
List:       focus-ms
Subject:    SecurityFocus Microsoft Newsletter #134
From:       Marc Fossi <mfossi () securityfocus ! com>
Date:       2003-04-21 18:35:06

SecurityFocus Microsoft Newsletter #134
---------------------------------------

This Issue is Sponsored By: SpiDynamics

ALERT: How a Hacker Launches a SQL Injection Attack - Step-by-Step!
It's as simple as placing additional SQL commands into an input box on a
web form giving hackers complete access to all your backend data! Firewalls
and IDS will not stop SQL Injection attempts because they are NOT seen as
intrusions.

Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!

http://www.securityfocus.com/SPIDynamics-ms-secnews
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Statistical-Based Intrusion Detection
     2. On Cures That Are Worse than the Disease
     3. SecurityFocus DPP Program
II. MICROSOFT VULNERABILITY SUMMARY
     1. Mozilla Browser Cross Domain Violation Vulnerability
     2. Novell Groupwise Mail Transport Agent Unspecified Denial Of...
     3. Snort TCP Packet Reassembly Integer Overflow Vulnerability
     4. Microsoft Windows Active Directory Policy Bypass Vulnerability
     5. EZ Publish Multiple Path Disclosure Vulnerabilities
     6. Microsoft Windows EngTextOut Non-ASCII Character Denial Of...
     7. EZ Publish site.ini Information Disclosure Vulnerability
     8. Microsoft Windows 2000/XP Registry Editor Custom Permissions...
     9. SmartMax MailMax Password Field Buffer Overflow Denial Of...
     10. SmartMax MailMax Undisclosed Buffer Overflow Vulnerability
     11. ActivCard Gold Cached Static Password Vulnerability
     12. Novell GroupWise WebAccess Information Disclosure Vulnerability
     13. BitchX Trojan Horse Vulnerability
     14. FipsGuestbook New_Entry.ASP HTML Injection Vulnerability
     15. EZ Publish Multiple Cross Site Scripting Vulnerabilities
     16. Progress Database BINPATHX Environment Variable Buffer...
     17. Python Documentation Server Error Page Cross-Site Scripting...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Does In-Place Upgrade of Microsoft Exchange Create Open...
     2. interoperability of VPN checkpoint FW1 to ISA (Thread)
     3. Does In-Place Upgrade of Microsoft Exchange Create Open...
     4. user level access problems: from CD (Thread)
     5. Updating Non-Internet Connected Windows Hosts (Thread)
     6. SecurityFocus Microsoft Newsletter #133 (Thread)
     7. How to generate a report of inactive domain user accounts (Thread)
     8. checking server status (Thread)
     9. Central software update (Thread)
     10. Network Load balancing software (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. Advanced EFS Data Recovery
     2. FloodGuard
     3. Sourcefire Intrusion Management System
V.  NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Iptables made easy v1.0
     2. Crypt Blowfish v0.4.5
     3. Paranoia OTP Generator v1.0
VI. SPONSOR INFORMATION



I. FRONT AND CENTER
-------------------
1. Statistical-Based Intrusion Detection
By Jamil Farshchi

This article will examine statistical-based intrusion detection systems,
which alert on anomalous network behaviour, thus providing better
monitoring for zero-day exploits than traditional IDS.

http://www.securityfocus.com/infocus/1686

2. On Cures That Are Worse than the Disease
By George Smith

In which your columnist ponders the question, which is worst for the
Internet: computer viruses, spam that advertises anti-virus products, or
clueless anti-spam solutions.

http://www.securityfocus.com/columnists/155

3. SecurityFocus DPP Program

Attention Universities!! Sign-up now for preferred pricing on the only
global early-warning system for cyber attacks - SecurityFocus DeepSight
Threat Management System.

Click here for more information:
http://www.securityfocus.com/corporate/products/dpsection.shtml


II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Mozilla Browser Cross Domain Violation Vulnerability
BugTraq ID: 7363
Remote: Yes
Date Published: Apr 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7363
Summary:

Mozilla is an open source web browser available for a number of platforms,
including Microsoft Windows and Linux.

A problem has been reported in Mozilla that could allow access to
information in other browser windows. The vulnerability exists because
Mozilla does not properly sanitize links when transferring documents from
one domain to another. Specifically, malicious HTML code is not sanitized
from the 'onclick' property.

Upon the execution of code through the 'onclick' property, a violation in
browser security zone policy would occur that allows the original web site
to view the contents of web pages in other browser windows.

This problem would require a user visiting a web page that has been
designed to present malicious dialog boxes. This type of attack would most
commonly occur through social engineering.

Other browsers based on the Mozilla codebase are vulnerable to this issue.

2. Novell Groupwise Mail Transport Agent Unspecified Denial Of Service Vulnerability
BugTraq ID: 7364
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7364
Summary:

Novell GroupWise is an email, calendaring and collaborative application
available from Novell. It is designed for use on Novell Netware platforms,
and includes a web access component for use through a web browser. The
GroupWise client application runs on Microsoft Windows platforms.

An unspecified vulnerability has been reported for the GroupWise MTA (Mail
Transport Agent). The vulnerability exists due to the inclusion of a
vulnerable version of OpenSSL.

Further details of this vulnerability are currently unknown. However, as
further information becomes available this BID will be updated
accordingly.

This vulnerability may be related to the issues described in BIDs 7101 or
7148.

3. Snort TCP Packet Reassembly Integer Overflow Vulnerability
BugTraq ID: 7178
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7178
Summary:

Snort is a freely available, open source intrusion detection system. It is
available for Unix, Linux, and Microsoft Windows platforms.

The stream4 preprocessor is designed to reassemble fragmented TCP packets
before passing them to Snort for analysis. It is also designed to detect
various IDS evasion attacks.

A vulnerability has been discovered in the stream4 preprocessor which may
allow an attacker to execute arbitrary code with the privileges of Snort.

The problem occurs in the Traversefunc() function, located in the
spp_stream4.c source file, while carrying out various sanity checks.
Specifically, an integer overflow may occur while making a bounds check,
which could result in a potential heap overflow going undetected.

The integer overflow can be triggered by passing fragmented TCP packets
across a network monitored by Snort which contain specially calculated
sequence and acknowledgement values. The sequence numbers must be a large
enough value so that, when added to the packet size, a 32 bit calculation
integer will overflow. When these values are later calculated during a
check for potential memory corruption, the integer overflow will trigger a
miscalculation where an exception would typically be triggered.

When memcpy() is later called to copy the data to a heap buffer, the
previously undetected overflow will occur. This may allow an attacker to
corrupt heap memory.

Successful exploitation of this issue may allow an attacker to overwrite
sensitive heap memory with malicious values. By overwriting a function
pointer or corrupting memory management headers, it may be possible to
leverage this vulnerability to execute arbitrary code.

This issue affects Snort releases prior to Snort 2.0 RC1.
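The bounds-check failure described above, as an added illustration written for this newsletter (it is not Snort's code): a constructed reassembly buffer with a 32-bit base sequence number, an overflow-prone check that forms seq + len and lets a wrapped sum pass, and a hardened check that compares the segment length against the remaining space without ever forming a sum that can wrap. BUF_SIZE, fits_unsafe, fits_safe, insert_segment and demo_rb are names assumed here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a reassembly buffer: BUF_SIZE bytes of heap-style
 * storage whose first byte carries sequence number base_seq.
 * Illustration only; not taken from spp_stream4.c. */
#define BUF_SIZE 4096u

struct reasm_buf {
    uint32_t base_seq;       /* sequence number of buf[0] */
    uint8_t  buf[BUF_SIZE];
};

/* Constructed demo instance and sample segment used by main() below. */
struct reasm_buf demo_rb = { .base_seq = 1000 };
const uint8_t sample_seg[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Overflow-prone check: seq + len is computed in 32-bit arithmetic. When
 * the sum wraps past 2^32 the computed "end" looks small, so the check
 * accepts a segment that would actually run far past the buffer. */
bool fits_unsafe(uint32_t base_seq, uint32_t seq, uint32_t len)
{
    uint32_t end = seq + len;                   /* may wrap */
    return seq >= base_seq && end <= base_seq + BUF_SIZE;
}

/* Hardened check: never forms a sum that can wrap. First compute where the
 * segment starts inside the buffer (modular distance, so a seq below
 * base_seq wraps to a huge offset and is rejected), then compare len with
 * the space that remains. Both operands are bounded by BUF_SIZE. */
bool fits_safe(uint32_t base_seq, uint32_t seq, uint32_t len)
{
    uint32_t offset = seq - base_seq;
    if (offset >= BUF_SIZE)
        return false;                           /* starts outside buffer */
    return len <= BUF_SIZE - offset;            /* fits in remaining space */
}

/* Copies a segment only if the hardened check admits it.
 * Returns the number of bytes copied (0 when rejected). */
uint32_t insert_segment(struct reasm_buf *rb, uint32_t seq,
                        const uint8_t *data, uint32_t len)
{
    if (!fits_safe(rb->base_seq, seq, len))
        return 0;
    memcpy(rb->buf + (seq - rb->base_seq), data, len);
    return len;
}

int main(void)
{
    /* A sequence number near 2^32 makes seq + len wrap to a small value. */
    uint32_t wrap_seq = 0xFFFFFF00u, wrap_len = 0x200u;
    printf("unsafe check accepts wrapped segment: %d\n",
           fits_unsafe(demo_rb.base_seq, wrap_seq, wrap_len));   /* 1 */
    printf("safe check accepts wrapped segment:   %d\n",
           fits_safe(demo_rb.base_seq, wrap_seq, wrap_len));     /* 0 */
    printf("bytes copied for in-range segment:    %u\n",
           insert_segment(&demo_rb, 2000, sample_seg, 4));       /* 4 */
    return 0;
}
```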

4. Microsoft Windows Active Directory Policy Bypass Vulnerability
BugTraq ID: 7330
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7330
Summary:

A vulnerability has been reported for Microsoft Active Directory (AD)
Domain Controllers (DC) that may allow for the modification of sensitive
data.

The vulnerability is related to the way DCs handle the task of managing
the Schema and Configuration partitions. Typically, an action performed on
any DC is replicated to other DCs. However, the AD Schema and
Configuration management is relegated to a single DC to be administered by
certain user accounts.

Exploitation of this vulnerability will result in attackers being able to
manipulate the Schema and Configuration partitions on other DCs. This has
the potential to cause serious network problems for an existing Windows
domain.

The Schema and Configuration partitions exist on child DCs as read-only
data. Malicious administrators of child DCs, by taking advantage of weak
permissions, are able to run certain services under the SYSTEM context and
so manipulate the contents of these partitions.

5. EZ Publish Multiple Path Disclosure Vulnerabilities
BugTraq ID: 7349
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7349
Summary:

eZ Publish is a web content management system for Microsoft Windows, Unix
and Linux variants.

Several path disclosure vulnerabilities have been reported for eZ Publish.
The vulnerabilities affect several PHP script files in the kernel/class
and kernel/classes directory.

An attacker can exploit these vulnerabilities by making an HTTP request for
any of the affected pages. This may result in a condition where path
information is returned to the attacker. Information gathered in this way
may be used in further attacks against the system.

This vulnerability affects eZ Publish 3.0. It is likely that earlier
versions are also affected.

6. Microsoft Windows EngTextOut Non-ASCII Character Denial Of Service Vulnerability
BugTraq ID: 7358
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7358
Summary:

A vulnerability has been alleged in the EngTextOut function on some
versions of the Microsoft Windows operating systems.  The EngTextOut
function uses GDI to display a set of glyphs at user-specified locations.
Text may be passed to the function in a STROBJ structure.

If this function is passed non-ASCII characters, this will reportedly
result in an operating system crash.  The crash occurs in the 'win32k.sys'
module.  This issue may potentially be triggered through applications
which use the vulnerable function.

7. EZ Publish site.ini Information Disclosure Vulnerability
BugTraq ID: 7347
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7347
Summary:

eZ Publish is a web content management system for Microsoft Windows, Unix
and Linux variants.

eZ Publish has been reported prone to a sensitive information disclosure
vulnerability.

An attacker may make a request for and download the underlying site.ini
configuration file. The file contains eZ Publish administration
credentials stored in plaintext format. Any HTTP requests for this file
will reveal the contents of this file to remote attackers.

Information collected in this way may be used to aid in further attacks
against the system.

This vulnerability was reported for eZ Publish 3.0. It is likely that
earlier versions are affected by this vulnerability.

8. Microsoft Windows 2000/XP Registry Editor Custom Permissions Weakness
BugTraq ID: 7360
Remote: No
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7360
Summary:

Windows systems using the NTFS file system allow granular security
permissions to be set on individual registry keys.

A problem exists when a registry key with custom permissions is renamed.
The renamed key will lose any custom permissions that are set and instead
inherit the permissions of its parent.  This will occur regardless of
whether the "Allow inheritable permissions from parent to propagate to
this object" box is checked or not.

It has been speculated that this may occur because keys are not renamed in
the traditional sense but are possibly deleted and recreated using the new
name.

This weakness was reported to affect Windows 2000 and XP, however, Windows
NT 4.0 may also be affected.

9. SmartMax MailMax Password Field Buffer Overflow Denial Of Service Vulnerability
BugTraq ID: 7326
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7326
Summary:

Smartmax MailMax is an email server for Microsoft Windows operating
systems.

A buffer overflow vulnerability has been reported for MailMax that may
result in a denial of service condition. The vulnerability is triggered
when a user attempts to log in to the IMAP server using an overly long
password. This triggers the overflow condition and causes the IMAP server
to crash, resulting in a denial of service condition.

Restarting the affected service is required to restore normal
functionality. Although unconfirmed, exploitation of this vulnerability
may result in the execution of malicious attacker-supplied code.

This vulnerability was reported for MailMax 5.

10. SmartMax MailMax Undisclosed Buffer Overflow Vulnerability
BugTraq ID: 7327
Remote: Yes
Date Published: Apr 11 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7327
Summary:

Smartmax MailMax is an email server for Microsoft Windows operating
systems.

A buffer overflow vulnerability has been reported for MailMax. Further
details of this vulnerability are currently unknown and this BID will be
updated as more information becomes available.

This vulnerability may have similar consequences as the issue described in
BID 7326.

11. ActivCard Gold Cached Static Password Vulnerability
BugTraq ID: 7340
Remote: No
Date Published: Apr 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7340
Summary:

ActivCard Gold is a smart card solution for Microsoft Windows and other
operating systems.

ActivCard Gold is reported to cache static passwords in memory.
Credentials are stored in the memory of the "scardsrv" process.  These
credentials will be disclosed if an attacker can cause the process to dump
memory or can gain access to an existing memory dump.

Though unconfirmed, it has been alleged that static passwords will remain
in memory after the smart card is removed.  This issue apparently does not
affect PKI private keys and dynamic password keys, which are reported to
be stored in a more secure manner by ActivCard Gold.

12. Novell GroupWise WebAccess Information Disclosure Vulnerability
BugTraq ID: 7366
Remote: Yes
Date Published: Apr 16 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7366
Summary:

Novell WebAccess is a Web based authentication component of GroupWise for
Novell Netware.

It has been reported that Novell WebAccess may disclose sensitive
information to other users in the form of URLs contained in the Internet
history.

This vulnerability has been reported to present itself when Microsoft
Internet Explorer 5.0 is used to authenticate and retrieve messages, using
WebAccess, that are stored on the GroupWise server.

It has been reported that URLs of the retrieved messages become part of
the History cache and therefore can be perused by other users who also
access the workstation.

Due to the nature of this vulnerability, the impact is far greater in a
shared workstation environment.

13. BitchX Trojan Horse Vulnerability
BugTraq ID: 7333
Remote: Yes
Date Published: Apr 13 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7333
Summary:

BitchX is a freely available, open source IRC client. It is available for
Unix, Linux, and Microsoft operating systems.

It has been announced that the server hosting BitchX, www.bitchx.org, was
compromised recently. It has been reported that the intruder made
modifications to the source code of BitchX to include trojan horse code.
Downloads of the source code of BitchX from www.bitchx.org, and mirrors,
likely contain the trojan code.

Reports say that the trojan will run once upon compilation of BitchX. Once
the trojan is executed, it attempts to connect to host 207.178.61.5 on
port 6667.

The trojan horse modifications can be found in the configure script in
BitchX 1.0c19.

Additionally, the trojan displays similarity to those found in irssi,
fragroute, fragrouter, tcpdump, libpcap, OpenSSH, and Sendmail.

This BID will be updated as more information becomes available.

14. FipsGuestbook New_Entry.ASP HTML Injection Vulnerability
BugTraq ID: 7339
Remote: Yes
Date Published: Apr 14 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7339
Summary:

fipsGuestbook is a web-based guestbook application.  It is implemented in
ASP and VBScript and is available for Microsoft Windows operating systems.

fipsGuestbook does not sufficiently sanitize form data of HTML and script
code.  This issue exists in the 'new_entry.asp' script.  Attackers may
inject HTML and script code via the "Name" field of the guestbook.  This
code will be displayed and possibly interpreted when the guestbook is
viewed by other users.  Hostile code injected in this manner will be
interpreted in the context of the site hosting the guestbook software.

Exploitation of this issue could allow for theft of cookie-based
authentication credentials or other attacks.

This issue was reported in fipsGuestbook 1.12.7.  Other versions may also
be affected.

15. EZ Publish Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 7348
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7348
Summary:

eZ Publish is a web content management system for Microsoft Windows, Unix
and Linux variants.

Several cross site scripting vulnerabilities have been reported for eZ
Publish. These vulnerabilities are due to insufficient sanitization of
user-supplied data submitted to eZ Publish.

An attacker can exploit these vulnerabilities by creating malicious links
to a site hosting the vulnerable software which contain hostile HTML and
script code. If such a link is visited, the attacker-supplied HTML and
script code will be interpreted by the victim's browser. This will occur
in the context of the site hosting the vulnerable software.

Exploitation may allow theft of cookie-based authentication credentials or
other attacks.

This issue was reported in eZ Publish 3.0. It is likely that earlier
versions are affected.

16. Progress Database BINPATHX Environment Variable Buffer Overflow Vulnerability
BugTraq ID: 7352
Remote: No
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7352
Summary:

Progress Database is a commercial database for Microsoft Windows and Unix
systems.

A buffer overflow vulnerability has been discovered in Progress Database.
The problem occurs due to insufficient bounds checking when processing the
'BINPATHX' environment variable.

The 'BINPATHX' variable is used to specify the location of shared
libraries and other installation files; however, placing approximately 240
bytes within the variable may trigger a buffer overflow. This may result
in sensitive locations in memory being overwritten with attacker-supplied
values.

Exploitation of this issue may make it possible for an attacker to execute
arbitrary code with the privileges of the Progress Database application.

17. Python Documentation Server Error Page Cross-Site Scripting Vulnerability
BugTraq ID: 7353
Remote: Yes
Date Published: Apr 15 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7353
Summary:

Python Documentation Server is a freely available server distributed with
the Python software package.  It is available for Unix, Linux, and
Microsoft Operating Systems.

It has been reported that the Python Documentation Server is vulnerable to
a cross-site scripting vulnerability.

The problem is due to insufficient sanitization of HTML and script code
from error output.  When HTML and script code are passed to the vulnerable
server in a URI, the code will be displayed in the server's error page.
An attacker could exploit this issue by constructing a malicious link
which contains hostile HTML and script code and then enticing web users to
visit the link.  When the error page is displayed, the attacker-supplied
code may be rendered in the user's web browser.  This will occur in the
security context of the documentation server.

The server runs on port 7464 by default.


III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Does In-Place Upgrade of Microsoft Exchange Create Open Relays? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/319033

2. interoperability of VPN checkpoint FW1 to ISA (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/319013

3. Does In-Place Upgrade of Microsoft Exchange Create Open Relays? (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/319003

4. user level access problems: from CD (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/319004

5. Updating Non-Internet Connected Windows Hosts (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/318682

6. SecurityFocus Microsoft Newsletter #133 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/318508

7. How to generate a report of inactive domain user accounts (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/318379

8. checking server status (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/318255

9. Central software update (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/318191

10. Network Load balancing software (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/318182


IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Advanced EFS Data Recovery
by Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL:
http://www.elcomsoft.com/aefsdr.html
Summary:

Advanced EFS Data Recovery (or simply AEFSDR) is a program to recover
(decrypt) files encrypted on NTFS (EFS) partitions created in Windows
2000. Files can be decrypted even when the system is not bootable and so
you cannot log on, and/or some encryption keys have been tampered with.
Besides, decryption is possible even when Windows is protected using
SYSKEY. AEFSDR effectively (and instantly) decrypts files protected under
all versions of Windows 2000 (including Service Packs 1, 2 and 3).

2. FloodGuard
by Reactive Network
Platforms: N/A
Relevant URL:
http://www.reactivenetwork.com/products/products.htm
Summary:

FloodGuard, from Reactive Network Solutions, is dedicated to detecting -
and mitigating - all types of flooding attacks. By distributing
intelligence through the network, FloodGuard is the most effective
hardware-software solution for shutting down flooding attacks before they
shut down your business.

3. Sourcefire Intrusion Management System
by Sourcefire
Platforms: N/A
Relevant URL:
http://www.tfstech.com/solutions/unixcontrol/ucmain.htm
Summary:

Sourcefire Intrusion Management System (IMS) delivers all of the
capabilities needed to proactively defend against intruders. Unlike
current intrusion detection systems, Sourcefire offers a comprehensive
system that gives one granular flexibility, scalability, and complete data
management. Sourcefire IMS offers the best protection and allows users to
customize every aspect of the system to suit their specific environment
and security needs.


V.  NEW TOOLS FOR MICROSOFT PLATFORMS
-------------------------------------
1. Iptables made easy v1.0
by e5ke
Relevant URL:
http://e5ke.dk/iptables/
Platforms: Os Independent
Summary:

Iptables made easy is a set of PHP scripts that are based on Iptables
script generator. It uses PHP to make an iptables script based on the
provided values. It features NAT functionality that works with dynamic IP
addresses. It makes input and forward rules which are easy to modify after
the script is written. There are also built-in checks to make sure that
the administrator doesn't get locked out because of wrong network
information.

2. Crypt Blowfish v0.4.5
by OpenWall Project
Relevant URL:
http://www.openwall.com/crypt/
Platforms: N/A
Summary:

Crypt Blowfish is an implementation of a modern password hashing
algorithm, based on the Blowfish block cipher, provided via the crypt(3)
and a reentrant interface. It is compatible with bcrypt.

3. Paranoia OTP Generator v1.0
by shadau
Relevant URL:
http://student.dei.uc.pt/~subtil/paranoia/
Platforms: Os Independent
Summary:

Paranoia OTP Generator is a simple one-time password generator intended to
run on Java-enabled mobile phones.


VI. SPONSOR INFORMATION
-----------------------
This Issue is Sponsored By: SpiDynamics

ALERT: How a Hacker Launches a SQL Injection Attack - Step-by-Step!
It's as simple as placing additional SQL commands into an input box on a
web form giving hackers complete access to all your backend data! Firewalls
and IDS will not stop SQL Injection attempts because they are NOT seen as
intrusions.

Download this *FREE* white paper from SPI Dynamics for a complete guide to
protection!

http://www.securityfocus.com/SPIDynamics-ms-secnews
-------------------------------------------------------------------------------



-----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
------------------------------------------------------------------------------
