
@RISK: The Consensus Security Vulnerability Alert

Volume: II, Issue: 53
December 31, 2003

Looks like an easier week for most of you. The eight critical vulnerabilities are all in products that are not widely used.

Happy New Year to you.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                      # of Updates & Vulnerabilities
    Other Microsoft Products      2 (Part II)
    Third Party Windows Apps      6 (Parts I & II)
    Unix                          5 (Parts I & II)
    Cross Platform                3 (Parts I & II)
    Web Application               17 (Part II)

*************** Sponsored By SANS 2004 This Week ************************

Announcing: SANS2004, The First Security Mega Conference April 1 - 9, at Walt Disney World Dolphin Resort in Orlando, Florida

  • Watch for the SANS2004 brochure and poster to arrive in your snail mail box next week

In the greatest advance in security training in the past six years, SANS has expanded its security education programs to more than 600 hours of unique training and education programs for:

--Security Technologists (five new programs)

--Auditors (four extraordinary tracks)

--Security Managers and Security Officers (three great tracks)

Plus new programs on the legal aspects of security, on ISO 17799, on E-Warfare and many more. Even the world's only training program on the newest developments in hacker exploits. Plus evening sessions and a great vendor exposition. Get the full program and register before your favorite courses fill up (SANS annual conference sessions always fill faster than any of our other programs.)

http://www.sans.org/sans2004

*************************************************************************

Table Of Contents

PART I -- Critical Vulnerabilities
PART II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Unix
    Cross Platform
    Web Application

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process and archives at http://www.sans.org/newsletters/

Other Software

  • (1) HIGH: ALT-N MDaemon Raw Message Handler Buffer Overflow
  • Affected: ALT-N MDaemon 6.52 through 6.85
  • Description: The MDaemon Mail Server package includes a web-based email component called "WorldClient". The WorldClient web server uses a default port of 3000/tcp and allows remote access to a CGI program called "form2raw.exe". This program allows users to create and send email messages by typing the relevant information into a web-based form. Specifically, the program accepts form data and uses it to create an email message that is written directly to MDaemon's raw message queue. A problem arises because "form2raw" can be forced to generate a specially crafted message that, when processed by the mail server, causes a stack-based buffer overflow. Remote attackers can exploit the flaw to execute arbitrary code with the privileges of the MDaemon process, possibly Local System. The advisory shows how to craft a web request that causes "form2raw" to generate a malformed email message.
  • Status: The vendor has reportedly confirmed the problem and plans to release a patch. The suggested workaround is to disable "form2raw" functionality on the web server. Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (2) HIGH: NetObserve Authentication Bypass Vulnerability
  • Affected: ExploreAnywhere NetObserve v. 2.0 and prior
  • Description: NetObserve is a remote control and monitoring agent for Windows desktops. The NetObserve daemon listens on a TCP port, authenticates users, and accepts HTTP-formatted commands to perform various functions. A vulnerability arises because the daemon relies on a constant HTTP header value to signify whether a user has properly authenticated. This header value is provided by the client, and can therefore be faked by remote attackers. The advisory shows how to craft requests that will bypass the NetObserve authentication and execute arbitrary Windows shell commands on a vulnerable system.
  • Status: Unclear. The vulnerability is reported in version 2.0 and prior, but the version currently available from the vendor website is 2.9. It is unknown whether the problem exists in current versions. Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
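The header-trust flaw described in item (2), as an added example that is not NetObserve's code: one raw-request parser feeds two authentication checks. The first decides from a constant client-supplied header (the `Cookie: login=0` value that Part II item 03.53.4 below names), so any client that can reach the port can assert it. The second consults a server-side session table that only a successful password check can populate, so the cookie carries nothing the server has not itself issued. The credential store, the session table, the request text and the random bytes used for the session id are constructed stand-ins, not anything from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 4
#define SID_LEN 16                        /* 8 random bytes, hex encoded */
static int ieq(const char *a, const char *b, size_t n)   /* case-insensitive, NUL-safe */
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Locate a header in a raw HTTP request; returns its value and length, or
 * NULL. Stops at the blank line so a request body cannot smuggle one in. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = strstr(req, "\r\n");             /* skip the request line */
    while (p != NULL) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n') break;     /* end of headers */
        if (ieq(p, name, nlen) && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            const char *e = strstr(v, "\r\n");
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* VULNERABLE: a constant, client-supplied header is taken as proof of login,
 * so anyone who can reach the port adds "Cookie: login=0" and is "logged in". */
int vuln_is_authenticated(const char *req)
{
    size_t len;
    const char *v = find_header(req, "Cookie", &len);
    return v != NULL && len == 7 && memcmp(v, "login=0", 7) == 0;
}

/* HARDENED: the cookie carries only an opaque id; the server-side table,
 * filled solely by a successful password check, is what decides. */
static char sessions[MAX_SESSIONS][SID_LEN + 1];
static int check_password(const char *user, const char *pass)
{
    /* CONSTRUCTED credential store; real code compares a salted hash. */
    return strcmp(user, "admin") == 0 && strcmp(pass, "s3cret-example") == 0;
}

const char *issue_session(const char *user, const char *pass, const unsigned char rnd[8])
{
    if (!check_password(user, pass)) return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i][0] != '\0') continue;
        for (int j = 0; j < 8; j++) snprintf(&sessions[i][2 * j], 3, "%02x", rnd[j]);
        return sessions[i];
    }
    return NULL;                                     /* table full */
}

int safe_is_authenticated(const char *req)
{
    size_t len; char val[256];
    const char *v = find_header(req, "Cookie", &len);
    if (v == NULL || len >= sizeof val) return 0;
    memcpy(val, v, len);
    val[len] = '\0';
    const char *s = strstr(val, "sid=");
    if (s == NULL || strlen(s + 4) < SID_LEN) return 0;
    for (int i = 0; i < MAX_SESSIONS; i++)           /* constant-time compare in production */
        if (sessions[i][0] != '\0' && memcmp(s + 4, sessions[i], SID_LEN) == 0) return 1;
    return 0;
}

/* CONSTRUCTED: the forged request, and a stand-in for CSPRNG output (use getrandom()/arc4random() for real ids). */
const char forged_req[] = "GET /cmd?run=dir HTTP/1.0\r\nHost: victim\r\nCookie: login=0\r\n\r\n";
static const unsigned char demo_rnd[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
char legit_req[128];

/* Log in through the real check and build the request a legitimate client sends. */
int demo_login_and_request(void)
{
    const char *sid = issue_session("admin", "s3cret-example", demo_rnd);
    if (sid == NULL) return 0;
    snprintf(legit_req, sizeof legit_req, "GET /cmd?run=dir HTTP/1.0\r\nCookie: sid=%s\r\n\r\n", sid);
    return 1;
}

int main(void)
{
    demo_login_and_request();
    printf("forged:  vuln=%d safe=%d\n", vuln_is_authenticated(forged_req), safe_is_authenticated(forged_req));
    printf("session: vuln=%d safe=%d\n", vuln_is_authenticated(legit_req), safe_is_authenticated(legit_req));
    return 0;
}
```

The forged request satisfies the vulnerable check and fails the hardened one; the request built after a real login satisfies only the hardened one. The same test that proves the bypass (send the constant header with no prior login) is the regression test to keep once the daemon is fixed.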
  • (4) MODERATE: LANDesk IRCRBOOT.DLL ActiveX Control Buffer Overflow
  • Affected: LANDesk Management Suite v. 6.x, 7.x and possibly 8.x
  • Description: The LANDesk Management Suite allows centralized monitoring and control of heterogeneous computer systems distributed throughout an enterprise. The software includes an ActiveX component, called IRCRBOOT.DLL, that reportedly contains a buffer overflow vulnerability in the SetClientAddress() function. A malicious web server can invoke the ActiveX control on any system where it is installed, and exploit the flaw to execute arbitrary code with the privileges of the user running the browser. Technical details are available but no exploit code has been posted at this time.
  • Status: The vendor has reportedly been informed but has not yet taken action to address the issue. Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) MODERATE: Platinum FTP Server Format String Vulnerabilities
  • Affected: Platinum FTP Server v. 1.0.18 and possibly prior versions
  • Description: Platinum FTP, a popular shareware server for Windows, reportedly contains format string errors in handling specially crafted arguments provided to multiple different FTP commands. Vulnerabilities in two flawed commands, USER and PASS, can be exploited prior to authentication. Remote attackers can potentially leverage the flaws to execute arbitrary code with the privileges of the server process. An example malicious username was given as "%s%s%s%s"; no further technical details have been posted.
  • Status: Unclear. No patches are currently available. Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary. One site did comment that the ftp protocol has been banned on their critical servers.

  • References:
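Added example (not Platinum FTP's code) of the format-string mistake behind the "%s%s%s%s" username quoted in item (5): the reply to an FTP USER command built once with the client's data used as the format and once with a constant format, plus a small scanner that counts the conversion directives an untrusted string would introduce if it ever reached a format position. The reply wording and buffer sizes are assumptions; the vulnerable builder is only ever run on a benign name here, since running it on the probe is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

char reply[128];   /* reply buffer shared by the two builders below */

/* VULNERABLE: the client's USER argument is spliced into the text and the
 * result is then used as the *format*. Each %s in a username like "%s%s%s%s"
 * makes the printf engine pull a pointer from the vararg area (stale stack or
 * register contents) and dereference it; %x leaks those values, %n writes
 * through them. gcc/clang flag this with -Wformat-security; the pragma is only
 * here so the broken form compiles for comparison. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int vuln_user_reply(const char *user)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "331 Password required for %s\r\n", user);
    return snprintf(reply, sizeof reply, fmt);     /* format comes from the peer */
}
#pragma GCC diagnostic pop

/* FIXED: constant format; peer data only ever travels through a %s argument,
 * so "%s%s%s%s" is copied as eight ordinary characters. */
int safe_user_reply(const char *user)
{
    return snprintf(reply, sizeof reply, "331 Password required for %s\r\n", user);
}

/* Mechanical check for untrusted strings that might ever reach a format
 * position: count the conversion directives ("%%" is a literal, not one). */
int count_format_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *probe = "%s%s%s%s";     /* username quoted in the advisory */
    safe_user_reply(probe);
    printf("safe: %s", reply);
    vuln_user_reply("alice");           /* benign input: both builders behave identically,
                                           which is why this class survives functional testing */
    printf("vuln: %s", reply);
    printf("directives hidden in the probe: %d\n", count_format_conversions(probe));
    return 0;
}
```

The point of the counter is the pre-auth position of the flaw: USER and PASS arrive before any credential check, so a server-side filter (or, better, a compiler flag that rejects non-literal formats outright) is the only thing between the probe and the reply routine.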
  • (7) MODERATE: Jordan Windows Telnet Server Buffer Overflow
  • Affected: Jordan Stojanovski Windows Telnet Server versions 1.0, 1.2
  • Description: "Windows Telnet Server" is a shareware server daemon that allows remote access to Windows 98/NT/2000 machines via telnet. The server reportedly contains a buffer overflow in handling large usernames provided during authentication. Remote attackers can exploit the flaw to execute arbitrary code with the privileges of the daemon process. The technical details required for exploitation have been posted.
  • Status: The vendor has reportedly been contacted but has not yet responded. Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary. One site did comment that the telnet protocol has been banned on their critical servers.

  • References:
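Item (1), the over-length From: value that form2raw can be made to emit (Part II item 03.53.5 puts the limit at 249 characters), and item (7), the over-long telnet username, are the same defect: a line of peer-controlled text copied into a fixed stack buffer with no bound. One added example covers both; it is not code from MDaemon or Windows Telnet Server, and the field size, the header lookup and the sample messages are constructed to match those descriptions.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 249   /* From: limit reported for MDaemon (03.53.5); assumed for the telnet login too */

char field_out[512];    /* where the readers below leave the parsed value */

/* VULNERABLE: copy one line of peer-supplied text into a fixed stack buffer.
 * i is never compared with sizeof field, so bytes 250 onward land on whatever
 * follows the array in the frame: saved registers, then the return address. */
int vuln_read_field(const char *src)
{
    char field[FIELD_MAX + 1];
    size_t i = 0;
    while (src[i] != '\0' && src[i] != '\r' && src[i] != '\n') {
        field[i] = src[i];
        i++;
    }
    field[i] = '\0';
    snprintf(field_out, sizeof field_out, "%s", field);
    return (int)i;
}

/* HARDENED: measure first, refuse over-length input outright (silently
 * truncating a From: or a login name is its own bug), then copy within bounds. */
int safe_read_field(const char *src)
{
    char field[FIELD_MAX + 1];
    size_t len = strcspn(src, "\r\n");
    if (len > FIELD_MAX) return -1;
    memcpy(field, src, len);
    field[len] = '\0';
    snprintf(field_out, sizeof field_out, "%s", field);
    return (int)len;
}

/* Find the From: header of a raw message (simplified: first occurrence, no
 * header folding) and hand its value to one of the readers above. */
int parse_from(const char *raw, int (*reader)(const char *))
{
    const char *h = strstr(raw, "From:");
    if (h == NULL) return -2;
    h += 5;
    while (*h == ' ') h++;
    return reader(h);
}

/* CONSTRUCTED inputs: a normal raw message, and one whose From: value is
 * FIELD_MAX + 40 characters, the shape form2raw can be made to emit. */
const char benign_raw[] =
    "From: alice@example.test\r\nTo: bob@example.test\r\n\r\nhello\r\n";
char long_raw[FIELD_MAX + 64];

int build_long_raw(void)
{
    int n = FIELD_MAX + 40;
    memcpy(long_raw, "From: ", 6);
    memset(long_raw + 6, 'A', (size_t)n);
    memcpy(long_raw + 6 + n, "\r\n", 3);      /* copies the terminating NUL too */
    return n;
}

int main(void)
{
    build_long_raw();
    printf("benign From: vuln=%d safe=%d (%s)\n",
           parse_from(benign_raw, vuln_read_field),
           parse_from(benign_raw, safe_read_field), field_out);
    printf("289-char From: safe=%d (rejected)\n", parse_from(long_raw, safe_read_field));
    /* parse_from(long_raw, vuln_read_field) would write 40 bytes past field[];
     * deliberately not executed. */
    printf("telnet login 'root': safe=%d\n", safe_read_field("root\r\n"));
    return 0;
}
```

Both readers agree on ordinary input, which is why the bug ships; the difference only appears on the 289-character From:, which the hardened reader refuses before touching the stack buffer. For the form2raw case the right place to enforce the limit is also at the web form, but the raw-message parser cannot assume every queued file came through that form.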
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 53, 2003

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3140 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 03.53.1 - CVE: CAN-2003-1328
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer showHelp CHM Weakness
  • Description: The showHelp() function in Microsoft Internet Explorer previously suffered from an exploitable code execution issue, and Microsoft released patches to fix the problem (described in MS03-004). However, it has been discovered that it is possible to bypass the patch and its restrictions by using directory traversal sequences.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0337.html

  • 03.53.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer HTTP Referer Information Disclosure
  • Description: Internet Explorer for MacOS includes the HTTP Referer header in (non-secure) HTTP requests made from pages served by HTTPS servers; this violates the HTTP 1.1 RFC and presents a security risk in certain circumstances. In particular, links followed from Outlook Web Access will carry sensitive user account information in the Referer, which may assist an attacker.
  • Ref: http://www.gadgetopia.com/2003/12/23/OutlookWebAccessPrivacyHole.html

  • 03.53.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LANDesk Management Suite IRCBoot.DLL Buffer Overflow Vulnerability
  • Description: LANDesk Management Suite is a software application designed to help manage networks, a buffer overflow exists in the IRCBoot.DLL ActiveX Control, attackers can exploit this by building a malicious website which references the vulnerable control. When the site is visited the buffer overflow in the control can be triggered allowing malicious code to be executed in the context of the web browser.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0328.html

  • 03.53.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NETObserve Authentication Bypass Vulnerability
  • Description: NETObserve is web-based PC surveillance software, authenticated users may observe activity on the system and issue commands. It is possible to bypass the authentication mechanism by making HTTP requests containing the header 'Cookie: login=0', thus allowing any remote user full access to the target host.
  • Ref: http://www.elitehaven.net/netobserve.txt

  • 03.53.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Alt-N MDaemon/WorldClient Buffer Overflow Vulnerability
  • Description: MDaemon is a mail server for Microsoft Windows operating systems; the package includes WorldClient, a web-based email client. The 'FORM2RAW.exe' binary is vulnerable to a buffer overflow when a message is sent with a 'From' field greater than 249 characters in length. Users of WorldClient may exploit this vulnerability to execute arbitrary code in the context of the mail server.
  • Ref: http://hat-squad.com/bugreport/mdaemon-raw.txt

  • 03.53.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Jordan Windows Telnet Server Buffer Overflow Vulnerability
  • Description: Jordan Windows Telnet Server for Windows has been reported to be vulnerable to a buffer overflow attack due to lack of bounds checking on the username field, this is trivially exploitable and may result in the execution of arbitrary code by the affected service.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0335.html

  • 03.53.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Opera Download Dialog File Corruption Vulnerability
  • Description: Opera is vulnerable to an issue whereby a file download dialog can result in the corruption of local files. If a downloaded file's name contains relative path components such as '%5C..', it is possible for the remote site to specify where the temporary file is written. This has been observed on Opera for Windows platforms; other versions may also be affected.
  • Ref: http://opera.rainyblue.org/modules/cjaycontent/index.php?id=16

  • 03.53.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Xlight FTP Server Remote Buffer Overflow Vulnerability
  • Description: XLight FTP Server is an FTP server for the Microsoft Windows platform; a buffer overflow in the handling of the 'PASS' command has been discovered in the software. Attackers may be able to exploit this to gain unauthorised access to the system using a specially crafted FTP command.
  • Ref: http://www.securiteam.com/windowsntfocus/6X00R0K95E.html

  • 03.53.9 - CVE: Not Available
  • Platform: Unix
  • Title: Surfboard httpd Server Buffer Overflow Vulnerability
  • Description: Surfboard is a freely available web server for Unix; a problem in the handling of URL requests results in a buffer overflow condition. This condition may be exploited by attackers to crash the service and deny service to legitimate users; furthermore it may be possible to execute arbitrary code in the context of the web server.
  • Ref: http://www.securitytracker.com/alerts/2003/Dec/1008549.html

  • 03.53.10 - CVE: Not Available
  • Platform: Unix
  • Title: PServ HTTP Server Directory Traversal
  • Description: pServ is an open source web server package, a problem has been reported whereby it is possible for requests containing double-slash '//' sequences to serve content from outside the webserver root directory. Thus it is possible for malicious users to access any file on the host readable by the webserver process.
  • Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=863248&group_id=59378&atid=490803

  • 03.53.11 - CVE: Not Available
  • Platform: Unix
  • Title: indent Memory Corruption Vulnerability
  • Description: Indent is a text processing tool designed to improve the readability of C source code; a memory corruption issue related to the parsing of large labels results in an exploitable overflow condition which may lead to arbitrary code execution.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3799.html

  • 03.53.12 - CVE: Not Available
  • Platform: Unix
  • Title: John Sage ACK_hole01 Heap Buffer Overrun Vulnerability
  • Description: John Sage ACK_hole01 is a TCP/IP network data sink for Unix and Linux platforms. It has been reported that the software fails to initialise the 'bytes' parameter, resulting in memory corruption which may lead to an exploitable overrun condition.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3790.html

  • 03.53.13 - CVE: Not Available
  • Platform: Unix
  • Title: ViewCVS Cross-Site Scripting Vulnerability
  • Description: ViewCVS is an application that allows users to browse CVS repositories using a web interface, it is reported to suffer from a cross-site scripting vulnerability in the 'viewcvs.py' script whereby error pages fail to completely sanitize user supplied input.
  • Ref: http://lwn.net/2002/0523/a/viewcvs.php3

  • 03.53.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CVS PServer Passwd File Code Execution Vulnerability
  • Description: CVS servers prior to 1.11.11, are reported to be vulnerable to an arbitrary code execution issue. The vulnerability is only exploitable by certain users, specifically those with write access to the CVSROOT/passwd file may potentially execute arbitrary code as the root user.
  • Ref: http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88

  • 03.53.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: L_Soft Listserv Cross-Site Scripting Vulnerabilities
  • Description: Listserv is a multi-platform mailing list management application; several cross-site scripting issues have been discovered. Specifically the WA-MSD.EXE, WA-USIAINFO.EXE and WA-DEMO.EXE binaries in the Windows version have been reported vulnerable. Versions for other platforms are also affected.
  • Ref: http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0320.html

  • 03.53.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Browser URL Display Obfuscation
  • Description: A weakness in Opera allows attackers to obfuscate the URL for a visited page: certain UTF-8 encoded characters may be interpreted as a NULL, resulting in the URL display being truncated.
  • Ref: http://www.securityfocus.com/archive/1/348275

  • 03.53.17 - CVE: Not Available
  • Platform: Web Application
  • Title: Squirrelmail G/PGP Plugin Command Execution Vulnerability
  • Description: Squirrelmail is an open source webmail package, a problem with the handling of data passed to the G/PGP Plugin results in a command execution vulnerability. Malicious users can place shell commands in the To: line of an e-mail sent through Squirrelmail which will result in the plugin executing the commands in the context of the web server.
  • Ref: http://www.bugtraq.org/advisories/_BSSADV-0001.txt

  • 03.53.18 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBB Index.PHP SQL Injection Vulnerability
  • Description: OpenBB is an open source bulletin board software package implemented in PHP, the software does not correctly sanitize input passed to the 'index.php' script and this makes it possible for malicious users to modify SQL queries made by the software.
  • Ref: http://www.teusink.net/research/T2003-002.php

  • 03.53.19 - CVE: Not Available
  • Platform: Web Application
  • Title: Web Merchant Services Storefront SQL Injection Vulnerability
  • Description: Storefront shopping cart is web-based shopping cart software implemented in ASP, a vulnerability exists in the software which allows a remote user to inject malicious SQL syntax into database queries using the 'login.asp' script.
  • Ref: http://www.securityfocus.com/bid/9301

  • 03.53.20 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBB Cross-Site Scripting Vulnerability
  • Description: The 'board.php' script in OpenBB is vulnerable to a cross-site scripting issue, URI parameters passed to the script are not correctly sanitised allowing an attacker to create a malicious link which will lead to potentially malicious HTML code being rendered in a target's browser.
  • Ref: http://www.securityfocus.com/bid/9303

  • 03.53.21 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Survey Module SQL Injection Vulnerability
  • Description: PHP-Nuke is a web Portal system implemented in PHP, a vulnerability in the software allows malicious users to influence the logic of SQL queries by injecting specially crafted data into the $pollID variable used by the Survey module.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0327.html

  • 03.53.22 - CVE: Not Available
  • Platform: Web Application
  • Title: Private Message System Cross-Site Scripting Vulnerability
  • Description: Private Message System (PMSys) is a web chat application implemented in PHP, it is reported that the software is susceptible to cross-site scripting attacks via the 'index.php' script due to incomplete sanitisation of the 'page' parameter.
  • Ref: http://pmsys.sourceforge.net/index.php

  • 03.53.23 - CVE: Not Available
  • Platform: Web Application
  • Title: php-ping Arbitrary Command Execution Vulnerability
  • Description: php-ping is a ping script written in PHP; due to a failure to sanitize the 'count' parameter it is possible for attackers to execute arbitrary commands on the target server via the use of shell meta characters.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3821.html

  • 03.53.24 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPCatalog SQL Injection Vulnerability
  • Description: PHPCatalog is a web based e-catalog package implemented in PHP, insufficient sanitization of the '$id' parameter results in remote attackers being able to modify SQL queries and modify SQL logic.
  • Ref: http://www.secunia.com/advisories/10516/

  • 03.53.25 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniBB Profile Website Cross-Site Scripting Vulnerability
  • Description: miniBB is a PHP web forum application, there is a cross-site scripting problem in the 'bb_edit_prf.php' script which is a result of the 'bb_func_usernfo.php' failing to correctly sanitize data supplied via the 'website name' field in the user profile.
  • Ref: http://www.secunia.com/advisories/10517/

  • 03.53.26 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB GroupCP.PHP SQL Injection Vulnerability
  • Description: phpBB is a PHP web forum application, it has been discovered that users with Group Moderator privileges can exploit a problem with the 'groupcp.php' script to inject data into SQL queries and therefore modify SQL query logic.
  • Ref: http://www.secunia.com/advisories/10515/

  • 03.53.27 - CVE: Not Available
  • Platform: Web Application
  • Title: iSoft QuikStore Shopping Cart Path Disclosure Vulnerability
  • Description: QuikStore, a shopping-cart web package, discloses the installation path when specific malformed requests are made via the 'store' parameter.
  • Ref: http://drponidi.5u.com/advisory.htm

  • 03.53.28 - CVE: Not Available
  • Platform: Web Application
  • Title: iSoft QuikStore Shopping Cart Directory Traversal Vulnerability
  • Description: QuikStore, a shopping-cart package, allows directory traversal remotely through simple '../' character sequences in the requested URIs.
  • Ref: http://drponidi.5u.com/advisory.htm

  • 03.53.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Webfroot Shoutbox Cross-Site Scripting Vulnerability
  • Description: Webfroot Shoutbox is a web messaging system, it is implemented in PHP. Webfroot Shoutbox is vulnerable to a cross-site scripting issue in the 'viewshoutbox.php' script, input supplied via the 'error' URI parameter is not correctly sanitized and may allow an attacker to render potentially malicious HTML in a user's browser.
  • Ref: http://www.securityfocus.com/bid/9289

  • 03.53.30 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Privmsg.PHP Cross-Site Scripting Issue
  • Description: phpBB is an open-source web forum application implemented in PHP; it is prone to a cross-site scripting vulnerability in the 'privmsg.php' script. Data supplied via the 'mode' parameter is not completely sanitized, and thus it is possible to embed potentially malicious HTML in pages.
  • Ref: http://www.securityfocus.com/bid/9290

  • 03.53.31 - CVE: Not Available
  • Platform: Web Application
  • Title: KnowledgeBuilder Remote File Include Vulnerability
  • Description: KnowledgeBuilder is a web-based application for managing articles and FAQs, it is reported to be vulnerable to a remote PHP include attack which allows remote attackers to execute arbitrary PHP code on the target server.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0321.html

  • 03.53.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Psychoblogger Cross-Site Scripting Vulnerabilities
  • Description: Psychoblogger is a weblog application implemented in MySQL and PHP. A number of cross site scripting issues have been identified in the 'imageview.php', 'entryadmin.php', 'authoredit.php', 'blockedit.php', 'configadmin.php' and 'quoteedit.php' scripts.
  • Ref: http://www.fribble.net/advisories/psychoblogger_19-12-03.txt

  • 03.53.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Psychoblogger SQL Injection Vulnerabilities
  • Description: Psychoblogger is a weblog application implemented in MySQL and PHP. Multiple SQL injection vulnerabilities have been discovered in the application which allow attackers to influence SQL queries. The 'shouts.php', 'comments.php' and 'category.php' scripts are known to be vulnerable.
  • Ref: http://www.fribble.net/advisories/psychoblogger_19-12-03.txt

(c) 2003. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2003. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.