From xforce@iss.net Fri Oct 22 17:07:11 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 21 Oct 1999 11:14:07 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary v4 n8

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
October 15, 1999
Volume 4 Number 8

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

14 Reported Vulnerabilities
- http-teamtrack-file-read
- iams-passwords-plaintext
- iams-pop3-command-dos
- iams-smtp-vrfy-dos
- linux-cdda2cdr
- ie-download-behavior
- mediahouse-stats-adminpw-cleartext
- mediahouse-stats-login-bo
- ihtml-merchant-file-access
- yahoo-messenger-dos
- iis-ftp-no-access-files
- nt-ip-source-route
- nt-rasman-pathname
- http-cgi-wwwboard-default

Risk Factor Key

_____

Date Reported: 1999-10-04
Vulnerability: http-teamtrack-file-read
Platforms Affected: TeamTrack Server (3.00)
Risk Factor: Medium
Attack Type: Network/Host Based

The HTTP server supplied with TeamShare's TeamTrack problem-tracking software contains a directory traversal flaw that allows a remote attacker to read files on the same logical partition as the server. The flaw is exploited by using "dot dot" (/../) sequences to traverse the filesystem outside the server's document root.
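The server-side fix for this class of flaw is to resolve every requested path against the document root and refuse any request that would land outside it, and the same decoding logic lets an administrator check historic access logs for traversal attempts once a flaw like this is announced. The following Python check is an added example written for this summary, not TeamTrack code; the document root, request paths and log lines are constructed.

```python
import os
import re
from urllib.parse import unquote


def _path_segments(request_path):
    """Decode and split a URL path the way a tolerant server would see it:
    percent-decoding applied once (so %2e%2e becomes '..'), backslashes treated
    as separators (relevant on Windows hosts), empty and '.' segments dropped."""
    decoded = unquote(request_path).replace("\\", "/")
    return [seg for seg in decoded.split("/") if seg not in ("", ".")]


def resolve_under_root(doc_root, request_path):
    """Map a URL path onto the filesystem below doc_root.

    Returns the absolute filesystem path, or None when the request must be
    refused. A '..' segment is rejected outright rather than normalised away,
    so the attempt stays visible to the caller and its logs; the realpath
    comparison then catches anything else (a symlink, a drive letter) that
    resolves outside the root.
    """
    segments = _path_segments(request_path)
    if ".." in segments:
        return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Request-line extractor for Common Log Format access logs.
LOG_REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+)')


def find_traversal_attempts(log_lines):
    """Return the request paths in access-log lines that contain a '..'
    segment after decoding, i.e. the lines worth investigating."""
    hits = []
    for line in log_lines:
        match = LOG_REQUEST.search(line)
        if match and ".." in _path_segments(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    root = "/srv/teamtrack/htdocs"  # constructed document root
    for req in ["/index.html", "/docs/./help.htm",
                "/../../private/config.ini", "/%2e%2e/%2e%2e/private/config.ini"]:
        print("%-40s -> %s" % (req, resolve_under_root(root, req)))

    # Constructed access-log lines in Common Log Format.
    sample_log = [
        '10.0.0.5 - - [04/Oct/1999:10:15:02 -0400] "GET /index.html HTTP/1.0" 200 1042',
        '10.0.0.9 - - [04/Oct/1999:10:15:07 -0400] "GET /../../private/config.ini HTTP/1.0" 200 318',
        '10.0.0.9 - - [04/Oct/1999:10:15:09 -0400] "GET /%2e%2e/%2e%2e/private/config.ini HTTP/1.0" 200 318',
    ]
    print(find_traversal_attempts(sample_log))
```

Rejecting rather than silently cleaning a `..` segment is deliberate: a server that quietly maps `/../../x` onto `/x` serves the request and leaves no trace that anyone probed it, whereas a refusal produces a log line the detection function above can find.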
Reference: rfp.labs: "RFP9904: TeamTrack webserver vulnerability" at: http://www.technotronic.com/rfp/

_____

Date Reported: 1999-10-01
Vulnerability: iams-passwords-plaintext
Platforms Affected: Internet Anywhere Mail Server (2.3.1, 3.1)
Risk Factor: High
Attack Type: Host Based

Internet Anywhere Mail Server is a standard Internet mail server for Microsoft platforms. It stores all of its account passwords in the msgboxes.dbf file as cleartext. A user with local access to the server could obtain the passwords.

Reference: NTBUGTRAQ Mailing List: "Vulnerabilities in the Internet Anywhere Mail Server" at: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662

_____

Date Reported: 1999-10-01
Vulnerability: iams-pop3-command-dos
Platforms Affected: Internet Anywhere Mail Server (2.3.1, 3.1)
Risk Factor: Medium
Attack Type: Network Based

Internet Anywhere Mail Server is a standard Internet mail server for Microsoft platforms. It is subject to a denial of service in which a remote user issues POP3 commands such as USER, RETR, LIST, or UIDL with arguments of 200 characters. A second denial of service exists if a remote user issues POP3 commands with letters where numbers should be, such as "list a" or "top a a". Both cause the mail server to crash, after which it has to be restarted.

Reference: NTBUGTRAQ Mailing List: "Vulnerabilities in the Internet Anywhere Mail Server" at: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662

_____

Date Reported: 1999-10-01
Vulnerability: iams-smtp-vrfy-dos
Platforms Affected: Internet Anywhere Mail Server (2.3.1, 3.1)
Risk Factor: Medium
Attack Type: Network Based

Internet Anywhere Mail Server is a standard Internet mail server for Microsoft platforms. It is subject to a denial of service in which a remote user issues a VRFY command with an additional 250 characters. This causes the mail server to crash, after which it has to be restarted.
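Both the iams-pop3-command-dos and iams-smtp-vrfy-dos entries above are failures to bound and type-check protocol arguments before acting on them. The following Python command validator is an added example written for this summary, not Internet Anywhere Mail Server code: it enforces the argument limits RFC 1939 states for POP3 (keywords of three or four characters, arguments of at most 40 characters, numeric message numbers where the command requires them) and the 512-octet command line limit of RFC 821 for SMTP, and answers malformed input with an error instead of faulting. The 256-character cap on the VRFY argument is a limit chosen here (mirroring RFC 821's path length), and the sample inputs are constructed after the advisory's description.

```python
import re

# Per-command argument rules for the POP3 commands of RFC 1939:
# keyword -> (min_args, max_args, indices of arguments that must be message numbers).
POP3_COMMANDS = {
    "USER": (1, 1, ()),
    "PASS": (1, 1, ()),
    "APOP": (2, 2, ()),
    "STAT": (0, 0, ()),
    "LIST": (0, 1, (0,)),
    "RETR": (1, 1, (0,)),
    "DELE": (1, 1, (0,)),
    "NOOP": (0, 0, ()),
    "RSET": (0, 0, ()),
    "TOP":  (2, 2, (0, 1)),
    "UIDL": (0, 1, (0,)),
    "QUIT": (0, 0, ()),
}
POP3_MAX_ARG = 40    # RFC 1939 section 3: each argument may be up to 40 characters
SMTP_MAX_LINE = 512  # RFC 821 section 4.5.3: command line limit, CRLF included
VRFY_MAX_ARG = 256   # chosen here, mirroring RFC 821's 256-character path limit

PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")


def _split_command(raw, max_line):
    """Shared front end: enforce the line limit and character set before any
    code looks at the content, then separate the keyword from the argument text."""
    if len(raw) > max_line:
        raise ValueError("line of %d octets exceeds %d" % (len(raw), max_line))
    line = raw.rstrip("\r\n")
    if not PRINTABLE_ASCII.match(line):
        raise ValueError("non-printable or non-ASCII byte in command")
    keyword, _, rest = line.partition(" ")
    return keyword.upper(), rest


def validate_pop3_line(raw):
    """Return (True, (keyword, args)) for a well-formed POP3 command, or
    (False, reason) for one the server should answer with -ERR."""
    try:
        keyword, rest = _split_command(raw, SMTP_MAX_LINE)
        if keyword not in POP3_COMMANDS:
            raise ValueError("unknown command")
        if keyword == "PASS":
            # PASS takes the remainder of the line verbatim (passwords may contain spaces).
            args = [rest] if rest else []
        else:
            args = rest.split(" ") if rest else []
        lo, hi, numeric = POP3_COMMANDS[keyword]
        if not lo <= len(args) <= hi:
            raise ValueError("%s expects %d..%d arguments, got %d" % (keyword, lo, hi, len(args)))
        for arg in args:
            if not arg or len(arg) > POP3_MAX_ARG:
                raise ValueError("argument of %d characters exceeds %d" % (len(arg), POP3_MAX_ARG))
        for idx in numeric:
            if idx < len(args) and not args[idx].isdigit():
                raise ValueError("argument %d of %s must be a message number" % (idx + 1, keyword))
        return True, (keyword, args)
    except ValueError as exc:
        return False, str(exc)


def validate_smtp_vrfy(raw):
    """Return (True, argument) for a well-formed VRFY line, or (False, reason)
    for one the server should answer with a 5xx reply."""
    try:
        keyword, rest = _split_command(raw, SMTP_MAX_LINE)
        if keyword != "VRFY":
            raise ValueError("not a VRFY command")
        if not rest:
            raise ValueError("VRFY requires an argument")
        if len(rest) > VRFY_MAX_ARG:
            raise ValueError("VRFY argument of %d characters exceeds %d" % (len(rest), VRFY_MAX_ARG))
        return True, rest
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs modelled on the advisory: overlong arguments, and
    # letters where RFC 1939 requires message numbers.
    for sample in ["USER " + "A" * 200, "list a", "top a a", "RETR 3", "UIDL", "TOP 1 10"]:
        print("%-12r -> %s" % (sample[:10], validate_pop3_line(sample)))
    print(validate_smtp_vrfy("VRFY postmaster\r\n"))
    print(validate_smtp_vrfy("VRFY " + "x" * 300))
```

The length check runs on the raw line before anything is decoded or split, which is the ordering that matters: every later step then operates on input of known, bounded size.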
Reference: NTBUGTRAQ Mailing List: "Vulnerabilities in the Internet Anywhere Mail Server" at: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9910&L=ntbugtraq&F=&S=&P=662

_____

Date Reported: 1999-09-30
Vulnerability: linux-cdda2cdr
Platforms Affected: Linux
Risk Factor: High
Attack Type: Host Based

cdda2cdr is a CD copying utility found in cdwtools-0.93-78. It is sgid disk by default and contains a buffer overflow that would allow a malicious local user to gain disk group privileges. This gives the user read/write access to the entire hard drive (/dev/hd*), from which root access is easily obtained.

Reference: BUGTRAQ Mailing List: "Linux cdda2cdr local exploit" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-09-29&msg=19990930185514.20605.qmail@nwcst314.netaddress.usa.net

_____

Date Reported: 1999-09-28
Vulnerability: ie-download-behavior
Platforms Affected: Internet Explorer (5.0)
Risk Factor: Medium
Attack Type: Host Based

A vulnerability has been discovered in Microsoft Internet Explorer 5 that could allow a malicious web site to download files that are intended only for use by client-side script. Normally, web pages can only download files from their own domain; this vulnerability allows that restriction to be bypassed.

Reference: Microsoft Security Bulletin MS99-040: "Workaround for 'Download Behavior' Vulnerability" at: http://www.microsoft.com/security/bulletins/ms99-040.asp

_____

Date Reported: 1999-09-28
Vulnerability: mediahouse-stats-adminpw-cleartext
Platforms Affected: Mediahouse Statistics Server (4.28, 5.0)
Risk Factor: Medium
Attack Type: Host Based

Mediahouse Statistics Server is a web tool that provides live statistics and historical data for the user's web server. It stores the administrator password in cleartext in the ss.cfg configuration file. A user with local access to the machine could then control and/or modify the stats server.
Reference: Per Bergehed's Web: "Security flaw in Mediahouse Statistics Server v4.28 & 5.01" at: http://w1.855.telia.com/~u85513179/index.html

_____

Date Reported: 1999-09-28
Vulnerability: mediahouse-stats-login-bo
Platforms Affected: Mediahouse Statistics Server (4.28, 5.0)
Risk Factor: Medium
Attack Type: Network Based

Mediahouse Statistics Server is a web tool that provides live statistics and historical data for the user's web server. It contains a buffer overflow in the remote site administration login: if a remote user enters a username longer than 3773 characters, the server crashes and has to be restarted.

Reference: Per Bergehed's Web: "Security flaw in Mediahouse Statistics Server v4.28 & 5.01" at: http://w1.855.telia.com/~u85513179/index.html

_____

Date Reported: 1999-09-27
Vulnerability: ihtml-merchant-file-access
Platforms Affected: iHTML Merchant
Risk Factor: High
Attack Type: Network Based

iHTML Merchant is an e-commerce web solution used to perform e-commerce transactions on a web page. It contains a vulnerability that would allow a remote user to steal credit card information stored on the server, delete files, upload trojan horse programs, or perform a number of other highly malicious activities.

Reference: Team Asylum Security at: http://www.team-asylum.com/advisories/files/09-16-99-ihtml.txt

_____

Date Reported: 1999-09-27
Vulnerability: yahoo-messenger-dos
Platforms Affected: Yahoo! Messenger
Risk Factor: Low
Attack Type: Network Based

Yahoo! Messenger is an online instant messaging program that allows users to exchange messages, files and e-mail, and to read news. It contains a denial of service in which a remote user connects to port 5010, causing Messenger to crash.
Reference: Team Asylum Security at: http://www.team-asylum.com/advisories/files/09-18-99-yahoo.txt

_____

Date Reported: 1999-09-23
Vulnerability: iis-ftp-no-access-files
Platforms Affected: IIS (4.0)
                    Microsoft Commercial Internet System (2.5)
Risk Factor: Medium
Attack Type: Network/Host Based

The post-SP5 FTP hotfix introduced a problem in Internet Information Server (IIS) 4.0 that allows FTP clients to download and delete files that are marked as 'No Access'. An attacker using a web browser FTP client could view and download 'No Access' files, or use requests from non-browser based FTP clients to delete 'No Access' files.

Reference: Microsoft Security Bulletin MS99-039: "Patch Available for 'Domain Resolution' and 'FTP Download' Vulnerabilities" at: http://www.microsoft.com/security/bulletins/ms99-039.asp

_____

Date Reported: 1999-09-20
Vulnerability: nt-ip-source-route
Platforms Affected: Windows 95
                    Windows 98
                    Windows NT
Risk Factor: High
Attack Type: Network/Host Based

Windows 95, 98, and NT (excluding Terminal Server Edition) contain a vulnerability that would allow source routing to be performed through hosts that have source routing disabled.

Reference: Microsoft Security Bulletin MS99-038: "Patch Available for 'Spoofed Route Pointer' Vulnerability" at: http://www.microsoft.com/security/bulletins/ms99-038.asp

_____

Date Reported: 1999-09-17
Vulnerability: nt-rasman-pathname
Platforms Affected: Windows NT (4.0)
Risk Factor: High
Attack Type: Host Based

A vulnerability in Windows NT Remote Access Service Manager (RASMAN) allows a normal domain user to modify the pathname for the RASMAN binary in the registry. The user can specify a trojan horse program in place of the normal binary. The next time RAS is started, the trojan is executed. This could allow the local attacker to gain privileges, as the trojan is executed in the context of the system.
Reference: Microsoft Security Bulletin MS99-041: "Tool Available for 'RASMAN Security Descriptor' Vulnerability" at: http://www.microsoft.com/Security/Bulletins/ms99-041.asp

_____

Date Reported: 1999-09-16
Vulnerability: http-cgi-wwwboard-default
Platforms Affected: WWWBoard
Risk Factor: Low
Attack Type: Network Based

WWWBoard is a CGI-based web message board. It contains a default account that can be used for remote administration: WebAdmin / WebBoard. If it is not changed, remote users can access the message boards with full access.

Reference: BUGTRAQ Mailing List: "More fun with WWWBoard" at: http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-09-15&msg=Pine.LNX.4.10.9909170435200.30548-100000@puffer.quadrunner.com

_____

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium  Any vulnerability that provides information that has a high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low     Any vulnerability that provides information that potentially could lead to a compromise.
        Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success.
ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOAzdAjRfJiV99eG9AQGQ1gP+NUPY9l1ZHxaQCgPoZjyJJpj7F9fLAQv/
OqZtYXHHdXe3W5hXKMFwWOHVBy6Na0qYemVwmDise2OWv3RbhpayopRf2S1Hsg2t
ZETN1ATKvykuRW7O9mRGyL8Y5NzARwMLIUU/UPrWp9cHewtnIM1sjsJmu/9YE9TF
UYFV5lUQKfM=
=hgSH
-----END PGP SIGNATURE-----