SecurityFocus Microsoft Newsletter #172
----------------------------------------
I. FRONT AND CENTER
1. Problems and Challenges with Honeypots
II. MICROSOFT VULNERABILITY SUMMARY
1. LionMax Software WWW File Share Pro Remote Denial of Service...
2. Sun Microsystems Sun One Web Server Remote Buffer Overflow V...
3. Zope Multiple Vulnerabilities
4. Mabry Software FTPServer/X Controls Format String Vulnerabil...
5. Mabry Software FTPServer/X Controls Unspecified Buffer Overf...
6. Multiple Vendor H.323 Protocol Implementation Vulnerabilitie...
7. Microsoft MDAC Function Broadcast Response Buffer Overrun Vu...
8. Microsoft ISA Server 2000 H.323 Filter Remote Buffer Overflo...
9. Microsoft Exchange Server 2003 Outlook Web Access Random Mai...
10. Real Networks Helix Server/Gateway Administration Service HT...
11. TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Over...
12. LionMax Software WWW File Share Pro Multiple Remote Vulnerab...
13. FishNet FishCart Rounding Function Integer Wrapping Vulnerab...
14. Vicomsoft RapidCache Server Host Argument Denial of Service ...
15. Vicomsoft RapidCache Server Directory Traversal Vulnerabilit...
16. Rit Research Labs The Bat! PGP Message Memory Writing Vulner...
17. XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerab...
III. MICROSOFT FOCUS LIST SUMMARY
1. About MS-Networking security. (Thread)
2. Encrypt data - SQL Server 2000 (Thread)
3. USB - Devices (Thread)
4. MDAC security patch problem? (Thread)
5. Disable NTLM on W2k (Thread)
6. SMTP Service in private DMZ OK? (Thread)
7. Betr.: Active Directory Question (Thread)
8. Active Directory Question (Thread)
9. SecurityFocus Microsoft Newsletter #171 (Thread)
10. application whitelisting (was Active Directory Ques... (Thread)
11. [work] RE: Active Directory Question (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. AccessMaster
2. SafeKit
3. SecurDataStor
4. Proactive Windows Security Explorer
5. Outpost Personal Firewall Pro 2.0
6. Dekart Logon
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. OSIRIS v3.0.0
2. mrtg v2.10.13
3. Enigmail v0.83.0
4. MyPasswordSafe v1.1
5. WinRelay v2.0
6. http://www.ntsecurity.nu/toolbox/etherchange/ v1.0
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION
I. FRONT AND CENTER
-------------------
1. Problems and Challenges with Honeypots
By Lance Spitzner Jan 14, 2004
In this paper we take a look at some of the many challenges and problems
facing honeypots, and possible approaches on how to solve them. By
identifying these problems now, we can hope to make honeypots a stronger
technology for the future.
http://www.securityfocus.com/infocus/1757
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. LionMax Software WWW File Share Pro Remote Denial of Service...
BugTraq ID: 9398
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9398
Summary:
LionMax Software WWW File Share Pro is an HTTP server that runs on
Microsoft Windows platforms.
A denial of service vulnerability has been reported to exist in WWW File
Share Pro that may allow a remote attacker to cause the server to crash or
hang. The problem reportedly occurs during the handling of HTTP GET
requests. An attacker may crash the server process by sending an
excessively long HTTP GET request causing a denial of service condition.
Successful exploitation of this vulnerability may allow a remote attacker
to cause the vulnerable server to crash or hang, effectively denying
service to legitimate users. Although unconfirmed, exploitation could
result in memory corruption, which could in turn be leveraged to execute
arbitrary code.
WWW File Share Pro versions 2.46 and prior may be prone to this issue.
2. Sun Microsystems Sun One Web Server Remote Buffer Overflow V...
BugTraq ID: 9399
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9399
Summary:
Sun ONE is the enterprise web server package distributed and maintained by
Sun Microsystems. It is available for the Unix and Microsoft Windows
platforms.
Sun Microsystems Sun ONE has been reported to be vulnerable to a remote
buffer overflow vulnerability. Because of this, it is possible for a
remote attacker to deny service to legitimate users of an affected web
server. This problem is known to affect Sun ONE on the HP-UX platform
only.
Specific details of the impact and affected component are not currently
available. However, it is theorized that due to the nature of the
problem, a boundary condition error, it may also be possible to execute
arbitrary code with the privileges of the web server process. This theory
has not been confirmed by Symantec or Sun Microsystems.
The technical description of this vulnerability will be further updated as
additional information on the scope of this issue becomes available.
3. Zope Multiple Vulnerabilities
BugTraq ID: 9400
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9400
Summary:
Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.
Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to carry out attacks resulting from improper input
validation, access validation, information disclosure, and various
improper security checks on a vulnerable system. Successful exploitation
of these issues may lead to cross-site scripting attacks, denial of
service conditions, and other attacks.
The following specific issues have been identified:
The ZSearch interface has been reported to be prone to a cross-site
scripting vulnerability. Successful exploitation of this issue may allow
a remote attacker to carry out cross-site scripting attacks by enticing a
victim user to follow a malicious link to a site hosting the software that
contains embedded HTML and script code. The embedded code may be rendered
in the web browser of the victim user in the security context of the site
hosting the vulnerable software.
A denial of service vulnerability has been identified in
'ZTUtils.SimpleTree' that may allow an attacker to cause a denial of
service condition in the software. This condition results from improper
state handling.
An access validation issue has been reported to exist in the admin "find"
functions. This issue may lead to an attacker gaining access to sensitive
information without proper authentication.
An unspecified access validation issue has been identified in the
PropertyManager 'lines' and 'tokens' properties. It has been reported
that some property types are stored in a mutable data type (list) and may
allow untrusted code to effect changes on the properties without proper
security validation.
An unspecified access validation issue may exist in the DTMLDocument
objects. This issue could allow an attacker to gain access to sensitive
information.
Another access validation issue has been identified in DTMLMethods. It
has been reported that DTMLMethods proxy rights may be incorrectly
inherited when traversing to a parent object.
A denial of service vulnerability has been identified in DTML tag
'dtml-tree' that may allow an attacker to cause a denial of service
condition in the software.
An information disclosure vulnerability is reported to exist in the
software. This issue may allow an attacker to disclose certain attributes
via XML-RPC marshalling of class instances.
An access validation issue has been reported to exist in the software that
may allow unauthorized access to certain variables. This issue occurs due
to improper initialization of PythonScript class security.
A denial of service vulnerability exists in RESPONSE.write() that may
allow an attacker to pass malicious Unicode values, causing the ZServer
main loop to terminate and resulting in a crash or hang.
An access validation issue may exist in the software because unpacking via
function calls, variable assignment, and exception variables is performed
without sufficient security checks. This issue may allow an attacker to
gain access to sensitive data.
Another access validation issue may allow an attacker to execute a
malicious script on a vulnerable system in order to gain unauthorized
access to certain objects. This issue results from improper verification
of variables bound to page templates and Python scripts such as 'context'
and 'container'.
An unspecified error has been reported to exist due to the use of min,
max, enumerate, iter, and sum in untrusted code.
An issue has been identified in the use of 'import as' in Python scripts
that may allow an attacker to bypass security checks.
Another access validation issue has been identified in the list and
dictionary instance methods that may allow an attacker to gain
unauthorized access to certain objects. A similar issue has also been
identified in for loops, list comprehensions, and other iterations of
untrusted code.
Further analysis of these issues is currently underway. This BID will be
separated into individual BIDs upon completion of analysis.
These issues have been reported to exist in Zope versions 2.6.2 and prior
and development releases 2.7.0 beta3. Other versions could be affected as
well.
4. Mabry Software FTPServer/X Controls Format String Vulnerabil...
BugTraq ID: 9402
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9402
Summary:
Mabry Software FTPServer/X is an ActiveX Control and COM Object, designed
to be incorporated into FTP server software for Microsoft Windows
platforms.
FTPServer/X has been reported to be prone to a remote format string
vulnerability when processing a malicious request from a client.
The vulnerability presents itself when the server receives a malicious
request containing embedded format string specifiers from a remote client
when supplying a username during FTP authentication. The source of the
problem is incorrect use of a formatted printing function, which processes
data supplied during FTP server authentication. As a result, format
specifiers supplied in this manner will be interpreted literally and may
result in attacker-specified memory being corrupted or disclosed.
Although it has been demonstrated that this could crash the server, the
vulnerability could also theoretically allow for execution of arbitrary
code on the system hosting the server. This would occur in the security
context of the server process.
FTPServer/X COM Object version 1.00.050 has been reported to be
vulnerable to this issue; however, other versions could be affected as
well. It should be noted that any software that implements the Mabry
Software FTPServer/X control is likely affected by this vulnerability. It
has been confirmed that this control is in use by Mollensoft (Hyperion) FTP
Server.
5. Mabry Software FTPServer/X Controls Unspecified Buffer Overf...
BugTraq ID: 9403
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9403
Summary:
Mabry Software FTPServer/X is an ActiveX Control and COM Object, designed
to be incorporated into FTP server software for Microsoft Windows
platforms.
FTPServer/X has been reported to be prone to an unspecified remote buffer
overflow vulnerability. Because of this, it may be possible for a remote
attacker to gain unauthorized access to a system running the vulnerable
software. The condition is present due to insufficient boundary checking.
The issue may be related to the 'mkdir' command. An attacker may send a
malformed 'mkdir' command containing excessive data to a vulnerable
server. Immediate consequences of an attack may result in a denial of
service condition.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access; however, this has not been confirmed.
FTPServer/X COM Object version 1.00.050 has been reported to be vulnerable
to this issue; however, other versions could be affected as well. It
should be noted that any software that implements the Mabry Software
FTPServer/X control is likely affected by this vulnerability. It has been
confirmed that this control is in use by Mollensoft (Hyperion) FTP Server.
6. Multiple Vendor H.323 Protocol Implementation Vulnerabilitie...
BugTraq ID: 9406
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9406
Summary:
The H.323 protocol is used in various telephony and multimedia products in
IP networks. It may be used in hardware products supporting multimedia
conferencing as well as various operating systems.
The H.225 subcomponent of the H.323 protocol was found to have multiple
vulnerabilities in various vendor implementations of the protocol. H.225
is most commonly used as a component of Voice over IP (VoIP). These
vulnerabilities may range from a denial of service to potential arbitrary
code execution.
For a complete listing of vulnerable vendors and products, see the
referenced advisory.
Not all vendor advisories are currently available. Once more information
becomes available on specific vulnerabilities contained in affected
products, this BID will be split into separate records.
Cisco has reported that Cisco IOS 11.3T and all later Cisco IOS versions
might be affected if the software supports voice or multimedia
applications.
7. Microsoft MDAC Function Broadcast Response Buffer Overrun Vu...
BugTraq ID: 9407
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9407
Summary:
Microsoft Data Access Components (MDAC) provide components for database
access, including functionality for querying local and remote databases of
various formats.
Microsoft has released an advisory reporting a buffer overrun
vulnerability in an MDAC function. This issue is exposed when an
application makes a broadcast request to query for SQL Servers on the
network and malformed data is returned in the broadcast response. The
source of the issue is insufficient bounds checking of reply data,
allowing for process memory to be corrupted and execution flow to be
influenced by remote attackers, resulting in execution of malicious code.
An attacker could exploit this by simulating an SQL Server to return a
malicious UDP packet to a client that initiated the broadcast.
Successful exploitation will allow for code execution in the context of
the application using the vulnerable MDAC function. If the application is
run with system-level privileges, this could completely compromise a
vulnerable system. Exploitation attempts may also result in a denial of
service in client applications.
Microsoft has reported that this would only result in a denial of service
with MDAC 2.8.
8. Microsoft ISA Server 2000 H.323 Filter Remote Buffer Overflo...
BugTraq ID: 9408
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9408
Summary:
The H.323 filter is used by Microsoft ISA Server 2000 to monitor and
filter traffic using H.323 and T.120 protocols. The H.323 and T.120
protocols are used by IP Telephony applications. The H.323 filter is
reported to be enabled by default on ISA Server 2000.
A buffer overflow vulnerability has been reported to exist in the H.323
filter that may allow a remote attacker to execute arbitrary code on a
vulnerable system. The issue presents itself when an attacker sends
malformed H.323 traffic to a vulnerable system. The condition exists due
to insufficient boundary checking. Because of this, it may be possible
for a remote attacker to gain unauthorized access to a system running the
vulnerable software.
Successful exploitation of this vulnerability may allow a remote attacker
to execute arbitrary code in the context of Microsoft Firewall Service on
ISA Server 2000. This may lead to complete control of the vulnerable
system.
This issue was originally described as part of BID 9406. It is now being
assigned a separate BID and the original record will be retired.
9. Microsoft Exchange Server 2003 Outlook Web Access Random Mai...
BugTraq ID: 9409
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9409
Summary:
Microsoft Exchange Server 2003 is an e-mail and directory server offered
by Microsoft. Outlook Web Access (OWA) is a service provided by Exchange
server that allows users to access their Exchange mailbox via the web.
A vulnerability exists that could allow an authenticated OWA user to
connect to another OWA user's mailbox. Only mailboxes recently accessed
through OWA on the same Exchange server could be accessed in this way. An
attacker could not choose which mailbox to connect to; the connection
would be random.
The vulnerability only exists when the back-end Exchange server hosting
the OWA mailboxes is configured not to use Kerberos authentication with
the front-end Exchange server running on the IIS server. In this case,
authentication would fall back to NTLM authentication. The only method
for exposing the vulnerability in this way without intervention by an
administrator would be through the weakness described in BID 9118.
When these circumstances occur, the front-end Exchange server will
periodically attempt to authenticate with the back-end server using
Kerberos authentication. On these requests, IIS 6 will ignore the
Kerberos authentication and allow access to the open connections that were
already authenticated with NTLM.
Successful exploitation of this vulnerability could allow a remote
attacker to access sensitive information in another user's mailbox or send
email as that user.
10. Real Networks Helix Server/Gateway Administration Service HT...
BugTraq ID: 9421
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9421
Summary:
Helix Universal Server is a media delivery server distributed and
maintained by Real Networks. It is available for the Unix, Linux, and
Microsoft Windows platforms.
A problem has been identified in the handling of HTTP POST requests by the
administrative service in Real Networks Helix Universal Server. Because
of this, a remote attacker may deny service to legitimate users of the
server on an affected host.
This issue requires the attacker to have legitimate administrative service
login credentials to exploit. The root of the problem appears to be an
issue in the adminfs.so library, available on Microsoft Windows as
admi3260.dll. An attacker may send a maliciously crafted HTTP POST
request to the service, and upon the service receiving the request, it
crashes. This is likely due to an input-handling bug in the adminfs.so
library; this, however, has not been confirmed.
The server requires a manual restart to resume normal operation. In
addition to the Helix Universal Server, this problem is known to affect
the Helix Universal Gateway, Helix Universal Mobile Server, and Helix
Universal Mobile Gateway.
11. TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Over...
BugTraq ID: 9423
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9423
Summary:
tcpdump is a freely available open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.
Multiple buffer overflow vulnerabilities have been reported to exist in
tcpdump that may allow a remote attacker to gain unauthorized access to a
system running the vulnerable software. The conditions are present due to
insufficient boundary checking.
The conditions are reported to exist in the ISAKMP decoding routines of
tcpdump. It has been reported that a remote attacker may be able to cause
a buffer overrun condition by sending specially crafted packets to a
vulnerable system. Immediate consequences of a successful attack may
cause a denial of service condition in the software; however, it has been
reported that an attacker may be able to execute arbitrary code on a
vulnerable system as the 'pcap' user.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of these issues may allow an attacker to execute arbitrary
code as the 'pcap' user in order to gain unauthorized access.
Some of the issues are reported to affect tcpdump versions prior to 3.8.1
and others reportedly affect all versions up to and including tcpdump
3.8.1.
This vulnerability record will be divided into multiple Bugtraq IDs when
analysis of the individual issues is complete. Some of these issues may
already be known. Where it is appropriate, existing Bugtraq IDs will also
be updated to reflect the information in the advisory.
12. LionMax Software WWW File Share Pro Multiple Remote Vulnerab...
BugTraq ID: 9425
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9425
Summary:
LionMax Software WWW File Share Pro is an HTTP server that runs on
Microsoft Windows platforms.
WWW File Share Pro has been reported prone to multiple remote
vulnerabilities.
The first reported issue is that a remote attacker may employ the "upload"
functionality of the vulnerable software to overwrite arbitrary files that
are writable by the WWW File Share Pro process. An attacker may exploit
this vulnerability by including "../" directory traversal sequences in the
filename of the uploaded file.
The second reported issue may allow a remote user to deny service to the
affected software. It has been reported that if WWW File Share Pro handles
a POST request that contains excessive data it will consume system
resources and leave the affected system unresponsive. The POST request
must consist of a large Content-Length HTTP header value, and may contain
POST data that exceeds 2 megabytes of data.
The final issue that has been reported regards the access control routines
used to control access to directories that are protected by WWW File Share
Pro. It has been reported that a remote attacker may invoke a specially
crafted HTTP request for the target protected resource and in doing so may
bypass access controls. The malicious URI must include a period character
appended to the target folder name. Alternatively the URI may contain one
or more slash or backslash characters prepended to the target folder name.
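The first and final issues above both come from acting on a client-supplied
path before it has been reduced to the form the Windows filesystem will
actually resolve. The following is an added example, not code from WWW File
Share Pro or from the advisory; the folder names, function names and sample
requests are constructed for illustration. It shows an exact-match check
beside one that canonicalises the path first, plus upload filename handling.

```python
from urllib.parse import unquote

# Hypothetical configuration: top-level folders that require authentication.
PROTECTED = {"private", "admin"}


def naive_is_protected(uri_path):
    """Weak check: exact string match on the first path segment."""
    parts = uri_path.split("/")
    return len(parts) > 1 and parts[1] in PROTECTED


def canonical_segments(uri_path):
    """Reduce a request path to the segments the filesystem would resolve.

    Raises ValueError when the path climbs above the share root or cannot
    be mapped to a single unambiguous name.
    """
    decoded = unquote(uri_path)              # percent-decode exactly once
    if "\x00" in decoded or ":" in decoded:  # NUL, drive letters, streams
        raise ValueError("illegal character in path")
    segments = []
    # Backslash is a separator on Windows, so treat it like a slash.
    for raw in decoded.replace("\\", "/").split("/"):
        if raw in ("", "."):                 # repeated separators, self refs
            continue
        if raw == "..":
            if not segments:
                raise ValueError("path escapes the share root")
            segments.pop()
            continue
        # Win32 drops trailing dots and spaces, so "private." is "private".
        name = raw.rstrip(". ")
        if not name:
            raise ValueError("ambiguous dot segment")
        segments.append(name.lower())        # NTFS names are case-insensitive
    return segments


def decide(uri_path, authenticated=False):
    """Access decision made on the canonical form, never the raw string."""
    try:
        segments = canonical_segments(uri_path)
    except ValueError:
        return "reject"
    if segments and segments[0] in PROTECTED and not authenticated:
        return "auth-required"
    return "serve"


def safe_upload_name(client_filename):
    """Keep only the final component of an uploaded file's name.

    Any directory part the client sent, including "../" sequences, is
    discarded, so the file can only land inside the upload directory.
    """
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ")
    if not name or ":" in name or "\x00" in name:
        raise ValueError("unusable upload filename")
    return name


if __name__ == "__main__":
    # Constructed sample requests covering the forms the advisory lists.
    samples = [
        "/private/report.doc",
        "/private./report.doc",
        "//private/report.doc",
        "/\\private/report.doc",
        "/public/index.html",
        "/public/../../outside.txt",
    ]
    for uri in samples:
        print(f"{uri!r:32} naive={naive_is_protected(uri)!s:5} "
              f"canonical={decide(uri)}")
    print(safe_upload_name("../../boot.ini"))
```

The path is decoded only once; a server that decodes again after this check
reopens the same gap.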
13. FishNet FishCart Rounding Function Integer Wrapping Vulnerab...
BugTraq ID: 9426
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9426
Summary:
FishCart is a commercially available, open source shopping cart software
package. It is available for the Unix, Linux, and Microsoft platforms.
A problem in the handling of rounding has been discovered in FishNet
FishCart. Because of this, attackers entering numbers of excessive size
may be able to produce unexpected results in a vulnerable implementation.
The problem is in the rnd() function. By passing numbers of one billion
or more to fields in the software that pass the value to the rnd()
function, it is possible to force the value to wrap to a negative value.
An attacker could exploit this issue to interrupt business operations, and
potentially create security issues.
14. Vicomsoft RapidCache Server Host Argument Denial of Service ...
BugTraq ID: 9427
Remote: Yes
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9427
Summary:
Vicomsoft RapidCache is a web caching server that runs on Microsoft
Windows and Apple MacOS platforms.
A remote denial of service vulnerability has been reported to exist in the
software that may allow an attacker to cause the server to crash.
The issue presents itself when an attacker sends an excessively large
string value to the server via the 'Host' argument through an HTTP GET
request. Immediate consequences of an attack may result in a denial of
service condition, effectively denying service to legitimate users.
Although unlikely, there is a possibility that this issue may allow an
attacker to execute arbitrary code with the privileges of the server
process in order to gain unauthorized access.
RapidCache versions 2.2.6 and prior have been reported to be prone to this
issue.
15. Vicomsoft RapidCache Server Directory Traversal Vulnerabilit...
BugTraq ID: 9428
Remote: Yes
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9428
Summary:
Vicomsoft RapidCache is a web-caching server that runs on Microsoft
Windows and Apple MacOS platforms.
A vulnerability has been reported to exist in RapidCache that may allow a
remote attacker to access information outside the server root directory.
The problem exists due to insufficient sanitization of user-supplied data.
The issue may allow a remote attacker to traverse outside the server root
directory by using '../' character sequences.
Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive web server readable information that may be
used to launch further attacks against a vulnerable system.
RapidCache versions 2.2.6 and prior have been reported to be prone to this
issue.
16. Rit Research Labs The Bat! PGP Message Memory Writing Vulner...
BugTraq ID: 9433
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9433
Summary:
The Bat! is a commercially-available mail user agent, distributed and
maintained by Rit Research Labs. It is available for the Microsoft Windows
platform.
It has been reported that there is an issue with the way The Bat! handles
certain malformed PGP signed messages. PGP support is configured by
default.
The issue exists when The Bat! processes email messages containing PGP
signatures with multiple recursively included parts. Specially
constructed malformed signatures could allow The Bat! to read and write to
unallocated regions of memory. This could potentially allow for execution
of arbitrary attacker-supplied code.
It is important to note that since The Bat! contains its own exception
handler, the application will not crash when processing messages
containing these malformed PGP signatures.
This issue was reported to affect The Bat! 2.01. The vendor has reported
that the issue could not be reproduced on The Bat! 2.03 beta and that 2.02
CE is probably not vulnerable. The Bat! versions 1.x are not vulnerable
to this issue.
17. XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerab...
BugTraq ID: 9438
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9438
Summary:
XtremeASP PhotoGallery is a web-based picture gallery script. It is
implemented in ASP and available for Microsoft Windows platforms.
XtremeASP PhotoGallery is back-ended by a MySQL database.
XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The
issue is reported to exist in 'adminlogin.asp', which does not
sufficiently sanitize user-supplied input for username and password values
before including it in SQL queries. This could permit remote attackers to
pass malicious input to database queries, resulting in modification of
query logic or other attacks.
Successful exploitation could result in compromise of the photo gallery,
disclosure or modification of data or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. About MS-Networking security. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/350278
2. Encrypt data - SQL Server 2000 (Thread)
Relevant URL:
6. SMTP Service in private DMZ OK? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349811
7. Betr.: Active Directory Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349769
8. Active Directory Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349767
9. SecurityFocus Microsoft Newsletter #171 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349746
10. application whitelisting (was Active Directory Ques... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349706
11. [work] RE: Active Directory Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349599
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. AccessMaster
By: Evidian Inc.
Platforms: IRIX, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.evidian.com/accessmaster/about/index.htm
Summary:
Extending onto a networked world means embracing the unknown. Piracy,
vandalism, industrial espionage... - attacks on companies are doubling
each year. With uniquely integrated security software, AccessMaster
manages and safeguards access to your data, end-to-end, from portals to
legacy, and lets you enforce a single, unified security policy across the
enterprise and beyond.
AccessMaster ensures a high security level by federating your existing
security solutions, while at the same time ensuring users' convenience
with Single Sign-On and security officers' ease of administration with
centralized, LDAP-compliant user and PKI management. In this way,
AccessMaster reduces IT security cost of ownership, with rapid return on
investment.
AccessMaster is recognized by analysts as a leading security suite for
large enterprises today. It was awarded "best access control" software by
Secure Computing Magazine three years running, in 2000, 2001, and 2002.
2. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.
3. SecurDataStor
By: encryptX Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.encryptx.com/products/securdatastor.asp
Summary:
The SecurDataStor product line is designed to provide a comprehensive
software security solution that manages and controls access to sensitive
information that you need to share internally and externally.
SecurDataStor is available in three versions: Basic, Premium, and
Platinum. Depending on the level of security that you need, you can choose
the SecurDataStor product that suits your needs.
With its end-to-end protection of sensitive business information,
SecurDataStor products protect sensitive information when used by the
originator, stored locally on a hard drive or file server, and when
shared. Users can safely share sensitive information across different
Microsoft Windows operating systems, over different network and firewall
technologies, and across different forms of removable media.
4. Proactive Windows Security Explorer
By: Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.elcomsoft.com/pwsex.html#
Summary:
Proactive Windows Security Explorer (PWSEX) is a password security test
tool that's designed to allow Windows NT, Windows 2000, and Windows
XP-based systems administrators to identify and close security holes in
their networks. Proactive Windows Security Explorer helps secure networks
by executing an audit of account passwords, and exposing insecure account
passwords. If it is possible to recover the password within a reasonable
time, the password is considered insecure.
An administrator can also use it to recover any lost password and access a
user's Windows account. Proactive Windows Security Explorer works by
analyzing user password hashes and recovering plain-text passwords.
5. Outpost Personal Firewall Pro 2.0
By: Agnitum
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.outpost.uk.com
Summary:
New Outpost Personal Firewall Pro 2.0 outdistances the award-winning
Outpost Personal Firewall Pro 1.0 on multiple levels, from enhanced
privacy features to ease-of-use. As the foremost security application for
personal computers, Outpost Personal Firewall Pro 2.0 gives you the latest
in personal firewall technology, making version 2.0 the clear security
choice for your system.
6. Dekart Logon
By:
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.dekart.com/products/authentication_access/logon/
Summary:
Dekart Logon is a solution designed to provide an additional level of
security for the Microsoft Windows operating system. Access to the Windows
environment can only be gained after inserting a USB key or smart card
into the appropriate slot and by entering the correct PIN code.
Dekart Logon offers a number of security options: you can select to have
Windows access blocked once the key is removed, during a screen saver
timeout or other user assigned prompts. This flexibility automatically
reduces the possibility of human error by maintaining predefined security
levels even if the user leaves their PC unattended.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. OSIRIS v3.0.0
By: The Shmoo Group
Relevant URL: http://osiris.shmoo.com
Platforms: BSDI, FreeBSD, Linux, MacOS, OpenBSD, UNIX, Windows 2000,
Windows NT, Windows XP
Summary:
Osiris is a host integrity management system that can be used to monitor
changes to a network of hosts over time and report those changes back to
the administrator(s). Currently, this includes monitoring any changes to
the filesystems. Osiris takes periodic snapshots of the filesystem and
stores them in a database. These databases, as well as the
configurations and logs, are all stored on a central management host.
When changes are detected, Osiris will log these events to the system
log and optionally send email to an administrator. In addition to files,
Osiris has preliminary support for the monitoring of other system
information including user lists, file system details, kernel modules,
and network interface configurations (not included in this beta
release).
2. mrtg v2.10.13
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.
3. Enigmail v0.83.0
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:
Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.
4. MyPasswordSafe v1.1
By: Nolan
Relevant URL: http://www.semanticgap.com/myps/
Platforms: Linux, Os Independent, POSIX, UNIX, Windows 2000, Windows
95/98, Windows NT, Windows XP
Summary:
MyPasswordSafe is a straightforward, easy-to-use password manager that
uses the Blowfish algorithm to encrypt the passwords it stores. It uses
the same file format as Password Safe.
5. WinRelay v2.0
By: Arne Vidstrom <arne.vidstrom (at) ntsecurity (dot) nu>
Relevant URL: http://www.ntsecurity.nu/toolbox/winrelay/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
WinRelay is a TCP/UDP forwarder/redirector. You can choose the port and IP
it will listen on, the source port and IP that it will connect from, and
the port and IP that it will connect to.
6. EtherChange v1.0
By: Arne Vidstrom
Relevant URL: http://www.ntsecurity.nu/toolbox/etherchange/
Platforms: Windows 2000, Windows XP
Summary:
EtherChange can change the Ethernet address of the network adapters in
Windows 2000 / XP.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe, send an e-mail message to
ms-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed
address. The contents of the subject or message body do not matter. You
will receive a confirmation request message to which you will have to
answer. Alternatively, you can visit
http://www.securityfocus.com/newsletters and unsubscribe via the website.
If your email address has changed, email
listadmin (at) securityfocus (dot) com and ask to be manually removed.
------------------------------------------------------------------------
I. FRONT AND CENTER
-------------------
1. Problems and Challenges with Honeypots
By Lance Spitzner Jan 14, 2004
In this paper we take a look at some of the many challenges and problems
facing honeypots, and possible approaches on how to solve them. By
identifying these problems now, we can hope to make honeypots a stronger
technology for the future.
http://www.securityfocus.com/infocus/1757
II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. LionMax Software WWW File Share Pro Remote Denial of Service...
BugTraq ID: 9398
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9398
Summary:
LionMax Software WWW File Share Pro is an HTTP server that runs on
Microsoft Windows platforms.
A denial of service vulnerability has been reported to exist in WWW File
Share Pro that may allow a remote attacker to cause the server to crash or
hang. The problem reportedly occurs during the handling of HTTP GET
requests. An attacker may crash the server process by sending an
excessively long HTTP GET request causing a denial of service condition.
Successful exploitation of this vulnerability may allow a remote attacker
to cause the vulnerable server to crash or hang, effectively denying
service to legitimate users. Although unconfirmed, exploitation could
result in memory corruption, which could in turn be leveraged to execute
arbitrary code.
WWW File Share Pro versions 2.46 and prior may be prone to this issue.
2. Sun Microsystems Sun One Web Server Remote Buffer Overflow V...
BugTraq ID: 9399
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9399
Summary:
Sun ONE is the enterprise web server package distributed and maintained by
Sun Microsystems. It is available for the Unix and Microsoft Windows
platforms.
Sun Microsystems Sun ONE has been reported to be vulnerable to a remote
buffer overflow vulnerability. Because of this, it is possible for a
remote attacker to deny service to legitimate users of an affected web
server. This problem is known to affect Sun ONE on the HP-UX platform
only.
Specific details of the impact and affected component are not currently
available. However, it is theorized that due to the nature of the
problem, a boundary condition error, it may also be possible to execute
arbitrary code with the privileges of the web server process. This theory
has not been confirmed by Symantec or Sun Microsystems.
The technical description of this vulnerability will be further updated as
additional information on the scope of this issue becomes available.
3. Zope Multiple Vulnerabilities
BugTraq ID: 9400
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9400
Summary:
Zope is an open source web application server, maintained by the Zope
Project. Zope is available for Linux, Unix, and Microsoft Windows based
systems.
Multiple vulnerabilities have been reported to exist in the software that
may allow an attacker to carry out attacks resulting from improper input
validation, access validation, information disclosure, and various
improper security checks on a vulnerable system. Successful exploitation
of these issues may lead to cross-site scripting attacks, denial of
service conditions, and other attacks.
The following specific issues have been identified:
The ZSearch interface has been reported to be prone to a cross-site
scripting vulnerability. Successful exploitation of this issue may allow
a remote attacker to carry out cross-site scripting attacks by enticing a
victim user to follow a malicious link to a site hosting the software that
contains embedded HTML and script code. The embedded code may be rendered
in the web browser of the victim user in the security context of the site
hosting the vulnerable software.
A denial of service vulnerability has been identified in
'ZTUtils.SimpleTree' that may allow an attacker to cause a denial of
service condition in the software. This condition results from improper
state handling.
An access validation issue has been reported to exist in the admin "find"
functions. This issue may lead to an attacker gaining access to sensitive
information without proper authentication.
An unspecified access validation issue has been identified in the
PropertyManager 'lines' and 'tokens' properties. It has been reported
that some property types are stored in a mutable data type (list) and may
allow untrusted code to effect changes on the properties without proper
security validation.
An unspecified access validation issue may exist in the DTMLDocument
objects. This issue could allow an attacker to gain access to sensitive
information.
Another access validation issue has been identified in DTMLMethods. It
has been reported that DTMLMethods proxy rights may be incorrectly
inherited when traversing to a parent object.
A denial of service vulnerability has been identified in the DTML tag
'dtml-tree' that may allow an attacker to cause a denial of service
condition in the software.
An information disclosure vulnerability is reported to exist in the
software. This issue may allow an attacker to disclose certain attributes
via XML-RPC marshalling of class instances.
An access validation issue has been reported to exist in the software that
may allow unauthorized access to certain variables. This issue occurs due
to improper initialization of PythonScript class security.
A denial of service vulnerability exists in RESPONSE.write() that may
allow an attacker to pass malicious unicode values, causing the ZServer
main loop to terminate and resulting in a crash or hang.
An access validation issue may exist in the software due to unpacking via
function calls, variable assignment, and exception variables without
sufficient security checks. This issue may allow an attacker to gain
access to sensitive data.
Another access validation issue may allow an attacker to execute a
malicious script on a vulnerable system in order to gain unauthorized
access to certain objects. This issue results from improper verification
of variables bound to page templates and Python scripts such as 'context'
and 'container'.
An unspecified error has been reported to exist due to the use of min,
max, enumerate, iter, and sum in untrusted code.
An issue has been identified in the use of 'import as' in Python scripts
that may allow an attacker to bypass security checks.
Another access validation issue has been identified in the list and
dictionary instance methods that may allow an attacker to gain
unauthorized access to certain objects. A similar issue has also been
identified in for loops, list comprehensions, and other iterations of
untrusted code.
Further analysis of these issues is currently underway. This BID will be
separated into individual BIDs upon completion of analysis.
These issues have been reported to exist in Zope versions 2.6.2 and prior
and development releases 2.7.0 beta3. Other versions could be affected as
well.
4. Mabry Software FTPServer/X Controls Format String Vulnerabil...
BugTraq ID: 9402
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9402
Summary:
Mabry Software FTPServer/X is an ActiveX Control and COM Object, designed
to be incorporated into FTP server software for Microsoft Windows
platforms.
FTPServer/X has been reported to be prone to a remote format string
vulnerability when processing a malicious request from a client.
The vulnerability presents itself when the server receives a malicious
request containing embedded format string specifiers from a remote client
when supplying a username during FTP authentication. The source of the
problem is incorrect use of a formatted printing function, which processes
data supplied during FTP server authentication. As a result, format
specifiers supplied in this manner will be interpreted literally and may
result in attacker-specified memory being corrupted or disclosed.
Although it has been demonstrated that this could crash the server, the
vulnerability could also theoretically allow for execution of arbitrary
code on the system hosting the server. This would occur in the security
context of the server process.
FTPServer/X COM Object version 1.00.050 has been reported to be
vulnerable to this issue; however, other versions could be affected as
well. It should be noted that any software that implements the Mabry
Software FTPServer/X control is likely affected by this vulnerability. It
has been confirmed that this control is in use by Mollensoft (Hyperion)
FTP Server.
5. Mabry Software FTPServer/X Controls Unspecified Buffer Overf...
BugTraq ID: 9403
Remote: Yes
Date Published: Jan 12 2004
Relevant URL: http://www.securityfocus.com/bid/9403
Summary:
Mabry Software FTPServer/X is an ActiveX Control and COM Object, designed
to be incorporated into FTP server software for Microsoft Windows
platforms.
FTPServer/X has been reported to be prone to an unspecified remote buffer
overflow vulnerability. Because of this, it may be possible for a remote
attacker to gain unauthorized access to a system running the vulnerable
software. The condition is present due to insufficient boundary checking.
The issue may be related to the 'mkdir' command. An attacker may send a
malformed 'mkdir' command containing excessive data to a vulnerable
server. Immediate consequences of an attack may result in a denial of
service condition.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access; however, this has not been confirmed.
FTPServer/X COM Object version 1.00.050 has been reported to be vulnerable
to this issue; however, other versions could be affected as well. It
should be noted that any software that implements the Mabry Software
FTPServer/X control is likely affected by this vulnerability. It has been
confirmed that this control is in use by Mollensoft (Hyperion) FTP Server.
6. Multiple Vendor H.323 Protocol Implementation Vulnerabilitie...
BugTraq ID: 9406
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9406
Summary:
The H.323 protocol is used in various telephony and multimedia products in
IP networks. It may be used in hardware products supporting multimedia
conferencing as well as various operating systems.
The H.225 subcomponent of the H.323 protocol was found to have multiple
vulnerabilities in various vendor implementations of the protocol. H.225
is most commonly used as a component of Voice over IP (VoIP). These
vulnerabilities may range from a denial of service to potential arbitrary
code execution.
For a complete listing of vulnerable vendors and products, see the
referenced advisory.
Not all vendor advisories are currently available. Once more information
becomes available on specific vulnerabilities contained in affected
products, this BID will be split into separate records.
Cisco has reported that Cisco IOS 11.3T and all later Cisco IOS versions
might be affected if the software supports voice or multimedia
applications.
7. Microsoft MDAC Function Broadcast Response Buffer Overrun Vu...
BugTraq ID: 9407
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9407
Summary:
Microsoft Data Access Components (MDAC) provide components for database
access, including functionality for querying local and remote databases of
various formats.
Microsoft has released an advisory reporting a buffer overrun
vulnerability in an MDAC function. This issue is exposed when an
application makes a broadcast request to query for SQL Servers on the
network and malformed data is returned in the broadcast response. The
source of the issue is insufficient bounds checking of reply data,
allowing for process memory to be corrupted and execution flow to be
influenced by remote attackers, resulting in execution of malicious code.
An attacker could exploit this by simulating an SQL Server to return a
malicious UDP packet to a client that initiated the broadcast.
Successful exploitation will allow for code execution in the context of
the application using the vulnerable MDAC function. If the application is
run with system-level privileges, this could completely compromise a
vulnerable system. Exploitation attempts may also result in a denial of
service in client applications.
Microsoft has reported that this would only result in a denial of service
with MDAC 2.8.
8. Microsoft ISA Server 2000 H.323 Filter Remote Buffer Overflo...
BugTraq ID: 9408
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9408
Summary:
The H.323 filter is used by Microsoft ISA Server 2000 to monitor and
filter traffic using H.323 and T.120 protocols. The H.323 and T.120
protocols are used by IP Telephony applications. The H.323 filter is
reported to be enabled by default on ISA Server 2000.
A buffer overflow vulnerability has been reported to exist in the H.323
filter that may allow a remote attacker to execute arbitrary code on a
vulnerable system. The issue presents itself when an attacker sends
malformed H.323 traffic to a vulnerable system. The condition exists due
to insufficient boundary checking. Because of this, it may be possible
for a remote attacker to gain unauthorized access to a system running the
vulnerable software.
Successful exploitation of this vulnerability may allow a remote attacker
to execute arbitrary code in the context of Microsoft Firewall Service on
ISA Server 2000. This may lead to complete control of the vulnerable
system.
This issue was originally described as part of BID 9406. It is now being
assigned a separate BID and the original record will be retired.
9. Microsoft Exchange Server 2003 Outlook Web Access Random Mai...
BugTraq ID: 9409
Remote: Yes
Date Published: Jan 13 2004
Relevant URL: http://www.securityfocus.com/bid/9409
Summary:
Microsoft Exchange Server 2003 is an e-mail and directory server offered
by Microsoft. Outlook Web Access (OWA) is a service provided by Exchange
server that allows users to access their Exchange mailbox via the web.
A vulnerability exists that could allow an authenticated OWA user to
connect to another OWA user's mailbox. Only mailboxes recently accessed
through OWA on the same Exchange server could be accessed in this way. An
attacker could not choose which mailbox to connect to; the connection
would be random.
The vulnerability only exists when the back-end Exchange server hosting
the OWA mailboxes is configured not to use Kerberos authentication with
the front-end Exchange server running on the IIS server. In this case,
authentication would fall back to NTLM authentication. The only method
for exposing the vulnerability in this way without intervention by an
administrator would be through the weakness described in BID 9118.
When these circumstances occur, the front-end Exchange server will
periodically attempt to authenticate with the back-end server using
Kerberos authentication. On these requests, IIS 6 will ignore the
Kerberos authentication and allow access to the open connections that were
already authenticated with NTLM.
Successful exploitation of this vulnerability could allow a remote
attacker to access sensitive information in another user's mailbox or send
email as that user.
10. Real Networks Helix Server/Gateway Administration Service HT...
BugTraq ID: 9421
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9421
Summary:
Helix Universal Server is a media delivery server distributed and
maintained by Real Networks. It is available for the Unix, Linux, and
Microsoft Windows platforms.
A problem has been identified in the handling of HTTP POST requests by the
administrative service in Real Networks Helix Universal Server. Because
of this, a remote attacker may deny service to legitimate users of the
server on an affected host.
This issue requires the attacker to have legitimate administrative service
login credentials to exploit. The root of the problem appears to be an
issue in the adminfs.so library, available on Microsoft Windows as
admi3260.dll. An attacker may send a maliciously crafted HTTP POST
request to the service, and upon the service receiving the request, it
crashes. This is likely due to an input-handling bug in the adminfs.so
library; however, this has not been confirmed.
The server requires a manual restart to resume normal operation. In
addition to the Helix Universal Server, this problem is known to affect
the Helix Universal Gateway, Helix Universal Mobile Server, and Helix
Universal Mobile Gateway.
11. TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Over...
BugTraq ID: 9423
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9423
Summary:
tcpdump is a freely available open source network monitoring tool. It is
available for the Unix, Linux, and Microsoft Windows operating systems.
Multiple buffer overflow vulnerabilities have been reported to exist in
tcpdump that may allow a remote attacker to gain unauthorized access to a
system running the vulnerable software. The conditions are present due to
insufficient boundary checking.
The conditions are reported to exist in the ISAKMP decoding routines of
tcpdump. It has been reported that a remote attacker may be able to cause
a buffer overrun condition by sending specially crafted packets to a
vulnerable system. Immediate consequences of a successful attack may
cause a denial of service condition in the software; however, it has been
reported that an attacker may be able to execute arbitrary code on a
vulnerable system as the 'pcap' user.
An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of these issues may allow an attacker to execute arbitrary
code as the 'pcap' user in order to gain unauthorized access.
Some of the issues are reported to affect tcpdump versions prior to 3.8.1
and others reportedly affect all versions up to and including tcpdump
3.8.1.
This vulnerability record will be divided into multiple Bugtraq IDs when
analysis of the individual issues is complete. Some of these issues may
already be known. Where it is appropriate, existing Bugtraq IDs will also
be updated to reflect the information in the advisory.
12. LionMax Software WWW File Share Pro Multiple Remote Vulnerab...
BugTraq ID: 9425
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9425
Summary:
LionMax Software WWW File Share Pro is an HTTP server that runs on
Microsoft Windows platforms.
WWW File Share Pro has been reported prone to multiple remote
vulnerabilities.
The first reported issue is that a remote attacker may employ the "upload"
functionality of the vulnerable software to overwrite arbitrary files that
are writable by the WWW File Share Pro process. An attacker may exploit
this vulnerability by including "../" directory traversal sequences in the
filename of the uploaded file.
The second reported issue may allow a remote user to deny service to the
affected software. It has been reported that if WWW File Share Pro handles
a POST request that contains excessive data it will consume system
resources and leave the affected system unresponsive. The POST request
must consist of a large Content-Length HTTP header value, and may contain
POST data that exceeds 2 megabytes.
The final issue that has been reported regards the access control routines
used to control access to directories that are protected by WWW File Share
Pro. It has been reported that a remote attacker may invoke a specially
crafted HTTP request for the target protected resource and in doing so may
bypass access controls. The malicious URI must include a period character
appended to the target folder name. Alternatively the URI may contain one
or more slash or backslash characters prepended to the target folder name.
13. FishNet FishCart Rounding Function Integer Wrapping Vulnerab...
BugTraq ID: 9426
Remote: Yes
Date Published: Jan 14 2004
Relevant URL: http://www.securityfocus.com/bid/9426
Summary:
FishCart is a commercially available, open source shopping cart software
package. It is available for the Unix, Linux, and Microsoft platforms.
A problem in the handling of rounding has been discovered in FishNet
FishCart. Because of this, attackers entering numbers of excessive size
may be able to produce unexpected results in a vulnerable implementation.
The problem is in the rnd() function. By passing numbers of one billion
or more to fields in the software that pass the value to the rnd()
function, it is possible to force the value to wrap to a negative value.
An attacker could exploit this issue to interrupt business operations, and
potentially create security issues.
14. Vicomsoft RapidCache Server Host Argument Denial of Service ...
BugTraq ID: 9427
Remote: Yes
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9427
Summary:
Vicomsoft RapidCache is a web caching server that runs on Microsoft
Windows and Apple MacOS platforms.
A remote denial of service vulnerability has been reported to exist in the
software that may allow an attacker to cause the server to crash.
The issue presents itself when an attacker sends an excessively large
string value to the server via the 'Host' argument through an HTTP GET
request. Immediate consequences of an attack may result in a denial of
service condition, effectively denying service to legitimate users.
Although unlikely, there is a possibility that this issue may allow an
attacker to execute arbitrary code with the privileges of the server
process in order to gain unauthorized access.
RapidCache versions 2.2.6 and prior have been reported to be prone to this
issue.
15. Vicomsoft RapidCache Server Directory Traversal Vulnerabilit...
BugTraq ID: 9428
Remote: Yes
Date Published: Jan 15 2004
Relevant URL: http://www.securityfocus.com/bid/9428
Summary:
Vicomsoft RapidCache is a web-caching server that runs on Microsoft
Windows and Apple MacOS platforms.
A vulnerability has been reported to exist in RapidCache that may allow a
remote attacker to access information outside the server root directory.
The problem exists due to insufficient sanitization of user-supplied data.
The issue may allow a remote attacker to traverse outside the server root
directory by using '../' character sequences.
Successful exploitation of this vulnerability may allow a remote attacker
to gain access to sensitive web server readable information that may be
used to launch further attacks against a vulnerable system.
RapidCache versions 2.2.6 and prior have been reported to be prone to this
issue.
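The traversal and access-control issues in entries 12 (WWW File Share Pro) and 15 (RapidCache) share one root cause: a path is checked in one form and opened in another. The Python sketch below is an added example, not code from either vendor or from the advisories; the function names, the protected-folder list and the 2 MB body limit are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform
from urllib.parse import unquote

MAX_BODY_BYTES = 2 * 1024 * 1024  # assumed limit for this example


def canonical_segments(url_path):
    """Return the path segments as the Windows filesystem would resolve them."""
    segments = []
    # Decode once, then treat "\" exactly like "/" because Win32 does.
    for raw in unquote(url_path).replace("\\", "/").split("/"):
        if raw in ("", "."):
            continue  # leading or repeated separators add nothing
        if raw == "..":
            raise ValueError("parent-directory segment in path")
        name = raw.rstrip(". ")  # Win32 drops trailing dots and spaces
        if not name:
            raise ValueError("segment made only of dots or spaces")
        if ":" in name:
            raise ValueError("drive letter or stream name in path")
        segments.append(name.lower())  # lookups ignore case by default
    return segments


def is_protected(url_path, protected_dirs):
    """True when the canonical path falls under any protected folder."""
    segments = canonical_segments(url_path)
    for folder in protected_dirs:
        prefix = canonical_segments(folder)
        if segments[:len(prefix)] == prefix:
            return True
    return False


def resolve_under_root(root, url_path):
    """Map a request path to a file path that cannot leave root."""
    return ntpath.join(root, *canonical_segments(url_path))


def safe_upload_path(upload_root, client_filename):
    """Keep only the final component of a client-supplied upload name."""
    name = ntpath.basename(client_filename).rstrip(". ")
    if not name or ":" in name:
        raise ValueError("unusable upload filename")
    target = ntpath.normpath(ntpath.join(upload_root, name))
    root = ntpath.normcase(ntpath.normpath(upload_root)) + "\\"
    # Defence in depth: confirm the final path is still inside the root.
    if not ntpath.normcase(target).startswith(root):
        raise ValueError("upload path escapes the upload directory")
    return target


def check_content_length(header_value, limit=MAX_BODY_BYTES):
    """Parse Content-Length and refuse bodies larger than limit."""
    value = header_value.strip()
    if not (value.isascii() and value.isdigit()):
        raise ValueError("Content-Length is not a plain decimal number")
    length = int(value)
    if length > limit:
        raise ValueError("request body too large")
    return length
```

The access-control decision and the file open both go through `canonical_segments`, so a trailing period or extra leading slashes can no longer make the two disagree.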
16. Rit Research Labs The Bat! PGP Message Memory Writing Vulner...
BugTraq ID: 9433
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9433
Summary:
The Bat! is a commercially-available mail user agent, distributed and
maintained by Rit Research Labs. It is available for the Microsoft Windows
platform.
It has been reported that there is an issue with the way The Bat! handles
certain malformed PGP signed messages. PGP support is configured by
default.
The issue exists when The Bat! processes email messages containing PGP
signatures with multiple recursively included parts. Specially
constructed malformed signatures could allow The Bat! to read and write to
unallocated regions of memory. This could potentially allow for execution
of arbitrary attacker-supplied code.
It is important to note that since The Bat! contains its own exception
handler, the application will not crash when processing messages
containing these malformed PGP signatures.
This issue was reported to affect The Bat! 2.01. The vendor has reported
that the issue could not be reproduced on The Bat! 2.03 beta and that 2.02
CE is probably not vulnerable. The Bat! versions 1.x are not vulnerable
to this issue.
17. XtremeASP PhotoGallery Adminlogin.ASP SQL Injection Vulnerab...
BugTraq ID: 9438
Remote: Yes
Date Published: Jan 16 2004
Relevant URL: http://www.securityfocus.com/bid/9438
Summary:
XtremeASP PhotoGallery is a web-based picture gallery script. It is
implemented in ASP and available for Microsoft Windows platforms.
XtremeASP PhotoGallery uses a MySQL database as its back end.
XtremeASP PhotoGallery is prone to an SQL injection vulnerability. The
issue is reported to exist in 'adminlogin.asp', which does not
sufficiently sanitize user-supplied username and password values
before including them in SQL queries. This could permit remote attackers to
pass malicious input to database queries, resulting in modification of
query logic or other attacks.
Successful exploitation could result in compromise of the photo gallery,
disclosure or modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. About MS-Networking security. (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/350278
2. Encrypt data - SQL Server 2000 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/350216
3. USB - Devices (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/350036
4. MDAC security patch problem? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349982
5. Disable NTLM on W2k (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349815
6. SMTP Service in private DMZ OK? (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349811
7. Betr.: Active Directory Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349769
8. Active Directory Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349767
9. SecurityFocus Microsoft Newsletter #171 (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349746
10. application whitelisting (was Active Directory Ques... (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349706
11. [work] RE: Active Directory Question (Thread)
Relevant URL:
http://www.securityfocus.com/archive/88/349599
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. AccessMaster
By: Evidian Inc.
Platforms: IRIX, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.evidian.com/accessmaster/about/index.htm
Summary:
Extending onto a networked world means embracing the unknown. Piracy,
vandalism, industrial espionage: attacks on companies are doubling
each year. With uniquely integrated security software, AccessMaster
manages and safeguards access to your data, end-to-end, from portals to
legacy, and lets you enforce a single, unified security policy across the
enterprise and beyond.
AccessMaster ensures a high security level by federating your existing
security solutions, while ensuring at the same time users' convenience
with Single Sign-On and security officers' ease of administration with
centralized, LDAP-compliant user and PKI management. In this way,
AccessMaster reduces IT security cost of ownership, with rapid return on
investment.
AccessMaster is recognized by analysts as a leading security suite for
large enterprises today. It was awarded "best access control" software by
Secure Computing Magazine three years running, in 2000, 2001, and 2002.
2. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:
Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.
This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.
3. SecurDataStor
By: encryptX Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.encryptx.com/products/securdatastor.asp
Summary:
The SecurDataStor product line is designed to provide a comprehensive
software security solution that manages and controls access to sensitive
information that you need to share internally and externally.
SecurDataStor is available in three versions: Basic, Premium, and
Platinum. Depending on the level of security that you need, you can choose
the SecurDataStor product that suits your needs.
With its end-to-end protection of sensitive business information,
SecurDataStor products protect sensitive information when used by the
originator, stored locally on a hard drive or file server, and when
shared. Users can safely share sensitive information across different
Microsoft Windows operating systems, over different network and firewall
technologies, and across different forms of removable media.
4. Proactive Windows Security Explorer
By: Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.elcomsoft.com/pwsex.html#
Summary:
Proactive Windows Security Explorer (PWSEX) is a password security test
tool that's designed to allow Windows NT, Windows 2000, and Windows
XP-based systems administrators to identify and close security holes in
their networks. Proactive Windows Security Explorer helps secure networks
by executing an audit of account passwords, and exposing insecure account
passwords. If it is possible to recover the password within a reasonable
time, the password is considered insecure.
An administrator can also use it to recover any lost password and access a
user's Windows account. Proactive Windows Security Explorer works by
analyzing user password hashes and recovering plain-text passwords.
5. Outpost Personal Firewall Pro 2.0
By: Agnitum
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.outpost.uk.com
Summary:
New Outpost Personal Firewall Pro 2.0 outdistances the award-winning
Outpost Personal Firewall Pro 1.0 on multiple levels, from enhanced
privacy features to ease-of-use. As the foremost security application for
personal computers, Outpost Personal Firewall Pro 2.0 gives you the latest
in personal firewall technology, making version 2.0 the clear security
choice for your system.
6. Dekart Logon
By:
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.dekart.com/products/authentication_access/logon/
Summary:
Dekart Logon is a solution designed to provide an additional level of
security for the Microsoft Windows operating system. Access to the Windows
environment can only be gained after inserting a USB key or smart card
into the appropriate slot and by entering the correct PIN code.
Dekart Logon offers a number of security options: you can select to have
Windows access blocked once the key is removed, during a screen saver
timeout or other user assigned prompts. This flexibility automatically
reduces the possibility of human error by maintaining predefined security
levels even if the user leaves their PC unattended.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. OSIRIS v3.0.0
By: The Shmoo Group
Relevant URL: http://osiris.shmoo.com
Platforms: BSDI, FreeBSD, Linux, MacOS, OpenBSD, UNIX, Windows 2000,
Windows NT, Windows XP
Summary:
Osiris is a host integrity management system that can be used to monitor
changes to a network of hosts over time and report those changes back to
the administrator(s). Currently, this includes monitoring any changes to
the filesystems. Osiris takes periodic snapshots of the filesystem and
stores them in a database. These databases, as well as the
configurations and logs, are all stored on a central management host.
When changes are detected, Osiris will log these events to the system
log and optionally send email to an administrator. In addition to files,
Osiris has preliminary support for the monitoring of other system
information including user lists, file system details, kernel modules,
and network interface configurations (not included in this beta
release).
2. mrtg v2.10.13
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:
The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.
3. Enigmail v0.83.0
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:
Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.
4. MyPasswordSafe v1.1
By: Nolan
Relevant URL: http://www.semanticgap.com/myps/
Platforms: Linux, Os Independent, POSIX, UNIX, Windows 2000, Windows
95/98, Windows NT, Windows XP
Summary:
MyPasswordSafe is a straightforward, easy-to-use password manager that
uses the Blowfish algorithm to store encrypted passwords. It uses the same
file format as Password Safe.
5. WinRelay v2.0
By: Arne Vidstrom <arne.vidstrom (at) ntsecurity (dot) nu>
Relevant URL: http://www.ntsecurity.nu/toolbox/winrelay/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:
WinRelay is a TCP/UDP forwarder/redirector. You can choose the port and IP
it will listen on, the source port and IP that it will connect from, and
the port and IP that it will connect to.
6. EtherChange v1.0
By: Arne Vidstrom
Relevant URL: http://www.ntsecurity.nu/toolbox/etherchange/
Platforms: Windows 2000, Windows XP
Summary:
EtherChange can change the Ethernet address of the network adapters in
Windows 2000 / XP.
VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe (at) securityfocus (dot) com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.
If your email address has changed, email listadmin (at) securityfocus (dot) com and
ask to be manually removed.
------------------------------------------------------------------------