ISS Security Alert Summary
October 15, 1998
Volume 3 Number 1

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

5 Reported Vulnerabilities
- Lotus-Domino-webinfo
- Sun-ftp
- SGI-mail
- snork
- Novell-groupwise-bo

2 Updates
- SGI-at
- SGI-mail-patches

Risk Factor Key

___

Date Reported: 10/9/98
Vulnerability: Lotus-Domino-webinfo
Platforms Affected: Lotus Domino
Risk Level: High

The l0pht has received information that many Domino web applications have improper permissions set. It is possible for a remote attacker to gain information such as credit card numbers, names and addresses, etc., using web tricks such as formatted URLs.

Reference:
L0pht Security Advisory: "Web users can retrieve sensitive data in many Domino based Internet applications" at http://www.l0pht.com/advisories/domino3.txt

___

Date Reported: 9/29/98
Vulnerability: Sun-ftp
Platforms Affected: Solaris (2.3, 2.5, 2.5.1, 2.6)
Risk Level: High

The ftp command is used to transfer files from one site to another. A vulnerability has been found that would allow a malicious ftp server to trick the ftp client into executing arbitrary commands.

References:
Sun Microsystems, Inc. Security Bulletin #00176: "ftp" at http://sunsolve.Sun.COM/pub-cgi/us/sec2html?secbull/176
CIAC Information Bulletin: "SunOS ftp client Vulnerability" at http://www.ciac.org/ciac/bulletins/j-004.shtml

___

Date Reported: 9/29/98
Vulnerability: SGI-mail
Platforms Affected: IRIX (3.x, 4.x, 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2, 6.3, 6.4, 6.5, 6.5.1m)
Risk Level: High

This Silicon Graphics advisory contains information on several vulnerabilities. First, a buffer overrun was found in the mailx program that would allow an attacker to manipulate any file owned by the mail group. The second vulnerability was in the Mail(1) program that would allow an attacker to obtain root level access.

References:
Silicon Graphics Inc. Security Advisory: "IRIX Mail(1)/mailx(1) Security Issues" at ftp://sgigate.sgi.com/security/19980605-01-PX
CIAC Information Bulletin: "SGI IRIX Mail(1)/mailx(1) Security Vulnerabilities" at http://www.ciac.org/ciac/bulletins/j-002.shtml

___

Date Reported: 9/29/98
Vulnerability: snork
Platforms Affected: Windows NT 4.0 (Workstation and Server)
Risk Level: Medium

The ISS X-Force has been researching a denial of service attack against the Windows NT RPC service. This attack allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time. It also allows a remote attacker to utilize a very large amount of bandwidth on a remote NT network by inducing vulnerable systems to engage in a continuous bounce of packets between all combinations of systems. This attack is similar to those found in the "Smurf" and "Fraggle" exploits, and is known as the "Snork" attack.

This vulnerability exists on Windows NT 4.0 Workstation and Server. All systems with service packs up to and including SP4 RC 1.99 are vulnerable, including any hotfixes released prior to 9/10/98.

Reference:
ISS Security Advisory: "Snork Denial of Service Attack Against Windows NT RPC Service" at http://www.iss.net/xforce/alerts/advise9.html

___

Date Reported: 9/23/98
Vulnerability: Novell-groupwise-bo
Platforms Affected: Novell IntranetWare (GroupWise)
Risk Level: High

NMRC has found a remote buffer overflow condition in the POP3 and LDAP ports that can be exploited to crash the server. Novell has released a patch as of 10/6. Find gwia551.exe at http://support.novell.com.

Reference:
Nomad Mobile Research Centre Advisory: "GroupWise Buffer Overflow" at http://www.nmrc.org/news/group1.txt

___

Date Reported: 10/5/98
Update: SGI-at (NetBSD Security Advisory 1998-004)
Vendor: Silicon Graphics Inc.
Platforms Affected: IRIX (6.2, 6.4, 6.5, 6.5.1)

SGI has released patches for the at(1) vulnerability that can be used to read normally unreadable files on the system. A local user can use at to queue a file for execution on the system, and the at command will return errors that can contain parts of the unreadable file.

References:
Silicon Graphics Inc. Security Advisory: "IRIX at(1) vulnerability" at ftp://sgigate.sgi.com/security/19981001-01-PX
NetBSD Security Advisory 1998-004: "Problem with at(1) allows any file to be read." at ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA1998-004.txt.asc

___

Date Reported: 9/29/98
Update: SGI-mail-patches (CERT CA-96.20)
Vendor: Silicon Graphics Inc.
Platforms Affected: IRIX (3.x, 4.x, 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2, 6.3, 6.4, 6.5, 6.5.1m)

Silicon Graphics Inc. has replaced patches with new patches that correct multiple Mail(1) security issues. See the references for exact patches and vulnerabilities.

References:
Silicon Graphics Inc. Security Advisory: "IRIX mail(1)/rmail(1M)/sendmail(1M) Security Vulnerabilities" at ftp://sgigate.sgi.com/security/19980604-02-PX
CERT(*) Advisory CA-96.20: "Sendmail Vulnerabilities" at ftp://info.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul

___

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server.

Medium  Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low     Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

Internet Security Systems, Inc. is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provides protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse and security policy violations. The Company has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, 9 of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

___

Copyright (c) 1998 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.