SecurityFocus.com Newsletter #24
Table of Contents:
I. INTRODUCTION
1. Marcus Ranum to be interviewed on Info.Sec.Radio
2. SecurityFocus.com @ RSA - Intrusion Detection Book Signing
II. BUGTRAQ SUMMARY
1. MsgCore/NT Denial of Service Vulnerability
2. Winamp Playlist Vulnerability
3. MySQL GRANT Global Password Changing Vulnerability
5. Corel Linux get_it PATH Vulnerability
6. ICQ URL Remote Buffer Overflow Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: MsgCore SMTP Denial of Service
2. Vulnerability Patched: MySQL GRANT Global Password Changing
3. Vulnerability Patched: Linux lpd Vulnerabilities
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. Clinton: $2B for cybersecurity (Mon Jan 10 2000)
2. Extortion Hack Raises Doubt of Online Security (Tue Jan 11
2000)
3. Reducing US Crypto Export Rules (Wed Jan 12 2000)
4. High court ruling could impact Net privacy (Thurs Jan 13 2000)
5. Stealing cards easy as Web browsing (Fri Jan 14 2000)
6. Hacker gang blackmails firms with stolen files (Sun Jan 16
2000)
V. INCIDENTS SUMMARY
1. port 1150 and 4833 ? (Thread)
2. Ports 12345, 5742 and 20034 (Thread)
3. Maillog Suspicious (Thread)
4. Attempted port scans. (Thread)
5. Text file monitor? (Thread)
6. strange icmp traffic (Thread)
7. IRC-bots: what are they for ? (Thread)
8. strange entrys in /var/log/messages (Thread)
9. R: correlation between porstcans and local activity (Thread)
10. New vulnerability (fwd)
11. Strange behaviour
12. Large quantity of traffic from amazon.com - source_port 3000
13. Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167]
14. Port 4 (Thread)
15. More icmp floating around...
VI. VULN-DEV RESEARCH LIST SUMMARY
1. [Fwd: Administrivia #4883]
2. Firewall-1 Logging *Issue* (Thread)
3. Administrivia #4883 (fwd) (Thread)
4. Administrivia #4883/flowpoints (Thread)
6. Secure coding in C (was Re: Administrivia #4883) (Thread)
VII. SECURITY JOBS
Seeking Staff:
1. Amazon.com - PKI Security Engineer - Seattle, WA
2. Sr Internet Security Specialist Needed - TX area
3. Senior Systems Engineer, Houston, Texas
4. Unix Security Administrator - Washington DC
5. Network Security Engineers wanted - Raleigh, N.C. and Buffalo,
N.Y.
6. Director, Systems Security - IL - #602
7. Internet Security Systems (ISS) Sales Engineer Needed - United
Kingdom
8. Security Software Developers, San Jose, CA
9. Security Practice Manager - NYC
10. Security Developers, Boston, MA
11. Senior Security Unix Admin, San Jose, CA
12. Senior QA Engineer, San Jose, CA
13. e-Security Consultants, NY, MA, NJ, MD, DC, RI
14. Senior Network Security Engineers - Los Gatos, CA
VIII. SECURITY SURVEY RESULTS
1. Do you think security vendors exaggerate the importance of
security issues as a marketing strategy?
IX. SECURITY FOCUS TOP 6 TOOLS
1. Security Focus Pager (Win95/98/NT)
2. Snort 1.3.1 (FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OpenBSD and Solaris)
3. cgi-check99 v0.4 (rebol capable systems)
4. HookProtect (Win95/98/NT)
5. Bastille Linux 1.0 (Linux)
6. SuperScan 2.06 (Win95/98/2000)
X. SPONSOR INFORMATION - CORE-SDI http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the SecurityFocus.com 'week in review' newsletter, issue 24,
covering the period 2000-01-10 to 2000-01-16, sponsored by CORE SDI.
1. Marcus Ranum to be interviewed on Info.Sec.Radio
The January 24th edition of Info.sec.radio from SecurityFocus.com features
part two of a three part series on Intrusion Detection as well as our
regular features on tools, vulnerabilities and security news in review. In
addition, Info.sec.radio is pleased to bring you an interview with Paul
Proctor, Director of Information Technology for Cybersafe Corporation.
February 7th's edition of Info.sec.radio will feature the final
installment of our look at Intrusion Detection and an interview with
Marcus Ranum of NFR. Do you have a question you want to ask Marcus or one
of our future guests? Drop us a line at radio@securityfocus.com. Questions
for Marcus Ranum need to be received no later than January 30, 2000.
As always, your questions, comments and suggestions are welcome at the
same address as above.
2. SecurityFocus.com @ RSA - Intrusion Detection Book Signing
SecurityFocus.com, Tripwire Security Systems, and Macmillan Technical
Publishing are sponsoring a book signing at the RSA conference featuring
Rebecca (Becky) Bace, author of "Intrusion Detection," published by
Macmillan earlier this month as part of its Technology Series. Bace will
be available to talk with readers and inscribe their copies of her book.
A series of drawings will also be held during the book signing - enter to
win a free copy of the book!
Join us on Tuesday, January 18, at the RSA Conference (San Jose McEnery
Convention Center). The book signing will be held from 1-3 pm in the
Tripwire Security Systems booth (1008) in the Security Expo.
II. BUGTRAQ SUMMARY 2000-01-10 to 2000-01-16
---------------------------------------------
1. MsgCore/NT Denial of Service Vulnerability
BugTraq ID: 930
Remote: Yes
Date Published: 2000-01-13
Relevant URL:
http://www.securityfocus.com/bid/930
Summary:
There is a denial of service condition in Nosque Workshop's MsgCore SMTP
server. The problem lies in memory used to store server input not being
deallocated and eventually exhausted, causing the target NT host to freeze
requiring a reboot. If an SMTP client (or user sending input manually)
sends multiple sequences of "HELO/ MAIL FROM/ RCPT TO / DATA" in a single
connection, the memory allocated to store all of those values will not be
freed and the target will stop functioning once memory runs out.
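As an added illustration (not code from the advisory or from MsgCore), the following minimal SMTP session tracker in Python shows the mitigation side: envelope buffers are released at the end of every DATA phase, and a per-connection transaction cap returns 421 once one client has run too many HELO/MAIL FROM/RCPT TO/DATA sequences. The class and helper names are this example's own.

```python
class SmtpSession:
    """One connection's envelope state: buffers are released after every DATA
    phase (and on HELO/RSET), and a transaction cap bounds the connection."""
    def __init__(self, max_transactions=100):
        self.max_transactions = max_transactions
        self.transactions = 0
        self._reset_envelope()
    def _reset_envelope(self):
        # MAIL FROM, the RCPT TO list and any buffered body are dropped together.
        self.in_data = False
        self.mail_from, self.rcpts, self.body = None, [], bytearray()
    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.transactions += 1
                self._reset_envelope()
                return "250 OK"
            self.body.extend(line.encode("latin-1"))
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO", "RSET"):
            self._reset_envelope()
            return "250 OK"
        if verb == "MAIL":
            if self.transactions >= self.max_transactions:
                return "421 Too many transactions on this connection"
            self._reset_envelope()
            self.mail_from = arg
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL first"
            self.rcpts.append(arg)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 End data with ."
        return "500 Unrecognized command"

def run_sequences(session, n):
    # Drive n HELO/MAIL FROM/RCPT TO/DATA sequences; return each MAIL reply.
    replies = []
    for i in range(n):
        session.handle("HELO client.example")
        replies.append(session.handle(f"MAIL FROM:<a{i}@example.org>"))
        for cmd in ("RCPT TO:<b@example.net>", "DATA", "x" * 1000, "."):
            session.handle(cmd)
    return replies
```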
2. Winamp Playlist Vulnerability
BugTraq ID: 925
Remote: No
Date Published: 2000-01-10
Relevant URL:
http://www.securityfocus.com/bid/925
Summary:
Winamp, a program for playing mp3 and other audio files, uses playlist
files (*.pls) to store lists of files for playback. The code that reads
these files has an unchecked buffer which can be overflowed to cause
arbitrary code to be executed. If an entry longer than 580 bytes is
specified in the file, EIP gets overwritten.
This vulnerability can only be exploited remotely by convincing someone to
download the hostile playlist and load it into Winamp. IE5 will download
.pls files without user confirmation if Winamp is installed.
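Added example, not from the advisory or from Winamp: a defensive .pls parser in Python that rejects any entry longer than a configured limit before a playlist is handed to a client, run against a constructed sample with one oversized entry. MAX_ENTRY_BYTES and the function names are assumptions of this example.

```python
MAX_ENTRY_BYTES = 260  # assumption: ample for a file path, well short of 580 bytes

def parse_pls(data, max_entry=MAX_ENTRY_BYTES):
    """Parse a .pls playlist. Returns (entries, rejected): entries is a list of
    (index, path) for FileN= lines; rejected is a list of (line_no, reason)
    for anything that should not reach a client with a fixed-size buffer."""
    entries, rejected = [], []
    lines = data.split(b"\n")
    if lines[0].strip().lower() != b"[playlist]":
        return entries, [(1, "missing [playlist] header")]
    for no, raw in enumerate(lines[1:], start=2):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b";"):
            continue  # blank line or comment
        key, sep, value = line.partition(b"=")
        if not sep:
            rejected.append((no, "no '=' separator"))
            continue
        key = key.strip().lower()
        if len(value) > max_entry:  # the unchecked-copy hazard from the advisory
            rejected.append((no, f"{key.decode('latin-1')} value is {len(value)} bytes"))
            continue
        if key.startswith(b"file"):
            if not key[4:].isdigit():
                rejected.append((no, "malformed File index"))
                continue
            entries.append((int(key[4:]), value.decode("latin-1")))
    return entries, rejected

# Constructed sample: one sane entry and one 600-byte entry of the kind that
# would overwrite EIP in the vulnerable client.
SAMPLE_PLS = (b"[playlist]\r\nFile1=C:\\music\\ok.mp3\r\nTitle1=ok\r\n"
              b"File2=" + b"A" * 600 + b"\r\nNumberOfEntries=2\r\n")
```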
3. MySQL GRANT Global Password Changing Vulnerability
BugTraq ID: 926
Remote: Yes
Date Published: 2000-01-11
Relevant URL:
http://www.securityfocus.com/bid/926
Summary:
MySQL is a popular RDBMS used by many websites as a back-end. It is
possible for users with GRANT access to change passwords for every user in
the database (including the mysql superuser). MySQL also ships with a
default "test" account which has GRANT privileges and is unpassworded,
meaning anyone can connect to the db. These two problems combined can
result in a total, remote (and probably anonymous) database compromise.
The database can be compromised even if the test account is disabled
(given a local user account with GRANT privs).
4. Linux lpd Vulnerabilities
The version of lpd shipped with most Linux distributions is vulnerable to
a number of serious security problems. The most significant is the lack of
proper authentication. It is hostname-based, and is done through
comparing the reverse-resolved hostname of the connecting IP to the local
hostname. If the attacker were to change the reverse-resolved hostname of
his IP address to match the hostname of the target machine, access to lpd
would be granted without question. What could then be done is as follows:
- as many files as the attacker wants could be sent to the printer spool
directory
- anything can be specified in the control-file
- arbitrary arguments to sendmail could be passed (because there is an
option to send mail to someone when a print job is completed, but anything
can be used instead of an email address as an argument), which could lead
to a root compromise if a disguised sendmail cf file were sent over as a
file to print and used when the argument "-C" is passed to sendmail.
There were similar problems discovered by SNI (acquired by Network
Associates) in older versions of *BSD lpd, which were fixed shortly after.
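Added example, not from the advisory or from any lpd implementation: in Python, the hostname check as described above beside a forward-confirmed reverse DNS check against an explicit allow-list, driven by constructed PTR and A tables (the addresses and names are assumptions). A forged reverse record passes the first check and fails the second; even so, DNS remains a weak substitute for real authentication.

```python
import ipaddress

# Constructed DNS tables standing in for real lookups (assumption, not live data).
PTR_RECORDS = {
    "192.0.2.10": "printsrv.example.net",    # genuine peer: PTR and A agree
    "198.51.100.7": "printsrv.example.net",  # attacker controls this reverse zone
}
A_RECORDS = {"printsrv.example.net": {"192.0.2.10"}}
LOCAL_HOSTNAME = "printsrv.example.net"

def naive_lpd_check(ip, ptr=PTR_RECORDS):
    """The check the advisory describes: accept any peer whose reverse-resolved
    name equals the local hostname.  A forged PTR record passes."""
    return ptr.get(ip) == LOCAL_HOSTNAME

def fcrdns_check(ip, allowed_hosts, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS against an explicit allow-list: the PTR
    name must be permitted AND must resolve forward to the connecting address,
    so a forged PTR alone no longer suffices."""
    ipaddress.ip_address(ip)  # raise on malformed input before any lookup
    name = ptr.get(ip)
    if name is None:
        return False
    name = name.rstrip(".").lower()
    if name not in {h.lower() for h in allowed_hosts}:
        return False
    return ip in a.get(name, set())
```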
5. Corel Linux get_it PATH Vulnerability
BugTraq ID: 928
Remote: No
Date Published: 2000-01-12
Relevant URL:
http://www.securityfocus.com/bid/928
Summary:
A component of the "Corel Update" utility distributed with Corel's Linux
OS contains a local PATH vulnerability. The binary "get_it", which
is stored in /usr/X11R6/bin, is setuid root installed by default on all
Corel LinuxOS systems (it's part of their .deb package install/update
utils). get_it relies on PATH being trustworthy when it calls 'cp' (without the
full path), making it possible to spawn an arbitrary program (called 'cp')
with inherited root privs by changing the first searched path to one in
which a malicious cp lies. The consequences are immediate local root
compromise.
6. ICQ URL Remote Buffer Overflow Vulnerability
ICQ is an individual to individual chat network which has clients
installed on millions of computers around the world. It is, by far, the
most widely used and is vulnerable to a remote buffer overflow. When the
Mirabilis ICQ client parses a URL received from another user _inside of a
message_, it does not perform bounds checking on the length of the url.
Because of this, it is possible to overwrite the EIP ("instruction
pointer", or return address, that was pushed onto the stack when the
offending function was first called) and execute arbitrary and possibly
malicious code stuffed inside the oversized URL on the target host once
the url is clicked on.
This example string was taken from Drew Copley's Bugtraq post (with no
line breaks in the URL string): "!!!!" marks where EBP is overwritten,
and the four characters after that are where EIP is overwritten.
The consequences of this being exploited can be a compromise of the target
host in ways such as installing bo2k or netcat to allow for remote access
and/or control. It is suspected that there are more similar unpublished
vulnerabilities in the ICQ client. This was verified to crash Mirabilis
ICQ client version .99b Beta v.3.19.
III. PATCH UPDATES 2000-01-10 to 2000-01-16
-------------------------------------------
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------
The following represent articles which received the highest rate of click-
throughs when compared to other news articles on the SecurityFocus.com
website.
1. Clinton: $2B for cybersecurity (Mon Jan 10 2000)
Excerpt:
The Clinton administration today plans to release details of a
controversial plan for defending the nation’s critical networks from
attack, marking the first time any government has developed a
comprehensive strategy to defend its cyberspace.
2. Extortion Hack Raises Doubt of Online Security (Tue Jan 11 2000)
Excerpt:
A failed extortion plot that resulted in the online posting of a music
store's customer credit card database has raised questions about
cybersecurity just weeks after a record-setting holiday shopping season.
3. Reducing US Crypto Export Rules (Wed Jan 12 2000)
Excerpt:
The Clinton administration Thursday will dramatically reduce export limits
on computer data-scrambling technology, fulfilling a promise made in
September, people familiar with the new rules said.
4. High court ruling could impact Net privacy (Thurs Jan 13 2000)
Excerpt:
The Supreme Court ruled Wednesday that Congress is free to stop states
from selling home addresses, telephone numbers, vehicle descriptions and
other information collected by motor vehicles departments.
5. Stealing cards easy as Web browsing (Fri Jan 14 2000)
Excerpt:
Just how easy is it to steal credit card numbers on the Internet? On
Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored
by seven small e-commerce Web sites within a few minutes.
6. Hacker gang blackmails firms with stolen files (Sun Jan 16 2000)
Excerpt:
A BRITISH group of hackers has broken into the computer systems of at
least 12 multinational companies and stolen confidential files. It has
issued ransom demands of up to £10 million pounds.
IX. SECURITY FOCUS TOP 6 TOOLS
------------------------------
1. Security Focus Pager
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
2. Snort 1.3.1
by Martin Roesch (roesch@clark.net)
URL: http://www.clark.net/~roesch/security.html
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OpenBSD and Solaris
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules based
logging and can perform content searching/matching, in addition to being
used to detect a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
3. cgi-check99 v0.4
by deepquest
URL: http://www.deepquest.pf/
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, Windows 2000,
Windows 3.x, Windows 95/98, Windows CE and Windows NT
One of the world's most cross-platform CGI scanners, running on 37
operating systems, with PalmOS support coming soon! It checks for 119
common CGI and other remote issues, and reports the Bugtraq ID of some
vulnerabilities. Get the rebol interpreter at http://www.rebol.com.
4. HookProtect
HookProtect version 2.05 is another powerful product in the PCinvestigator
series. It specializes in detecting programs that infringe on privacy and
confidentiality on personal computers. There are many types of such
programs: keyloggers, interceptors, spies, Trojans and so on. Their main
function is monitoring some kind of user activity on a computer (for
example, typing text, running applications, opening windows, Internet
activity, etc.).
5. Bastille Linux 1.0
Bastille Linux is aimed primarily at non-security-experts, who are less
knowledgeable about security but want to run a more secure distribution
of Linux. Our goal is to build a more secure distribution based on a
well-supported existing distribution. Our solution currently takes the
form of a Universal Hardening Program which must be run immediately after
installation of Redhat 6.0. Our Hardening Program is unique in that
virtually every task it performs is optional, giving immense flexibility,
and that it educates the installing admin before asking any question. The
interactive nature allows the program to be more thorough when securing,
while the educational component produces an admin who is less likely to
compromise the greater security.
6. SuperScan 2.06
This is a powerful connect-based TCP port scanner, pinger and hostname
resolver. Multithreaded and asynchronous techniques make this program
extremely fast and versatile. Perform ping scans and port scans using any
IP range or specify a text file to extract addresses from. Scan any port
range from a built-in list or any given range.
X. SPONSOR INFORMATION - CORE-SDI
---------------------------------
CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. CORE SDI also has extensive experience dealing with financial
and government contracts throughout Latin and North America.
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV from. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.