I. INTRODUCTION
II. BUGTRAQ SUMMARY
1. Microsoft hhopen OLE Control Buffer Overflow Vulnerability
2. Mutt Text/Enriched Handler Buffer Overflow Vulnerability
3. Diva LAN ISDN Modem Denial of Service Vulnerability
4. Adobe Acrobat Viewer ActiveX Buffer Overflow Vulnerability
5. Microsoft IE Setupctl ActiveX Control Buffer Overflow Vulnerability
6. Microsoft MSN Setup BBS ActiveX Control Buffer Overflow Vulnerability
7. Linux Predictable TCP Initial Sequence Number Vulnerability
8. Microsoft IE Registration Wizard Buffer Overflow Vulnerability
9. Microsoft IE5 Download Behavior Vulnerability
10. AIX ftpd Remote Buffer Overflow
11. Mirror File Creation Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Yahoo IM Denial of Service Attack
2. Vulnerability Patched: Remote ftpd Buffer Overflow (AIX)
3. Vulnerability Patched: Microsoft IE Setupctl ActiveX Control Buffer Overflow Vulnerability
4. Vulnerability Patched: iHTML Merchant "feedback" Vulnerability
5. Vulnerability Patched: getnewbuf() Vulnerability
6. Vulnerability Patched: NT RASMAN Privilege Escalation Vulnerability
7. Vulnerability Patched: SSH Authentication Socket File Creation Vulnerability
8. Vulnerability Patched: WWWBoard Password Disclosure Vulnerability
IV. INCIDENTS SUMMARY
1. Interesting scans in the past few days (Thread)
2. Recent crack: what does it do?
3. Simple domain authority question
4. Scans
V. VULN-DEV RESEARCH LIST SUMMARY
1. Rlogin from Ascend MAX/6000.
2. Re: Several ActiveX Buffer Overruns (Thread)
3. Re: ARP silliness w/ Cisco 675 (Thread)
4. Windows Update Error
5. Cisco IOS password types overview. (Thread)
6. Creating the NT Rootkit patch
VI. SECURITY JOBS
Discussion:
1. Re: yet another question about entering the security field (Thread)
Seeking Employment:
1. Contact: Security Administrator Looking For Different Gig , Stephen P. Berry
Seeking Staff:
1. Perl Programmer/System Administrator - NYC
2. Wirex: Linux Systems Administrator, Portland, Oregon
3. 10+ positions in the Bay Area, LA
4. Security Engineers in Waltham, MA
VII. SECURITY SURVEY RESULTS
VIII. SECURITY FOCUS EVENTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. Xtcpdump (Unix)
2. TotoStat Enhanced 2.0 (NT)
3. GNU Privacy Guard for GNU/Linux
4. EARS (Emergency Audit Response System) (Unix)
5. Youko SHIRAKI Version 1.25 (Unix)
6. Snort (Unix)
X. SPONSOR INFORMATION - Tripwire Security
I. INTRODUCTION
-----------------
Welcome to the Security Focus 'week in review' newsletter issue 9.
II. BUGTRAQ SUMMARY 1999-09-27 to 1999-10-03
---------------------------------------------
1. Microsoft hhopen OLE Control Buffer Overflow Vulnerability
BugTraq ID: 669
Remote: Unknown
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/669
Summary:
There is a buffer overflow in the 1.0.0.1 version of the hhopen OLE
control (hhopen.ocx) that ships with some versions of Internet Explorer.
This control is marked 'Safe for Scripting', so a web page can instantiate
and script it without any prompt. A malicious page can therefore trigger
the overflow and execute arbitrary commands with the privileges of the
user viewing the page.
2. Mutt Text/Enriched Handler Buffer Overflow Vulnerability
A buffer overflow vulnerability in Mutt's handler for the text/enriched
MIME type allows a malicious email message to execute commands as the
user running Mutt.
3. Diva LAN ISDN Modem Denial of Service Vulnerability
BugTraq ID: 665
Remote: Yes
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/665
Summary:
A vulnerability in the Diva LAN ISDN Modem allows remote malicious users
to lock up the modem, requiring a hard reset.
The vulnerability manifests itself when a remote user connects to the
Diva HTTP port and sends a GET request of the form
'login.html?password=<very long string>'.
4. Adobe Acrobat Viewer ActiveX Buffer Overflow Vulnerability
There is a buffer overflow in the 1.3.188 version of the Adobe Acrobat
ActiveX control (pdf.ocx) that ships with Acrobat Viewer 4.0. This ActiveX
control is marked 'Safe for Scripting' within Internet Explorer 4.X.
Arbitrary commands may be executed if the ActiveX control is run in a
malicious manner.
5. Microsoft IE Setupctl ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 667
Remote: Unknown
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/667
Summary:
There is a buffer overflow in the setupctl ActiveX control that used to
ship with some versions of Microsoft's Internet Explorer. This ActiveX
control is used to link to an update site at Microsoft and is marked 'Safe
for Scripting'. Arbitrary commands may be executed if the ActiveX control
is run in a malicious manner.
6. Microsoft MSN Setup BBS ActiveX Control Buffer Overflow Vulnerability
BugTraq ID: 668
Remote: Unknown
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/668
Summary:
There is a buffer overflow in the 4.71.0.10 version of the MSN Setup BBS
ActiveX control (setupbbs.ocx). This ActiveX control is marked 'Safe for
Scripting'. Arbitrary commands may be executed if the ActiveX control is
run in a malicious manner.
7. Linux Predictable TCP Initial Sequence Number Vulnerability
BugTraq ID: 670
Remote: Yes
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/670
Summary:
A vulnerability in the Linux kernel allows remote users to predict the
initial sequence number (ISN) of TCP sessions. This can be used to create
spoofed TCP sessions, bypassing some types of IP-address-based access
controls.
The function 'secure_tcp_sequence_number' in the file
'drivers/char/random.c' at line 1684 is used to generate the initial
sequence number. It uses an MD4 hash over a set of inputs to generate the
new ISN.
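The practical question for an administrator is whether the ISNs a host hands out can be guessed from the ones already seen. The following is an added example, not code from the original report or from the Linux kernel: a small Python check that runs a naive "last ISN plus the mean recent step" predictor over a sequence of observed ISNs and reports how often it lands within a few thousand of the real value. The two sample sequences (a weak, time-driven generator and a uniformly random one), the window size and the TOLERANCE constant are all constructed for the demonstration.

```python
"""Added example (not from the newsletter or the Linux kernel): a small
predictability check for observed TCP initial sequence numbers (ISNs).
The ISN samples below are constructed, not captured from a real host."""
import random
from statistics import mean, pstdev

MOD = 1 << 32           # ISNs are 32-bit and wrap around
TOLERANCE = 4096        # "close enough" window for a spoofing attacker

def signed_deltas(isns):
    """Consecutive ISN differences as signed 32-bit steps (wrap-aware)."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD
        out.append(d - MOD if d >= MOD // 2 else d)
    return out

def predict_next(isns, window=8):
    """Naive predictor: last observed ISN plus the mean of the recent steps.
    If this lands within TOLERANCE of the real next ISN, an attacker can
    complete a spoofed handshake with a handful of guessed ACK numbers."""
    steps = signed_deltas(isns[-(window + 1):])
    return (isns[-1] + round(mean(steps))) % MOD

def circular_distance(a, b):
    """Distance between two 32-bit values on the wrapping number line."""
    d = (a - b) % MOD
    return min(d, MOD - d)

def predictability(isns, window=8):
    """Fraction of samples the naive predictor hits within TOLERANCE, and
    the spread of the steps. Returns (hit_rate, step_stddev)."""
    hits = trials = 0
    for i in range(window + 1, len(isns)):
        guess = predict_next(isns[:i], window)
        trials += 1
        if circular_distance(guess, isns[i]) <= TOLERANCE:
            hits += 1
    return hits / trials, pstdev(signed_deltas(isns))

# Constructed sample 1: a generator that adds about 64000 per connection
# with small jitter, the shape of a weak, largely time-driven ISN.
_JITTER = [0, 120, -80, 40, 300, -200, 90, 10, -50, 20, 0, 70, -30, 15, 55, -10]
WEAK_ISNS = [(0x1A2B3C4D + 64000 * i + _JITTER[i]) % MOD for i in range(16)]

# Constructed sample 2: uniformly random 32-bit values, what a sound
# generator looks like from the outside.
_rng = random.Random(1999)
STRONG_ISNS = [_rng.getrandbits(32) for _ in range(16)]

if __name__ == "__main__":
    for name, isns in (("weak", WEAK_ISNS), ("strong", STRONG_ISNS)):
        rate, spread = predictability(isns)
        print(f"{name:6s} hit rate {rate:.2f}  step stddev {spread:,.0f}")
```

To use this against a real host, collect the ISNs from the SYN/ACKs of a series of connections (a packet capture of repeated connects is enough) and feed them to predictability(). A hit rate near 1.0 with a small step spread means the generator is effectively linear in time; a sound generator should give a hit rate near zero and a spread on the order of 10^9. The linear predictor is deliberately the simplest one; a generator that defeats it can still be weak against better attacks, so a low hit rate is necessary, not sufficient.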
8. Microsoft IE Registration Wizard Buffer Overflow Vulnerability
BugTraq ID: 671
Remote: Unknown
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/671
Summary:
There is a buffer overflow in the Internet Explorer Registration Wizard
control (regwizc.dll). This control is marked 'Safe for Scripting'.
Arbitrary commands may be executed if the control is run in a malicious
manner.
9. Microsoft IE5 Download Behavior Vulnerability
BugTraq ID: 674
Remote: Yes
Date Published: 1999-09-27
Relevant URL:
http://www.securityfocus.com/bid/674
Summary:
The "download behavior" feature of Microsoft's Internet Explorer 5 may
allow a malicious web site operator to read files on an IE5 client
computer or on a computer that is in the client's 'Local Intranet' web
content zone.
IE5 introduced a new feature called DHTML Behaviors. DHTML Behaviors
allow web developers to encapsulate methods, properties and events that
can then be applied to HTML and XML elements. IE5 comes with a set of
built-in DHTML behaviors. One of them is the "#default#download"
behavior. This behavior defines a new JavaScript method called
"startDownload" that takes two parameters: the file to download and a
function to call once the file has been downloaded.
By default the "startDownload" method checks that the file to be
downloaded is in the same web content zone as the file calling the method.
When both the file to be downloaded and the file executing the behavior
are in the same security zone, the client will safely download the
requested file and subsequently perform the specified function.
A malicious web site owner may bypass this security restriction and force
an IE5 client to both read and perform a follow-up action on the contents
of a local file or files in other security zones. This action may include
sending the contents of the file back to the malicious web site operator.
Here's how it works:
1: An IE5 client visits a malicious website and loads a web page
containing a client side scripting that makes use of the
"#default#download" behavior.
2: The client side script calls the "startDownload" method and passes it
the URL of a file to download and a function to call with the contents of
the file once the file is finished downloading.
3: The startDownload method verifies that the URL is in fact in the same
zone as the malicious web server.
4: The startDownload method begins the download, requesting the URL
specified in step 2 from the malicious web server.
5: The malicious web server sends an HTTP redirect to some other file in
any security zone, including local files on the IE5 client machine (for
example: c:\winnt\repair\sam._).
6: startDownload reads the file and executes the function specified in
step 2 on that file's content.
The malicious web server has now bypassed the security restrictions
outlined earlier by successfully forcing the client to load and act upon a
file that resides in a web content zone different from that of the
malicious web server: the zone check is applied only to the URL originally
requested, not to the target of the redirect. This can all be done
transparently to the end user.
This vulnerability cannot be used to delete or modify files on the
vulnerable IE5 client. The vulnerability can only retrieve text files or
small parts of binary files.
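The flaw in steps 3 to 6 is a validate-then-redirect pattern rather than anything specific to DHTML. The following is an added example, not code from the original advisory or from Internet Explorer: a Python model of the startDownload zone check, with the flawed flow (one check on the requested URL, redirects followed blindly) next to a corrected flow that re-checks the zone of every hop. The zone classifier, the fake network, the attacker's page URL and the file contents are all constructed for the demonstration and are not IE's real zone rules.

```python
"""Added example, not code from the original advisory or from Internet
Explorer: a model of the startDownload zone check. The zone classifier,
the fake network and the file contents are constructed; the point is that
a check applied once to the requested URL, before redirects are followed,
is bypassed by a 302 to another zone."""
from urllib.parse import urlparse

class ZoneViolation(Exception):
    """Raised when a download would leave the caller's web content zone."""

def zone_of(url):
    """Toy zone classifier (an assumption, not IE's real rules): file: URLs
    are the Local Machine zone, dotless hostnames are Local Intranet,
    everything else is the Internet zone."""
    p = urlparse(url)
    if p.scheme == "file":
        return "local machine"
    if "." not in (p.hostname or ""):
        return "local intranet"
    return "internet"

# Constructed network: URL -> (status, body) or (302, redirect target).
FAKE_NET = {
    "http://evil.example/grab": (302, "file:///C:/winnt/repair/sam._"),
    "file:///C:/winnt/repair/sam._": (200, b"<SAM backup bytes>"),
    "http://evil.example/ok.txt": (200, b"harmless"),
}

def fetch(url):
    return FAKE_NET[url]

def start_download_vulnerable(caller_url, url, on_done, max_hops=5):
    """Flawed flow: zone check once on the requested URL, then follow
    redirects blindly. on_done receives the final body."""
    if zone_of(url) != zone_of(caller_url):
        raise ZoneViolation(url)
    for _ in range(max_hops):
        status, payload = fetch(url)
        if status == 302:
            url = payload          # redirect target is never re-checked
            continue
        return on_done(payload)
    raise RuntimeError("too many redirects")

def start_download_fixed(caller_url, url, on_done, max_hops=5):
    """Same flow with the check repeated for every hop, so a redirect into
    another zone is refused before the body is read."""
    for _ in range(max_hops):
        if zone_of(url) != zone_of(caller_url):
            raise ZoneViolation(url)
        status, payload = fetch(url)
        if status == 302:
            url = payload
            continue
        return on_done(payload)
    raise RuntimeError("too many redirects")

PAGE = "http://evil.example/page.html"   # the attacker's page (constructed)

def demo():
    """What each variant yields for the redirecting URL: the leaked body
    from the flawed flow, and the refused URL from the fixed one."""
    leaked = start_download_vulnerable(PAGE, "http://evil.example/grab", lambda b: b)
    try:
        start_download_fixed(PAGE, "http://evil.example/grab", lambda b: b)
        blocked = None
    except ZoneViolation as e:
        blocked = str(e)
    return leaked, blocked

if __name__ == "__main__":
    print(demo())
```

The general rule this illustrates: any authorization decision made on a URL must be repeated on the URL actually fetched after every redirect, because the redirect target is chosen by the server being talked to, not by the code that performed the check.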
11. Mirror File Creation Vulnerability
A vulnerability in the Mirror Perl script allows remote FTP server
operators to create or overwrite arbitrary files on the local system with
the permissions of the user running Mirror.
Mirror is a Perl script designed to duplicate a directory hierarchy
between two machines via FTP. Lack of proper input validation in Mirror
allows a malicious remote FTP server to send it filenames formatted in
such a way that they force Mirror to create or overwrite arbitrary files
on the system with the permissions of the user running the script. For
example, a malicious FTP server can send filenames with embedded ".." and
"\" sequences that are not filtered by the script.
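Mirror is Perl; the following is a Python illustration, added here and not the Mirror script's own code, of the check a mirroring client should apply to every filename it takes from a remote listing before touching the local filesystem. It rejects the ".." and backslash forms named above and also guards against the cases a simple substring filter misses (absolute names, control characters, and anything whose resolved path leaves the mirror root). MIRROR_ROOT and the sample listing are constructed.

```python
"""Added example, not the Mirror script's own code: the filename check a
mirroring client should apply to every name received from a remote FTP
listing before creating a local file. MIRROR_ROOT and the listing entries
are constructed."""
import os

MIRROR_ROOT = "/tmp/mirror-example"   # constructed local mirror directory

def safe_local_path(mirror_root, remote_name):
    """Return the local path for remote_name if it stays inside
    mirror_root, else None. Rejects absolute names, backslashes, control
    characters and '.'/'..' components, then re-checks containment on the
    resolved path so a symlink already inside the root, or a pattern a
    naive substring filter misses, cannot escape it."""
    if not remote_name or "\\" in remote_name:
        return None
    if any(ord(c) < 32 or c == "\x7f" for c in remote_name):
        return None
    if remote_name.startswith("/"):
        return None
    parts = remote_name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    root = os.path.realpath(mirror_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Constructed listing as a hostile server might send it.
SAMPLE_LISTING = [
    "pub/README",                  # legitimate
    "pub/../../../.rhosts",        # classic traversal
    "pub\\..\\..\\autoexec.bat",   # backslash variant from the report
    "/etc/passwd",                 # absolute path
    "pub/sub/./file",              # never needed in a listing; rejected
    "pub/evil\nname",              # control character
]

def filter_listing(mirror_root, names):
    """Map each remote name to its safe local path, or None if refused."""
    return {n: safe_local_path(mirror_root, n) for n in names}

def demo():
    return filter_listing(MIRROR_ROOT, SAMPLE_LISTING)

if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name!r:32} -> {path}")
```

The component check alone would already stop the two forms the report describes; the realpath/commonpath step is what also catches a symlink the remote side managed to create on an earlier run pointing outside the root, which is why it is worth keeping even after the syntactic filter passes.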
III. PATCH UPDATES 1999-09-27 to 1999-10-03
-------------------------------------------
1. Vendor: Yahoo
Product: Yahoo Instant Messenger
Patch Locations (new build):
http://rd.yahoo.com/pager/zd/?http://download.yahoo.com/dl/ymsgr.exe
Vulnerability Patched: Yahoo IM Denial of Service Attack
Bugtraq ID:
Relevant URL:
5. Vendor: FreeBSD
Product: FreeBSD
Patch Location:
Fixed in FreeBSD 3.3-Release, available at ftp.freebsd.org
Vulnerability Patched: getnewbuf() Vulnerability
Bugtraq ID:
Relevant URLS:
6. Vendor: Microsoft
Product: Windows NT
Patch Location:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP6/Security/Rasman-fix/
Vulnerability Patched:
NT RASMAN Privilege Escalation Vulnerability
Bugtraq ID: 645
Relevant URLS:
http://www.securityfocus.com/bid/645/
4. Security Engineers in Waltham, MA
Reply to: Hal Lockhart <hal.lockhart@storagenetworks.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-09-29&msg=9D8B3C643D2AD311BC8D00508B120BA40F5B5F@mahqexc01.storagenetworks.com
VII. SECURITY SURVEY 1999-09-27 to 1999-10-03
----------------------------------------------
The question for 1999-09-27 to 1999-10-03 was:
"Which commercial network security scanner do you consider to be the
industry leader?"
The following products were voted on and received scores. A number of
products received no votes and are not listed here.
1. CyberCop Scanner 23% / 29 votes
by Network Associates
2. Expert 2% / 3 votes
by L3 Network Security
3. Internet Scanner 32% / 40 votes
by Internet Security Systems
4. NetRecon 1% / 2 votes
by AXENT Technologies
5. NetScanTools 1% / 2 votes
by Northwest Performance Software
6. NetSonar 16% / 20 votes
by Cisco Systems
7. Retina 4% / 6 votes
by eEye
8. WebTrends Security Scanner 13% / 17 votes
by WebTrends
Total Number of Votes cast: 122
VIII. SECURITY FOCUS EVENTS for 1999-09-27 to 1999-10-03
---------------------------------------------------------
No announcements were made in this period.
IX. SECURITY FOCUS TOP 6 TOOLS 1999-09-27 to 1999-10-03
--------------------------------------------------------
1. Xtcpdump
by Sveinar Rasmussen
Platforms: AIX, BSDI, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, Solaris, SunOS and UNIX
XTcpdump is a program providing an easy to use graphical user interface
towards tcpdump(1). Tcpdump is a network monitoring program capable of
observing all the traffic on a local network. As such, it can be used to
provide raw trace data to a performance or security monitoring tool.
2. TotoStat Enhanced 2.0 (NT)
TotoStat is a program similar in operation to the DOS-based utility
Netstat.exe, which displays protocol statistics and network activity.
It can be used by networking professionals to determine what connections
are on the machine at any time, along with all the ports that may be
listening (i.e. services, trojan horses etc.).
This new version is a major upgrade from the previous incarnations and
includes all that was previously available plus many new and innovative
features:
- Much more efficient and faster code
- Native SNMP and multithreading
- Supports Windows 95, 98 and Windows NT - should work in Windows 2000,
  although this needs to be confirmed - anyone help here??
- NEW - Fast DNS lookup
- NEW - Ping tools
- NEW - Port lookup
- NEW - Autostat - will automatically run when the machine starts up
- NEW - AutoRefresh - will automatically update the connection
  information every X minutes
- NEW - Minimizes to system tray
- New updated interface
- Shows TCP and UDP connections
- Shows established and listening ports
TotoStat is definitely the fastest and easiest way to see what exactly is
going on over the Internet or your LAN.
3. GNU Privacy Guard for GNU/Linux
by The Free Software Foundation
Platforms: FreeBSD, Linux and OpenBSD
Relevant URLS:
http://www.d.shuttle.de/isil/gnupg/
GnuPG is a complete and free replacement for PGP. Because it does not use
IDEA or RSA it can be used without any restrictions. GnuPG is a RFC2440
(OpenPGP) compliant application.
4. EARS (Emergency Audit Response System)
by Tishina Syndicate
Platforms: Linux
Relevant URLS:
http://tishina.cjb.net
EARS (Emergency Audit Response System) is an intrusion detection system
which responds to abnormal system, user and network behaviors in real
time, in a distributed manner. EARS are distributed agents which reside on
the end point, monitoring the host, and reporting activities to it's
peers.
5. Youko SHIRAKI Version 1.25 (Unix)
This utility searches for joe accounts (accounts whose password is the
same as the username) on a specified host using an FTP brute-force attack
driven by a userlist file. The administrator should change the passwords
if such users are found. The utility can also attack using a fixed
password, or username+string.
6. Snort (Unix)
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform protocol analysis and content searching/matching,
and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort has a real-time alerting capability, with
alerts being sent to syslog or a separate "alert" file. As of version 1.1
it can also send WinPopup messages via Samba.
X. SPONSOR INFORMATION - Tripwire Security
------------------------------------------
This Newsletter was sponsored by Tripwire Security. Tripwire Security
Systems, Inc. (TSS) is a Portland-based software development company
specializing in system security and policy compliance applications. The
company is developing a family of Defense in Depth(SM) security solutions
based on its Tripwire file integrity assessment technology. Tripwire's file
integrity assessment technology is the most fundamental component of any
Intrusion Detection system. Tripwire monitors all servers and clients on a
network, detecting and reporting any changes to critical system or data
files. Tripwire can absolutely, unequivocally determine if a protected
file has been altered in a way that violates the policy set by the
administrator. This ensures that any change, whether due to an external
intruder or internal misuse, will be identified and documented on a timely
basis. After an intrusion has been detected, Tripwire enables the system
administrator to quickly identify which systems have been compromised,
allowing the organization to get back to business.