SecurityFocus.com Newsletter #23
Table of Contents:
I. INTRODUCTION
1. Info.Sec.Radio - The *FIRST* Online Radio Show For InfoSec
2. New Guest Feature : Internet Application Security
3. Exchange Server section added to Microsoft Focus Area
II. BUGTRAQ SUMMARY
1. Allaire ColdFusion 4.0x CFCACHE Vulnerability
2. PHP3 'safe_mode' Failure Vulnerability
3. Microsoft CIS IMAP Buffer Overflow Vulnerability
4. RedHat userhelper/PAM Path Vulnerability
5. IMail IMonitor status.cgi DoS Vulnerability
6. Allaire Spectra 1.0 Webtop Vulnerability
7. Allaire Spectra Data Indexing DoS Vulnerability
8. Solaris chkperm Buffer Overflow Vulnerability
9. WarFTPd Multiple Macro Vulnerabilities
10. Handspring Visor Network HotSync Vulnerability
11. SolutionScripts Home Free search.cgi Directory Traversal Vulnerability
12. Zope DTML editing Vulnerability
13. Microsoft Internet Explorer Security Zone Settings Lag Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Allaire ColdFusion 4.0x CFCACHE
2. Vulnerability Patched: PHP3 'safe_mode' Failure
3. Vulnerability Patched: CIS IMAP Buffer Overflow
4. Vulnerability Patched: userhelper/PAM Path
5. Vulnerability Patched: Spectra 1.0 Webtop Access Violation
6. Vulnerability Patched: Spectra Data Indexing DoS
7. Vulnerability Patched: chkperm Buffer Overflow
8. Vulnerability Patched: DTML editing
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. Information theft losses double in three years (Mon Jan 3 2000)
2. A'Hacking The Military Will Go (Wed Jan 05 2000)
3. Employees, Not Hackers, Greatest Computer Threat (Wed Jan 05 2000)
4. Hacker startup joins e-security market (Thu Jan 06 2000)
5. Angry Hacker Posts Credit Card Numbers Online (Sun Jan 09 2000)
6. First Virus Of The Year (Tue Jan 04 2000)
V. INCIDENTS SUMMARY
1. Scanners using netcraft? (Thread)
2. R: correlation between porscans and local activity (Thread)
3. traceroute ICMP packets (Thread)
4. Ports 25092 / 20869 (Thread)
5. unusual UDP probes (Thread)
6. Connection attempts with source port 113 (Thread)
7. port 119 (Thread)
8. Port 3593 (Thread)
9. Attacks from cr595282-a.hnsn1.on.wave.home.com (Thread)
10. IIS 5.0 not displaying asp (Thread)
11. Source Host 0.0.0.0 (Thread)
12. Distributed Scanning? (Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
1. No messages for this period.
VII. SECURITY JOBS
Seeking Staff:
1. Enterprise Security Manager (Account/Product/Program) #618
2. System Architect - New York (#536)
3. Security Software Engineer - Atlanta, GA - #4
4. Security/Compliance Officer - Enfield, CT - #619
5. E-Business and Information Security Consultant - Boston, MA - #615
6. Senior Business Manager (Security Services) - Reston, VA - #332
7. Information Security Analyst - Reston, VA - #332
8. Information Security Systems Programmer - Reston, VA - #332
9. Security Product Specialist - NY, VA, LA, MD - #618
10. Linux Contract at Counterpane
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. SecurityFocus.com Pager (Win95/98/NT)
2. StormWindows 4.54 (Windows 95/98)
3. IMON 0.9b (Linux)
4. Triplight 0.01 (Linux)
5. Strip (source) 0.5 (PalmOS)
6. PalmCrack 1.1 (PalmOS)
X. SPONSOR INFORMATION - VeriSign - The Internet Trust Company
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the SecurityFocus.com 'week in review' newsletter issue 23
sponsored by VeriSign - The Internet Trust Company. Protect your servers
with 128-bit SSL encryption today! Get VeriSign's FREE guide, "Securing
Your Web Site for Business". It tells you everything you need to know
about using SSL to encrypt your e-commerce transactions for serious online
security. Click here!
1. Info.Sec.Radio - The *FIRST* Online Radio Show For InfoSec
Security Focus is pleased to present Info.sec.radio, a bi-monthly radio
program focusing on the latest news and events in computer security.
Info.sec.radio is broadcast every 2nd Monday via:
It is also available on CJSW 90.9 FM in Calgary, Alberta Canada.
Monday January 10th is the inaugural show and features the top news,
tools, and vulnerabilities of 1999 as well as the first of a three part
series on Intrusion Detection and an interview with OpenBSD founder Theo
de Raadt.
Monday's showtime is at:
1:00 PM Eastern Standard
11:00 AM Mountain Standard
10:00 AM Pacific Standard
Please tune in and give us your feedback. Any questions may be directed to
Dean Turner <dtu@securityfocus.com>.
2. New Guest Feature : Internet Application Security by Eran Reshef,
Founder, Perfecto Technologies
This excellent new paper, Internet Application Security, speaks to
security for eBusiness applications and addresses the most important
eBusiness application security challenge: how to ensure that eBusiness
applications interact with end users only in ways that were intended by
the application's developers.
II. BUGTRAQ SUMMARY
-------------------
1. Allaire ColdFusion 4.0x CFCACHE Vulnerability
ColdFusion 4.x includes a function called CFCACHE. This function improves
server performance by caching the HTML output of processed CFM pages.
When the CFCACHE tag is used in a CFM page, it creates temporary files.
Some of these files are .tmp files, which contain the actual HTML output.
It also creates a cfcache.map file, which contains pointers to the .tmp
files including absolute pathnames, timestamps, and other URL information.
This information could be potentially harmful if exposed to the public.
These files are all placed in the same web-accessible directory as the CFM
file itself, and can be remotely accessed via an explicit URL.
2. PHP3 'safe_mode' Failure Vulnerability
PHP Version 3.0 is an HTML-embedded scripting language. Much of its syntax
is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers to
write dynamically generated pages quickly.
Because it runs on a webserver and allows user-implemented (and perhaps
security-relevant) code to be executed, PHP has a built-in security feature
called 'safe_mode' that restricts executed commands to the webroot
environment in which PHP operates.
This is done by forcing any system call that executes shell commands to
have its command string passed through the EscapeShellCmd() function, which
ensures the commands do not operate outside the webroot directory.
Under certain versions of PHP, however, EscapeShellCmd() is not applied to
the popen() command, and as such users can possibly exploit PHP
applications running in 'safe_mode' which make use of the 'popen' system
call.
3. Microsoft CIS IMAP Buffer Overflow Vulnerability
BugTraq ID: 912
Remote: Yes
Date Published: 2000-01-04
Relevant URL:
http://www.securityfocus.com/bid/912
Summary:
Microsoft's Commercial Internet System has an unchecked buffer in the IMAP
service that could allow an attacker to crash or execute arbitrary code on
the server.
Only MCIS servers that are running mail services with IMAP enabled are
vulnerable to this attack.
4. RedHat userhelper/PAM Path Vulnerability
BugTraq ID: 913
Remote: No
Date Published: 2000-01-04
Relevant URL:
http://www.securityfocus.com/bid/913
Summary:
Because of double path vulnerabilities in the binary userhelper and PAM,
it is possible to get root locally on RedHat 6.0 and 6.1 systems. Both
userhelper and PAM follow ".." paths and userhelper allows you to specify
a program to execute as an argument to the -w parameter (which is expected
to have an entry in /etc/security/console.apps). Because of this, it's
possible to specify a program such as "../../../tmp/myprog", which would
(to userhelper) be "/etc/security/console.apps/../../../tmp/myprog". If
"myprog" exists, PAM will then try to execute it (with the same filename).
PAM first does a check to see if the configuration file for
"../../../tmp/myprog" is in /etc/pam.d/ but also follows ".." directories
-- to an attacker's custom pam configuration file. Specified inside the
malicious configuration file (/tmp/myprog) would be arbitrary shared
libraries to be opened with setuid privileges. The arbitrary libraries can
be created by an attacker specifically to compromise superuser access,
activating upon dlopen() by PAM.
5. IMail IMonitor status.cgi DoS Vulnerability
BugTraq ID: 914
Remote: Yes
Date Published: 2000-01-05
Relevant URL:
http://www.securityfocus.com/bid/914
Summary:
IMail includes a service called IMail Monitor which is used for local and
remote performance measuring and diagnostics. It includes a small
webserver operating on port 8181 to support web-based monitoring. One of
the cgi scripts, status.cgi, is used to determine which services are
currently running and create a web page to report this information.
Multiple simultaneous requests for status.cgi will cause the software to
crash, with a Dr. Watson error of "Invalid Memory Address".
6. Allaire Spectra 1.0 Webtop Vulnerability
BugTraq ID: 915
Remote: No
Date Published: 2000-01-04
Relevant URL:
http://www.securityfocus.com/bid/915
Summary:
Allaire Spectra is a web-based e-commerce product. The Webtop portion of
Spectra allows for the creation of customizable web interfaces for
administration of the various services provided by the Spectra system.
These interfaces can be tailored to provide separate functionality for
users with different roles in the administration and deployment of the
product.
Due to an error in a configuration file shipped with Spectra, users who
have access to only one part of the Webtop feature can gain access to all
other Webtop enabled controls by typing in the explicit URL of those
features. Note that to exploit this vulnerability the attacker must
already have authorized access to at least one part of the Webtop
interface.
7. Allaire Spectra Data Indexing DoS Vulnerability
BugTraq ID: 916
Remote: Yes
Date Published: 2000-01-04
Relevant URL:
http://www.securityfocus.com/bid/916
Summary:
The web-based Configuration Wizard used to finalize settings during an
install of Allaire Spectra is left on the machine after installation is
complete, and can be used in a denial of service attack on the Spectra
server. One of the functions performed by this wizard is indexing all data
collections on the server. This process is CPU-intensive, and can be
accessed remotely via a URL. An attacker could repeatedly start the
indexing process, causing a degradation or denial of service.
8. Solaris chkperm Buffer Overflow Vulnerability
BugTraq ID: 918
Remote: No
Date Published: 2000-01-06
Relevant URL:
http://www.securityfocus.com/bid/918
Summary:
A buffer overrun exists in the 'chkperm' program, as included by Sun in
its version of AT&T's FACE (Framed Access Command Environment). By
supplying a well crafted buffer of executable code to the -n option to the
chkperm executable, arbitrary commands may be executed as root.
While no code to exploit this vulnerability was made available by the
discoverer of the vulnerability, it is likely that either one already
exists in the wild, or will be made available shortly.
9. WarFTPd Multiple Macro Vulnerabilities
WarFTPd ships with various macros to assist in the setup of complex FTP
sites.
It is possible to call these macros remotely, without needing to be an
authenticated user. Some of these macros will give out server and
operating system information, and can be used to reveal the contents of
files in error messages, including the configuration files for WarFTP
which can include plaintext administrator passwords.
10. Handspring Visor Network HotSync Vulnerability
The Handspring Visor is a Palm-compatible personal organizer. It ships
with Network Hotsync, an application designed to perform backups and
synchronizations of the Visor to a PC or Macintosh computer over an IP
network. There is no authentication done for this transaction, so anybody
with a Visor user's name and IP address can initiate the hotsync and
retrieve the user's email and other information. This also gives an
attacker with a Visor the ability to send email as the user.
11. SolutionScripts Home Free search.cgi Directory Traversal Vulnerability
BugTraq ID: 921
Remote: Yes
Date Published: 2000-01-03
Relevant URL:
http://www.securityfocus.com/bid/921
Summary:
Home Free is a suite of Perl cgi scripts that allow a website to support
user contributions of various types. One of the scripts, search.cgi,
accepts a parameter called letter which can be any text string. The
supplied argument can contain the '../' string, which the script will
process. This can be used to obtain directory listings and the first line
of files outside of the intended web filesystem.
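Both the userhelper/PAM issue above and the search.cgi issue here come down to the same defect: a caller-supplied name containing '..' is joined onto a fixed directory (/etc/security/console.apps and /etc/pam.d in one case, the web filesystem in the other) and the result is trusted. The following Python script is an added example, not code from the newsletter or from either affected product. It shows the containment check a defender would want: resolve the candidate path and refuse it unless it still lies under the base directory, including the case where a symlink inside the base points outside it. The directory layout built in demo() (a stand-in console.apps directory and a tmp/myprog file under a temporary root) is constructed for the demonstration.

```python
"""Containment check for user-supplied path components.

Added example; not from the newsletter or from the affected software.
userhelper/PAM resolved a service name under a fixed directory and
search.cgi spliced a 'letter' parameter into a path; both honoured
'..' components. resolve_within() refuses any name that does not stay
under the configured base directory once fully resolved.
"""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a user-supplied name would resolve outside the base."""


def resolve_within(base_dir, user_name):
    """Return the absolute path of user_name under base_dir, or raise.

    Rejects empty and absolute names, any '.', '..' or empty component,
    and (via realpath) symlinks whose target lies outside base_dir.
    """
    base = os.path.realpath(base_dir)
    if not user_name or os.path.isabs(user_name):
        raise PathEscapeError(f"refusing absolute or empty name: {user_name!r}")
    # Reject traversal components explicitly so the error is clear, rather
    # than relying only on the realpath comparison below.
    parts = user_name.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise PathEscapeError(f"refusing traversal component in {user_name!r}")
    candidate = os.path.realpath(os.path.join(base, user_name))
    # realpath follows symlinks; commonpath tells us whether the final
    # target is still below the (also resolved) base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_name!r} resolves outside {base}")
    return candidate


def is_contained(base_dir, user_name):
    """Boolean form of resolve_within for callers that only want a verdict."""
    try:
        resolve_within(base_dir, user_name)
        return True
    except PathEscapeError:
        return False


def demo():
    """Constructed layout mirroring the console.apps case; returns verdicts."""
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "etc", "security", "console.apps")
        os.makedirs(apps)
        os.makedirs(os.path.join(root, "tmp"))
        open(os.path.join(apps, "halt"), "w").close()           # legitimate entry
        open(os.path.join(root, "tmp", "myprog"), "w").close()  # file outside base
        # A symlink inside the base that points outside it.
        os.symlink(os.path.join(root, "tmp", "myprog"), os.path.join(apps, "alias"))
        return {
            "halt": is_contained(apps, "halt"),
            "traversal": is_contained(apps, "../../../tmp/myprog"),
            "symlink": is_contained(apps, "alias"),
            "absolute": is_contained(apps, "/tmp/myprog"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} -> {'allowed' if ok else 'rejected'}")
```

Only the entry that really lives in the base directory is allowed; the '..' name, the absolute name and the symlink that escapes the base are all rejected, which is the behaviour both userhelper and search.cgi lacked.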
12. Zope DTML editing Vulnerability
Zope is a free web application development system written in Python,
available at http://www.zope.org. According to a security advisory
published by zope.org, there is a problem with the DTML document editing
component which may lead to a remote compromise (especially if anyone on
the web can edit DTML documents). Unfortunately not much more information
is available about the specifics of this vulnerability.
13. Microsoft Internet Explorer Security Zone Settings Lag Vulnerability
BugTraq ID: 923
Remote: Yes
Date Published: 2000-01-07
Relevant URL:
http://www.securityfocus.com/bid/923
Summary:
When a new document is loaded into an IE window, IE will not update the
Security Zone settings for that window until the new document is
completely loaded. This means that if a local document is loaded, and then
a large remote document is loaded that has JavaScript at the very
beginning, the JavaScript may load and execute before the Security Zone
settings are updated. This could lead to remote and untrusted JavaScript
running as local trusted code, with full access to local files, cookies,
etc.
III. PATCH UPDATES 2000-01-03 to 2000-01-09
-------------------------------------------
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------
The following represent articles which received the highest rate of click
throughs when compared to other news articles on the SecurityFocus.com
website.
1. Information theft losses double in three years (Mon Jan 3 2000)
Excerpt:
A report just out says that while many firms are watching their systems
for hackers over the Y2K period, they may have shut the door after the
horse has bolted.
2. A'Hacking The Military Will Go (Wed Jan 05 2000)
Excerpt:
In a move to enlist hackers as part of the nation's defense, the US
military is drafting a plan to penetrate and disrupt the computers of
enemy nations, officials said Wednesday.
3. Employees, Not Hackers, Greatest Computer Threat (Wed Jan 05 2000)
Excerpt:
The greatest security threat to companies' computer systems comes from
disgruntled employees stealing confidential information and trade secrets,
according to a new study on cyber-security.
4. Hacker startup joins e-security market (Thu Jan 06 2000)
Excerpt:
Armed with $10 million in venture funding and a phalanx of Internet
industry veterans, startup firm AtStake Inc. on Thursday announced plans
to help secure the e-commerce revolution. AtStake also said on Thursday
that L0pht Heavy Industries, a computer "hacker" think tank, has merged
with the newly formed firm to serve as its research and development arm.
5. Angry Hacker Posts Credit Card Numbers Online (Sun Jan 09 2000)
Excerpt:
After an apparent failure to blackmail an online retailer, a computer
hacker posted names, addresses and valid credit card numbers for dozens of
Americans on a public Web site.
VII. SECURITY JOBS
------------------
5. E-Business and Information Security Consultant - Boston, MA - #615
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-01&msg=20000105205258.15168.qmail@securityfocus.com
6. Senior Business Manager (Security Services) - Reston, VA - #332
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-01&msg=20000106151701.26677.qmail@securityfocus.com
7. Information Security Analyst - Reston, VA - #332
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-01&msg=20000106152014.26826.qmail@securityfocus.com
8. Information Security Systems Programmer - Reston, VA - #332
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-01&msg=20000106153627.28145.qmail@securityfocus.com
9. Security Product Specialist - NY, VA, LA, MD - #618
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-01&msg=20000106163755.1766.qmail@securityfocus.com
IX. SECURITY FOCUS TOP 6 TOOLS
------------------------------
1. SecurityFocus.com Pager (Win95/98/NT)
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
2. StormWindows 4.54
by Cetus Software, cetussoft@aol.com
URL: http://www.cetussoft.com
Platforms: Windows 95/98
Cetus StormWindows for Windows 95 will allow the authorized user to add
several types and degrees of protections to the desktop and system of any
Windows 95 computer. Intelligent use of StormWindows security measures
will allow for the secure use of a shared Windows PC.
3. IMON 0.9b (Linux)
IMON is a powerful tool to monitor/analyze ICMP traffic in your LAN. With
IMON you are able to see what ICMP messages go through your network
interface.
4. Triplight 0.01 (Linux)
Triplight is an intrusion detection and integrity monitoring system. This
release is rather unpolished (you need to hack up a crontab file, and to
set a file path in the perl source), but fully functional. To accomplish
its design goals, it reads in a list of files stored in flat ASCII, and
uses md5sum to check their integrity against that recorded earlier in a
database. If the database is placed on a read-only medium such as a
write-protected floppy, then it should provide an infallible record
against remotely installed trojan horses. Thus by monitoring the integrity
of the system, triplight will serve as an aid in intrusion detection.
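As an added illustration of the approach described above (a flat list of files, one digest per file, a database that can be copied to read-only media), the following Python script is not Triplight's own code. It builds a baseline and then reports which listed files have changed or gone missing. The three sample files and the tampering performed in demo() are constructed for the demonstration; the digest algorithm is a parameter that defaults to SHA-256, with 'md5' selectable to mirror the md5sum-based tool.

```python
"""Minimal file-integrity baseline and check, in the style Triplight describes.

Added example, not Triplight's code. Triplight compares md5sum output for
a flat list of files against a stored database; this version hashes with
hashlib (SHA-256 by default, 'md5' selectable) and stores the database as
plain 'hexdigest  path' lines, so it can be kept on write-protected media.
"""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256", chunk=65536):
    """Stream the file through the chosen digest and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(file_list, db_path, algo="sha256"):
    """Hash every file in file_list and write 'digest  path' lines to db_path."""
    with open(db_path, "w") as db:
        for path in file_list:
            db.write(f"{hash_file(path, algo)}  {path}\n")


def load_baseline(db_path):
    """Parse the flat database back into {path: digest}."""
    baseline = {}
    with open(db_path) as db:
        for line in db:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, path = line.split("  ", 1)
            baseline[path] = digest
    return baseline


def check_integrity(db_path, algo="sha256"):
    """Compare current digests against the baseline.

    Returns sorted lists under 'changed' (digest differs), 'missing'
    (file no longer present) and 'ok'.
    """
    result = {"changed": [], "missing": [], "ok": []}
    for path, expected in load_baseline(db_path).items():
        if not os.path.exists(path):
            result["missing"].append(path)
        elif hash_file(path, algo) != expected:
            result["changed"].append(path)
        else:
            result["ok"].append(path)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed scenario: baseline three files, then alter one and remove one."""
    with tempfile.TemporaryDirectory() as root:
        names = {n: os.path.join(root, n) for n in ("ls", "ps", "netstat")}
        for n, p in names.items():
            with open(p, "w") as f:
                f.write(f"original {n} contents\n")
        db = os.path.join(root, "integrity.db")
        build_baseline(sorted(names.values()), db)
        # Simulate tampering: 'ps' is modified, 'netstat' disappears.
        with open(names["ps"], "a") as f:
            f.write("appended after baseline\n")
        os.remove(names["netstat"])
        report = check_integrity(db)
        # Strip the temporary prefix so the output is stable for the reader.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state:8s} {', '.join(files) or '-'}")
```

The check only detects what the baseline covers, so the database must be written while the files are known-good and then protected from modification, which is exactly why the Triplight description suggests a write-protected floppy.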
5. Strip (source) 0.5 (PalmOS)
Strip is a password and account management program for the Palm(T)
Computing Platform. Designed to fit the needs of both IT professionals
and the average user, it combines ease of use with flexibility and
security. 128 bit IDEA encryption ensures that even if your Palm Pilot is
lost or stolen your important account and password information will remain
confidential. Strip has a quick and easy to use interface, with many
useful features including the ability to beam shared accounts to other
Strip users.
6. PalmCrack 1.1 (PalmOS)
Noncon has released PalmCrack, the password testing tool for the Palm
Computing Platform. Designed to help security professionals determine the
strength of passwords, PalmCrack is able to check UNIX and NT passwords
against a dictionary and decrypt certain Cisco router passwords. PalmCrack
runs on PalmOS 2 and PalmOS 3 devices, including the PalmPilot
Professional through the PalmVII and the IBM WorkPad series. It requires
31KB to 1MB of memory depending on the size of the dictionary installed.
X. SPONSOR INFORMATION - VeriSign - The Internet Trust Company
------------------------------------------
VeriSign - The Internet Trust Company. Protect your servers with 128-bit
SSL encryption today! Get VeriSign's FREE guide, "Securing Your Web Site
for Business". It tells you everything you need to know about using SSL to
encrypt your e-commerce transactions for serious online security. Click
here!
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV from. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.