
means wiping its contents beyond recovery, scrambling its name and dates
and finally removing it from disk. When you want to get rid of sensitive
files or folders beyond recovery, add them to the Eraser list of doomed
files and ask Eraser to do the job. Eraser offers tight integration with
the Windows shell, so you can drag files and folders from Explorer and
drop them in Eraser, or you can erase them directly from Explorer by
selecting Erase beyond recovery from the context menu.
2. ZoneAlarm Pro 4.0
By: Zone Labs
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.zonelabs.com
Summary:
Hackers lurk everywhere on the Internet, waiting for an "in" into your
personal and financial information. Even legitimate Web sites have
sophisticated methods of snooping, such as cookies that track your
identity and browsing habits. You need nothing less than the industry's
best protection: ZoneAlarm Pro. It offers you the award-winning firewall
that Zone Labs is famous for. Plus, it stops annoying and potentially
malicious cookies and pop-ups from invading your system.
3. ActiveScout Enterprise
By: ForeScout Technologies
Platforms: Linux, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.forescout.com/enterprise.html
Summary:
ActiveScout Enterprise actively protects a network with multiple access
points. In addition to the identification of attackers and automatic
action to stop them, this solution offers full management capabilities,
from configuration and reporting, to the sharing of threat information
between multiple deployed scouts.
4. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so chose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
5. Password Creator Pro
By: TransDigital Solutions
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: https://www.transdig.com/products/pcp/pcp.cfm
Summary:
Password Creator Professional is an extremely full featured password
generator utility for Windows.
6. Advanced Cisco Security Agent
By: Cisco Systems
Platforms: Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
Summary:
The advanced Cisco Security Agent product provides threat protection for
server and desktop computing systems, also known as endpoints. The Cisco
Security Agent goes beyond conventional host and desktop security
solutions by identifying and preventing malicious behavior before it can
occur, thereby removing potential known and unknown ("Day Zero") security
risks that threaten enterprise networks and applications. The Cisco
Security Agent aggregates and extends multiple endpoint security functions
by providing host intrusion prevention, distributed firewall, malicious
mobile code protection, operating system integrity assurance, and audit
log consolidation all within a single agent package.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Steghide v0.5.1
By: Stefan Hetzl
Relevant URL: http://steghide.sourceforge.net
Platforms: AIX, BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux,
NetBSD, OpenBSD, SCO, Solaris, SunOS, Tru64 UNIX, Ultrix, UNIX, Unixware,
Windows 95/98, Windows NT
Summary:
Steghide is a steganography program which hides bits of a data file in some
of the least significant bits of another file in such a way that the
existence of the data file is not visible and cannot be proven. Steghide
is designed to be portable and configurable and features hiding data in
bmp, wav and au files, blowfish encryption, MD5 hashing of passphrases to
blowfish keys, and pseudo-random distribution of hidden bits in the
container data.
2. COMbust v07.30.03
By: Frederic Bret-Mounet
Relevant URL: http://atstake.com/research/tools/vulnerability_scanning/
Platforms: Windows 2000, Windows XP
Summary:
COMbust is a tool for testing ActiveX/COM/DCOM components on the Windows
platform. It enumerates the interfaces provided by the components and uses
intelligent fuzzing to automatically exercise component functionality for
testing. It can quickly find security vulnerabilities due to improper
input validation.
3. OpenSSL 0.9.7c
By: The OpenSSL Project Team <openssl (at) openssl (dot) org [email concealed]>
Relevant URL: http://www.openssl.org/
Platforms: UNIX, Windows NT
Summary:
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as
well as a full-strength general-purpose cryptography library.
4. Glub Tech Secure FTP v2.0.10
By: glub
Relevant URL: http://secureftp.glub.com
Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows
XP
Summary:
Glub Tech Secure FTP is a command-line utility that allows FTP connections
to be made using SSL.
5. mrtg v2.10.5
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.
6. ACID-XML v1.0
By: Sleepy
Relevant URL: http://www.maximumunix.org/ACID-XML/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, Windows 2000, Windows 95/98,
Windows XP
Summary:
ACID XML is a stand-alone application that can read and parse Snort XML
logs. It was inspired by ACID, but was designed so you can get up and
running quickly with your logs rather than spending hours getting ACID
requirements together and working. It uses QT and expat and it is fully
open source.
VI. SPONSOR INFORMATION
-----------------------
This issue is Sponsored by: SPIDynamics
ALERT: "How Hackers Launch Blind SQL Injection Attacks"- New White Paper
The newest web app vulnerability... Blind SQL Injection! Even if your web
application does not return error messages, it may still be open to a
Blind SQL Injection Attack. Blind SQL Injection can deliver total control
of your server to a hacker giving them the ability to read, write and
manipulate all data stored in your backend systems!
Download this *FREE* white paper from SPI Dynamics for a complete guide
to protection!
------------------------------------------------------------------------
---
FREE Whitepaper: Better Management for Network Security
Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console
I. FRONT AND CENTER
-------------------
1. Incident Response Tools For Unix, Part Two: File-System Tools
By Holt Sorenson
This article is the second in a three-part series on tools that are useful
during incident response and investigation after a compromise has occurred
on an OpenBSD, Linux, or Solaris system. This installment will focus on
file system tools.
http://www.securityfocus.com/infocus/1738
2. Transparent, Bridging Firewall Devices
By Matthew Tanase
This article examines the concept of a transparent or bridging firewall
which sits hidden in-line with the network it protects.
http://www.securityfocus.com/infocus/1737
3. Disclosure Plan Won't Help
By Mark Rasch
Encouraging publicly-traded companies to disclose their cyber security
efforts would only force them to choose between providing vague and
useless platitudes, or specific and dangerous details.
http://www.securityfocus.com/columnists/192
4. CCIA Report is Bad Medicine
By Tim Mullen
The proposed cure for the Internet's security woes might help Microsoft
competitors, but it would only make our security problems worse.
http://www.securityfocus.com/columnists/190
5. The Flaw of Security Through Diversification
by Mark Burnett
In the recent CCIA paper at
http://www.ccianet.org/papers/cyberinsecurity.pdf the authors Geer,
Pfleeger, Schneier, Quarterman, Metzger, Bace, and Gutmann introduce the
concept of "risk diversification as a primary defense against aggregated
risk when that risk cannot otherwise be addressed."
http://www.securityfocus.com/guest/23184
6. Counterpoint: Linux vs. Windows Viruses
by Thor Larholm
The debate over which Operating System is the most secure is an age-old
debate, which is filled with a vigor and passion similar to those debating
their religious beliefs. However, in the end it all boils down to reliable
management, adherence to policies and procedures and proper use.
http://www.securityfocus.com/guest/23028
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Rit Research Labs TinyWeb Server Remote Denial of Service Vu...
BugTraq ID: 8810
Remote: Yes
Date Published: Oct 10 2003
Relevant URL: http://www.securityfocus.com/bid/8810
Summary:
TinyWeb is a small web server daemon available for the Microsoft Windows
operating system.
A vulnerability has been reported in the software that may allow a remote
attacker to cause a denial of service condition in the server. The issue
presents itself when an attacker sends a malformed HTTP GET request to the
server for: /cgi-bin/.%00./dddd.html. This request may cause the software
to consume an excessive amount of CPU cycles leading to a crash or hang.
Successful exploitation of this issue may allow an attacker to cause the
software to act in an unstable manner leading to a crash or hang.
TinyWeb version 1.9 has been reported to be prone to this issue, however
other versions may be vulnerable as well.
2. Microsoft Windows RPCSS Multi-thread Race Condition Vulnerab...
BugTraq ID: 8811
Remote: Yes
Date Published: Oct 10 2003
Relevant URL: http://www.securityfocus.com/bid/8811
Summary:
It has been reported that a multi-threaded race condition in the RPCSS
service of Microsoft Windows exists. Because of this, it may be possible
for an attacker to mount denial of service attacks. This condition is
reported to exist when the service is handling multiple RPC requests. In
particular, if two threads are processing the same request, one thread may
free a packet while the other thread is still processing the packet. This
could result in memory corruption. Certain factors such as network
latency, CPU, and the state of memory on the vulnerable system may make it
difficult to reliably reproduce the condition, though it may be possible
under some circumstances to corrupt memory in a manner sufficient to
execute arbitrary code. Code execution has been deemed unlikely.
However, it has been reported by a reliable source that this problem can
cause a denial of service on fully patched Windows XP Service Pack 1
systems (including the patches supplied in MS03-039). Additionally, it
has been indicated that the vendor has been notified of this issue.
New information has been obtained from a reliable source, confirming that
the exploitation of this issue will trigger a denial of service on fully
patched Windows 2000 systems.
It is unknown what impact this attack has on Windows 2003.
3. Hummingbird CyberDOCS Path Disclosure Vulnerability
BugTraq ID: 8816
Remote: Yes
Date Published: Oct 11 2003
Relevant URL: http://www.securityfocus.com/bid/8816
Summary:
Hummingbird CyberDOCS (DM) is document management software, designed to
run on Microsoft Windows server platforms in conjunction with a SQL
database.
Hummingbird CyberDOCS has been reported prone to a path disclosure
vulnerability. An attacker could potentially access sensitive path
information by making a request to the cyberdocs.asp or loginact.asp
scripts without supplying parameters. This will effectively return an
error page containing the installation directory of the application.
Access to this information could aid an attacker in launching future
attacks.
4. mIRC DCC SEND Buffer Overflow Vulnerability
BugTraq ID: 8818
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8818
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems.
A vulnerability has been reported to exist in mIRC that may allow a remote
attacker to crash a vulnerable mIRC client. The condition is most likely
present due to insufficient boundary checking performed on 'DCC SEND'
requests.
It has been reported that when received, a malicious 'DCC SEND' request
can trigger a fatal error and cause an affected mIRC client to crash. The
'DCC SEND' request can be sent to a channel or a specific targeted user.
Although unconfirmed, due to the nature of this vulnerability it has been
conjectured that a remote attacker may potentially lever this issue to
have arbitrary code executed in the context of the affected mIRC client.
mIRC versions 6.1 and 6.11 have been reported to be prone to this issue,
however other versions may be affected as well.
5. mIRC IRC URL Buffer Overflow Vulnerability
BugTraq ID: 8819
Remote: Yes
Date Published: Oct 13 2003
Relevant URL: http://www.securityfocus.com/bid/8819
Summary:
mIRC is a chat client for the IRC protocol, designed for Microsoft Windows
based operating systems. When mIRC is installed it registers a handler for
an 'irc://' type of URL. Through these means, mIRC is invoked when an 'IRC
URL' is followed.
mIRC has been reported prone to a buffer overflow vulnerability when
handling malicious 'IRC URLs'. The issue is triggered when an IRC URL of
more than 998 bytes is clicked by a user running a vulnerable version of
mIRC.
The issue likely presents itself due to a lack of sufficient boundary
checks performed when IRC URL data is being copied into an insufficient
buffer in memory. Data that exceeds the size of the reserved buffer will
overrun its bounds and corrupt adjacent memory. Because memory adjacent to
the affected buffer is used to store a saved instruction pointer, an
attacker may influence execution flow of the affected client into attacker
controlled memory. This may ultimately allow the attacker to execute
arbitrary instructions in the context of the user running the affected
client.
mIRC version 6.1 has been reported to be prone to this issue, however
other versions may be affected as well.
6. WinSyslog Long Syslog Message Remote Denial Of Service Vulne...
BugTraq ID: 8821
Remote: Yes
Date Published: Oct 14 2003
Relevant URL: http://www.securityfocus.com/bid/8821
Summary:
WinSyslog is a server that logs system events. It is available for
Microsoft Windows operating systems.
WinSyslog is prone to a remotely exploitable denial of service
vulnerability. This occurs when the program receives multiple excessive
syslog messages via the port it listens on (10514/UDP by default). An
exploit script was provided with the disclosure of this vulnerability that
floods the server with incrementally larger syslog messages, triggering
the condition.
This is also reported to cause system instability, which is likely due to
resource exhaustion. It is not known if this vulnerability is due to a
more serious issue such as a boundary condition error.
This vulnerability was reported to affect WinSyslog 4.21 SP1. Other
versions may also be affected.
7. AOL Instant Messenger Getfile Screenname Buffer Overrun Vuln...
BugTraq ID: 8825
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8825
Summary:
AOL Instant Messenger (AIM) is an instant messaging client that is
available for a number of platforms, including Microsoft Windows.
AIM is prone to a remotely exploitable buffer overrun vulnerability.
When AIM is installed, a protocol handler for AIM URIs is also installed
so that the client may be invoked from within a web page. A vulnerability
has been reported that is exposed through the AIM URI handler.
Specifically this issue is due to insufficient bounds checking of the
screenname parameter when it is specified in a "getfile" operation. This
could permit an attacker to corrupt memory with attacker-supplied values,
allowing for control of execution flow by corrupting variables such as an
instruction pointer.
Attackers may exploit this by enticing a user of the client to follow a
maliciously constructed AIM URI (using the AIM protocol handler) that
performs a "getfile" operation with an overly long value as the
screenname. It is reported that this condition can be reproduced by
supplying a screenname that is 1130 characters or more in length.
8. Microsoft Messenger Service Buffer Overrun Vulnerability
BugTraq ID: 8826
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8826
Summary:
Microsoft Messenger Service is a Windows service that is responsible for
sending and receiving "net send" messages. The service also handles any
messages that are sent via the Alerter service between client and server
systems. The Microsoft Messenger Service is not related to MSN Messenger.
Microsoft Messenger Service is prone to a remotely exploitable buffer
overrun vulnerability. This is due to a boundary condition error in the
service that may allow for memory corruption. While the service does
attempt to validate that messages are of an acceptable length, it is
reported that after performing bounds checking, the service will replace
instances of the 0x14 character in the message body with a CR/LF (Carriage
Return/Line-feed) sequence, without accounting for the fact that each
CR/LF sequence requires 2 bytes. In this manner, a particularly malformed
message may potentially corrupt adjacent regions of process memory.
Exploitation could result in a denial of service or in execution of
malicious code in Local System context, potentially allowing for full
system compromise.
The service is exposed via NetBIOS (ports 137-139) and RPC (port 135).
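The pattern described above, a length check done before an expanding substitution, is easy to demonstrate without any Windows code. The following is an added example, not Microsoft's code, with a constructed 64-byte buffer and a constructed message: the naive check accepts the raw length, while the hardened routine measures the post-expansion length first and refuses to write anything that would not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Microsoft's code: a fixed-size destination
   buffer and the 0x14 -> CR/LF expansion described for the Messenger
   Service. MSG_BUF_SIZE is an assumed value chosen for illustration. */
#define MSG_BUF_SIZE 64

/* Flawed pattern: the check looks only at the raw message length and
   ignores that every 0x14 byte becomes two bytes (0x0d 0x0a) afterwards. */
int naive_check_passes(size_t raw_len)
{
    return raw_len <= MSG_BUF_SIZE;
}

/* Length the message will have once each 0x14 is replaced by CR/LF. */
size_t expanded_length(const uint8_t *msg, size_t raw_len)
{
    size_t n = 0;
    for (size_t i = 0; i < raw_len; i++)
        n += (msg[i] == 0x14) ? 2 : 1;
    return n;
}

/* Hardened version: validate the post-expansion length against the
   destination capacity before writing. Returns the number of bytes
   written, or -1 if the expanded message would not fit. Never writes
   beyond out_cap. */
long expand_0x14_to_crlf(const uint8_t *msg, size_t raw_len,
                         uint8_t *out, size_t out_cap)
{
    if (expanded_length(msg, raw_len) > out_cap)
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < raw_len; i++) {
        if (msg[i] == 0x14) {
            out[o++] = 0x0d;
            out[o++] = 0x0a;
        } else {
            out[o++] = msg[i];
        }
    }
    return (long)o;
}

int main(void)
{
    /* Constructed message: 40 bytes, all 0x14. The raw length passes the
       naive check (40 <= 64) but expands to 80 bytes, more than the
       64-byte destination. */
    uint8_t msg[40];
    uint8_t out[MSG_BUF_SIZE];
    memset(msg, 0x14, sizeof msg);

    printf("naive check passes:  %d\n", naive_check_passes(sizeof msg));
    printf("expanded length:     %zu\n", expanded_length(msg, sizeof msg));
    printf("hardened result:     %ld\n",
           expand_0x14_to_crlf(msg, sizeof msg, out, sizeof out));
    return 0;
}
```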
9. Microsoft ListBox/ComboBox Control User32.dll Function Buffe...
BugTraq ID: 8827
Remote: No
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8827
Summary:
A ComboBox control is a class used to display a drop-down list of
predefined values, as well as a field that takes user-supplied input. A
ListBox control is a similar class, however it is designed to simply
display a list of predefined values and allow a user to select a single
one.
Microsoft has reported the existence of a local buffer overrun
vulnerability in an undisclosed User32.dll library function. Both the
ComboBox and ListBox controls invoke this User32.dll function when
handling windows messaging events. The function is said to perform
insufficient sanity checks when handling specific data located within
these Windows messages. In particular, it is possible to trigger this
issue by sending a specially crafted LB_DIR message to a ListBox or a
CB_DIR message to a ComboBox. The attacker will have to specify a long
pathname for either message to cause the condition to occur. This will
reportedly cause an exception during a wcscpy call (which is a string copy
function).
This issue poses a security risk when a privileged application that uses
these affected control classes is running in the environment of an
unprivileged user. An attacker could effectively
transmit a malicious windows message containing excessive data designed to
trigger the buffer overrun and control the execution flow of the target
program. This could ultimately allow a user with interactive local system
access to gain administrative privileges.
Microsoft has also reported that this issue affects the Utility Manager
application, designed to manage various accessibility utilities found on a
system. This application runs with administrative privileges by default on
Windows 2000 systems and is affected by this issue. As a result, this
program would likely be the target of choice for an attacking user. It
should be noted however, that the scope of this vulnerability is not
limited to the Utility Manager, as any third-party program implementing
the use of the affected controls will be vulnerable.
Finally, Microsoft has stated that the XP and 2003 versions of the Utility
Manager application are not exploitable to gain elevated privileges, as
they are invoked with the privileges of the current user.
10. Microsoft Windows Help And Support Center URI Handler Buffer...
BugTraq ID: 8828
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8828
Summary:
Microsoft Windows contains a Help and Support Center (HSC) facility that
provides help on several topics such as Windows features and hardware
support. The HSC also contains a URI handler that allows pages to be
opened through an 'hcp://' prefix.
A buffer overflow vulnerability has been reported to affect the Help and
Support Center for Microsoft Windows systems. The issue exists in
helpsvc.exe, which is started by the svchost.exe process.
The issue has been reported to present itself due to a lack of sufficient
bounds checking performed when handling 'hcp://' URI links. This could
allow an unusually long string supplied to the HSC through the URI handler
to overrun the bounds of a reserved buffer in memory.
An attacker may deliberately trigger this issue to corrupt stack memory
adjacent to the affected buffer with attacker-supplied values. This could
allow for corruption of an instruction pointer or SEH (Structured
Exception Handler). Ultimately the attacker may influence program
execution flow into attacker-controlled memory leading to the execution of
arbitrary code on the system in the local computer security context.
This vulnerability could be exploited by including a malformed link using
'hcp://' prefixes in a web page or through HTML email. It is also
possible to exploit this issue locally to gain elevated privileges.
It should be noted, the vendor has stated that although the vulnerable
code is present on all supported operating systems, attack vectors that
could lead to an exploitable issue are believed to only be present on
Windows XP and Windows Server 2003 systems. This is because the HCP
protocol is not supported on all other supported Windows operating
systems.
Additionally this vulnerability may be related to the issue reported in
BID 6802.
11. Microsoft ActiveX Authenticode Verification Bypass Vulnerabi...
BugTraq ID: 8830
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8830
Summary:
Authenticode is a component that allows for the verification of ActiveX
controls. When a web page attempts to install an ActiveX control,
Authenticode verifies the publisher of a signed control and prompts the
user whether or not to install the control.
A problem exists that could allow Authenticode to be bypassed by ActiveX
controls.
Under certain low memory conditions, an ActiveX control may be installed
without Authenticode prompting the user. This could allow a malicious
ActiveX control embedded in a web page or HTML e-mail to install and
execute on the vulnerable system. The control would be executed in the
security context of the current user.
12. Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site ...
BugTraq ID: 8832
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8832
Summary:
Microsoft Exchange Server 5.5 is an e-mail and directory server offered by
Microsoft. Outlook Web Access is a service provided by Exchange server
that allows users to access their Exchange mailbox via the web.
A vulnerability has been reported to be present in the software that may
allow remote attackers to execute HTML or script code in the browser of a
user running the vulnerable version of the software.
The problem is reported to exist due to improper handling of user-supplied
data in the Compose New Message form of Outlook Web Access. HTML and
script code will be rendered in a user's browser, therefore making it
possible for an attacker to construct a malicious link containing HTML
or script code that may be rendered in a user's browser upon visiting that
link. This attack would occur in the security context of the user.
Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch
further attacks.
13. Microsoft Windows 2000 TroubleShooter ActiveX Control Buffer...
BugTraq ID: 8833
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8833
Summary:
A vulnerability has been discovered in the Microsoft TroubleShooter
ActiveX control. Because of this, it may be possible for a remote
attacker to execute arbitrary code with the privileges of a client user.
The issue is due to insufficient bounds checking of data supplied via the
RunQuery2 method by the ActiveX control. By viewing an HTML document that
invokes the control in a malicious manner, an attacker could potentially
force the execution of arbitrary instructions with the privileges of the
user viewing the document.
It should be noted that this vulnerability could be exploited through one
of several means, such as the viewing of a web page through a browser,
through HTML e-mail, and other programs that may invoke ActiveX controls.
It should be noted that the control is also marked as "Safe For
Scripting", so the user may not be prompted when the control is invoked.
This vulnerability affects only Windows 2000 systems, which included the
TroubleShooter ActiveX control (tshoot.ocx) in default installations.
14. Microsoft Word Macro Name Handler Buffer Overflow Vulnerabil...
BugTraq ID: 8835
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8835
Summary:
Microsoft Word is text document editing software that is distributed as
part of Microsoft Office suite.
Microsoft Word has been reported prone to a buffer overflow vulnerability.
The issue has been reported to present itself due to a lack of sufficient
bounds checking performed in macro name handler routines. It has been
reported that when a macro is saved, its information, including Unicode
internal and external macro names and their corresponding string size are
stored in internal structures that are embedded into an associated word
document. When these macro-names are processed, the name is copied into an
internal reserved buffer in memory that is a fixed size to accommodate a
256 Unicode character macro name.
The procedures that copy the macro name into the reserved buffers have
been reported to lack boundary checking conditional statements. As a
result of this vulnerability, an attacker may construct a malicious word
document and modify macro name string sizes so that they exceed the size
of the reserved buffer in memory. When an unsuspecting user opens this
Word document, memory corruption will occur, likely causing Word to fail.
It is not currently known if this vulnerability may be exploited to
execute arbitrary code.
Microsoft Word that ships with Office XP has not been reported prone to
this issue.
15. Microsoft Exchange Server Buffer Overflow Vulnerability
BugTraq ID: 8838
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8838
Summary:
Microsoft has announced that Exchange Server is affected by a remotely
exploitable buffer overflow condition. The overflow can be triggered
remotely by unauthenticated SMTP clients.
Microsoft has stated that remote code execution is possible on hosts
running Exchange 2000 Server. Servers running Exchange Server 5.5 are
vulnerable to a denial of service attack.
A remote user may connect to the SMTP port of the server and issue an
unusually large extended verb request. On an Exchange Server 5.5 system,
this would result in a denial of service due to memory exhaustion.
On a system running Exchange 2000 Server, this unusually large request
would result in an internal buffer being overrun. Execution of arbitrary
code in the security context of the Exchange service may be possible.
It is important to note that the SMTP services on Windows NT, 2000, XP,
and 2003 are not affected by this issue, unless a vulnerable version of
Exchange has been installed on the system.
16. RealOne Player Temporary File Default Browser Script Executi...
BugTraq ID: 8839
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8839
Summary:
RealOne Player is a media player that is available for a number of
platforms including Microsoft Windows and MacOS systems.
It has been reported that RealOne Player is vulnerable to an issue in the
handling of temporary files. Because of this, an attacker may be able to
perform unauthorized actions in a user's web browser.
Specific details pertaining to this issue are not currently available. It
is known that under some circumstances, it is possible to write to
temporary files before they are loaded in the default browser on a system.
Data written to these files could include arbitrary URLs, as well as
script code.
It is conjectured that this problem may permit a loaded file to execute
script through the default browser in the local security zone, thus making
it possible to carry out actions on the local system on behalf of the
RealOne Player user. However, this has not been confirmed by Real or
Symantec.
17. Macromedia ColdFusion MX SQL Error Message Cross-Site Scrip...
BugTraq ID: 8840
Remote: Yes
Date Published: Oct 15 2003
Relevant URL: http://www.securityfocus.com/bid/8840
Summary:
ColdFusion MX is the application server for developing and hosting
infrastructure distributed by Macromedia. It is available as a standalone
product for Unix, Linux, and Microsoft Operating Systems.
A vulnerability has been reported to exist in the software that may allow
a remote attacker to execute HTML or script code in the browser of a user
running the vulnerable version of ColdFusion MX.
The problem is due to a lack of sanitization of user-supplied input by the
software. Although unconfirmed, it has been reported to occur when the
software displays error messages generated by the underlying database.
This makes it possible for an attacker to construct a malicious link
containing HTML or script code that may be rendered in a user's browser
upon visiting that link. This attack would occur in the security context
of the vulnerable site.
Successful exploitation of this vulnerability may allow an attacker to
steal cookie-based authentication credentials. Other attacks are also
possible.
Macromedia ColdFusion MX version 6.0 was reported to be vulnerable to this
issue; however, other versions may be affected as well.
18. Bajie HTTP Server Example Scripts And Servlets Cross-Site Sc...
BugTraq ID: 8841
Remote: Yes
Date Published: Oct 16 2003
Relevant URL: http://www.securityfocus.com/bid/8841
Summary:
Bajie HTTP Web Server is a Java web server. It is available for Microsoft
Windows and Unix and Linux variants.
Demonstration scripts and servlets that are distributed as part of Bajie
HTTP Server have been reported prone to multiple cross-site scripting
vulnerabilities. These demonstration scripts and servlets are likely not
intended to be published for external access, but rather to act as a
demonstration of the functionality contained in the Bajie HTTP server.
It has been reported that a remote attacker may construct a malicious link
containing script and HTML code to any one of the vulnerable demonstration
scripts or servlets on the affected server. If this link is followed the
code contained therein will be rendered in the browser of the user who
followed the link. Code execution will occur in the context of the
vulnerable script running on the Bajie HTTP Server.
A remote attacker may exploit this vulnerability to steal cookie-based
authentication tokens. Other attacks are also possible.
It should be noted that although this vulnerability has been reported to
affect Bajie HTTP server version 0.95zxv4, previous versions that are
bundled with the same demonstration scripts are also likely vulnerable.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. RPC Scan Issues (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341738
2. group policy question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341736
3. Win2003 RPC failure after Hotfix (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341624
4. USB memory supporting NTFS? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341623
5. automating reboot (was RE: RPC Scan Issues) (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341621
6. question re: continued RPC vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341577
7. Article Announcement: The Flaw of Security Through D... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341507
8. Blocking and allowing ActiveX (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341471
9. Article Announcement: CCIA Report is Bad Medicine (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341349
10. Windows 2000 Server hardening (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341333
11. SecurityFocus Microsoft Newsletter #158 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341129
12. Guest Feature Announcement: Counterpoint: Linux vs. ... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/341092
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. East-Tec Eraser 2003 v4.0
By: EAST Technologies
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.east-tec.com/eraser/index.htm
Summary:
East-Tec Eraser ("Eraser" in short) is an advanced security application
for Windows 95/98/Me/NT/2000/XP designed to help you completely eliminate
sensitive data from your computer and protect your computer and Internet
privacy.
Eraser introduces a new meaning for the verb TO ERASE. Erasing a file now
means wiping its contents beyond recovery, scrambling its name and dates
and finally removing it from disk. When you want to get rid of sensitive
files or folders beyond recovery, add them to the Eraser list of doomed
files and ask Eraser to do the job. Eraser offers tight integration with
the Windows shell, so you can drag files and folders from Explorer and
drop them in Eraser, or you can erase them directly from Explorer by
selecting Erase beyond recovery from the context menu.
2. ZoneAlarm Pro 4.0
By: Zone Labs
Platforms: Windows 2000, Windows 95/98, Windows XP
Relevant URL: http://www.zonelabs.com
Summary:
Hackers lurk everywhere on the Internet, waiting for an "in" into your
personal and financial information. Even legitimate Web sites have
sophisticated methods of snooping, such as cookies that track your
identity and browsing habits. You need nothing less than the industry's
best protection: ZoneAlarm Pro. It offers you the award-winning firewall
that Zone Labs is famous for. Plus, it stops annoying and potentially
malicious cookies and pop-ups from invading your system.
3. ActiveScout Enterprise
By: ForeScout Technologies
Platforms: Linux, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.forescout.com/enterprise.html
Summary:
ActiveScout Enterprise actively protects a network with multiple access
points. In addition to the identification of attackers and automatic
action to stop them, this solution offers full management capabilities,
from configuration and reporting, to the sharing of threat information
between multiple deployed scouts.
4. Immunity CANVAS
By: Immunity, Inc.
Platforms: Linux, Windows 2000
Relevant URL: http://www.immunitysec.com/CANVAS/
Summary:
Immunity CANVAS is 100% pure Python, and every license includes full
access to the entire CANVAS codebase. Python is one of the easiest
languages to learn, so even novice programmers can be productive on the
CANVAS API, should they so choose.
Immunity CANVAS is both a valuable demonstration tool for enterprise
information security teams or system administrators, and an advanced
development platform for exploit developers, or people learning to become
exploit developers.
5. Password Creator Pro
By: TransDigital Solutions
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: https://www.transdig.com/products/pcp/pcp.cfm
Summary:
Password Creator Professional is an extremely full featured password
generator utility for Windows.
6. Advanced Cisco Security Agent
By: Cisco Systems
Platforms: Solaris, Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
Summary:
The advanced Cisco Security Agent product provides threat protection for
server and desktop computing systems, also known as endpoints. The Cisco
Security Agent goes beyond conventional host and desktop security
solutions by identifying and preventing malicious behavior before it can
occur, thereby removing potential known and unknown ("Day Zero") security
risks that threaten enterprise networks and applications. The Cisco
Security Agent aggregates and extends multiple endpoint security functions
by providing host intrusion prevention, distributed firewall, malicious
mobile code protection, operating system integrity assurance, and audit
log consolidation all within a single agent package.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Steghide v0.5.1
By: Stefan Hetzl
Relevant URL: http://steghide.sourceforge.net
Platforms: AIX, BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, IRIX, Linux,
NetBSD, OpenBSD, SCO, Solaris, SunOS, Tru64 UNIX, Ultrix, UNIX, Unixware,
Windows 95/98, Windows NT
Summary:
Steghide is a steganography program which hides bits of a data file in some
of the least significant bits of another file in such a way that the
existence of the data file is not visible and cannot be proven. Steghide
is designed to be portable and configurable and features hiding data in
bmp, wav and au files, Blowfish encryption, MD5 hashing of passphrases to
Blowfish keys, and pseudo-random distribution of hidden bits in the
container data.
2. COMbust v07.30.03
By: Frederic Bret-Mounet
Relevant URL: http://atstake.com/research/tools/vulnerability_scanning/
Platforms: Windows 2000, Windows XP
Summary:
COMbust is a tool for testing ActiveX/COM/DCOM components on the Windows
platform. It enumerates the interfaces provided by the components and uses
intelligent fuzzing to automatically exercise component functionality for
testing. It can quickly find security vulnerabilities due to improper
input validation.
3. OpenSSL 0.9.7c
By: The OpenSSL Project Team
Relevant URL: http://www.openssl.org/
Platforms: UNIX, Windows NT
Summary:
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as
well as a full-strength general-purpose cryptography library.
4. Glub Tech Secure FTP v2.0.10
By: glub
Relevant URL: http://secureftp.glub.com
Platforms: MacOS, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
Glub Tech Secure FTP is a command-line utility that allows FTP connections
to be made using SSL.
5. mrtg v2.10.5
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.
6. ACID-XML v1.0
By: Sleepy
Relevant URL: http://www.maximumunix.org/ACID-XML/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, Windows 2000, Windows 95/98,
Windows XP
Summary:
ACID XML is a stand-alone application that can read and parse Snort XML
logs. It was inspired by ACID, but was designed so you can get up and
running quickly with your logs rather than spending hours getting the ACID
requirements together and working. It uses Qt and expat and it is fully
open source.
VI. SPONSOR INFORMATION
-----------------------
This issue is Sponsored by: SPIDynamics
http://www.securityfocus.com/sponsor/SPIDynamics_ms-secnews_031020