ISS X-Force

ISS Security Alert Summary
September 10, 1997
Volume 1 Number 2
---
8 Reported New Vulnerabilities
 - FreeBSD-procfs
 - wu_ftpd
 - majordomo
 - SGI-webdist
 - AIX-syslogd
 - IEcorrupt
 - HP-vue/dt
 - AIX-bugfiler

2 Updates
 - xlock (HP-UX)
 - libXt (HP-UX)
---
Date Reported: 8/12/97
Vulnerability: FreeBSD-procfs
Affected Platforms: FreeBSD (2.1.x, 2.2.x)
Risk Factor: High

procfs is used by programs like ps to interface with processes on a system. It contains a bug that allows procfs processes to write to the memory of other processes. This allows any local user to gain root privileges.

Reference:
http://ciac.llnl.gov/ciac/bulletins/h-101.shtml
ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-97%3A04.procfs.asc
---
Date Reported: 8/15/97
Vulnerability: wu_ftpd
Affected Platforms: BSDI (3.0)
                    FreeBSD (2.2.1)
                    SunOS (4.1.3)
                    (others likely, untested as of 9/9/97)
Risk Factor: Medium

A denial of service attack exists in all versions of wu_ftp servers. It is possible to create large directory listings with a recursive nlist command. CPU usage can rise to up to 99% and with multiple attacks can stay that way for hours.

Reference:
Posted on security@FreeBSD.ORG. Subject: FTP compromise.
---
Date Reported: 8/24/97
Vulnerability: majordomo
Affected Platforms: Any platform running majordomo server
Risk Factor: Medium

majordomo is a program that is used to subscribe and unsubscribe users to mailing lists on a system. It contains a bug that allows both local and remote users to execute commands with the privileges of the user running the majordomo server.
If the server has a list that includes the 'advertise' or 'noadvertise' lines in the configuration file, the server is vulnerable.
---
Date Reported: 5/6/97 (original), 8/26/97 (updated)
Vulnerability: sgi-webdist
Affected Platforms: IRIX (5.3, 6.0.1, 6.1, 6.2, 6.3, 6.4)
Risk Factor: High

webdist.cgi is a CGI program that allows users to install software via a web interface. It does not sufficiently check the arguments passed to it and therefore allows the execution of commands with the uid of the httpd server, which on some insecure networks could be a privileged account.

Reference:
ftp://sgigate.sgi.com/security/19970501-02-PX
ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist
---
Date Reported: 8/27/97
Vulnerability: AIX-syslogd
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: Medium

Because syslogd logs remote messages by default, AIX is vulnerable to denial of service attacks as well as fake messages being logged to syslog. A temporary fix is available and patches will be announced as soon as they become public.

Temporary Fix:
ftp://testcase.software.ibm.com/aix/fromibm/security.syslogd.tar.Z
---
Date Reported: 9/5/97
Vulnerability: IEcorrupt
Affected Platforms: Windows NT/95 (running Microsoft Internet Explorer 3 or 4)
Risk Factor: High

A security hole exists in Microsoft's Internet Explorer web browser that allows malicious web pages to corrupt files of viewers of that page. Although this is not a bug in Java, it is a bug in Microsoft's extensions to Java. This problem will be fixed in the release of Microsoft's Internet Explorer 4, which should be out towards the end of September.
Reference:
http://web.mit.edu/twm/www/expbug2/
---
Date Reported: 9/8/97
Vulnerability: HP-vue/dt
Affected Platforms: HP-UX (9.x, 10.x)
Risk Factor: Medium

Xserver programs vuefile, vuepad, dtfile, and dtpad do not authenticate users. If a user runs one of these programs while su'd to another user, it can result in allowed access to their accounts. Although there is no patch for this problem, a good solution would be to avoid running these programs when su'd to another account.

Reference:
HP Security Bulletin #00069 - http://us-support.external.hp.com/
---
Date Reported: 9/8/97
Vulnerability: AIX-bugfiler
Affected Platforms: AIX (3.x)
Risk Factor: High

bugfiler is a program that automatically stores bug reports, after summarizing them, in the mail directories specified by the MailDirectory variable. This program is setuid root, which makes it possible for users to circumvent file access restrictions. On some systems, this allows root access to be gained.

Reference:
Posted on comp.security.unix - Subject: (fwd) AIX bugfiler vulnerability
------
Update: libXt (ISS Security Alert Summary v1 n1)
Date: 9/8/97
Vendor: Hewlett Packard
Platform: HP-UX (9.x, 10.x)

Hewlett Packard has released patches for buffer overflow problems in the Xt library. These patches can be obtained from HP's patch site: http://us-support.external.hp.com/

Reference:
HP Security Bulletin #00058 - http://us-support.external.hp.com/
---
Update: xlock (ISS Security Alert Summary v1 n1)
Date: 9/8/97
Vendor: Hewlett Packard
Platform: HP-UX (any version with vhelock)

Hewlett Packard has released patches for buffer overflow problems in X11/Motif libraries.
These patches can be obtained from HP's patch site: http://us-support.external.hp.com/

Reference:
HP Security Bulletin #00067 - http://us-support.external.hp.com/
---
Risk Factor Key:

High    any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server.

Medium  any vulnerability that provides information that has a high potential of giving access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that possibly can contain an account with a guessable password.

Low     any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via bruteforce.
--------
Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
X Force xforce@iss.net of Internet Security Systems, Inc.

Internet Security Systems, Inc.
Internet Security Systems, Inc., (ISS) is the pioneer and world's leading supplier of network security assessment and monitoring tools, providing comprehensive software that enables organizations to proactively manage and minimize their network security risks. ISS' SAFEsuite® product family automatically detects, monitors, and responds to the growing number of network security vulnerabilities and threats. The Atlanta-based company's flagship product, Internet Scanner, is the world's leading security auditing tool used to eliminate network security vulnerabilities in corporations, government agencies, and financial institutions including 9 out of the top 10 U.S. banks. ISS' real time attack recognition and response tool, RealSecure(tm), is the leading network monitoring software used to automatically guard networks from external threats and internal misuse. For more information, contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS Web site at http://www.iss.net.