Focus on Microsoft
SecurityFocus Microsoft Newsletter #255 Sep 07 2005 08:23PM
Marc Fossi (mfossi securityfocus com)
SecurityFocus Microsoft Newsletter #255
----------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------
I. FRONT AND CENTER
1. Exploiting Cisco with FX
2. A changing landscape
3. A new way to bypass Windows heap protections
II. MICROSOFT VULNERABILITY SUMMARY
1. FUDforum Avatar Upload Arbitrary Script Upload Vulnerability
2. Novell Netware CIFS.NLM Denial of Service Vulnerability
3. DameWare Mini Remote Control Server Pre-Authentication Username Buffer
Overflow Vulnerability
4. Symantec LiveUpdate Client Local Information Disclosure Vulnerability
5. 3Com Network Supervisor Directory Traversal Vulnerability
6. Novell NetMail Remote IMAP Heap Buffer Overflow Vulnerability
7. WhitSoft Development SlimFTPd Remote Denial of Service Vulnerability
8. OpenSSH DynamicForward Inadvertent GatewayPorts Activation
Vulnerability
9. OpenSSH GSSAPI Credential Disclosure Vulnerability
10. FileZilla FTP Client Hard-Coded Cipher Key Vulnerability
11. Rediff Bol Instant Messenger ActiveX Control Information Disclosure
Vulnerability
12. Microsoft Windows Keyboard Event Privilege Escalation Weakness
13. Microsoft Internet Explorer Unspecified Remote Code Execution
Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
IV. UNSUBSCRIBE INSTRUCTIONS
V. SPONSOR INFORMATION

I. FRONT AND CENTER
---------------------
1. Exploiting Cisco with FX
By Federico Biancuzzi
This interview with FX discusses Cisco IOS exploitation, Michael Lynn's work,
and what FX believes can be done when hacking IOS.
http://www.securityfocus.com/columnists/351

2. A changing landscape
By Rohyt Belani
In 2004, I came across an empirical study published by the CERT/CC that
indicated a diminishing correlation between the number of vendor-issued
vulnerabilities and the number of reported security incidents.
http://www.securityfocus.com/columnists/352

3. A new way to bypass Windows heap protections
By Nicolas Falliere
Windows heap overflows have become increasingly popular over the last couple of
years.
http://www.securityfocus.com/infocus/1846

II. MICROSOFT VULNERABILITY SUMMARY
------------------------------------
1. FUDforum Avatar Upload Arbitrary Script Upload Vulnerability
BugTraq ID: 14678
Remote: Yes
Date Published: 2005-08-29
Relevant URL: http://www.securityfocus.com/bid/14678
Summary:
FUDforum is prone to a remote arbitrary PHP file upload vulnerability.

An attacker can merge an image file with a script file and upload it to an
affected server.

This issue can facilitate unauthorized remote access.

FUDforum versions prior to 2.7.1 are reported to be affected. Currently
Symantec cannot confirm if version 2.7.1 is affected as well.

2. Novell Netware CIFS.NLM Denial of Service Vulnerability
BugTraq ID: 14701
Remote: Yes
Date Published: 2005-08-31
Relevant URL: http://www.securityfocus.com/bid/14701
Summary:
Netware CIFS.NLM is reportedly prone to a remote denial of service
vulnerability.

Reportedly, the W32.Randex.CCC worm can trigger this issue resulting in a
denial of service condition due to an ABEND.

NetWare 5.1, 6.0, 6.5 SP2 and 6.5 SP3 are vulnerable to this issue.

3. DameWare Mini Remote Control Server Pre-Authentication Username Buffer
Overflow Vulnerability
BugTraq ID: 14707
Remote: Yes
Date Published: 2005-08-31
Relevant URL: http://www.securityfocus.com/bid/14707
Summary:
DameWare Mini Remote Control Server is affected by a remote buffer overflow
vulnerability. This issue presents itself because the application fails to
perform boundary checks prior to copying user-supplied data into sensitive
process buffers.

Remote attackers may execute arbitrary machine code in the context of the
affected server process, facilitating system compromise.

This issue is similar to the one described in BID 9213 (DameWare Mini Remote
Control Server Pre-Authentication Buffer Overflow Vulnerability). This issue
may be related, or possibly a regression in the affected application.

4. Symantec LiveUpdate Client Local Information Disclosure Vulnerability
BugTraq ID: 14708
Remote: No
Date Published: 2005-08-31
Relevant URL: http://www.securityfocus.com/bid/14708
Summary:
Symantec LiveUpdate Client is susceptible to a local information disclosure
vulnerability.

Sensitive information such as the server name, IP address, subnet, subnet mask,
connection protocol, and the username and password used to access the LiveUpdate
server is logged to a plain text file.

A local attacker can subsequently access the file and disclose authentication
credentials to access the server. This may lead to various attacks including
the potential compromise of the server.

5. 3Com Network Supervisor Directory Traversal Vulnerability
BugTraq ID: 14715
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14715
Summary:
Network Supervisor is prone to a directory traversal vulnerability.

The application fails to properly sanitize input supplied through HTTP GET
requests.

Exploitation of this vulnerability could lead to a loss of confidentiality as
arbitrary files are disclosed to an attacker. It should be noted that all
files on the affected drive can be disclosed by a successful attack.

6. Novell NetMail Remote IMAP Heap Buffer Overflow Vulnerability
BugTraq ID: 14718
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14718
Summary:
Novell NetMail is susceptible to a buffer overflow vulnerability in the IMAP
command continuation function in the IMAP agent. This issue is due to a lack of
proper boundary checks when copying user-supplied data to insufficiently-sized
memory buffers.

This vulnerability allows remote attackers to execute arbitrary machine code in
the context of the affected server process.

This issue was originally documented in BID 13926 (Novell NetMail Multiple
Remote Vulnerabilities).

7. WhitSoft Development SlimFTPd Remote Denial of Service Vulnerability
BugTraq ID: 14723
Remote: Yes
Date Published: 2005-09-02
Relevant URL: http://www.securityfocus.com/bid/14723
Summary:
SlimFTPd is prone to a remote denial of service vulnerability. This issue is
due to a failure in the application to handle exceptional conditions.

The problem presents itself during login. The application fails to handle
malicious input in a proper manner resulting in a crash of the server, thus
denying service to legitimate users.

8. OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
BugTraq ID: 14727
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14727
Summary:
OpenSSH is susceptible to a vulnerability that causes improper activation of
the 'GatewayPorts' option, allowing unintended hosts to utilize the SSH SOCKS
proxy.

Specifically, if the 'DynamicForward' option is activated, 'GatewayPorts' is
also unconditionally enabled.

This vulnerability allows remote attackers to utilize the SOCKS proxy to make
arbitrary TCP connections through the configured SSH session, allowing them to
attack computers and services through a connection that was inappropriately
thought to be secure.

This issue affects OpenSSH 4.0 and 4.1.

9. OpenSSH GSSAPI Credential Disclosure Vulnerability
BugTraq ID: 14729
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14729
Summary:
OpenSSH is susceptible to a GSSAPI credential delegation vulnerability.

Specifically, if a user has GSSAPI authentication configured, and
'GSSAPIDelegateCredentials' is enabled, their Kerberos credentials will be
forwarded to remote hosts. This occurs even when the user uses authentication
methods other than GSSAPI to connect, which is not what is usually expected.

This vulnerability allows remote attackers to improperly gain access to GSSAPI
credentials, allowing them to utilize the credentials to access resources
granted to the original principal.

This issue affects versions of OpenSSH prior to 4.2.
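The two OpenSSH entries above (BID 14727 and BID 14729) are both client-side
configuration issues, so a defender can audit ssh_config for them. The script
below is an added example written for this newsletter, not SecurityFocus or
OpenSSH code; the sample config and the simplified precedence rule (a Host block
overrides the top-level defaults) are assumptions.

```python
"""Audit an OpenSSH client config for BID 14727 (DynamicForward forcing
GatewayPorts on in 4.0/4.1) and BID 14729 (GSSAPIDelegateCredentials
forwarding Kerberos credentials regardless of auth method, before 4.2)."""
import re

# Constructed sample ssh_config: 'bastion' inherits credential delegation
# from the defaults and opens a SOCKS listener; 'safe' opts out of both.
SAMPLE_CONFIG = """
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Host bastion
    DynamicForward 1080

Host safe
    DynamicForward 127.0.0.1:1080
    GatewayPorts no
    GSSAPIDelegateCredentials no
"""

def parse_ssh_config(text):
    """Return {host: {keyword_lower: value}}; '*' holds top-level defaults."""
    sections = {"*": {}}
    current = sections["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            current = sections.setdefault(value, {})
        else:
            current[key] = value
    return sections

def audit(text, version):
    """Return sorted 'host: finding' strings for an OpenSSH version tuple."""
    cfg = parse_ssh_config(text)
    findings = []
    for host, opts in cfg.items():
        if host == "*":
            continue
        eff = lambda k: opts.get(k, cfg["*"].get(k))   # host value, else default
        if eff("dynamicforward") is not None:
            if (4, 0) <= version <= (4, 1):
                # BID 14727: GatewayPorts is forced on, so the SOCKS listener
                # is reachable from other hosts whatever the config says.
                findings.append(f"{host}: SOCKS proxy exposed (upgrade to 4.2)")
            elif (eff("gatewayports") or "no").lower() == "yes":
                findings.append(f"{host}: GatewayPorts yes with DynamicForward")
        if version < (4, 2) and (eff("gssapidelegatecredentials") or "no").lower() == "yes":
            # BID 14729: credentials are delegated even for non-GSSAPI logins.
            findings.append(f"{host}: GSSAPIDelegateCredentials yes (upgrade to 4.2 or set no)")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, (4, 1)):
        print(finding)
```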

10. FileZilla FTP Client Hard-Coded Cipher Key Vulnerability
BugTraq ID: 14730
Remote: No
Date Published: 2005-09-02
Relevant URL: http://www.securityfocus.com/bid/14730
Summary:
FileZilla FTP client may allow local attackers to obtain user passwords and
access remote servers.

The application uses a hard-coded cipher key to decrypt the password, which is
stored in an XML file or the Windows Registry.

This can allow the attacker to gain access to an FTP server with the privileges
of the victim.

11. Rediff Bol Instant Messenger ActiveX Control Information Disclosure
Vulnerability
BugTraq ID: 14740
Remote: Yes
Date Published: 2005-09-05
Relevant URL: http://www.securityfocus.com/bid/14740
Summary:
Rediff Bol Instant Messenger is prone to an information disclosure
vulnerability. A malicious ActiveX control could allow an attacker to obtain
the contents of a vulnerable user's Windows Address Book.

12. Microsoft Windows Keyboard Event Privilege Escalation Weakness
BugTraq ID: 14743
Remote: No
Date Published: 2005-09-05
Relevant URL: http://www.securityfocus.com/bid/14743
Summary:
Microsoft Windows is prone to a privilege escalation weakness. This issue is
due to a design error when desktop applications handle keyboard events sent
through the keybd_event() function. The specific issue is that programs may
send keyboard events to higher privileged desktop applications.

This poses a local security risk as malicious keyboard events may be sent to a
desktop application such as 'explorer.exe' that is running as a higher
privileged user. These keyboard events will be interpreted in the context of
the target user. This issue could likely be abused after exploitation of a
latent remote code execution vulnerability in a service to elevate privileges.
In this scenario, a user with higher privileges than the service must be logged
into the desktop.

13. Microsoft Internet Explorer Unspecified Remote Code Execution Vulnerability
BugTraq ID: 14755
Remote: Yes
Date Published: 2005-09-01
Relevant URL: http://www.securityfocus.com/bid/14755
Summary:
Microsoft Internet Explorer is affected by an unspecified remote vulnerability.

This vulnerability allows a remote attacker to execute arbitrary code and
potentially gain unauthorized access in the context of the user running the
browser.

This issue also affects Microsoft Outlook and Microsoft Outlook Express.

Due to a lack of information, further details cannot be described at the
moment. This BID will be updated when more information becomes available.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
IV. UNSUBSCRIBE INSTRUCTIONS
-----------------------------
To unsubscribe send an e-mail message to ms-secnews-unsubscribe@securityfocus.com
from the subscribed address. The contents of the subject or message body do not
matter. You will receive a confirmation request message to which you will have
to answer. Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.

If your email address has changed, email listadmin@securityfocus.com and ask to
be manually removed.

V. SPONSOR INFORMATION
------------------------
Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130
