From xforce@iss.net Wed Mar 17 19:26:27 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Wed, 17 Mar 1999 18:20:06 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary v3 n7

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!

---------------------------------------------------------------------------

ISS Security Alert Summary
March 17, 1999
Volume 3 Number 7

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

25 Reported Vulnerabilities
 - ldap-mds-bo
 - cisco-router-commands
 - cisco-router-dos
 - shockwave-updater
 - default-bay-switches
 - nt-screen-saver
 - solaris-psinfo-crash
 - linux-blind-spoof
 - iis-isapi-execute
 - irix-font-path-overflow
 - testtrack-dos
 - testtrack-passwords
 - win-redirects-freeze
 - sco-startup-scripts
 - sol-cancel
 - gnuplot-home-overflow
 - netscape-server-dos
 - imail-passwords
 - oracle-passwords
 - xcmail-reply-overflow
 - imail-imap-overflow
 - imail-imonitor-overflow
 - imail-ldap-overflow
 - imail-websvc-overflow
 - imail-whois-overflow

Risk Factor Key

_____

Date Reported: 1999-03-15
Vulnerability: ldap-mds-bo
Platforms Affected: Microsoft Exchange Server (5.5)
Risk Factor: High

ISS X-Force has discovered a buffer overflow in the LDAP (Lightweight
Directory Access Protocol) server of Microsoft Exchange, the service that
gives LDAP clients read access to the Exchange server directory. The overflow
is triggered by a malformed bind request and can be used to execute arbitrary
code. The same attack can also cause the Exchange LDAP service to crash. This
vulnerability exists in Microsoft Exchange Server version 5.5.
Reference:
ISS Security Advisory: "LDAP Buffer overflow against Microsoft Directory
Services" at: http://www.iss.net/xforce/alerts/advise22.html

_____

Date Reported: 1999-03-11
Vulnerability: cisco-router-commands
Platforms Affected: Cisco
Risk Factor: High

Internet Security Systems (ISS) X-Force has discovered several
vulnerabilities in Cisco Series 700 routers. The Cisco 700 series is designed
for personal or small office ISDN connectivity. A vulnerability has been
found that allows remote attackers to issue commands to the router without
authentication.

References:
ISS Security Advisory: "Remote Reconfiguration and Denial of Service
Vulnerabilities in Cisco 700 ISDN Routers" at:
http://www.iss.net/xforce/alerts/advise21.html
Cisco Security Notice: "Cisco 7xx TCP and HTTP Vulnerabilities" at:
http://www.cisco.com/warp/public/770/7xxconn-pub.shtml

_____

Date Reported: 1999-03-11
Vulnerability: cisco-router-dos
Platforms Affected: Cisco
Risk Factor: High

Internet Security Systems (ISS) X-Force has discovered several
vulnerabilities in Cisco Series 700 routers. The Cisco 700 series is popular
among corporate users and telecommuters. It is used to support networks in
small offices or home offices, and is also recommended by Internet Service
Providers (ISPs) for personal ISDN connectivity. Remote attackers can deny
network connectivity by forcing the router to reboot.

References:
ISS Security Advisory: "Remote Reconfiguration and Denial of Service
Vulnerabilities in Cisco 700 ISDN Routers" at:
http://www.iss.net/xforce/alerts/advise21.html
Cisco Security Notice: "Cisco 7xx TCP and HTTP Vulnerabilities" at:
http://www.cisco.com/warp/public/770/7xxconn-pub.shtml

_____

Date Reported: 1999-03-11
Vulnerability: shockwave-updater
Platforms Affected: Shockwave Plugin 7
Risk Factor: High

A vulnerability has been discovered in the auto-update feature of the
Shockwave 7 plugin.
When the plug-in contacts the Macromedia web site for updates, it transfers
sensitive information about the sites it has visited, and in some cases this
includes the passwords used to enter those sites.

Reference:
BUGTRAQ Mailing List: "Shockwave 7 Security Hole" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903b&L=bugtraq&F=&S=&P=7706

_____

Date Reported: 1999-03-10
Vulnerability: default-bay-switches
Platforms Affected: Bay Networks
Risk Factor: High

The password "NetICs" has been found to allow access, by default, to the 350T
and 350F line of switches produced by Bay Networks. If an attacker can gain
interactive login access to one of the affected switches, they could take
complete administrative control of the device.

Reference:
BUGTRAQ Mailing List: "Default password in Bay Networks switches" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903b&L=bugtraq&F=&S=&P=7051

_____

Date Reported: 1999-03-11
Vulnerability: nt-screen-saver
Platforms Affected: Windows NT (4.0)
Risk Factor: High

A vulnerability exists in the Windows NT screen saver that could allow local
administrator privileges to be compromised. The hole exists because under
some circumstances the screen saver fails to drop its elevated privileges and
can then be tricked into running arbitrary commands with administrative
rights.
References:
Cybermedia Software Private Limited: "Screen Saver vulnerability" at:
http://www.cybermedia.co.in/NT_Security/SS_vulnerability.htm
Microsoft Knowledgebase Article ID 221991: "Screen Saver Vulnerability Lets
User Privileges be Elevated" at:
http://support.microsoft.com/support/kb/articles/q221/9/91.asp
Microsoft Security Bulletin MS99-008: "Patch Available for Windows NT 'Screen
Saver' Vulnerability" at: http://www.microsoft.com/security/bulletins/ms99-008.asp

_____

Date Reported: 1999-03-10
Vulnerability: solaris-psinfo-crash
Platforms Affected: Solaris (7)
Risk Factor: Medium

A bug has been discovered in the procfs distributed with Solaris 7 for SPARC
that allows any local user to crash the system. The bug is triggered when the
'/usr/xpg4/bin/more' command is used on the '/proc/self/psinfo' file, which
causes an exception and then a crash.

Reference:
BUGTRAQ Mailing List: "Re: 64 Bit Solaris 7 procfs bug" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903b&L=bugtraq&F=&S=&P=9202

_____

Date Reported: 1999-03-09
Vulnerability: linux-blind-spoof
Platforms Affected: Linux (2.0.x)
Risk Factor: High

A vulnerability exists in the Linux kernel's TCP/IP implementation up to and
including version 2.0.35. The hole allows remote attackers to send data to
listening daemons without completing the TCP three-way handshake.

Reference:
NAI Security Advisory: "Linux Blind TCP Spoofing" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903b&L=bugtraq&F=&S=&P=4475

_____

Date Reported: 1999-03-08
Vulnerability: iis-isapi-execute
Platforms Affected: IIS (4.0)
Risk Factor: High

A vulnerability exists in the way Microsoft Internet Information Server
(IIS), and possibly other Windows NT web servers, launch ISAPI extensions.
Normally these programs run in a nonprivileged context, but it has been found
to be possible to execute code from these extensions in the system context.
Reference:
NTBUGTRAQ Mailing List: "ISAPI Extension vulnerability allows to execute code
as SYSTEM" at:
http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L=ntbugtraq&F=P&S=&P=2439

_____

Date Reported: 1999-03-08
Vulnerability: irix-font-path-overflow
Platforms Affected: IRIX (5.3, 6.2, 6.3, 6.4, 6.5)
Risk Factor: High

A vulnerability has been discovered in the X server's font path handling on
many IRIX systems that allows local users to gain root privileges. Exploit
information for this problem has been widely distributed.

Reference:
SGI Security Advisory 19990301-01-PX: "X server font path buffer overflow
vulnerability" at: ftp://sgigate.sgi.com/security/19990301-01-PX

_____

Date Reported: 1999-03-08
Vulnerability: testtrack-dos
Platforms Affected: TestTrack
Risk Factor: Medium

A denial of service vulnerability exists in the commercial bug tracking
software TestTrack from Seapine Software. If a user connects to the TestTrack
port and then disconnects without having sent any data, the process will
consume 100% CPU for an indefinite amount of time.

Reference:
NTBUGTRAQ Mailing List: "Password and DOS Vulnerability with Testrack (bug
tracking software)" at:
http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L=NTBUGTRAQ&P=R1215

_____

Date Reported: 1999-03-08
Vulnerability: testtrack-passwords
Platforms Affected: TestTrack
Risk Factor: Medium

The TestTrack bug tracking program from Seapine contains a design weakness in
that it stores cleartext login information in log files. This behavior could
allow anyone with read access to these files to compromise the security of
the TestTrack server.
Reference:
NTBUGTRAQ Mailing List: "Password and DOS Vulnerability with Testrack (bug
tracking software)" at:
http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L=NTBUGTRAQ&P=R1215

_____

Date Reported: 1999-03-08
Vulnerability: win-redirects-freeze
Platforms Affected: Windows (95, 98), Windows NT
Risk Factor: Medium

A flaw in the way Windows 9x and NT handle ICMP redirect packets allows a
remote attacker to spoof packets from a router and cause the Windows box to
modify its routing tables. This attack effectively freezes the machine for
the duration of the attack. Exploit information and source code have been
made widely available.

References:
NTBUGTRAQ Mailing List: "Winfreeze EXPLOIT Win9x/NT" at:
http://www.ntbugtraq.com/page_archives_wa.asp?A2=ind9903&L=ntbugtraq&F=P&S=&P=2580

_____

Date Reported: 1999-03-07
Vulnerability: sco-startup-scripts
Platforms Affected: SCO Openserver, SCO Openserver Enterprise System (5.0.4p)
Risk Factor: Medium

A vulnerability exists in the way startup scripts under some versions of SCO
Unix handle temporary files. This hole could allow local users to cause the
system to delete or overwrite arbitrary files.

References:
BUGTRAQ Mailing List: "Little exploit for startup scripts (SCO 5.0.4p)" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903b&L=bugtraq&F=&S=&P=162
Santa Cruz Operation, Inc.: "SCO Security Home Page" at:
http://www.sco.com/security/

_____

Date Reported: 1999-03-05
Vulnerability: sol-cancel
Platforms Affected: Solaris (2.6, 2.6 x86)
Risk Factor: High

A buffer overflow vulnerability has been identified in the '/usr/bin/cancel'
program under some versions of Solaris. The hole could allow local users to
gain root privileges on the system. While the hole exists in several versions
of Solaris, it only affects version 2.6, which installs cancel suid root.
Reference:
BUGTRAQ Mailing List: "buffer overflow in /usr/bin/cancel" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903a&L=bugtraq&F=&S=&P=2132

_____

Date Reported: 1999-03-05
Vulnerability: gnuplot-home-overflow
Platforms Affected: Solaris (2.6, 2.6 x86)
Risk Factor: High

_____

Date Reported: 1999-03-04
Vulnerability: netscape-server-dos
Platforms Affected: HPUX (10.24 VVOS, which is distributed with Netscape
Enterprise Server 3.6)
Risk Factor: Medium

A vulnerability has been discovered in Netscape Enterprise Server version
3.6, in particular the one distributed with HP Praesidium VirtualVault 3.50,
which could allow a remote attacker to significantly slow response times.
This attack does not lead to any unauthorized access but could deny service
to legitimate users.

References:
HP Security Bulletin HPSBUX9903-092: "Security Vulnerability with NES3.6 on
VVOS" at: http://us-support.external.hp.com
Netscape Communications, Inc.: "Netscape Security Solutions" at:
http://www.netscape.com/products/security/

_____

Date Reported: 1999-03-04
Vulnerability: imail-passwords
Platforms Affected: Imail
Risk Factor: Medium

The IMail multi-protocol mail server for Windows stores users' passwords in
the NT registry. The encryption algorithm used to protect these passwords is
cryptographically insecure and easily cracked. This weakness could allow an
attacker with access to these registry keys to recover user passwords.
Reference:
BUGTRAQ Mailing List: "IMAIL password recovery is trivial" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903a&L=bugtraq&F=&S=&P=1193

_____

Date Reported: 1999-03-04
Vulnerability: oracle-passwords
Platforms Affected: Oracle
Risk Factor: Medium

Oracle by default creates databases with a master password of 'oracle'.
Oracle also writes these passwords in cleartext to a world-readable log file,
which means anyone with access to the disk can gain access to the exposed
database.

Reference:
BUGTRAQ Mailing List: "Oracle Plaintext Password" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903a&L=bugtraq&F=&S=&P=876

_____

Date Reported: 1999-03-02
Vulnerability: xcmail-reply-overflow
Platforms Affected: X11 XCMail
Risk Factor: High

XCmail is a multi-protocol mail client for the X Window environment. A buffer
overflow has been discovered in the client when responding to messages with
overly long subjects. This overflow could allow an attacker to gain access to
the UID running the XCmail program.

References:
BUGTRAQ Mailing List: "[0z0n3] XCmail remotely exploitable vulnerability" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903a&L=bugtraq&F=&S=&P=180
XCmail Project: "XCmail" at:
http://www.fsai.fh-trier.de/~schmitzj/Xclasses/XCmail/

_____

Date Reported: 1999-03-02
Vulnerability: imail-imap-overflow
Platforms Affected: Imail
Risk Factor: Medium

IMail is a popular multi-protocol mail server for Windows NT environments. A
buffer overflow has been discovered in the login command of the IMAP server
which could allow a remote attacker to crash the service. It is not known
whether this overflow can be manipulated to gain access to the machine.

References:
eEye Advisory AD03011999: "Multiple IMail Vulnerabilities" at:
http://www.eeye.com/database/advisories/ad03011999/ad03011999.html
Ipswitch, Inc.
Product Information: "IMail Server by Ipswitch" at:
http://www.ipswitch.com/Products/IMail_Server/index.asp

_____

Date Reported: 1999-03-02
Vulnerability: imail-imonitor-overflow
Platforms Affected: Imail
Risk Factor: Medium

IMail is a popular multi-protocol mail server for Windows NT environments.
The IMonitor service distributed as part of the IMail package contains a
buffer overflow vulnerability. A remote attacker can send the service an
especially long string of characters that will cause the IMonitor service to
fail and deny further service to legitimate users. It is not known whether
this hole can be manipulated to execute arbitrary code on the victim machine.

References:
eEye Advisory AD03011999: "Multiple IMail Vulnerabilities" at:
http://www.eeye.com/database/advisories/ad03011999/ad03011999.html
Ipswitch, Inc. Product Information: "IMail Server by Ipswitch" at:
http://www.ipswitch.com/Products/IMail_Server/index.asp

_____

Date Reported: 1999-03-02
Vulnerability: imail-ldap-overflow
Platforms Affected: Imail
Risk Factor: Medium

IMail is a popular multi-protocol mail server for Windows NT environments. A
buffer overflow exists in the LDAP server, which is part of the IMail
package. This vulnerability allows remote attackers to cause the LDAP service
to consume all available processor resources on the victim's machine. It is
not known whether this hole can be manipulated to execute arbitrary code.

References:
eEye Advisory AD03011999: "Multiple IMail Vulnerabilities" at:
http://www.eeye.com/database/advisories/ad03011999/ad03011999.html
Ipswitch, Inc. Product Information: "IMail Server by Ipswitch" at:
http://www.ipswitch.com/Products/IMail_Server/index.asp

_____

Date Reported: 1999-03-02
Vulnerability: imail-websvc-overflow
Platforms Affected: Imail
Risk Factor: Medium

IMail is a popular multi-protocol mail server for Windows NT environments.
A buffer overflow vulnerability exists in the web service feature of IMail
(usually TCP 8383) which allows a remote attacker to crash the service with a
long URL request. It is not known whether this hole can be manipulated to
execute arbitrary code on the victim's machine.

References:
eEye Advisory AD03011999: "Multiple IMail Vulnerabilities" at:
http://www.eeye.com/database/advisories/ad03011999/ad03011999.html
Ipswitch, Inc. Product Information: "IMail Server by Ipswitch" at:
http://www.ipswitch.com/Products/IMail_Server/index.asp

_____

Date Reported: 1999-03-02
Vulnerability: imail-whois-overflow
Platforms Affected: Imail
Risk Factor: Medium

IMail is a popular multi-protocol mail server for Windows NT environments.
The Whois32 service included in the IMail package contains a buffer overflow
vulnerability which allows remote attackers to crash the service. It is not
known whether this hole can be manipulated to execute arbitrary code on the
victim machine.

References:
eEye Advisory AD03011999: "Multiple IMail Vulnerabilities" at:
http://www.eeye.com/database/advisories/ad03011999/ad03011999.html
Ipswitch, Inc. Product Information: "IMail Server by Ipswitch" at:
http://www.ipswitch.com/Products/IMail_Server/index.asp

_____

Risk Factor Key:

High
  Any vulnerability that provides an attacker with immediate access into a
  machine, gains superuser access, or bypasses a firewall.
  Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to
  execute commands on the mail server.

Medium
  Any vulnerability that provides information that has a high potential of
  giving system access to an intruder.
  Example: A misconfigured TFTP or vulnerable NIS server that allows an
  intruder to get the password file, which could contain an account with a
  guessable password.

Low
  Any vulnerability that provides information that could potentially lead to
  a compromise.
  Example: A finger service that allows an intruder to find out who is online
  and which accounts exist, to attempt to crack passwords via brute force
  methods.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection and response software that protects
the security and integrity of enterprise information systems. By dynamically
detecting and responding to security vulnerabilities and threats inherent in
open systems, ISS's SAFEsuite family of products provides protection across
the enterprise, including the Internet, extranets, and internal networks,
from attacks, misuse, and security policy violations. ISS has delivered its
adaptive network security solutions to organizations worldwide, including
firms in the Global 2000, nine of the ten largest U.S. commercial banks and
over 35 governmental agencies. For more information, call ISS at 678-443-6000
or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.