ISS Security Alert Summary
December 15, 1999
Volume 4 Number 10

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

12 Reported Vulnerabilities
- nt-resource-enum-dos
- sol-snoop-bo
- ie-server-side-redirect
- ie-msradio-bo
- netscape-fasttrack-auth-bo
- qpopper-auth-bo
- solaris-dtmail-overflow
- solaris-dtmailpr-overflow
- unixware-su-username-bo
- unixware-xlock-username-bo
- linux-syslogd-dos
- sol-ttdbserverd-dos

Risk Factor Key

_____

Date Reported:          1999-12-09
Vulnerability:          nt-resource-enum-dos
Platforms Affected:     Windows NT 4.0
Risk Level:             Medium
Attack Type:            Network Based

Windows NT 4.0 (Workstation, Server, Enterprise, and Terminal Editions)
contains a vulnerability that could allow a remote attacker to make the
machine stop responding to service requests.  A remote attacker sending
a malformed resource enumeration argument can cause the Windows NT
Service Control Manager to fail, causing services to stop responding to
requests.  The system would then have to be restarted to resume normal
operation.

Reference:
Microsoft Security Bulletin (MS99-055): "Patch Available for 'Malformed
Resource Enumeration Argument' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-055.asp

_____

Date Reported:          1999-12-09
Vulnerability:          sol-snoop-bo
Platforms Affected:     Solaris (2.x)
Risk Level:             High
Attack Type:            Network Based

The Solaris Snoop application contains a buffer overflow. The Solaris
Snoop application is a network sniffing tool that ships with all Solaris
2.x operating systems. This buffer overflow allows a remote attacker to
gain privileged access to machines running the Solaris operating system
while Snoop is in use. This vulnerability also allows an attacker to
bypass security measures in place on Solaris-based firewall machines. It
is not recommended to use a sniffing tool such as Snoop from a firewall
to diagnose network problems.

References:
ISS Security Advisory: "Buffer Overflow in Solaris Snoop" at:
http://xforce.iss.net/alerts/advise41.php3

Sun Microsystems, Inc. Security Bulletin: "snoop" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/190&type=0&nav=sec.sba

_____

Date Reported:          1999-12-08
Vulnerability:          ie-server-side-redirect
Platforms Affected:     Microsoft Internet Explorer (4.01, 5.0, 5.01)
Risk Level:             High
Attack Type:            Network Based

Microsoft Internet Explorer contains a vulnerability that could allow a
malicious web page operator to view files on the browser user's machine.
The web page operator would need to already know the name of the file he
wishes to view, such as a normal startup file.

Reference:
Microsoft Security Bulletin (MS99-050): "Patch Available for 'Server-side
Page Reference Redirect' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-050.asp

_____

Date Reported:          1999-12-05
Vulnerability:          ie-msradio-bo
Platforms Affected:     Microsoft Internet Explorer (5.x)
Risk Level:             High
Attack Type:            Host Based

Internet Explorer 5.x contains a buffer overflow. A user can call the
local URL vnd.ms.radio:\\ used for streaming audio and send it 360 or more
characters, causing it to crash.  A user could then execute arbitrary
code on the machine.

Reference:
BUGTRAQ Mailing List: "new IE5 remote exploit" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991206023202.84801.qmail@hotmail.com

_____

Date Reported:          1999-12-01
Vulnerability:          netscape-fasttrack-auth-bo
Platforms Affected:     Netscape Enterprise Server (3.5.1 - 3.6sp2)
                       Netscape Fast Track Server (3.01)
Risk Level:             High
Attack Type:            Network Based

Netscape Enterprise Server and Netscape FastTrack Server are widely used
Internet web servers. A buffer overflow is present in the HTTP Basic
Authentication portion of the server. When accessing a password protected
portion of the Administration or Web server, a username or password that
is longer than 508 characters will cause the server to crash with an
access violation error. An attacker could utilize the Base64 encoded
Authorization string to execute arbitrary code as SYSTEM on Windows NT, or
as root on Unix. Attackers can use these privileges to gain full access to
the server.

Reference:
ISS Security Advisory: "Buffer Overflow in Netscape Enterprise and
FastTrack Authentication Procedure" at:
http://xforce.iss.net/alerts/advise39.php3

_____

Date Reported:          1999-11-29
Vulnerability:          qpopper-auth-bo
Platforms Affected:     qpop 3.2
Risk Level:             High
Attack Type:            Network Based

Qpopper server contains a buffer overflow. Qpopper is a server that
supports the POP3 protocol for downloading Internet e-mail from software
clients on Unix.  An attacker could overflow the qpop3 server code and
compromise the system with root privileges.

Reference:
BUGTRAQ Mailing List: "serious Qpopper 3.0 vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.04.9911300056540.6421-300000@aviation.net

_____

Date Reported:          1999-11-29
Vulnerability:          solaris-dtmail-overflow
Platforms Affected:     Solaris 7x86
Risk Level:             High
Attack Type:            Host Based

The Solaris 7 dtmail program contains a buffer overflow. The dtmail
program is a mailer program. It has an exploitable command line buffer
overflow in the -f argument. It is unknown if sparc versions are
exploitable, but an exploit does exist for intel/x86 Solaris 7. It is
verified by executing dtmail -f with 2000 characters.

Reference:
BUGTRAQ Mailing List: "Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-29&msg=384249A4334.8C16SHADOWPENGUIN@fox.nightland.net

_____

Date Reported:          1999-11-29
Vulnerability:          solaris-dtmailpr-overflow
Platforms Affected:     Solaris 7x86
Risk Level:             High
Attack Type:            Host Based

The Solaris 7 dtmailpr program contains a buffer overflow. The dtmailpr
program is a mail message print filter.  It has an exploitable command
line buffer overflow in the -f argument. It is unknown if Sparc versions
are exploitable, but an exploit does exist for intel/x86 Solaris 7. It is
verified by executing dtmail -f with 2000 characters.

Reference:
BUGTRAQ Mailing List: "Solaris7 dtmail/dtmailpr/mailtool Buffer Overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-29&msg=384249A4334.8C16SHADOWPENGUIN@fox.nightland.net

_____

Date Reported:          1999-11-25
Vulnerability:          unixware-su-username-bo
Platforms Affected:     SCO's UnixWare 7
Risk Level:             High
Attack Type:            Host Based

SCO's Unixware 7 contains a buffer overflow in the su command.  If a local
user sends a long username to the su command, it is possible to crash su
and execute commands with root privileges.

Reference:
BUGTRAQ Mailing List: "[w00giving '99 #5 and w00news]: UnixWare 7's su" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.95.991126035202.24887A-100000@cannabis.dataforce.net

_____

Date Reported:          1999-11-25
Vulnerability:          unixware-xlock-username-bo
Platforms Affected:     SCO's UnixWare 7
Risk Level:             High
Attack Type:            Host Based

SCO's Unixware 7 contains a buffer overflow in the xlock program that is
used to lock the X display.  If a local user supplies a long username,
xlock will crash and allow the user to execute commands with root
privileges.

Reference:
BUGTRAQ Mailing List: "[w00giving '99 #7]: UnixWare 7's xlock" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-22&msg=Pine.LNX.3.95.991126042944.31331D-100000@cannabis.dataforce.net

_____

Date Reported:          1999-11-19
Vulnerability:          linux-syslogd-dos
Platforms Affected:     Linux
Risk Level:             High
Attack Type:            Host Based

A denial of service attack exists against Linux operating systems and the
syslogd service.  The service normally receives system log messages using
Unix domain stream sockets.  If a local attacker opens many local syslog
connections, the service will crash, affecting many normal processes such
as sendmail and telnetd.

References:
Caldera Systems, Inc. Security Advisory CSSA-1999-035.0: "DoS with
sysklogd, glibc" at:
ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-035.0.txt

Red Hat, Inc. Security Advisory: "syslogd" at:
http://www.redhat.com/corp/support/errata/RHSA1999055-01.html

SuSE Security Announcement: "syslogd-1.3.33 (a1)" at:
http://www.suse.de/de/support/security/suse_security_announce_31.txt

_____

Date Reported:          1999-11-18
Vulnerability:          sol-ttdbserverd-dos
Platforms Affected:     Solaris (7, 7x86)
Risk Level:             Medium
Attack Type:            Network Based

A denial of service attack exists against the Solaris 7 rpc.ttdbserverd
service.  A remote attacker could crash the ttdbserverd service by
calling function 15 using garbage characters.

Reference:
BUGTRAQ Mailing List: "Re: rpc.ttdbserverd on solaris 7" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991119133030.Q14594@securityfocus.com

_____

Risk Factor Key:

       High    Any vulnerability that provides an attacker with immediate
               access into a machine, gains superuser access, or bypasses
               a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
               that allows an intruder to execute commands on mail
               server.
       Medium  Any vulnerability that provides information that has a
               high potential of giving system access to an intruder.
               Example: A misconfigured TFTP or vulnerable NIS server
               that allows an intruder to get the password file that
               could contain an account with a guessable password.
       Low     Any vulnerability that provides information that
               potentially could lead to a compromise.  Example:  A
               finger that allows an intruder to find out who is online
               and potential accounts to attempt to crack passwords
               via brute force methods.

Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is
hereby granted for the redistribution of this Alert Summary
electronically.  It is  not to be edited in any way without express
consent of the X-Force.  If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:   http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.
