
List:       focus-ms
Subject:    SecurityFocus Microsoft Newsletter #170
From:       Marc Fossi <mfossi () securityfocus ! com>
Date:       2004-01-05 23:41:22
Message-ID: Pine.LNX.4.58.0401051641090.1583 () mail ! securityfocus ! com

SecurityFocus Microsoft Newsletter #170
----------------------------------------

This Issue Sponsored by: RSA Conference 2004

Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_ms-secnews_031117 and use
priority code SF4.
------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Checklist for Deploying an IDS
II. MICROSOFT VULNERABILITY SUMMARY
     1. OpenBB Index.PHP Remote SQL Injection Vulnerability
     2. OpenBB Board.PHP Cross-Site Scripting Vulnerability
     3. MiniBB Profile Website Name HTML Injection Vulnerability
     4. Sygate Personal Firewall DLL Authentication Bypass Vulnerabi...
     5. Microsoft IIS Failure To Log Undocumented TRACK Requests Vul...
     6. phpBB GroupCP.PHP SQL Injection Vulnerability
     7. Jordan Windows Telnet Server Username Stack Based Buffer Ove...
     8. Alt-N MDaemon/WorldClient Form2Raw Raw Message Handler Buffe...
     9. PHPCatalog ID Parameter SQL Injection Vulnerability
     10. Microsoft Internet Explorer showHelp CHM File Execution Weak...
III. MICROSOFT FOCUS LIST SUMMARY
     1. SecurityFocus Microsoft Newsletter #169 (Thread)
     2. Disabling Cached Logon Credentials (Thread)
     3. Accessing eventlogs remotely on W2K3 Server (Thread)
     4. TCP/IP Stack Hardening - Disabling PMTU Discovery (Thread)
     5. FPSE Admin Listner on IIS 6.0 (Thread)
     6. Article Announcement: Checklist for Deploying an IDS (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. AccessMaster
     2. KeyGhost SX
     3. SafeKit
     4. SecurDataStor
     5. Proactive Windows Security Explorer
     6. Outpost Personal Firewall Pro 2.0
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Fingerprint Verification System v0.1.0
     2. mrtg v2.10.11
     3. Mod_security v 1.8dev1
     4. Stealth HTTP Security Scanner v2.0b47
     5. IDA Pro - Freeware Edition
     6. Enigmail v0.82.5
VI. UNSUBSCRIBE INSTRUCTIONS
VII. SPONSOR INFORMATION


I. FRONT AND CENTER
-------------------
1. Checklist for Deploying an IDS
By Andy Cuff

The scope of this article considers the worst case scenario, that of
deploying a Network IDS on a remote network (target). The introduction of
an IDS into an organization's network can be sensitive and often has
political implications with the network staff, and thus a checklist
written from the perspective of an outside consultant (even if the IDS is
deployed internally) that appeases all parties can be useful to ensure a
successful implementation.

http://www.securityfocus.com/infocus/1754


II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. OpenBB Index.PHP Remote SQL Injection Vulnerability
BugTraq ID: 9300
Remote: Yes
Date Published: Dec 26 2003
Relevant URL: http://www.securityfocus.com/bid/9300
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

A problem with the software may make it possible for remote users to
modify database query logic.

It has been reported that OpenBB does not properly check input passed via
the 'CID' parameter of the 'index.php' script.  Because of this, it may be
possible for a remote user to inject arbitrary SQL queries in the context
of the database user for the bulletin board software.  The
consequences of successful exploitation will vary depending on the
underlying database implementation, but may allow for disclosure of
sensitive information such as administrator passwords or remote compromise
of the bulletin board or database itself.

OpenBB 1.06 has been reported to be prone to this issue; however, other
versions could be affected as well.

This issue may be related to BID 7401.

2. OpenBB Board.PHP Cross-Site Scripting Vulnerability
BugTraq ID: 9303
Remote: Yes
Date Published: Dec 27 2003
Relevant URL: http://www.securityfocus.com/bid/9303
Summary:
OpenBB is a freely available, open source bulletin board software package.
It is available for Unix, Linux, and Microsoft Windows operating systems.

OpenBB is prone to a cross-site scripting vulnerability in the 'board.php'
script. The source of the problem is that HTML and script code are not
adequately sanitized from input supplied via the 'FID' URI parameter. This
input will be included in dynamically generated web pages. A remote
attacker could exploit this issue by embedding hostile HTML and script
code in a malicious link to the vulnerable script. The attacker-supplied
code will be rendered in the browser of an unsuspecting user who follows
the link; the code would execute in the context of the site hosting the
vulnerable software.

Exploitation could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.

It should be noted that although this vulnerability has been reported to
affect OpenBB 1.06, other versions might also be affected.

3. MiniBB Profile Website Name HTML Injection Vulnerability
BugTraq ID: 9310
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9310
Summary:
miniBB is web forum software. It is written in PHP and will run on most
Unix and Linux variants as well as Microsoft Windows operating systems.

miniBB is prone to an HTML injection vulnerability.  The vulnerability
exists in the 'bb_edit_prf.php' script but is exposed via the
'bb_func_usernfo.php' script, which provides the interface for editing
user profiles.  The source of the issue is that 'bb_func_usernfo.php' does
not sufficiently sanitize input supplied via the 'website name' field of
user profiles.  This issue could permit registered users to inject hostile
HTML and script code into the 'website name' field of their user profile,
which would be rendered by other web users when the user profile is
viewed.

This could be exploited to steal cookie-based authentication credentials.
It is also possible to use this type of vulnerability as an attack vector
to exploit latent browser security flaws.

4. Sygate Personal Firewall DLL Authentication Bypass Vulnerabi...
BugTraq ID: 9312
Remote: No
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9312
Summary:
Sygate Personal Firewall is a personal firewall application for Microsoft
Windows operating systems. Sygate Personal Firewall supports an "Enable
DLL authentication" option designed to prompt the user every time a DLL
that has not been previously authorized is loaded by an application that
has been authorized to access the Internet.

A vulnerability has been reported to affect Sygate Personal Firewall that
may allow a user to bypass DLL authentication controls. The issue has been
reported to present itself in the routines that are used to enforce DLL
authentication. These routines unsafely assume that all DLLs will be
loaded via LoadLibraryA() or LoadLibraryW() calls; if a DLL is loaded by a
custom Portable Executable loader, for example the loaders used in packing
utilities, DLL authentication controls can be bypassed.

A local attacker may exploit this condition to bypass Sygate Personal
Firewall DLL authentication controls. It should be noted that this
vulnerability might also be leveraged by malicious applications to bypass
firewall access controls.

5. Microsoft IIS Failure To Log Undocumented TRACK Requests Vul...
BugTraq ID: 9313
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9313
Summary:
Microsoft IIS is a web server implementation for Microsoft Windows
systems. It has been reported that Microsoft IIS ships with support for an
undocumented 'TRACK' HTTP request. 'TRACK' functions in a similar manner
to the 'TRACE' HTTP request.

A vulnerability has been reported to affect Microsoft IIS. It has been
reported that IIS fails to log HTTP TRACK requests made to the affected
server. A remote attacker may exploit this condition in order to enumerate
server banners in a covert manner; these scans will not be logged and may
go unnoticed by the server administrator. Additionally it has been
reported that an attacker may potentially leverage this condition to
exhaust resources on the affected server by invoking multiple successive
TRACK requests in a bid to deny service to legitimate users. Other
attacks, for example XST (cross-site tracing) attacks, might also be
possible.

It should be noted that while this vulnerability has been reported to
affect Microsoft IIS 5.0, earlier versions might also be affected.
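Because the affected server writes no log entry for TRACK, the record has to come from somewhere the server does not control, such as a reverse proxy or network sensor in front of it. The following added example (not code from the newsletter or from Microsoft) runs that check over a constructed batch of HTTP request lines, flagging TRACK/TRACE and tallying methods so a burst of TRACK requests, the denial-of-service pattern described above, stands out:

```python
import re
from collections import Counter

# Constructed sample of HTTP request lines as a proxy or sensor would see them
# (not real IIS log data). IIS 5.0 logs the GET/POST lines but, per BID 9313,
# silently drops the TRACK ones, so the sensor is the only place they appear.
SAMPLE_REQUEST_LINES = [
    "GET /default.htm HTTP/1.1",
    "TRACK / HTTP/1.0",
    "GET /images/logo.gif HTTP/1.1",
    "TRACE / HTTP/1.1",
    "track / HTTP/1.0",   # odd casing is itself worth a look; matched anyway
    "TRACK / HTTP/1.0",
    "POST /scripts/form.asp HTTP/1.1",
    "garbage line without a method",
]

# Request line: METHOD SP request-target SP HTTP/major.minor
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$"
)

# TRACE echoes the request back to the client; TRACK is the undocumented IIS
# alias for it. Both deserve logging even when the server records neither.
ECHO_METHODS = {"TRACK", "TRACE"}


def parse_request_line(line):
    """Return (method, target, version), or None if the line is not a request line."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    return m.group("method"), m.group("target"), m.group("version")


def find_echo_requests(lines):
    """Return every request line whose method is TRACK or TRACE.

    The method is upper-cased before comparison so that unusual casing, which
    a lax server might still honour, does not slip past the check.
    """
    hits = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed and parsed[0].upper() in ECHO_METHODS:
            hits.append(line)
    return hits


def method_counts(lines):
    """Per-method tally; a spike in TRACK relative to GET/POST is the DoS signal."""
    counts = Counter()
    for line in lines:
        parsed = parse_request_line(line)
        if parsed:
            counts[parsed[0].upper()] += 1
    return counts


if __name__ == "__main__":
    for hit in find_echo_requests(SAMPLE_REQUEST_LINES):
        print("echo-method request:", hit)
    print("method tally:", dict(method_counts(SAMPLE_REQUEST_LINES)))
```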

6. phpBB GroupCP.PHP SQL Injection Vulnerability
BugTraq ID: 9314
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9314
Summary:
phpBB is an open-source web forum application that is written in PHP and
supported by a number of database products. It will run on most Unix and
Linux variants, as well as Microsoft Windows operating systems.

A vulnerability has been reported to exist in the software that may allow
a remote user who has group moderator privileges to inject malicious SQL
syntax into database queries. The problem reportedly exists in the $sql_in
parameter of the groupcp.php script. This issue is caused by insufficient
sanitization of user-supplied data. A remote attacker may exploit this
issue to influence SQL query logic to have unauthorized SQL queries
executed in the database.

A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.

7. Jordan Windows Telnet Server Username Stack Based Buffer Ove...
BugTraq ID: 9316
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9316
Summary:
Jordan Windows Telnet Server is a Telnet server for Microsoft Windows
platforms.

Jordan Windows Telnet Server has been reported prone to a remote buffer
overrun vulnerability. The issue has been reported to present itself when
a username is supplied to the Telnet server that is 518 bytes in length.
Due to a lack of bounds checking, when this username is copied into an
insufficiently sized buffer in stack-based memory, data that exceeds the
size of the buffer will overrun its bounds and corrupt adjacent memory.

An attacker may exploit this condition to corrupt a saved instruction
pointer for the vulnerable function, and thereby influence execution flow
into attacker supplied instructions. These instructions will subsequently
be executed in the context of the affected service.

The severity of this vulnerability is heightened by the fact that the
overflow occurs before authentication.

It should be noted that although this issue has been reported to affect
Jordan Windows Telnet Server version 1.0, other versions might also be
affected.

8. Alt-N MDaemon/WorldClient Form2Raw Raw Message Handler Buffe...
BugTraq ID: 9317
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9317
Summary:
MDaemon is a mail server for Microsoft Windows operating systems. It
includes WorldClient, which is a web-based email client.

A vulnerability has been identified in MDaemon/WorldClient mail server
when handling certain messages with a 'From' field of over 249 bytes.
Because of this, it may be possible for a remote attacker to gain
unauthorized access to a system running the vulnerable software. The
condition is present due to insufficient boundary checking.

It has been reported that FORM2RAW.exe is a CGI script used by MDaemon for
sending and receiving mail via the web.  In order to send a message,
FORM2RAW.exe creates a RAW message file in the Raw queue directory of the
MDaemon mail server by processing an HTML form.

The issue presents itself when an attacker composes and sends a message
with more than 249 bytes of data in the 'From' field of the message.  The
resulting RAW message file is reported to cause a denial of service
condition in the server.

An attacker may leverage the issue by exploiting an unbounded memory copy
operation to overwrite the saved return address/base pointer, causing an
affected procedure to return to an address of their choice. Successful
exploitation of this issue may allow an attacker to execute arbitrary code
in the context of the vulnerable software in order to gain unauthorized
access.

9. PHPCatalog ID Parameter SQL Injection Vulnerability
BugTraq ID: 9318
Remote: Yes
Date Published: Dec 29 2003
Relevant URL: http://www.securityfocus.com/bid/9318
Summary:
PHPCatalog is an expandable, web-based e-catalog software package
implemented in PHP. It will run on most Unix and Linux variants, as well
as Microsoft Windows operating systems.

A vulnerability has been reported to exist in the software that may allow
a remote user to inject malicious SQL syntax into database queries. The
problem reportedly exists in the $id parameter of PHPCatalog. This issue
is caused by insufficient sanitization of user-supplied data supplied as
input to this parameter, which will then be included in a database query.
A remote attacker may exploit this issue to influence SQL query logic to
have unauthorized SQL queries executed in the database.

A malicious user may influence database queries in order to view or modify
sensitive information potentially compromising the software or the
database.

This vulnerability has been reported to affect PHPCatalog version 2.6.7
and prior versions.
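The three SQL injection items above (OpenBB's 'CID', phpBB's $sql_in and PHPCatalog's $id) share one root cause: a request parameter that should be a number is pasted into the query text, so an attacker needs no quote character at all. The following added example, written here for illustration and not taken from any of those projects, contrasts that pattern with the hardened form (integer validation plus a bound parameter) over a constructed SQLite table:

```python
import re
import sqlite3

# Constructed sample data standing in for a forum's category table (not any
# project's real schema). The hidden row must never be listed to ordinary users.
ROWS = [
    (1, "General", 0),
    (2, "Staff only", 1),
    (3, "Announcements", 0),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (cid INTEGER, name TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)", ROWS)
    return conn


def fetch_category_vulnerable(cid_param):
    """The bug class: the request parameter becomes part of the SQL text.

    The column is numeric, so the value is not quoted; any expression the
    database accepts as a number or boolean rewrites the WHERE clause, and
    because AND binds tighter than OR the hidden-row filter is discarded.
    """
    conn = _connect()
    sql = "SELECT cid, name FROM categories WHERE hidden = 0 AND cid = " + str(cid_param)
    return conn.execute(sql).fetchall()


def validate_cid(cid_param):
    """Accept only a plain decimal integer; anything else is rejected outright."""
    if not isinstance(cid_param, str) or not re.fullmatch(r"[0-9]+", cid_param):
        raise ValueError("cid must be a non-negative integer")
    return int(cid_param)


def fetch_category_hardened(cid_param):
    """Hardened form: validate, then bind with a placeholder.

    Binding keeps the value out of the SQL text entirely, so even a value that
    passes validation cannot change the structure of the query.
    """
    cid = validate_cid(cid_param)
    conn = _connect()
    sql = "SELECT cid, name FROM categories WHERE hidden = 0 AND cid = ?"
    return conn.execute(sql, (cid,)).fetchall()


if __name__ == "__main__":
    print("vulnerable, honest input:", fetch_category_vulnerable("1"))
    print("vulnerable, tampered input:", fetch_category_vulnerable("1 OR 1=1"))
    print("hardened, honest input:", fetch_category_hardened("1"))
    try:
        fetch_category_hardened("1 OR 1=1")
    except ValueError as exc:
        print("hardened, tampered input rejected:", exc)
```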

10. Microsoft Internet Explorer showHelp CHM File Execution Weak...
BugTraq ID: 9320
Remote: Yes
Date Published: Dec 30 2003
Relevant URL: http://www.securityfocus.com/bid/9320
Summary:
Microsoft Internet Explorer is prone to a security flaw in the
implementation of the showHelp() function.  Microsoft previously released
patches that provide security measures to prevent abuse of the showHelp()
function to reference local compiled help files (.CHM) from within a web
page.  This initial problem was described in BID 6780/MS03-004.  However,
using directory traversal sequences and special syntax when referring to
the CHM file, it is possible to bypass this restriction.  The following is
an example of how to bypass this restriction:

showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\chmfile.chm::/fileinchm.html");

The directory traversal sequences are used to form a relative path to the
resource and, by appending two colons (::) to the name of the compiled
help file (which will have a file extension other than .CHM), the browser
will interpret the file as a compiled help file.  The attacker would still
need a method to place the file in a known location on the victim system
and a way to run executable content referenced by the .CHM file.  However,
there are known issues in Internet Explorer (such as BID 8984) which could
be exploited in combination with this weakness with the end result of
installing and executing malicious code on the client system.
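Content filters and web proxies can look for the two tricks just described, the traversal sequences and the extra '::' separator, in any mk:@MSITStore: reference they pass through. The following added example (written here for illustration, not Microsoft's or the newsletter's code; the sample snippets and the benign help file name are constructed) parses such references and reports what is wrong with them:

```python
import re

# Constructed sample page snippets (not taken from any real site). The
# "traversal" one mirrors the bypass syntax described in BID 9320; the
# "renamed" one uses a non-.chm file, which the advisory says the real
# attack would need. Raw strings keep the JavaScript backslash escapes as-is.
SAMPLES = {
    "benign":    r'showHelp("mk:@MSITStore:iexplore.chm::/iegetsta.htm")',
    "traversal": r'showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\chmfile.chm::/fileinchm.html")',
    "renamed":   r'showHelp("mk:@MSITStore:iexplore.chm::../../../../notes.txt::/run.html")',
    "unrelated": r'<a href="http://www.securityfocus.com/bid/9320">BID 9320</a>',
}

# An mk:@MSITStore: reference runs up to the closing quote, whitespace or ')'.
MSITSTORE_REF = re.compile(r'''mk:@MSITStore:([^"'\s)]+)''', re.IGNORECASE)
# "../" or "..\" (the JS source shows the backslash doubled; the regex does not care)
TRAVERSAL = re.compile(r"\.\.[\\/]")


def analyze_msitstore_ref(ref):
    """Split a reference on '::' and report the bypass indicators found.

    A legitimate reference has exactly two parts: the help file and the
    resource inside it. A third part means a second '::' was appended to a
    file name so IE treats that file as compiled help.
    """
    parts = ref.split("::")
    findings = []
    if len(parts) > 2:
        findings.append("extra '::' separator (file forced to be treated as compiled help)")
        if not parts[1].lower().endswith(".chm"):
            findings.append("second help file name lacks .chm extension")
    inner = parts[1] if len(parts) > 1 else ""
    if TRAVERSAL.search(inner):
        findings.append("directory traversal in help file path")
    return findings


def scan_content(text):
    """Return (reference, findings) for each suspicious mk:@MSITStore: reference in text."""
    results = []
    for m in MSITSTORE_REF.finditer(text):
        ref = m.group(1)
        findings = analyze_msitstore_ref(ref)
        if findings:
            results.append((ref, findings))
    return results


if __name__ == "__main__":
    for label, snippet in SAMPLES.items():
        print(label, "->", scan_content(snippet))
```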


III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. SecurityFocus Microsoft Newsletter #169 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348564

2. Disabling Cached Logon Credentials (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348563

3. Accessing eventlogs remotely on W2K3 Server (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348540

4. TCP/IP Stack Hardening - Disabling PMTU Discovery (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348539

5. FPSE Admin Listner on IIS 6.0 (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348538

6. Article Announcement: Checklist for Deploying an IDS (Thread)
Relevant URL:

http://www.securityfocus.com/archive/88/348498


IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. AccessMaster
By: Evidian Inc.
Platforms: IRIX, Solaris, Windows 2000, Windows 95/98, Windows NT
Relevant URL: http://www.evidian.com/accessmaster/about/index.htm
Summary:

Extending onto a networked world means embracing the unknown. Piracy,
vandalism, industrial espionage... - attacks on companies are doubling
each year. With uniquely integrated security software, AccessMaster
manages and safeguards access to your data, end-to-end, from portals to
legacy, and lets you enforce a single, unified security policy across the
enterprise and beyond.

AccessMaster ensures high security level by federating your existing
security solutions, while ensuring at the same time user's convenience
with Single Sign-On and security officer's ease of administration with
centralized, Ldap-compliant, user and PKI management. In this way,
AccessMaster reduces IT security cost of ownership, with rapid return on
investment.

AccessMaster is recognized by analysts as a leading security suite for
large enterprises today. It was awarded "best access control" software by
Secure Computing Magazine three years running, in 2000, 2001, and 2002.

2. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, Windows
95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary:

KeyGhost SX discreetly captures and records all keystrokes typed,
including chat conversations, email, word processor, or even activity
within an accounting or specialist system. It is completely undetectable
by software scanners and provides you with one of the most powerful
stealth surveillance applications offered anywhere.

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded data
in its own internal memory (not on the hard drive), it is impossible for
a network intruder to gain access to any sensitive data stored within the
device.

3. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary:

Evidian's SafeKit technology makes it possible to render any application
available 24 hours per day. With no extra hardware: just use your existing
servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to do
is add more standard servers into the cluster. With the load balancing
features of SafeKit, you can distribute applications over multiple
servers. If one system fails completely, the others will continue to serve
your users.

4. SecurDataStor
By: encryptX Corporation
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.encryptx.com/products/securdatastor.asp
Summary:

The SecurDataStor product line is designed to provide a comprehensive
software security solution that manages and controls access to sensitive
information that you need to share internally and externally.
SecurDataStor is available in three versions: Basic, Premium, and
Platinum. Depending on the level of security that you need, you can choose
the SecurDataStor product that suits your needs.

With its end-to-end protection of sensitive business information,
SecurDataStor products protect sensitive information when used by the
originator, stored locally on a hard drive or file server, and when
shared. Users can safely share sensitive information across different
Microsoft Windows operating systems, over different network and firewall
technologies, and across different forms of removable media.

5. Proactive Windows Security Explorer
By: Elcomsoft Co. Ltd.
Platforms: Windows 2000, Windows NT, Windows XP
Relevant URL: http://www.elcomsoft.com/pwsex.html#
Summary:

Proactive Windows Security Explorer (PWSEX) is a password security test
tool that's designed to allow Windows NT, Windows 2000, and Windows
XP-based systems administrators to identify and close security holes in
their networks. Proactive Windows Security Explorer helps secure networks
by executing an audit of account passwords, and exposing insecure account
passwords. If it is possible to recover the password within a reasonable
time, the password is considered insecure.

An administrator can also use it to recover any lost password and access a
user's Windows account. Proactive Windows Security Explorer works by
analyzing user password hashes and recovering plain-text passwords.

6. Outpost Personal Firewall Pro 2.0
By: Agnitum
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.outpost.uk.com
Summary:

New Outpost Personal Firewall Pro 2.0 outdistances the award-winning
Outpost Personal Firewall Pro 1.0 on multiple levels, from enhanced
privacy features to ease-of-use. As the foremost security application for
personal computers, Outpost Personal Firewall Pro 2.0 gives you the latest
in personal firewall technology, making version 2.0 the clear security
choice for your system.


V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Fingerprint Verification System v0.1.0
By: Shivang Patel
Relevant URL: http://fvs.sourceforge.net/
Platforms: FreeBSD, Linux, UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:

Fingerprint Verification System is an easy-to-use library that allows
programmers to integrate fingerprint technology into their software
without specific know-how. It is fast and small, and is great for embedded
systems.

2. mrtg v2.10.11
By: Tobias Oetiker
Relevant URL: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
Platforms: POSIX, Windows 2000, Windows NT
Summary:

The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic
load on network-links. MRTG generates HTML pages containing GIF/PNG images
which provide a live visual representation of this traffic.

3. Mod_security v 1.8dev1
By: Ivan Ristic
Relevant URL: http://www.modsecurity.org
Platforms: FreeBSD, Linux, Solaris, Windows 2000, Windows NT, Windows XP
Summary:

ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting as
a powerful umbrella - shielding applications from attacks. ModSecurity
supports Apache (both branches) today, with support for Java-based servers
coming soon.

4. Stealth HTTP Security Scanner v2.0b47
By: qw erty <qw@erty.net>
Relevant URL: http://www.devhood.com/tools/tool_details.aspx?tool_id=353
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

Stealth 1.0 scans for 2883 HTTP vulnerabilities. This tool is designed
especially for the system administrators, security consultants and IT
professionals to check the possible security holes and to confirm any
present security vulnerabilities that hackers can exploit. Totally free
for commercial and non-commercial use.

5. IDA Pro - Freeware Edition
By: DataRescue Inc.
Relevant URL: http://www.datarescue.com/idabase
Platforms: DOS, Windows 2000, Windows 95/98, Windows NT
Summary:

The freeware version of the Interactive Disassembler Pro. Supports 80x86
binaries and FLIRT, a unique Fast Library Identification and Recognition
Technology that automagically recognizes standard compiler library calls.
Widely used in COTS validation and hostile code analysis.

6. Enigmail v0.82.5
By: Patrick
Relevant URL: http://enigmail.mozdev.org/thunderbird.html
Platforms: Linux, MacOS, POSIX, UNIX, Windows 2000, Windows 3.x, Windows
95/98, Windows CE, Windows NT, Windows XP
Summary:

Enigmail is a "plugin" for the mail client of Mozilla and Netscape 7.x
which allows users to access the authentication and encryption features
provided by the popular GnuPG software. Enigmail can encrypt/sign mail
when sending, and can decrypt/authenticate received mail. It can also
import/export public keys. Enigmail supports both the inline PGP format
and the PGP/MIME format, which can be used to encrypt attachments.
Enigmail is cross-platform, although binaries are supplied only for a
limited number of platforms. Enigmail uses inter-process communication to
execute GPG to carry out encryption/authentication.


VI. UNSUBSCRIBE INSTRUCTIONS
----------------------------
To unsubscribe send an e-mail message to
ms-secnews-unsubscribe@securityfocus.com from the subscribed address. The
contents of the subject or message body do not matter. You will receive a
confirmation request message to which you will have to answer.
Alternatively you can also visit http://www.securityfocus.com/newsletters
and unsubscribe via the website.

If your email address has changed email listadmin@securityfocus.com and
ask to be manually removed.


VII. SPONSOR INFORMATION
-----------------------
This Issue Sponsored by: RSA Conference 2004

Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year. Don't
miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security,
you need to be here. Learn more or register at:
http://www.securityfocus.com/sponsor/RSA_ms-secnews_031117 and use
priority code SF4.
------------------------------------------------------------------------


---------------------------------------------------------------------------
---------------------------------------------------------------------------
