@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 22
June 7, 2004

Mac users are busy this week deploying an important patch, but Windows users are enjoying a third quiet week in a row. On the other hand, on Tuesday June 8, Microsoft's monthly vulnerability announcement may give Windows users several high priority security tasks.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                       # of Updates & Vulnerabilities
    Windows                        1
    Third Party Windows Apps       3 (#2)
    MacOS                          1
    UNIX                           5 (#1)
    Linux                          1 (#1)
    MacOS                          1 (#3, #7)
    Cross Platform                 4 (#6)
    Web Application                7 (#4, #5)
    Network Device                 4

******************** Security Training Update *************************

This Week's Featured Security Training Program: SANSFIRE 2004, Monterey, CA, July 5-13, 2004

SANSFIRE offers you 14 immersion training tracks in one of the most beautiful and romantic places in America. Phenomenal training for auditors who want to master the challenges of security auditing, for managers who want to build a great security program, for security beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from security business law to cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses. http://www.sans.org/sansfire2004

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application
Network Device

************ SPONSORED LINKS: FREE SANS RESOURCES **********************

(1) More than 1000 original research papers on 75 topics in computer security, now posted in the SANS Reading Room. A wealth of useful information. All free. http://www.sans.org/rr

(2) Security products explained - twenty four categories of products with an overview of what they do and the principal products in each category. http://www.sans.org/securityproducts/

(3) Internet Storm Center Threat Update Web Briefing, Wednesday June 9. Johannes Ullrich monitors thousands of sensors in 60 countries. He has a unique overview of the types of attacks that are being launched every day. Listen to his monthly webcast on Wednesday June 9 at 2 PM EDT (1800 UTC). http://www.sans.org/webcasts/show.php?webcastid=90489

(4) New Series of "What Works" Webcast shows you which products actually do the job they claim to do, so you can recommend them with confidence. The first one, on vulnerability remediation, is available for your use at http://www.sans.org/webcasts/show.php?webcastid=90510 Full list of archived webcasts at: http://www.sans.org/webcasts/archive.php

***********************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) LOW: MIT Kerberos "krb5_aname_to_localname" Buffer Overflows
  • Affected: All versions of MIT Kerberos prior to version krb5-1.3.4.
  • Description: MIT Kerberos is an implementation of the Kerberos network authentication protocol, which is used by many vendors in their products. The software contains multiple heap-based buffer overflows in the "krb5_aname_to_localname" function, which converts a Kerberos "principal" name to a Unix machine's local user name. The flaws in this function may be exploited to execute arbitrary code on hosts running Kerberized services, typically with root privileges. This is rated as a low risk vulnerability because 1) an attacker requires authentication credentials to the Kerberized service in order to exploit the flaws, and 2) the vulnerabilities can be leveraged only when "auth_to_local" or "auth_to_local_names" mappings are configured in the Kerberos configuration file (not a default configuration). The technical details required to exploit the flaws are exposed by comparing the fixed and the vulnerable version of the software.

  • Status: Vendor confirmed; updating to krb5-1.3.4 fixes the problem. For other vendors using the MIT Kerberos library, the CERT advisory provides the status.

  • Council Site Actions: Four of the reporting council sites are using the affected software. One site is not using the vulnerable configuration but they plan to update within the next few months. Another site is still investigating the potential impact. They use products such as HP Openview Operations Advanced Security where the vulnerable software is embedded. The third site is still investigating the potential impact and the fourth site is treating the vulnerability as low risk and does not plan any action at this time.

  • References:
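The bulletin notes that the krb5_aname_to_localname overflows are reachable only on MIT krb5 before 1.3.4 and only where "auth_to_local" or "auth_to_local_names" mappings are configured. The following added example (not code from SANS, MIT or the bulletin) reads a krb5.conf-style file and reports which realms carry such mappings, so an administrator can tell whether a host is actually exposed before scheduling the upgrade. The configuration text and the version strings are constructed for the example.

```python
"""Exposure check for the MIT Kerberos krb5_aname_to_localname issue.

Added example, not from the bulletin or from MIT. Per the bulletin, the
flaw is reachable only on krb5 < 1.3.4 AND only when auth_to_local or
auth_to_local_names mappings exist in krb5.conf, so both are checked.
"""
import re

FIXED_VERSION = (1, 3, 4)  # first fixed release named in the bulletin
MAPPING_KEYS = ("auth_to_local", "auth_to_local_names")


def parse_version(s: str) -> tuple:
    """'krb5-1.3.3' or '1.3.3' -> (1, 3, 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf parser: section -> key -> list of values.
    A 'key = {' block becomes a nested dict; repeated keys accumulate."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments/blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def realms_with_mappings(conf: dict) -> dict:
    """Realm name -> list of mapping keys it defines (empty if none)."""
    out = {}
    for realm, blocks in conf.get("realms", {}).items():
        for block in blocks:
            if isinstance(block, dict):
                found = [k for k in MAPPING_KEYS if k in block]
                if found:
                    out[realm] = found
    return out


def assess(conf_text: str, version: str) -> dict:
    """Combine version and configuration checks into one verdict."""
    vuln_version = parse_version(version) < FIXED_VERSION
    mapped = realms_with_mappings(parse_krb5_conf(conf_text))
    return {"vulnerable_version": vuln_version, "mapped_realms": mapped,
            "exposed": vuln_version and bool(mapped)}


# Constructed sample krb5.conf: one realm with mappings, one without.
SAMPLE_CONF = r"""
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
        auth_to_local = DEFAULT
        auth_to_local_names = {
            alice@EXAMPLE.COM = alice
        }
    }
    PARTNER.ORG = {
        kdc = kdc.partner.org
    }
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "krb5-1.3.3"))
```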
  • (2) LOW: Trend Micro PC-cillin Remote Code Execution Vulnerability
  • Affected: Trend Micro PC-cillin anti-virus product version 11
  • Description: This vulnerability in the Trend Micro PC-cillin anti-virus product reportedly enables a remote attacker to execute arbitrary code on the client machine. The problem occurs because the anti-virus software creates a local HTML alert file, and uses Internet Explorer to display that alert file, when any malware is found on the client machine. Internet Explorer opens the alert file in the context of the "local" computer zone. Hence, a specially constructed zip file, which is detected as malware, can execute arbitrary code on the client system. An attacker can deliver such a crafted file to the client via a webpage, email or peer-to-peer network. Note that the PC-cillin anti-virus product does not examine a zip file for malicious content in its default configuration. A proof-of-concept exploit has been posted.

  • Status: Vendor not confirmed, no patches available.

  • Council Site Actions: Two sites are using the affected software, but in very small installations. The first site notified the system support groups as their only course of action. The second site has fewer than 40 potential users of the software. Their expectation is that some of the affected users will obtain a fix for the vulnerability through the Trend Micro Update Center, and other affected users will switch over to their supported anti-virus solution.

  • References:
Other Software
  • (4) HIGH: e107 Content Management System Multiple Vulnerabilities
  • Affected: e107 CMS prior to version 0.616
  • Description: e107, a PHP-based content management system (CMS), reportedly contains remote file include and multiple SQL injection vulnerabilities. Both problems arise due to lack of sanitization of the user-supplied values for the HTTP parameters in multiple PHP scripts. An attacker can execute arbitrary PHP script code by specifying a remote file in the "secure_img_render.php" script's "p" parameter. The "content.php" and the "news.php" scripts contain SQL injection vulnerabilities that can be exploited to extract the md5 hash of the administrator's password. Postings show how to craft the various HTTP requests. Note that the vulnerabilities can be exploited only if the server's "register_globals" PHP configuration parameter is turned "On". The default setting for this parameter is "Off" for PHP versions 4.2.0 or higher.

  • Status: Vendor confirmed. Upgrade to version 0.616.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) HIGH: Mail Manage EX Remote File Include Vulnerability
  • Affected: Mail Manage EX version 3.1.8
  • Description: Mail Manage EX, a PHP based online form management software, contains a remote file include vulnerability. An attacker can specify a remote file value for the "Settings" parameter in the "mmex.php" script, and execute arbitrary PHP scripts on the web server. The posting contains an example of such a malicious request.

  • Status: Vendor has been informed, no fix available yet.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) MODERATE: Qualcomm Eudora Internet Mail Server Buffer Overflow
  • Affected: Eudora Internet Mail Server for Macintosh System 7
  • Description: Eudora Internet Mail Server (EIMS), a freeware mail server for Mac OS, is reportedly vulnerable to a heap-based buffer overflow. The flaw can be triggered by sending specially crafted data to port 105/tcp. Exploits of this flaw may execute arbitrary code on the mail server. Limited technical details regarding the flaw have been posted.

  • Status: Vendor not confirmed, no patches available.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 22, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3466 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.22.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows 2000 Domain Security Policy Weakness
  • Description: Windows 2000 domains are vulnerable to a security policy violation weakness. Reportedly, if a Windows 2000 domain has a Fully Qualified Domain Name (FQDN) of exactly 8 characters, domain accounts with expired passwords can still be used to authenticate into the domain.
  • Ref: http://support.microsoft.com/default.aspx?scid=kb;en-us;830847

  • 04.22.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Opera Browser Favicon Address Bar Spoofing Weakness
  • Description: The Opera web browser is vulnerable to a security weakness that may permit malicious web pages to spoof address bar information. The issue presents itself when an attacker uses a malicious "Shortcut Icon" or "favicon" to obfuscate information displayed in the address bar. Opera versions 7.50 and earlier are affected.
  • Ref: http://www.greymagic.com/security/advisories/gm007-op/

  • 04.22.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sambar Server Multiple Vulnerabilities
  • Description: Sambar Server is a web server and proxy package. The server is reported to be vulnerable to various directory traversal, arbitrary file access and cross-site scripting issues. Sambar Server versions 6.1 Beta 2 and earlier are affected.
  • Ref: http://www.oliverkarow.de/research/sambar.txt

  • 04.22.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: TinyWeb HTTP Server Script Disclosure
  • Description: TinyWeb is an HTTP server. It has been reported that Tinyweb is vulnerable to an unauthorized script disclosure issue. By using directory traversal techniques, it is possible for a malicious user to view or download the contents of CGI scripts stored in the cgi-bin directory. TinyWeb version 1.9.2 is reported to be vulnerable. Version 1.9.3 has been released by the vendor to remedy the problem.
  • Ref: http://secunia.com/advisories/11731/

  • 04.22.5 - CVE:CAN-2004-0513,CAN-2004-0514,CAN-2004-0515,CAN-2004-0516,CAN-2004-0517,CAN-2004-0171,CAN-2004-0518,CAN-2004-0485
  • Platform: Mac Os
  • Title: Apple Mac OS X Multiple Unspecified Vulnerabilities
  • Description: Multiple unspecified security vulnerabilities were reported in Mac OS X. These issues are present in NFS logging, LoginWindow, package installation, TCP/IP stack and AppleFileServer. Mac OS X version 10.3.4 has been released to address these issues.
  • Ref: http://docs.info.apple.com/article.html?artnum=61798

  • 04.22.6 - CVE: Not Available
  • Platform: Linux
  • Title: Slackware PHP Package Library Injection
  • Description: It has been reported that the stock installation of PHP on Slackware is linked against a static library in the "/tmp" directory. A local user could place malicious libraries in the "/tmp" directory, resulting in PHP loading arbitrary code on execution. Slackware has released a new package php-4.3.6 to remedy this problem.
  • Ref: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.4197657

  • 04.22.7 - CVE: Not Available
  • Platform: Unix
  • Title: Isoqlog Remote Buffer Overflows
  • Description: Isoqlog is a mail log analysis package for UNIX variant operating systems. It has been reported that Isoqlog is vulnerable to multiple remote buffer overflow attacks. Isoqlog version 2.2 has been released to remedy these problems.
  • Ref: http://www.securityfocus.com/archive/1/364657

  • 04.22.8 - CVE: Not Available
  • Platform: Unix
  • Title: SpamGuard Multiple Buffer Overflows
  • Description: SpamGuard is an MTA anti-spam software package. The "qmail_parseline()" and "sendmail_parseline()" functions in "parser.c" are vulnerable to remotely exploitable buffer overflows. SpamGuard versions prior to 1.7-BETA are known to be vulnerable.
  • Ref: http://www.enderunix.org/spamguard/devel/spamguard-devel/CHANGELOG

  • 04.22.9 - CVE: CAN-2004-0448
  • Platform: Unix
  • Title: jftpgw Remote Format String Vulnerability
  • Description: jftpgw is an FTP proxy for UNIX variant operating systems. It has been revealed that jftpgw FTP proxy is vulnerable to a remotely exploitable format string attack. The vulnerability is found in its use of the "syslog()" function. The vendor has released jftpgw version 0.13.4 to remedy the problem.
  • Ref: http://www.securityfocus.com/advisories/6795

  • 04.22.10 - CVE: Not Available
  • Platform: Unix
  • Title: Firebird Remote Database Name Buffer Overflow
  • Description: Firebird is a database derived from Borland Interbase source code. A buffer overflow condition occurs when the database server is handling database names that are longer than 300 bytes. This issue could possibly lead to the remote execution of arbitrary code. Firebird database versions 1.0.x and Borland Interbase versions 6.x and 7.x are known to be vulnerable.
  • Ref: http://secunia.com/advisories/11756/

  • 04.22.11 - CVE: CAN-2004-0395
  • Platform: Unix
  • Title: GATOS xatitv Privilege Escalation
  • Description: The GATOS project provides enhanced drivers for ATI chipset graphic boards. It has been revealed that a flaw exists in the xatitv component that could allow local users to gain root access if no configuration file exists.
  • Ref: http://www.debian.org/security/2004/dsa-509

  • 04.22.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tripwire Email Reporting Format String Vulnerability
  • Description: Tripwire is an integrity monitoring and reporting tool. A format string vulnerability exists when Tripwire generates an email report. This vulnerability allows an attacker to execute arbitrary code. Tripwire commercial versions 2.4 and earlier and Tripwire open source versions 2.3.1 and earlier are known to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0032.html

  • 04.22.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: XFree86 XDM Configuration Setting Bypass
  • Description: xdm is an X11 window display manager. xdm has been reported to ignore its "DisplayManager.requestPort" configuration setting. Even if set to false, xdm will open its "chooserFd" TCP socket on all network interfaces, which could lull the user into a false sense of security.
  • Ref: http://bugs.xfree86.org/show_bug.cgi?id=1376

  • 04.22.14 - CVE: CAN-2004-0523
  • Platform: Cross Platform
  • Title: Kerberos 5 Multiple Buffer Overruns
  • Description: MIT Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It is reported to be vulnerable to multiple buffer overrun conditions due to insufficient boundary checks in the "krb5_aname_to_localname()" function. MIT Kerberos 5 versions krb5-1.3.3 and earlier are affected.
  • Ref: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-001-an_to_ln.txt

  • 04.22.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Multiple Products Credential Theft
  • Description: It has been reported that multiple IBM products suffer from session hijacking vulnerabilities. An attacker can exploit the products' cookie handling to gain unauthorized access. The affected products include Tivoli Access Manager, Tivoli Configuration Manager, and WebSphere Everyplace Server. IBM has released patches for all affected versions.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21168762

  • 04.22.16 - CVE: CAN-2004-0520
  • Platform: Web Application
  • Title: SquirrelMail Content-Type Cross-Site Scripting
  • Description: SquirrelMail is a web-mail application. SquirrelMail versions 1.4.3 and earlier are vulnerable to a cross-site scripting issue due to insufficient sanitization in the "mime.php" script. This issue allows remote attackers to insert arbitrary HTML and script via the content-type mail header. Upon opening such an email, the unsuspecting user will launch the malicious script.
  • Ref: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

  • 04.22.17 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Authentication Bypass Vulnerability
  • Description: Gallery is a web-based photo-album package. It is reportedly vulnerable to an authentication bypass issue. The issue occurs when an attacker passes the "GALLERY_EMBEDDED_INSIDE" and the "GALLERY_EMBEDDED_INSIDE_TYPE" variables to the application. This tricks Gallery into thinking that authentication has been handled by the application it is embedded in. All versions prior to 1.4.3-pl2 are vulnerable.
  • Ref: http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=123&mode=thread&order=0&thold=0

  • 04.22.18 - CVE: Not Available
  • Platform: Web Application
  • Title: Mail Manage EX "Settings" Parameter Remote File Include
  • Description: Mail Manage EX, a form-mailer application, is reportedly vulnerable to an arbitrary remote PHP file include issue. This occurs due to insufficient user-input sanitization of the "Settings" parameter in the "mmex.php" script. Mail Manage EX version 3.1.8 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/11774/

  • 04.22.19 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPoto Unauthorized Access Vulnerability
  • Description: PHPoto is a web-based application that generates dynamic photo galleries. PHPoto is reportedly vulnerable to an unspecified unauthorized access issue that can allow remote users to view any pictures hosted on a site, regardless of the user's privileges. This was reported by the vendor for PHPoto versions 0.4.0-pre-5 and prior.
  • Ref: http://www.davidbindel.com/opensource/PHPoto/

  • 04.22.20 - CVE: Not Available
  • Platform: Web Application
  • Title: Land Down Under BBCode HTML Injection
  • Description: Land Down Under is a web-based content management system. Land Down Under is reportedly vulnerable to an HTML injection issue. This issue is present in the BBCode implementation. This is due to insufficient user-input sanitization of the "img" HTML tags. Land Down Under versions prior to 700-04 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/364663

  • 04.22.21 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Website System Multiple Vulnerabilities
  • Description: e107 Website System is prone to multiple cross-site scripting, HTML injection, file inclusion, and SQL injection vulnerabilities. The vulnerabilities are exposed due to insufficient sanitization of "clock_menu.php", "secure_img_render.php", "content.php" and "news.php" scripts. e107 Website System versions 0.615 and earlier are affected.
  • Ref: http://www.waraxe.us/index.php?modname=sa&id=31

  • 04.22.22 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Direct Script Access Security Bypass
  • Description: PHP-Nuke is a web content management system. It supports the use of third-party module extensions. PHP-Nuke attempts to disallow clients from directly accessing the embedded modules through a security check. This check is reportedly weak and can be bypassed easily. An attacker could use this to access normally protected files. All current versions of PHP-Nuke and derivative content management systems are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/364847

  • 04.22.23 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys Routers Denial of Service
  • Description: Multiple Linksys routers have been reported to be vulnerable to a denial of service attack. The vulnerability is caused by the lack of sanitization performed on arguments passed to the "Gozila.cgi" script on the web administration interface. If exploited, the router could become unresponsive, denying service to legitimate users. The administrator must follow a specially-crafted link for the problem to be exploited successfully. Linksys router firmware versions prior to 1.42.7 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/7428/

  • 04.22.24 - CVE: Not Available
  • Platform: Network Device
  • Title: Canon imageRUNNER Denial of Service
  • Description: The Canon imageRUNNER is a laser printer. The web-based administration interface contains a denial of service issue. The issue exists in the handling of repeated port scans, causing the printer to hang.
  • Ref: http://www.securitytracker.com/alerts/2004/May/1010297.html

  • 04.22.25 - CVE: CAN-2003-0970
  • Platform: Network Device
  • Title: Sun Fire B1600 Denial of Service
  • Description: Sun Fire B1600 switch is vulnerable to a remote denial of service condition. The issue exposes itself when the switch receives a specially-crafted ARP datagram on the network management port. When this happens, the switch firmware will disable all of the network ports on the switch, resulting in a denial of service condition. The vendor has released patch 114783-03 to address the issue.
  • Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57430

  • 04.22.26 - CVE: Not Available
  • Platform: Network Device
  • Title: Netgear WG602 Undocumented Administrative Account
  • Description: The Netgear WG602 has an undocumented administrative account that can be used to gain full access to the web-based administration site. The default login is "super" and the password is "5777364". Netgear WG602 firmware version 1.04.0 is known to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0049.html

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS' other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.