SECURITYVULNS:DOC:45
Apr 10, 2000 - 12:00 a.m.

SecurityFocus.com Newsletter 36


Sponsored by CORE SDI

CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms,
for whom CORE SDI develops customized security auditing tools, as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services, CORE also performs risk assessment and security infrastructure
consulting for a large number of government and Fortune 500 companies in
both North and Latin America.

http://www.core-sdi.com

SecurityFocus.com Newsletter #36

I. FRONT AND CENTER
1. SecurityFocus.com needs your opinion on our new pager application!
2. SecurityFocus.com is hiring!
3. Organizational Notes
II. BUGTRAQ SUMMARY
1. MS Index Server '%20' ASP Source Disclosure Vulnerability
2. Allaire Forums "rightAccessAllForums" Vulnerability
3. FCheck Shell Metacharacter in Filename Vulnerability
4. Microsoft Excel XLM Vulnerability
5. Real Networks RealPlayer 6/7 Location Buffer Overflow Vulnerability
6. SalesLogix eViewer DoS Vulnerability
7. HP VirtualVault Aliased IP Addresses Vulnerability
8. Nbase-Xyplex EdgeBlaster DoS Vulnerability
9. IBM ikeyman Java Class Creation Vulnerability
10. Symantec pcAnywhere Weak Encryption Vulnerability
11. Ipswitch IMail Server 5.x/6.x DoS Vulnerability
III. SECURITYFOCUS.COM NEWS ARTICLES
1. 911 Virus hits Houston
2. Building in Big Brother
3. "Copyright War" Declared
IV. SECURITY FOCUS TOP 6 TOOLS
1. IISperms (NT)
2. DynFw for ipchains 0.2.1 (Linux)
3. Netsaint Console Monitor 0.50c (HP-UX, IRIX, Linux and Solaris)
4. VTun (FreeBSD, Linux, NetBSD, OpenBSD and Solaris)
5. Linux Trustees 1.6 (Linux)
6. Sentinel Project 0.09 (FreeBSD, NetBSD and OpenBSD)
V. SECURITYJOBS LIST SUMMARY
1. Dir of Recruitment and Retention at InfoSec Startup (Thread)
2. SEEKING FOR SUMMER JOB (Thread)
3. Information Security Specialist - Baltimore/Owings Mills, MD (Thread)
4. Security Engineers @ PhoenixDSL (Thread)
5. SecurityFocus.com is looking for a developer (Thread)
6. Offering jobs online via a desktop applet (Thread)
7. Site Content Manager (Thread)
8. COR4006 - Computer Security Engineers and Programmers - Northern Virginia (Thread)
9. COR4005 - Office Manager - Northern Virginia (Thread)
10. Security/VPN - SE - Boston (Thread)
11. Books (Thread)
12. Network Security Engineers wanted (Thread)
13. CoSine Communications Inc. (Thread)
VI. INCIDENTS LIST SUMMARY
1. Lots of DNS Exploit attempts (Thread)
2. rooted by r0x - from address 212.177.241.127 (Thread)
3. Scans on Port 98 (linuxconf) (Thread)
4. Cracked by the Brazilians (Thread)
5. Cracking tools and backdoors [was cracked by Brazilians] (Thread)
6. Smurf/broadcast "pings" (Thread)
7. Port 65535, again (Thread)
8. connections from Microsoft to dns server? (Thread)
VII. VULN-DEV RESEARCH LIST SUMMARY
1. Kill BIOS (Thread)
2. Windows: Local Security Workarounds-DD (Thread)
3. Award BIOS passwords (Thread)
4. local security workaround through IE (Thread)
VIII. MICROSOFT FOCUS LIST SUMMARY
1. 2k with webhosting…? (Thread)
2. R: Nessus Scanner (Thread)
3. Nessus Scanner (Thread)
4. HELP…any suggestions welcome… (Thread)
6. Upcoming new pager (Thread)
7. Home firewalling-one solution for NT (Thread)
8. PcAnywhere weak password encryption (Thread)
9. Server Tools (Thread)
10. Home firewalling (Thread)
11. Proxy Server on Windows 2000 (Thread)
12. FW: PcAnywhere weak password encryption (Thread)
13. Thanks for the Administrator Quotes (Thread)
14. Need System Administrator Quotes (Thread)
IX. SPONSOR INFORMATION - CORE SDI
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION

I. FRONT AND CENTER

Welcome to the SecurityFocus.com 'week in review' newsletter issue 36.

  1. SecurityFocus.com needs your opinion on our new pager application!

The SecurityFocus Pager has proven to be a popular tool, and we are
pleased to announce the upcoming release of version 3.0, with a much
greater range of features. 3.0 will run on Windows 95, 98, NT, 2000 and
Linux. It allows, in addition to the functionality of version 2, more
advanced content filtering and a feature that will enable it to track
specifically vulnerabilities in equipment listed in a user-defined
inventory. It also includes search and browsing capability for the
SecurityFocus website. Version 3.0 will be Open Sourced.

We invite you to participate in a brief survey to determine your
collective opinion on the appearance of the new pager. Many of you that
use the pager currently use it on a regular basis, and we would like you
to help decide what that portion of your desktop will look like.

The survey is located at:

http://www.securityfocus.com/data/pager/questions.html

  2. SecurityFocus.com is hiring!

Currently SecurityFocus.com is hiring for two positions:

  1. Developer

Security Focus, the leading Internet security portal, is looking to expand
our team for web development. The position involves the development and
maintenance of a highly dynamic and database driven website.

We are looking for someone with experience in developing this type of web
site in a Unix environment. This person should be capable of taking
ownership of tasks, acting independently and seeing them to completion.
Applicants should be familiar with startups and must be willing to work in
a fast paced environment with tight deadlines.

This position is in Calgary, Alberta, Canada.

Skillsets required:

  • programming experience (C and Perl)
  • web applications development
  • XML, JavaScript, HTML, CSS
  • experience with database driven web sites
  • Strong knowledge of SQL
  • Solaris, FreeBSD and Windows NT/95/98 OSes

Skills highly sought after:

Pluses:

  • Knowledge of ASP and IIS.
  • Knowledge of Java
  • Familiarity with computer security products (scanners, intrusion detection
    systems, etc)

Please respond to Alfred Huger [email protected]

  2. Site Content Manager

An opportunity exists for a talented writer who understands leading edge
IT technology - its uses and security within the small office environment.
This opportunity is a chance for a talented individual to get into a
fast-moving pre-IPO company that is the leader in its specialty area and
is led by a seasoned team that has taken other companies to IPO and
acquisition.

The Site Content Manager will be a manager/contributor responsible for a
set of topic areas on a security information portal. These topic areas
require the candidate to have writing experience and an interest in the
security of office IT products: desktops, laptops, servers, printers,
PDAs, phones, modems, networks, software and utilities. The ideal
candidate will possess excellent written and oral communication skills, IT
journalism or writing experience, and an interest in technical products,
information security and software.

Responsibilities

  • Creation and updating of topic areas on a web site including: planning, project
    management, writing, moderating guest author content, editing, and daily
    maintenance of topic areas.
  • Contracting writers and experts to create articles and content for the
    topic area.

Skill requirements

  • BA degree in journalism or English with at least two years of professional
    journalism or writing experience OR
  • 5 years work experience as a journalist or writer specializing in IT topics.
  • Professional experience with, or personal interest in IT products or topics
  • Experience editing columns and content from other writers.
  • Experience developing web pages or using professional web/type editing programs
    such as MS FrontPage, Adobe FrameMaker
  • Deadline and results oriented, with attention to detail
  • Self-motivated and independent, with the ability to take initiative

The successful candidate will be highly attentive to details, able to
produce under tight deadlines, self-motivated and a good team player.

The position may work in SecurityFocus.com's San Mateo, CA or Calgary,
Alberta office.

Submit Resume, including samples of written work to:

[email protected]

OR

Alfred Huger
VP of Engineering
(403) 213-3939 ext. 223
217 - 10th Avenue S.W.
Calgary, Alberta, Canada
T2R 0A4

  3. Organizational Notes

As many people have noted, the newsletter changes minutely with each
issue. The reasoning behind these changes is driven by the comments of
people on the distribution list. For instance, this issue has been
reorganized to place the high volume mailing list summaries close to the
end of the newsletter, thus giving more immediate room for the topics
which take up less space and therefore less time to read.

Should you have any comments, I would love to hear them. Please feel free
to mail me at [email protected].

II. BUGTRAQ SUMMARY

  1. MS Index Server '%20' ASP Source Disclosure Vulnerability
    BugTraq ID: 1084
    Remote: Yes
    Date Published: 2000-03-31
    Relevant URL:
    http://www.securityfocus.com/bid/1084
    Summary:

Index Server can be used to cause IIS to display the source of .asp and
possibly other server-side processed files.

By appending a space (%20) to the end of the filename specified in the
'CiWebHitsFile' variable, and setting 'CiHiliteType' to 'Full' and
'CiRestriction' to 'None', it is possible to retrieve the unprocessed
source of the file.

This is possible on any machine with Index Server installed, even those
with no normal .htw files, because the virtual file null.htw is stored in
memory and the .htw extension is mapped by default to webhits.dll.
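
A log check for the request pattern described above, as an added example that is not part of the original newsletter. The log lines are constructed samples, and the field order (client IP third, URI stem fifth, query sixth) is an assumption about the local W3C log layout.

```python
from urllib.parse import parse_qsl

# Constructed sample log: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-01 10:02:11 192.0.2.10 GET /default.asp - 200
2000-04-01 10:02:40 192.0.2.77 GET /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-04-01 10:03:05 192.0.2.31 GET /search/hits.htw CiWebHitsFile=/docs/faq.htm&CiRestriction=printer&CiHiliteType=Full 200
2000-04-01 10:04:18 192.0.2.77 GET /null.htw CiWebHitsFile=/login.asp+&CiRestriction=None&CiHiliteType=full 200
"""


def flagged_target(stem, query):
    """Return the file named in CiWebHitsFile if the request matches the pattern."""
    if not stem.lower().endswith(".htw"):
        return None  # only requests mapped to webhits.dll are of interest
    # parse_qsl decodes both %20 and '+' to a space and keeps it in the value
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    target = params.get("ciwebhitsfile", "")
    full_hilite = params.get("cihilitetype", "").lower() == "full"
    if full_hilite and target and target != target.rstrip():
        return target.rstrip()  # trailing whitespace after the filename
    return None


def scan(log_text):
    """Return (client_ip, requested_file) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        target = flagged_target(fields[4], fields[5])
        if target is not None:
            hits.append((fields[2], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"{ip} requested source of {target} via webhits")
```
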

  2. Allaire Forums "rightAccessAllForums" Vulnerability
    BugTraq ID: 1085
    Remote: Yes
    Date Published: 2000-04-03
    Relevant URL:
    http://www.securityfocus.com/bid/1085
    Summary:

Allaire Forums 2.0.5 can allow unauthorized users to view and post to
secure Threads. This is possible due to a flaw in the handling of the
"rightAccessAllForums" variable.

  3. FCheck Shell Metacharacter in Filename Vulnerability
    BugTraq ID: 1086
    Remote: No
    Date Published: 2000-04-03
    Relevant URL:
    http://www.securityfocus.com/bid/1086
    Summary:

FCheck, when invoked with the -l switch, will send reports to syslog
instead of stdout. In the course of doing so, it makes a system() call
with the filename in the argument. Therefore, if a filename contains a
shell metacharacter followed by a command, that command will be executed
at the privilege level of FCheck (usually root). Any user who can create
files in a filestructure that is monitored by FCheck can exploit this
vulnerability.
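
The pattern behind this bug beside its hardened form, as an added example that is not FCheck's own code: FCheck is a Perl script, and this Python sketch only reproduces the same mistake, with `echo` standing in for the command that writes to syslog. The filename is a constructed sample carrying a harmless marker.

```python
import subprocess

# Constructed sample: a filename with a shell metacharacter and a harmless marker.
CONSTRUCTED_NAME = "notes.txt; echo INJECTED-COMMAND-RAN"

# Characters a shell treats specially (or splits on) inside an unquoted word.
SHELL_META = set(";|&$()<>*?[]{}!~#`'\"\\ \t\n")


def report_unsafe(filename):
    """The flawed pattern: the filename is pasted into a shell command line."""
    cmd = "echo fcheck: changed " + filename  # the shell parses the filename too
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def report_safe(filename):
    """Hardened form: no shell, the filename is exactly one argv element."""
    argv = ["echo", "fcheck: changed", filename]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def risky_names(names):
    """Audit helper: names in a monitored tree that a shell would not read literally."""
    return [n for n in names if SHELL_META & set(n)]


if __name__ == "__main__":
    print("unsafe:", report_unsafe(CONSTRUCTED_NAME).splitlines())
    print("safe:  ", report_safe(CONSTRUCTED_NAME).splitlines())
```

Writing the report through a syslog library call instead of an external command removes the shell from the path entirely.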

  4. Microsoft Excel XLM Vulnerability
    BugTraq ID: 1087
    Remote: Yes
    Date Published: 2000-04-03
    Relevant URL:
    http://www.securityfocus.com/bid/1087
    Summary:

Under normal circumstances, Microsoft Excel produces a warning dialog
when a user attempts to open a macro file that resides outside of the
spreadsheet that is currently in use. The dialog box will not appear if
the user opens a macro file consisting of Excel 4.0 Macro Language (XLM)
in an external text file. Even if a user were to have chosen the option
of 'High Security' in Excel, they would still be affected by this
vulnerability. It is not possible to exploit this vulnerability in such a
way that it would self launch.

  5. Real Networks RealPlayer 6/7 Location Buffer Overflow Vulnerability
    BugTraq ID: 1088
    Remote: Yes
    Date Published: 2000-04-03
    Relevant URL:
    http://www.securityfocus.com/bid/1088
    Summary:

An unchecked buffer exists in the 'location' field of Real Networks
RealPlayer versions 6.0 and 7.0. Requesting a URL containing a string
of 300 or more characters causes the application to crash, and it must
be restarted to regain normal functionality.
Arbitrary code can potentially be executed through this vulnerability.

This vulnerability may be exploited remotely if such a URL is embedded
in an HTML file with the command 'autostart' set to 'true'. Both
RealPlayer and the accompanying browser would crash in this case and
need to be restarted to regain functionality.

So far only the Windows versions of the Real Player have been proven to be
vulnerable in this manner.

  6. SalesLogix eViewer DoS Vulnerability
    BugTraq ID: 1089
    Remote: Yes
    Date Published: 2000-03-31
    Relevant URL:
    http://www.securityfocus.com/bid/1089
    Summary:

SalesLogix eViewer is a web application integrated with the SalesLogix
2000 package.

eViewer will not perform authorization on administrative commands if they
are requested directly in the URL. Therefore, the URL:

http://target/scripts/slxweb.dll/admin?command=shutdown

will cause the program to shut down. Other commands aside from
'shutdown' could possibly be performed by a remote user as well.

Additional notes: The program which issues administrative commands
(slxweb.dll) is installed by default in the /scripts directory and cannot
be relocated. In addition to this security concern, the package requires
a user to change the default anonymous username (IUSR_{systemname}) in
Microsoft IIS to 'slxwebuser' and grant it administrative privileges.

  7. HP VirtualVault Aliased IP Addresses Vulnerability
    BugTraq ID: 1090
    Remote: Yes
    Date Published: 2000-04-06
    Relevant URL:
    http://www.securityfocus.com/bid/1090
    Summary:

HP's VirtualVault is a trusted web server platform that implements
compartmentalization. The HP-UX 11.04 (VVOS) revision of VirtualVault
contains a vulnerability which allows data to be delivered via a network
interface to unprivileged processes if multiple IP addresses are assigned
to the interface.

  8. Nbase-Xyplex EdgeBlaster DoS Vulnerability
    BugTraq ID: 1091
    Remote: Yes
    Date Published: 2000-04-06
    Relevant URL:
    http://www.securityfocus.com/bid/1091
    Summary:

The NBase-Xyplex EdgeBlaster router will hang if scanned by CyberCop for
the FormMail CGI vulnerability. There is no error message or visible
activity other than traffic halting at the router. It will need to be
rebooted to restore functionality.

  9. IBM ikeyman Java Class Creation Vulnerability
    BugTraq ID: 1092
    Remote: No
    Date Published: 2000-04-06
    Relevant URL:
    http://www.securityfocus.com/bid/1092
    Summary:

IBM's IBMHSSB package, which ships with Solaris, is used to enable SSL for
the IBM webserver. The package includes a shell script, /usr/bin/ikeyman,
which is SUID by default and updates the user's CLASSPATH variable before
calling another script, /opt/ibm/gsk/bin/ikmgui.

This second script calls com.ibm.gsk.ikeyman.Ikeyman. Since the user's
CLASSPATH is read into the new CLASSPATH variable, they could make a
replacement /com/ibm/gsk/ikeyman/Ikeyman and put it in a directory
included in their original CLASSPATH. This code would then get run as root
when /usr/bin/ikeyman was run.
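
A check for the class-search-path problem described above, as an added example that is not IBM's code: it audits a CLASSPATH for entries a privileged launcher must not search and builds the child environment from constants instead of the caller's variables. The path `/opt/example/classes` and the `PATH` value are placeholders, and the function names are hypothetical.

```python
import os
import stat

# Placeholder for the vendor's class directory; the real path is not given here.
FIXED_CLASSPATH = "/opt/example/classes"


def untrusted_entries(classpath, trusted_uid=0):
    """Return (entry, reason) for entries a privileged program must not search."""
    findings = []
    for entry in classpath.split(os.pathsep):
        if not os.path.isabs(entry):
            # Empty or relative entries resolve against the caller's directory.
            findings.append((entry, "not an absolute path"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            findings.append((entry, "does not exist"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((entry, "not owned by trusted uid"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group- or world-writable"))
    return findings


def privileged_env(fixed_classpath=FIXED_CLASSPATH):
    """Environment for the privileged child: constants only, nothing inherited."""
    return {"PATH": "/usr/bin:/bin", "CLASSPATH": fixed_classpath}


if __name__ == "__main__":
    inherited = os.environ.get("CLASSPATH", "")
    for entry, reason in untrusted_entries(inherited):
        print(f"rejecting inherited CLASSPATH entry {entry!r}: {reason}")
    print("child environment:", privileged_env())
```
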

  10. Symantec pcAnywhere Weak Encryption Vulnerability
    BugTraq ID: 1093
    Remote: Yes
    Date Published: 2000-04-06
    Relevant URL:
    http://www.securityfocus.com/bid/1093
    Summary:

Symantec pcAnywhere is shipped by default with a weak encryption scheme
that is used to encrypt username and password transmittal. Therefore,
usernames and passwords can be retrieved by anyone sniffing the network in
between the host computer running pcAnywhere and the NT domain controller.

Users of pcAnywhere can be authenticated with their NT domain username and
password. In this case, the weakly encrypted authentication data
would be transmitted domain wide.

  11. Ipswitch IMail Server 5.x/6.x DoS Vulnerability
    BugTraq ID: 1094
    Remote: Yes
    Date Published: 2000-04-06
    Relevant URL:
    http://www.securityfocus.com/bid/1094
    Summary:

Due to the implementation of IMail's authentication scheme, the server
could be remotely forced to stop responding to login requests. If the
client fails to terminate the connection, IMail will not be able to
authenticate any other users due to the fact that it can only authorize
one user at a time.

Once the client times out the connection, IMail will regain normal
functionality. Otherwise the service will have to be restarted.

III. SECURITYFOCUS.COM NEWS ARTICLES

  1. 911 Virus hits Houston

A federal investigation in Texas has uncovered a virus that calls for
help.

URL: http://www.securityfocus.com/news/14

  2. Building in Big Brother

FBI Director Louis Freeh knows how to milk cyberattacks for all they're
worth.

URL: http://www.securityfocus.com/commentary/13

  3. "Copyright War" Declared

Electronic civil libertarians rally in Toronto.

URL: http://www.securityfocus.com/news/15

IV. SECURITY FOCUS TOP 6 TOOLS

  1. IISperms (NT)
    by Microsoft
    Relevant URL:
    http://www.securityfocus.com/data/tools/auditing/host/iisperms.exe

The IIS Security "What If" tool is a Dynamic HTML (DHTML) utility designed
to assist in troubleshooting security issues with IIS.

  2. DynFw for ipchains 0.2.1 (Linux)
    by Marcus Schopen, [email protected]
    Relevant URL:
    http://www.securityfocus.com/data/tools/dynfw.tgz

DynFW for ipchains constantly checks /var/log/messages for packets denied
by ipchains and responds by temporarily setting up firewall rules that deny
any access from the originating IPs. Optionally it can do an ident lookup
before setting up the rules.

  3. Netsaint Console Monitor 0.50c (HP-UX, IRIX, Linux and Solaris)
    by Stig H. Jacobsen, [email protected]
    Relevant URL:
    http://www.securityfocus.com/data/tools/nsc-0.50c.tar.gz

Netsaint Console Monitor (NSC) is a curses-based console monitor for
Netsaint. It allows you to monitor Netsaint services without the expense
or availability of a GUI.

  4. VTun (FreeBSD, Linux, NetBSD, OpenBSD and Solaris)
    by Maxim Krasnyansky, [email protected]
    Relevant URL:
    http://www.securityfocus.com/external/http%3a%2f%2fvtun.sourceforge.net%2f

VTun is an easy way to create Virtual Tunnels over TCP/IP networks with
traffic shaping, compression, and encryption. It is a user space
implementation and doesn't need modification of any kernel parts. VTun
supports IP, PPP, SLIP, Ethernet and other tunnel types. VTun is easily
and highly configurable; it can be used for various network tasks like
VPN