
From xforce@iss.net Sun Jun  4 14:23:38 2000
From: X-Force <xforce@iss.net>
Resent-From: mea culpa <jericho@dimensional.com>
To: ISS Employees <ISS-Worldwide@iss.net>, alert@iss.net
Resent-To: jericho@attrition.org
Date: Thu, 1 Jun 2000 16:52:35 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary: v5 n5


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
June 1, 2000  
Volume 5 Number 5

X-Force Vulnerability and Threat Database: http://xforce.iss.net/   To
receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type:  'subscribe alert'.

_____

Contents

78 Reported Vulnerabilities
 - linux-cdrecord-execute
 - xlock-bo-read-passwd
 - bsd-syscall-cpu-dos
 - win-browser-hostannouncement
 - nai-webshield-config-mod
 - nai-webshield-bo
 - mdbms-bo
 - mailsite-get-overflow
 - hp-jetadmin-malformed-url-dos
 - hp-jetadmin-directory-traversal
 - deerfield-mdaemon-dos
 - cayman-dsl-dos
 - carello-file-duplication
 - netscape-ssl-certificate
 - cobalt-cgiwrap-bypass
 - gnome-gdm-bo
 - linux-fdmount-bo
 - qualcomm-qpopper-euidl
 - cart32-price-change
 - gauntlet-cyberdaemon-bo
 - ip-fragment-reassembly-dos
 - domino-doc-modify
 - domino-web-apps-access
 - axent-netprowler-ipfrag-dos
 - lotus-domino-esmtp-bo
 - linux-masquerading-dos
 - netice-icecap-alert-execute
 - netice-icecap-default
 - beos-tcp-frag-dos
 - ie-frame-domain-verification
 - ie-malformed-component-attribute
 - kerberos-krb-rd-req-bo
 - kerberos-krb425-conv-principal-bo
 - kerberos-ksu-bo
 - kscd-shell-env-variable
 - cproxy-http-dos
 - emurl-account-access
 - eudora-long-attachment-filename
 - ie-active-movie-control
 - antisniff-dns-overflow
 - delphi-ics-dot-attack
 - netscape-invalid-ssl-sessions
 - sol-netpr-bo
 - ie-cookie-disclosure
 - iis-malformed-information-extension
 - iis-url-extension-data-dos
 - netscape-import-certificate-symlink
 - ssh-zedz-consultants
 - coldfusion-cfcache-dos
 - http-cgi-formmail-environment
 - libmytinfo-bo
 - netopia-snmp-comm-strings
 - gnapster-view-files
 - netstructure-root-compromise
 - netstructure-wizard-mode
 - allaire-clustercats-url-redirect
 - aolim-file-path
 - iis-shtml-reveal-path
 - http-cgi-dbman-db
 - http-cgi-dnews-bo
 - ultraboard-cgi-dos
 - aladdin-etoken-pin-reset
 - http-cgi-dmailweb-bo
 - interscan-viruswall-bo
 - quake3-auto-download
 - ultraboard-printabletopic-fileread
 - cart32-expdate
 - cisco-online-help
 - hp-shutdown-privileges
 - http-cgi-listserv-wa-bo
 - aaabase-execute-dot-files
 - aaabase-file-deletion
 - macos-appleshare-invalid-range
 - win-netbios-source-null
 - linux-knfsd-dos
 - macos-filemaker-anonymous-email
 - macos-filemaker-email
 - macos-filemaker-xml

Risk Factor Key

_____

Date Reported:		5/29/2000
Vulnerability:		linux-cdrecord-execute
Platforms Affected:	Linux Mandrake 7.0
Risk Factor:		High
Attack Type:		Host Based

The cdrecord command on some Linux systems is used for burning CDs and is
installed setgid to the 'cdburner' group. A buffer overflow exists in the
dev argument that would allow a local user to overflow the stack and
execute arbitrary code as the group running cdrecord, normally 'cdburner'.

Reference:
Bugtraq Mailing List: "Mandrake 7.0: /usr/bin/cdrecord gid=80 (strike #2)"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=392FEB2E.10996FFD@gsu.linux.org.tr

_____

Date Reported:		5/29/2000
Vulnerability:		xlock-bo-read-passwd
Platforms Affected:	xlock 4.16
Risk Factor:		High
Attack Type:		Host Based

The 'xlock' program is a utility for locking X Windows sessions until a
password is provided to unlock the screen.  It contains a vulnerability in
the -mode argument that would allow a user to overwrite the variable. This
would allow the user to read the passwd file.

Reference:
NetBSD Security Advisory 2000-003: "Exploitable Vulnerability in
Xlockmore" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-003.txt.asc

_____

Date Reported:		5/28/2000
Vulnerability:		bsd-syscall-cpu-dos
Platforms Affected:	NetBSD (1.4.1, 1.4.2)
Risk Factor:		Medium
Attack Type:		Host Based

BSD 4.x based Unix operating systems contain a problem that would allow a
local user to create a system call process that would trick the kernel
into allocating all CPU usage to the process. This would effectively deny
all other processes any CPU usage.

Reference:
NetBSD Security Advisory 2000-005: "Local 'cpu-hog' denial of service" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2000-005.txt.asc

_____

Date Reported:		5/25/2000
Vulnerability:		win-browser-hostannouncement
Platforms Affected:	Windows 95
			Windows NT 4.0
			Windows NT 4.0 Terminal Server Edition
Risk Factor:		Medium
Attack Type:		Network/Host Based

Windows NT 4.0 and Windows 95/98 operating systems are vulnerable to a
denial of service attack, due to a flaw in the Computer Browser protocol.
The browser protocol does not limit the number of entries that can be
added to the browse table on a Master Browser. A remote attacker could
send a flood of HostAnnouncement frames to a Master Browser, causing the
table to grow to an unmanageable size. When this table is transferred to
clients or replicated to Backup Master Browsers, it could consume
available network bandwidth, or consume available resources on systems
attempting to handle the large browse table.

References:
Microsoft Security Bulletin MS00-036: "Patch Available for 'ResetBrowser
Frame' and 'HostAnnouncement Flooding' Vulnerabilities" at:
http://www.microsoft.com/technet/security/bulletin/ms00-036.asp

Cerberus Information Security Advisory (CISADV000527): "Windows Browser
Service DoS" at: http://www.cerberus-infosec.co.uk/advntdos.html

_____

Date Reported:		5/25/2000
Vulnerability:		nai-webshield-config-mod
Platforms Affected:	WebShield 4.5.44
Risk Factor:		High
Attack Type:		Network/Host Based

Network Associates WebShield SMTP version 4.5.44 (and potentially others)
management agent configurations could be modified by a remote attacker. By
default, WebShield SMTP runs the management agent on port 9999. A remote
attacker can connect to port 9999 using the "GET_CONFIG<CR>" command and
gain access to the management agent to modify the configuration.

Reference:
BugTraq Mailing List: "DST2K0003 : Buffer Overrun in NAI WebShield SMTP
v4.5.44 Managem ent Tool [sic]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=6C740781F92BD411831F0090273A8AB806FD4A@exchange.servers.delphis.net

_____

Date Reported:		5/25/2000
Vulnerability:		nai-webshield-bo
Platforms Affected:	WebShield 4.5.44
Risk Factor:		High
Attack Type:		Network/Host Based

Network Associates WebShield SMTP version 4.5.44 is vulnerable to a
buffer overflow that could allow a remote attacker to execute arbitrary
code. A remote attacker can send more than 208 bytes of data along with a
configuration parameter to the remote management service listening on TCP
port 9999 to execute arbitrary code with the privilege level of the
service's account (default SYSTEM).

Reference:
BugTraq Mailing List: "DST2K0003 : Buffer Overrun in NAI WebShield SMTP
v4.5.44 Managem ent Tool [sic]" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=6C740781F92BD411831F0090273A8AB806FD4A@exchange.servers.delphis.net

_____

Date Reported:		5/24/2000
Vulnerability:		mdbms-bo
Platforms Affected:	Red Hat Linux (6.0, 6.1, 6.2)
			SuSE Linux (6.2, 6.3, 6.4)
			Debian Linux (2.1, 2.2, 2.3)
Risk Factor:		High
Attack Type:		Network/Host Based

Marty Bochane's MDBMS database that ships with several Linux distributions
is vulnerable to a buffer overflow. A remote attacker can supply a long
string to the MDBMS server, containing machine executable code, to
overflow the buffer and execute arbitrary commands on the server.

Reference:
Bugtraq Mailing List: "Remote xploit for MDBMS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=009a01bfc558$1a38fec0$01dc11ac@ofi.interno.peoplecall.com

_____

Date Reported:		5/24/2000
Vulnerability:		mailsite-get-overflow
Platforms Affected:	MailSite
Risk Factor:		High
Attack Type:		Network/Host Based

MailSite is a program for providing web access to POP email accounts.
MailSite is vulnerable to a buffer overflow in the GET command. A local or
remote user can send a GET command followed by 240K of characters to
overflow the buffer and execute arbitrary code on the system.

Reference:
Cerberus Information Security Advisory (CISADV000524a): "Rockliffe
Mailsite Buffer Overflow" at:
http://www.cerberus-infosec.co.uk/advhttpma.html

_____

Date Reported:		5/24/2000
Vulnerability:		hp-jetadmin-malformed-url-dos
Platforms Affected:	JetAdmin 6.0
Risk Factor:		Medium
Attack Type:		Network/Host Based

Hewlett Packard's Web JetAdmin program is peripheral management software
that allows installing, monitoring, and troubleshooting network connected
peripherals. It contains a vulnerability that would allow a user to shut
down the service. If the user connects to port 8000 with a malformed URL,
the service process stops responding to requests.

Reference:
Underground Security Systems Research: "HP Web JetAdmin Version 6.0 Remote
DoS attack Vulnerability" at: http://www.ussrback.com/labs42.html

_____

Date Reported:		5/24/2000
Vulnerability:		hp-jetadmin-directory-traversal
Platforms Affected:	JetAdmin 6.0
Risk Factor:		Medium
Attack Type:		Network/Host Based

Hewlett Packard's Web JetAdmin program is peripheral management software
that allows installing, monitoring, and troubleshooting network connected
peripherals. A user can traverse directories by connecting to port 8000
and issuing a ../ sequence in the URL. This would allow the user to read
any file outside of the JetAdmin directory.

Reference:
Underground Security Systems Research: "HP Web JetAdmin Version 6.0 Remote
DoS attack Vulnerability" at: http://www.ussrback.com/labs41.html

_____

Date Reported:		5/24/2000
Vulnerability:		deerfield-mdaemon-dos
Platforms Affected:	Mdaemon (3.0.3, 3.1 Beta)
Risk Factor:		Medium
Attack Type:		Network/Host Based

MDaemon is a multi-protocol mail server for Microsoft Windows based
systems. The MDaemon POP server is vulnerable to a denial of service
attack, caused by a buffer overflow in the login component. An attacker
can issue a string of 256 bytes or more to the USER command to overflow
the user buffer, causing the MDaemon mail server to stop responding after
the PASS command is issued.

Reference:
BugTraq Mailing List: "Deerfield Communications MDaemon Mail Server DoS"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005241728.KAA13584@mail5.hushmail.com

_____

Date Reported:		5/24/2000
Vulnerability:		cayman-dsl-dos
Platforms Affected:	Cayman Gatorsurf
			Cayman 3220-H DSL Router 1.0
Risk Factor:		Medium
Attack Type:		Network Based

The Cayman 3220H DSL Router is vulnerable to a denial of service attack
caused by flooding the server with oversized ICMP echo requests. The
effects of this attack vary from stopping the telnet and http admin
services to restarting the router.

Reference:
BugTraq Mailing List: "Cayman 3220H DSL Router Software Update and New
Bonus Attack" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005232351.QAA13204@mail5.hushmail.com

_____

Date Reported:		5/24/2000
Vulnerability:		carello-file-duplication
Platforms Affected:	Windows NT 4.0
Risk Factor:		High
Attack Type:		Network Based

A vulnerability exists in the Carello web shopping cart that could enable
an attacker to create files on the server's computer. If the file already
exists, a copy of it is made with a different file extension. This could
allow remote attackers to view the source of server-side .asp files.

Reference:
Cerberus Information Security Advisory (CISADV000524b): "Carello Web file
overwriting vulnerability" at:
http://www.cerberus-infosec.co.uk/advcarello.html

_____

Date Reported:		5/24/2000
Vulnerability:		netscape-ssl-certificate
Platforms Affected:	Netscape Navigator
Risk Factor:		High
Attack Type:		Network Based

A flaw exists in Netscape Navigator that could allow an attacker to
masquerade as a legitimate web site if the attacker can compromise the
validity of certain DNS information. This could allow attackers to trick
users into disclosing information intended for a legitimate web site.

Reference:
CERT Advisory CA-2000-08: "Inconsistent Warning Messages in Netscape
Navigator" at: http://www.cert.org/advisories/CA-2000-08.html

_____

Date Reported:		5/23/2000
Vulnerability:		cobalt-cgiwrap-bypass
Platforms Affected:	Cobalt RaQ
Risk Factor:		Medium
Attack Type:		Network Based

The Cobalt RaQ2 and RaQ3 web hosting appliances could allow any user on
the system to change, delete, or overwrite a Microsoft FrontPage web site.
When a site is uploaded to a RaQ2/3 with FrontPage, all of the files are
owned by the user httpd instead of a site-specific user. RaQ servers use
cgiwrap so that CGI scripts run as the user that owns the CGI instead of
httpd. However, a malicious user can bypass cgiwrap, by creating an
.htaccess file containing specific parameters to run scripts as user
httpd.

Reference:
BugTraq Mailing List: "Problem with FrontPage on Cobalt RaQ2/RaQ3" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000523100045.B11049@HiWAAY.net

_____

Date Reported:		5/23/2000
Vulnerability:		gnome-gdm-bo
Platforms Affected:	Gnome 1.0.x
Risk Factor:		High
Attack Type:		Network Based

The gdm package, included in the GNOME desktop environment, is a commonly
used replacement for xdm, the X Windows display manager. The gdm package
is vulnerable to a buffer overflow in the XDMCP parsing code. If gdm is
configured to use the XDMCP protocol on UDP port 177, a remote attacker
could overflow a buffer and execute arbitrary code as root.

Reference:
BugTraq Mailing List: "'gdm' remote hole" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0005212220430.6695-100000@ferret.lmh.ox.ac.uk

_____

Date Reported:		5/22/2000
Vulnerability:		linux-fdmount-bo
Platforms Affected:	Slackware Linux (4.0, 7.0)
			Mandrake Linux (7.0)
Risk Factor:		High
Attack Type:		Host Based

The fdmount program in Slackware Linux 4.0 and 7.0, and possibly other
Linux distributions, is vulnerable to a buffer overflow. The fdmount
program is installed by default as suid-root, and it is normally only
executable by users of the 'floppy' group. Any member of the 'floppy'
group could overflow a buffer to obtain root privileges on the system.

Reference:
BugTraq Mailing List: "fdmount buffer overflow" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-22&msg=20000522115143.10352.qmail@securityfocus.com

_____

Date Reported:		5/22/2000
Vulnerability:		qualcomm-qpopper-euidl
Platforms Affected:	Qpopper 2.53
Risk Factor:		Medium
Attack Type:		Network Based

Qpopper is the most widely used server for the POP3 protocol.  A flaw
exists in Qpopper 2.53 that could allow an authorized user to gain access
to a remote shell with gid=mail.  This is exploitable via the "euidl"
command which uses user input as a format string for the pop_msg()
function.

Reference:
BugTraq Mailing List: "Qpopper 2.53 remote problem" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005231643.JAA16829@Rage.Resentment.org

_____

Date Reported:		5/22/2000
Vulnerability:		cart32-price-change
Platforms Affected:	Cart32 (2.6, 3.0)
Risk Factor:		High
Attack Type:		Network/Host Based

Cart32 is an online shopping cart system developed by McMurtrey/Whitaker &
Associates. A vulnerability in Cart32 could allow a remote user to change
the price of a particular item they intend to buy. Remote users can change
the value for the hidden HTML tag that specifies the price to purchase
products at any price they choose.

Reference:
BugTraq Mailing List: "Another hole in Cart32" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-22&msg=20000522133607.10888.qmail@securityfocus.com

_____

Date Reported:		5/22/2000
Vulnerability:		gauntlet-cyberdaemon-bo
Platforms Affected:	Gauntlet Firewall (4.1, 4.2, 5.0, 5.5)
			WebShield (300 and 100 Series)
Risk Factor:		High
Attack Type:		Network/Host Based

Gauntlet is a multi-platform firewall system produced by Network
Associates. One feature of the firewall is its integration with the
CyberPatrol content monitoring system. A buffer overflow exists in the
"cyberdaemon" component of Gauntlet that could allow a remote attacker to
crash the service and deny further proxied HTTP connections to legitimate
users. This overflow also allows arbitrary code to be executed on the
firewall with the privileges of "root."

References:
Network Associates, Inc.: "Gauntlet Advisory - May 22, 2000" at:
http://www.pgp.com/jump/gauntlet_advisory.asp

Gauntlet Support: "Gauntlet Firewall for Unix and WebShield cyberdaemon
Buffer Overflow Vulnerability Advisory" at:
http://www.tis.com/support/cyberadvisory.html

_____

Date Reported:		5/19/2000
Vulnerability:		ip-fragment-reassembly-dos
Platforms Affected:	Windows 95, 98
			Windows NT 4.0
			Windows 2000
Risk Factor:		Medium
Attack Type:		Host Based

Windows 95, 98, NT, and 2000 are vulnerable to a denial of service attack,
due to a flaw in the code that handles IP fragment reassembly. A remote
attacker could consume most or all of the CPU resources by sending a
continuous stream of identical fragmented IP packets.

References:
Microsoft Security Bulletin MS00-029: "Patch Available for 'IP Fragment
Reassembly' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-029.asp

BindView Security Advisory BV-010: "Jolt2 - Remote Denial of Service
attack against Windows 2000, NT4, and Win9x" at:
http://www.securityfocus.com/templates/advisory.html?id=2240

_____

Date Reported:		5/19/2000
Vulnerability:		domino-doc-modify
Platforms Affected:	Lotus Domino
Risk Factor:		Medium
Attack Type:		Network/Host Based

Lotus Domino Server could allow files to be modified by unauthorized users
if the files are not properly configured to restrict access. If certain
files have improperly configured access control lists (ACLs), a remote
attacker can modify the files through a web browser. By sending a URL to
the server containing ?EditDocument, an attacker can modify the requested
document through the browser. If the administrator has set up ACLs
correctly, this is not a problem.

Reference:
Black Watch Lab - Vulnerabilities: "Lotus Domino Server Misconfiguration -
Documents Can Be Modified over the Web" at:
http://www.perfectotech.com/blackwatchlabs/vul5_11a.html

_____

Date Reported:		5/19/2000
Vulnerability:		domino-web-apps-access
Platforms Affected:	Lotus Domino
Risk Factor:		Medium
Attack Type:		Network/Host Based

Some web applications that run on Lotus Domino Server could allow
unauthorized access to private web pages. If the applications rely on
improperly configured access control lists (ACLs), a remote attacker can
bypass the login procedure to access private web pages. This vulnerability
is restricted to certain web applications with inappropriate ACLs and is
not a part of the Lotus Domino platform.

Reference:
Black Watch Labs Security Advisory #00-08: "Web Applications Should Not
Assume That Lotus Domino Enforces Login When a Privileged Access Is
Required" at: http://www.perfectotech.com/blackwatchlabs/vul5_11b.html

_____

Date Reported:		5/18/2000
Vulnerability:		axent-netprowler-ipfrag-dos
Platforms Affected:	NetProwler 3.0
Risk Factor:		High
Attack Type:		Network/Host Based

NetProwler version 3.0 and possibly other versions are vulnerable to a
denial of service attack. NetProwler is a network intrusion detection
system (NIDS) developed by Axent Technologies. An attacker can send
fragmented IP packets to a host that is monitored by NetProwler to
generate a Dr. Watson error and crash the IDS.

Reference:
RFP2K05: "Remote denial of service in Axent NetProwler" at:
http://www.wiretrip.net/rfp/p/doc.asp?id=53&iface=2

_____

Date Reported:		5/18/2000
Vulnerability:		lotus-domino-esmtp-bo
Platforms Affected:	Domino Enterprise Server 5.01
Risk Factor:		Medium
Attack Type:		Network/Host Based

The ESMTP service in Lotus Domino Server 5.0.1 is vulnerable to a denial
of service attack. A remote attacker can crash the server by sending a
MAIL FROM: argument larger than 4 KB. It may be possible for an attacker
to use this vulnerability to execute arbitrary code on the system.

Reference:
BugTraq Mailing List: "Lotus ESMTP Service (Lotus Domino Release 5.0.1)"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-15&msg=Pine.LNX.4.21.0005182111120.8955-100000@dione.ids.pl

_____

Date Reported:		5/17/2000
Vulnerability:		linux-masquerading-dos
Platforms Affected:	Linux kernel (2.2.14 and earlier)
Risk Factor:		High
Attack Type:		Network/Host Based

The Linux kernel version 2.2.14 and earlier contains a vulnerability in
the UDP and FTP masquerading code. A remote user could exploit the
masquerading feature to bypass ipchains filter rules and possibly crash
the system.

Reference:
SuSE Security Announcement #48: "Security hole in kernel < 2.2.15" at:
http://www.suse.de/de/support/security/suse_security_announce_48.txt

_____

Date Reported:		5/17/2000
Vulnerability:		netice-icecap-alert-execute
Platforms Affected:	BlackICE ICEcap (2.0.23 and earlier)
Risk Factor:		High
Attack Type:		Network/Host Based

NetworkICE ICEcap console allows authenticated users to inject false
alerts into the system. The ICEcap console is an HTTP service that listens
on TCP port 8081 to collect and monitor events received from various
BlackICE IDS agents. Authenticated users can inject false alerts
containing arbitrary information. The ICEcap server by default uses an
Access (Jet) database, allowing an attacker to insert VBA (Visual Basic
for Applications) code in a false alert to cause arbitrary commands to be
executed on the ICEcap server. ICEcap uses HTTP Basic authentication to
validate users and includes a default username with no password.

Reference:
RFP2K04: "Remote command execution on BlackICE ICECap stations" at:
http://www.wiretrip.net/rfp/p/doc.asp?id=52&iface=2

_____

Date Reported:		5/17/2000
Vulnerability:		netice-icecap-default
Platforms Affected:	BlackICE ICEcap (2.0.23 and earlier)
Risk Factor:		High
Attack Type:		Network/Host Based

NetworkICE ICEcap console includes a default username "iceman" with no
password. The ICEcap console is an HTTP service that listens on TCP port
8081 to collect and monitor events received from various BlackICE IDS
agents. ICEcap uses HTTP Basic authentication to validate users. The
default login should be changed, as indicated by the system's
documentation, to prevent remote attackers from gaining access to the
console. Once authenticated, another vulnerability in ICEcap allows
attackers to forge alerts, or possibly execute arbitrary commands on the
main ICEcap server.

Reference:
RFP2K04: "Remote command execution on BlackICE ICECap stations" at:
http://www.wiretrip.net/rfp/p/doc.asp?id=52&iface=2

_____

Date Reported:		5/17/2000
Vulnerability:		beos-tcp-frag-dos
Platforms Affected:	BeOS 5.0
Risk Factor:		Medium
Attack Type:		Network/Host Based

The BeOS operating system version 5.0 is vulnerable to a denial of service
caused by a TCP fragmentation attack. A local or remote attacker can lock
up the system by using IP Stack Integrity Checker (ISIC), which is
normally used for testing the stability of an IP stack.

Reference:
BugTraq Mailing List: "AUX Security Advisory on Be/OS 5.0 (DoS)" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10005172127020.215-100000@ebola.chinatown.org

_____

Date Reported:		5/17/2000
Vulnerability:		ie-frame-domain-verification
Platforms Affected:	Internet Explorer (4.0, 4.1, 5.0, 5.0.1)
Risk Factor:		Low
Attack Type:		Host Based

Microsoft Internet Explorer could allow a malicious web site operator to
view files on the visiting user's computer. Due to insufficient domain
checking when accessing frames, a malicious web site operator could create
a web page to open a frame containing a file on the local computer. The
web site operator can only read files that can be viewed through a web
browser, and only if the file and path name are known or could be guessed.

Reference:
Microsoft Security Bulletin MS00-033: "Patch Available for 'Frame Domain
Verification', 'Unauthorized Cookie Access', and 'Malformed Component
Attribute' Vulnerabilities" at:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp

_____

Date Reported:		5/17/2000
Vulnerability:		ie-malformed-component-attribute
Platforms Affected:	Internet Explorer (4.0, 4.1, 5.0, 5.0.1)
Risk Factor:		Medium
Attack Type:		Host Based

Microsoft Internet Explorer is vulnerable to a buffer overflow in the
portion of the code that handles ActiveX parameters. A malicious web site
operator could execute arbitrary code on a visiting user's system by
providing a specially-crafted parameter when invoking an ActiveX
component. The malicious code would run with the privileges of the
visiting user on that system, making it possible for the web site operator
to create, modify, or delete files on the computer.

Reference:
Microsoft Security Bulletin MS00-033: "Patch Available for 'Frame Domain
Verification', 'Unauthorized Cookie Access', and 'Malformed Component
Attribute' Vulnerabilities" at:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp

_____

Date Reported:		5/17/2000
Vulnerability:		kerberos-krb-rd-req-bo
Platforms Affected:	MIT Kerberos 5 (krb5-1.0.x, krb5-1.1)
			MIT Kerberos 4 (patch 10 and earlier)
			Cygnus KerbNet
Risk Factor:		High
Attack Type:		Network/Host Based

MIT Kerberos 4 is vulnerable to a buffer overflow in the krb_rd_req()
library function that could allow a remote user to gain root access over
the network. In addition, if v4rcp is installed setuid root, a local user
could execute arbitrary code as root to gain access. MIT Kerberos 5 is
also vulnerable when using version 4 authentication.

References:
Red Hat, Inc. Security Advisory RHSA-2000:025-08: "Kerberos 5 packages"
at: http://www.redhat.com/support/errata/RHSA-2000-025.html

CERT Advisory CA-2000-06: "Multiple Buffer Overflows in Kerberos
Authenticated Services" at:
http://www.cert.org/advisories/CA-2000-06.html

_____

Date Reported:		5/17/2000
Vulnerability:		kerberos-krb425-conv-principal-bo
Platforms Affected:	MIT Kerberos 5 (krb5-1.0.x, krb5-1.1)
			MIT Kerberos 4 (patch 10 and earlier)
Risk Factor:		High
Attack Type:		Network/Host Based

MIT Kerberos 5 is vulnerable to a buffer overflow in the
krb425_conv_principal() library function, which is part of the Kerberos 4
compatibility code. When used in conjunction with a vulnerability in
krb_rd_req, a remote attacker could exploit this buffer overflow to gain
root access to the system.

References:
Red Hat, Inc. Security Advisory RHSA-2000:025-08: "Kerberos 5 packages"
at: http://www.redhat.com/support/errata/RHSA-2000-025.html

CERT Advisory CA-2000-06: "Multiple Buffer Overflows in Kerberos
Authenticated Services" at:
http://www.cert.org/advisories/CA-2000-06.html

_____

Date Reported:		5/17/2000
Vulnerability:		kerberos-ksu-bo
Platforms Affected:	MIT Kerberos 5 (krb5-1.0.x, krb5-1.1)
			MIT Kerberos 4 (patch 10 and earlier)
Risk Factor:		High
Attack Type:		Network/Host Based

MIT Kerberos 5 is vulnerable to a buffer overflow in ksu that could allow
a local user to gain root privileges on the system. Kerberos 5 version
5-1.1 and versions 5-1.0.6 and earlier are believed to be vulnerable.

References:
Red Hat, Inc. Security Advisory RHSA-2000:025-08: "Kerberos 5 packages"
at: http://www.redhat.com/support/errata/RHSA-2000-025.html

CERT Advisory CA-2000-06: "Multiple Buffer Overflows in Kerberos
Authenticated Services" at:
http://www.cert.org/advisories/CA-2000-06.html

_____

Date Reported:		5/16/2000
Vulnerability:		kscd-shell-env-variable
Platforms Affected:	K Desktop Environment (KDE)
Risk Factor:		Low
Attack Type:		Host Based

The kscd program is a CD player for the KDE desktop and is part of the KDE
multimedia package. Because kscd trusts the SHELL environment variable, an
attacker can cause it to execute a program other than the shell, which
could lead to a higher level of unauthorized access.

References:
BugTraq Mailing List: "kscd vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.1000516113744.514A-101000@ati15.cs.uni-potsdam.de

SuSE Security Announcement #50: "Security hole in kmulti <= 1.1.2" at:
http://www.suse.de/de/support/security/suse_security_announce_50.txt

_____

Date Reported:		5/16/2000
Vulnerability:		cproxy-http-dos
Platforms Affected:	Cproxy 3.3
Risk Factor:		Medium
Attack Type:		Network/Host Based

CProxy version 3.3 SP2 is vulnerable to a denial of service attack caused
by a buffer overflow. CProxy is a Windows based proxy server, developed by
Computalynx. A local or remote attacker can crash the CProxy server by
sending a large amount of data to the HTTP service port (8080).

Reference:
BugTraq Mailing List: "CProxy v3.3 SP 2 DoS" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=007d01bfbf48$e44f0e40$01dc11ac@peopletel.org

_____

Date Reported:		5/15/2000
Vulnerability:		emurl-account-access
Platforms Affected:	Seattle Labs Emurl
Risk Factor:		Medium
Attack Type:		Network Based

Emurl is a web-based email host developed by Seattle Lab. The method used
by Emurl to encode account names in the URL could allow a remote attacker
to compromise another user's mail account. Remote attackers can generate
encoded usernames to read other users' emails, modify their account
settings, and possibly steal their POP passwords.

Reference:
BugTraq Mailing List: "Vulnerability in EMURL-based e-mail providers" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=381440323.958408403403.JavaMail.root@web307-mc.mail.com

_____

Date Reported:		5/15/2000
Vulnerability:		eudora-long-attachment-filename
Platforms Affected:	Eudora
Risk Factor:		Medium
Attack Type:		Network/Host Based

Eudora Pro by Qualcomm is vulnerable to a buffer overflow in the handling
of attachments with long file names. When Eudora Pro receives an email
with an attached file with an overly long file name, it can overflow the
buffer. A remote attacker could use this vulnerability to execute
arbitrary code on the system or lock the email account of the Eudora user.

Reference:
BugTraq Mailing List: "Eudora Pro & Outlook Overflow - too long filenames
again" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=002801bfbe6c$eccd5bd0$0100a8c0@ultor

_____

Date Reported:		5/15/2000
Vulnerability:		ie-active-movie-control
Platforms Affected:	Internet Explorer (5.0, 5.0.1)
Risk Factor:		High
Attack Type:		Network/Host Based

An ActiveX control included in Internet Explorer 5 could allow a malicious
web page, email message, or newsgroup posting to download any file to a
user's system. An attacker can use the ActiveX Active Movie Control to
specify in the control parameters of an HTML document any file to download
to the Windows temporary directory on users' computers without their
knowledge or consent.

Reference:
BugTraq Mailing List: "MICROSOFT SECURITY FLAW?" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-15&msg=20401721.958441051714.JavaMail.imail@tiptoe

_____

Date Reported:		5/15/2000
Vulnerability:		antisniff-dns-overflow
Platforms Affected:	AntiSniff
Risk Factor:		High
Attack Type:		Network/Host Based

The AntiSniff program developed by L0pht Heavy Industries determines if a
device is listening to traffic on the local network. The AntiSniff DNS
test is vulnerable to a buffer overflow that would allow an attacker to
execute arbitrary code by sending a malformed DNS packet to the system
running AntiSniff.

Reference:
L0pht Research Labs Security Advisory: "AntiSniff version 1.01 and
Researchers version 1 DNS overflow" at:
http://www.l0pht.com/advisories/asniff_advisory.txt

_____

Date Reported:		5/14/2000
Vulnerability:		delphi-ics-dot-attack
Platforms Affected:	Internet Component Suite HTTP Server
Risk Factor:		Medium
Attack Type:		Network/Host Based

Delphi Internet Component Suite (ICS) could allow a remote attacker to
download files from the suite's HTTP server component. With the HTTP root
set to 'c:\httproot' and the server launched, a remote attacker can use
'..' in the URL to traverse the directory structure and download files
from the HTTP server.

Reference:
Vuln-Dev Mailing List: "Fwd: [Newssubmission: Security vulnerability in
the ICS HTTPServer component]" at:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-05-8&msg=20000514183755.12778.qmail@pb151.postoffice.net

_____

Date Reported:		5/12/2000
Vulnerability:		netscape-invalid-ssl-sessions
Platforms Affected:	Netscape Navigator (4.72 and earlier)
Risk Factor:		High
Attack Type:		Host Based

Netscape Navigator versions 4.72 and earlier could allow an attacker to
bypass invalid SSL certificate warnings. Due to a vulnerability in the
implementation of SSL certificate checks, a malicious web site operator
could bypass certificate warnings and trick users into submitting
sensitive information, such as credit card numbers or passwords, to the
attacker's web site instead of to the legitimate web site.

References:
CERT Advisory CA-2000-05: "Netscape Navigator Improperly Validates SSL
Sessions" at: http://www.cert.org/advisories/CA-2000-05.html

Netscape Security Notes: "The Acros-Suencksen SSL Vulnerability" at:
http://home.netscape.com/security/notes/index.html

Red Hat, Inc. Security Advisory RHSA-2000:028-02: "netscape SSL telnet
rlogin" at: http://www.redhat.com/support/errata/RHSA-2000-028.html

_____

Date Reported:		5/12/2000
Vulnerability:		sol-netpr-bo
Platforms Affected:	Solaris (2.6, 2.6x86, 7, 7x86, 8, 8x86)
Risk Factor:		High
Attack Type:		Host Based

Solaris 2.6, 7, and 8 are vulnerable to a buffer overflow in the netpr
program. The netpr program is part of the print (LP) system. A local
attacker can pass a long argument with the -p flag to execute arbitrary
code and spawn a root shell.

Reference:
BugTraq Mailing List: "New Solaris root exploit for /usr/lib/lp/bin/netpr"
at: 
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000512215804.8714.qmail@hades.rpini.com

_____

Date Reported:		5/11/2000
Vulnerability:		ie-cookie-disclosure
Platforms Affected:	Internet Explorer (4.0, 4.01, 5.0, 5.01)
Risk Factor:		Low
Attack Type:		Host Based

Microsoft Internet Explorer contains a vulnerability that would allow a
malicious web page to view the contents of the vulnerable party's cookie.
If a malicious web page operator embeds a specifically constructed URL with
certain escape characters, it can fool Internet Explorer into thinking the
page is in the host domain, thus allowing the operator to view the user's
cookie contents.

Reference:
Microsoft Security Bulletin (MS00-033): "Patch Available for "Frame Domain
Verification", "Unauthorized Cookie Access", and "Malformed Component
Attribute" Vulnerabilities" at:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp

_____

Date Reported:		5/11/2000
Vulnerability:		iis-malformed-information-extension
Platforms Affected:	IIS (4.0, 5.0)
Risk Factor:		Medium
Attack Type:		Network/Host Based

Internet Information Server (IIS) versions 4.0 and 5.0 are vulnerable to a
denial of service attack, based on the program's method of handling file
extensions in a URL. A remote attacker can slow the performance of the web
server or temporarily stop it by requesting a complex URL with
specially-malformed file extension information.

Reference:
Microsoft Security Bulletin MS00-030: "Patch Available for 'Malformed
Extension Data in URL' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-030.asp

_____

Date Reported:		5/11/2000
Vulnerability:		iis-url-extension-data-dos
Platforms Affected:	IIS (4.0, 5.0)
Risk Factor:		Medium
Attack Type:		Network/Host Based

Internet Information Server (IIS) versions 4.0 and 5.0 are vulnerable to a
denial of service attack, based on the program's method of handling file
extensions in a URL. A remote attacker can consume CPU time and slow the
performance of the web server or temporarily stop it by requesting a
complex URL with specially-malformed file extension information.

References:
Underground Security Systems Research: "Remote DoS attack in Internet
Information Server 4.0 & 5.0 Vulnerability" at:
http://www.ussrback.com/labs40.html

Microsoft Security Bulletin MS00-030: "Patch Available for 'Malformed
Extension Data in URL' Vulnerability" at:
http://www.microsoft.com/technet/security/bulletin/ms00-030.asp

_____

Date Reported:		5/10/2000
Vulnerability:		netscape-import-certificate-symlink
Platforms Affected:	Netscape Communicator (4.73 and earlier)
Risk Factor:		Medium
Attack Type:		Host Based

Netscape Communicator versions 4.73 and earlier are vulnerable to a
symbolic link attack. When importing certificates, Netscape Communicator
creates a /tmp file that is world writable and readable. An attacker could
create a symbolic link to the temporary file, and use it to overwrite
other files on the system.

Reference:
BugTraq Mailing List: "Possible symlink problems with Netscape 4.73" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-8&msg=Pine.BSF.4.21.0005101547150.99077-100000@blacklisted.intranova.net

_____

Date Reported:		5/10/2000
Vulnerability:		ssh-zedz-consultants
Platforms Affected:	SSH 1.2.27-8i
Risk Factor:		High
Attack Type:		Network/Host Based

The secure shell distribution 1.2.27-8i.src.rpm from the Zedz Consultants
FTP site could allow users to bypass authentication. A PAM patch included
in the RPM contains faulty logic that could allow a local or remote
attacker to gain shell access without using the correct password.

Reference:
Sword & Shield Enterprise Security, Inc. Security Advisory: "Secure Shell
Authentication Vulnerability" at:
ftp://ftp.sses.net/pub/security/advisories/sses-002-ssh-auth-vul.txt

_____

Date Reported:		5/10/2000
Vulnerability:		coldfusion-cfcache-dos
Platforms Affected:	ColdFusion 4.5.1
Risk Factor:		Medium
Attack Type:		Network/Host Based

The ColdFusion web application server is vulnerable to a denial of service
attack caused by a vulnerability with the CFCACHE option for caching
static HTML of dynamic pages. Due to a flaw in the processing of files
using CFCACHE functionality, a remote attacker can cause the server to
stop responding by making several simultaneous requests to a CFCACHE page
that is not loaded into cache.

Reference:
NTBugtraq Mailing List: "Cold Fusion Server 4.5.1 DoS Vulnerability" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0005&L=ntbugtraq&F=&S=&P=4843

_____

Date Reported:		5/10/2000
Vulnerability:		http-cgi-formmail-environment
Platforms Affected:	FormMail
Risk Factor:		Low
Attack Type:		Network/Host Based

Matt Wright's FormMail CGI script allows a remote attacker to retrieve the
values of environment variables. By making an HTTP request to
formmail.cgi, a remote attacker can have the value of any environment
variable sent in an email message to an address specified by the attacker.
The desired environment variable is requested with the "env_report"
parameter, and the email address is specified in the "recipient"
parameter.

Reference:
Black Watch Labs Security Advisory #00-06: "Environment and Setup
Variables can be Viewed through FormMail Script" at:
http://www.perfectotech.com/blackwatchlabs/vul5_10.html

_____

Date Reported:		5/9/2000
Vulnerability:		libmytinfo-bo
Platforms Affected:	FreeBSD 3.x
Risk Factor:		Medium
Attack Type:		Host Based

FreeBSD 3.x versions prior to 2000-04-25 are vulnerable to a buffer
overflow in libmytinfo, a part of the ncurses text-mode display library.
By supplying a long TERMCAP environment variable to overflow a buffer in
the library, an attacker may be able to gain elevated privileges through
certain setuid or setgid third-party software.

Reference:
FreeBSD, Inc. Security Advisory FreeBSD-SA-00:17: "Buffer overflow in
libmytinfo may yield increased privileges with third-party software." at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:17-libmytinfo.asc

_____

Date Reported:		5/9/2000
Vulnerability:		netopia-snmp-comm-strings
Platforms Affected:	Netopia R-series router
Risk Factor:		Low
Attack Type:		Network/Host Based

The Netopia R-series router is an ethernet router used with cable modem
and DSL connections. Firmware versions 4.3.8 through 4.6.2 could allow a
user with an existing account on the router to modify the SNMP community
strings, even if the administrator has restricted access to them.

Reference:
Bugtraq Mailing List: "Advisory: Netopia R9100 router vulnerability" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005082054.NAA32590@linux.mtndew.com

_____

Date Reported:		5/9/2000
Vulnerability:		gnapster-view-files
Platforms Affected:	Gnapster (1.3.8 and earlier)
Risk Factor:		Medium
Attack Type:		Network/Host Based

Gnapster is the Unix client for Napster, a program that allows users to
exchange MP3 files. Gnapster version 1.3.8 and earlier could allow other
remote gnapster users to view local files using the current user's
privileges.

References:
BugTraq Mailing List: "Gnapster Vulnerability Compromises User-readable
Files" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-8&msg=Pine.GSO.4.10.10005101428110.26725-100000@lisa.cs.purdue.edu

FreeBSD, Inc. Security Advisory FreeBSD-SA-00:18: "gnapster port allows
remote users to view local files" at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:18-gnapster.adv

_____

Date Reported:		5/8/2000
Vulnerability:		netstructure-root-compromise
Platforms Affected:	NetStructure 7180
Risk Factor:		High
Attack Type:		Network/Host Based

The Intel NetStructure 7180 e-Commerce Director is an Internet commerce
product for enhancing secure transactions. A local or remote attacker can
gain root access to the administration console of the NetStructure 7180
using two undocumented accounts, servnow and root. The passwords for these
accounts are generated from the Ethernet MAC address of the device, which
can be obtained through SNMP.

Reference:
L0pht Research Labs Security Advisory: "NetStructure 7180 remote backdoor
vulnerability" at: http://www.lopht.com/advisories/ipivot7180.html

_____

Date Reported:		5/8/2000
Vulnerability:		netstructure-wizard-mode
Platforms Affected:	NetStructure 7110
Risk Factor:		High
Attack Type:		Network/Host Based

The Intel NetStructure 7110 e-Commerce Accelerator is an Internet device
for speeding up secure transactions. An attacker can override the
administrator password and gain root access to the administration console
of the NetStructure 7110, by using an undocumented shell password in
"wizard" mode. The shell password is generated from the Ethernet MAC
address of the device, which can be displayed at the login prompt.

Reference:
L0pht Research Labs Security Advisory: "NetStructure 7110 console
backdoor" at: http://www.lopht.com/advisories/ipivot7110.html

_____

Date Reported:		5/8/2000
Vulnerability:		allaire-clustercats-url-redirect
Platforms Affected:	ColdFusion
Risk Factor:		Low
Attack Type:		Network/Host Based

The ColdFusion web application server could reveal sensitive information
to users. The ClusterCATS management software included in ColdFusion
running under Windows NT may append sensitive information to the end of a
URL during HTML redirection. This information results from stale query
string arguments, and may contain confidential data such as usernames and
passwords.

Reference:
Allaire Security Bulletin ASB00-12: "ClusterCATS Appends Stale Query
String to URL Line during HTML Redirection" at:
http://www.allaire.com/handlers/index.cfm?ID=15697&Method=Full

_____

Date Reported:		5/8/2000
Vulnerability:		aolim-file-path
Platforms Affected:	AOL Instant Messenger 4.0
Risk Factor:		Low
Attack Type:		Network Based

AOL Instant Messenger (IM) is a communication program that lets users chat
and exchange files with other AOL IM users on the Internet. The file
transfer component of AOL IM reveals path information to others. When a
user sends a file to another user, the complete file name and path are
revealed to the recipient. This information could be helpful in an attack.

Reference:
BugTraq Mailing List: "AOL Instant Messenger" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=002401bfb918$7310d5a0$1ef084ce@karemor.com

_____

Date Reported:		5/6/2000
Vulnerability:		iis-shtml-reveal-path
Platforms Affected:	IIS (4.0, 5.0)
Risk Factor:		Low
Attack Type:		Host Based

Shtml.exe is a program installed with the FrontPage Server Extensions for
viewing smart HTML files. Shtml.exe could reveal the local path of an IIS
web server when a non-existent .html, .shtml, .htm or .asp file is
requested.

Reference:
BugTraq Mailing List: "shtml.exe reveal local path of IIS web directory"
at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000506231635.11347.qmail@securityfocus.com

_____

Date Reported:		5/5/2000
Vulnerability:		http-cgi-dbman-db
Platforms Affected:	DBMan 2.0.4
Risk Factor:		Low
Attack Type:		Network/Host Based

Gossamer Threads DBMan reveals sensitive environment variables when an
invalid database is requested. DBMan is a database manager with a web
interface for accessing ASCII flatfile databases. If a remote user makes a
request to the "db.cgi" program for a non-existent database, an error page
is returned that contains configuration and environment information that
could be helpful in an attack, including script location, HTTP root
directory, and server name.

Reference:
Black Watch Labs Security Advisory #00-05: "Environment and Setup
Variables can be Viewed through DBMan (db.cgi) Script" at:
http://www.perfectotech.com/blackwatchlabs/vul5_05.html

_____

Date Reported:		5/5/2000
Vulnerability:		http-cgi-dnews-bo
Platforms Affected:	Netwin DNews
Risk Factor:		Medium
Attack Type:		Network/Host Based

DNEWSWEB by Netwin is a CGI program for providing web-based news group
access. The version of DNEWSWEB included with the DNEWS News Server
version v5.3e1 is vulnerable to a remote buffer overflow. A remote
attacker can send a specially-crafted QUERY_STRING to the program to
overflow a buffer and execute arbitrary code on the mail server.

Reference:
Cerberus Information Security Advisory (CISADV000505): "DNewsweb Buffer
Overflow" at: http://www.cerberus-infosec.co.uk/advdnw.html

_____

Date Reported:		5/5/2000
Vulnerability:		ultraboard-cgi-dos
Platforms Affected:	UltraBoard (1.x, 2000b) 
Risk Factor:		Medium
Attack Type:		Network/Host Based

UltraBoard is a web bulletin board system written in Perl. UltraBoard
versions 1.x and possibly 2000 are vulnerable to a denial of service
attack. A remote attacker can send a request to the UltraBoard CGI which
will cause the script to execute itself in a loop. This will cause the
server to rapidly consume available CPU and memory resources, slowing or
possibly crashing the machine.

Reference:
BugTraq Mailing List: "Re: Fun with UltraBoard V1.6X" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-08&msg=20000505231056.B2092@itchy.coverlink.es

_____

Date Reported:		5/4/2000
Vulnerability:		aladdin-etoken-pin-reset
Platforms Affected:	eToken 3.3.3.x
Risk Factor:		High
Attack Type:		Host Based

The Aladdin Knowledge Systems' eToken is a portable USB device token for
two-factor authentication systems. An attacker with physical access to the
device's circuit board could copy an 8-byte string from one area of
external memory in the EEPROM to another to reset the PIN number of the
eToken.

Reference:
L0pht Research Labs Security Advisory: "eToken Private Information
Extraction and Physical Attack" at:
http://www.l0pht.com/advisories/etoken-piepa.txt

_____

Date Reported:		5/4/2000
Vulnerability:		http-cgi-dmailweb-bo
Platforms Affected:	NetWin D-WebMail
Risk Factor:		Medium
Attack Type:		Network/Host Based

D-MailWeb by Netwin is a CGI program for providing web-based email access.
D-MailWeb 2.5d is vulnerable to a remote buffer overflow. A remote
attacker can send a specially-crafted QUERY_STRING to the program to
overflow a buffer and execute arbitrary code on the mail server.

Reference:
Cerberus Information Security Advisory (CISADV000504): "Dmailweb Buffer
Overflow" at: http://www.cerberus-infosec.co.uk/advdmw.html

_____

Date Reported:		5/4/2000
Vulnerability:		interscan-viruswall-bo
Platforms Affected:	Interscan VirusWall (3.23, 3.3, 3.32)
Risk Factor:		High
Attack Type:		Network Based

InterScan VirusWall works as an SMTP gateway which scans all inbound and
outbound mail traffic for viruses before forwarding it to an SMTP server.
A vulnerability exists in the VirusWall SMTP gateway that could allow a
remote attacker to execute code with the privileges of the daemon.

Reference:
COVERT Labs Security Advisory: "Trend Micro InterScan VirusWall Remote
Overflow" at: http://www.nai.com/nai_labs/asp_set/advisory/39_Trend.asp

_____

Date Reported:		5/3/2000
Vulnerability:		quake3-auto-download
Platforms Affected:	Quake3Arena Client 1.16
Risk Factor:		High
Attack Type:		Network/Host Based

Quake III Arena could allow an attacker to have read or write access to a
Quake III Arena user's file system when the user connects to a server run
by the attacker. This could allow attackers to install Trojan horse
programs, gather passwords, and read or write files. The environment for
Quake III Arena allows client-side modification to read and write files
for purposes such as configuration. It is possible to open files in
directories above the modifications directory allowing an attacker to open
any file on the same drive. By combining the ability to access files with
the automatic download feature that was added to Quake III Arena in the
1.16 update on March 5, 2000, this vulnerability could be used by an
attacker to execute malicious code on any system that connects to a Quake
III Arena server.

Reference:
Internet Security Systems Security Advisory #50: "Vulnerability in
Quake3Arena Auto-Download Feature" at:
http://xforce.iss.net/alerts/advise50.php3

_____

Date Reported:		5/3/2000
Vulnerability:		ultraboard-printabletopic-fileread
Platforms Affected:	UltraBoard 1.x
Risk Factor:		Medium
Attack Type:		Network/Host Based

UltraBoard is a web bulletin board system written in Perl. UltraBoard
version 1.6x could allow a remote attacker to access any file on the web
server: a remote attacker can open any file on the web server running
UltraBoard with the permissions of the web server.

Reference:
BugTraq Mailing List: "Fun with UltraBoard V1.6X" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000503091316.99073.qmail@hotmail.com

_____

Date Reported:		5/3/2000
Vulnerability:		cart32-expdate
Platforms Affected:	Cart32 (2.6, 3.0)
Risk Factor:		Low
Attack Type:		Network/Host Based

Cart32 is an online shopping cart system developed by McMurtrey/Whitaker &
Associates for the Windows platform. A vulnerability in the cart32.exe CGI
component of Cart32 could allow a remote attacker to retrieve possibly
sensitive information about the server installation, including environment
settings and a list of programs in the CGI-BIN directory. This hole is
exploited by appending the string "/expdate" to requests to the
"cart32.exe" CGI.

Reference:
BugTraq Mailing List: "Another interesting Cart32 command" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-29&msg=200005030745.AAA07913@mail5.hushmail.com

_____

Date Reported:		5/3/2000
Vulnerability:		cisco-online-help
Platforms Affected:	Cisco Routers
Risk Factor:		Medium
Attack Type:		Network Based

Cisco routers could reveal information to an attacker through the online
help system. This vulnerability could allow a non-privileged local user to
gain sensitive information that should be restricted to privileged users,
such as access control lists.

Reference:
BugTraq Mailing List: "Possible issue with Cisco on-line help?" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=20000502222246.28423.qmail@securityfocus.com

_____

Date Reported:		5/3/2000
Vulnerability:		hp-shutdown-privileges
Platforms Affected:	HPUX (10.x, 11.x)
Risk Factor:		Medium
Attack Type:		Host Based

The shutdown command in HP-9000 Series700/800 running HP-UX 11.x and 10.x
handles input variables incorrectly. This could allow attackers to
increase their privileges on the system.

Reference:
Hewlett-Packard Security Bulletin HPSBUX0005-113: "Sec. Vulnerability with
shutdown command" at: http://us-support.external.hp.com/

_____

Date Reported:		5/3/2000
Vulnerability:		http-cgi-listserv-wa-bo
Platforms Affected:	Listserv
Risk Factor:		High
Attack Type:		Network/Host Based

L-Soft LISTSERV is a popular mailing list software package. The LISTSERV
Web Archive component in at least versions 1.8c and 1.8d is vulnerable to
a remote buffer overflow. A remote attacker can overflow a buffer and
execute arbitrary code with the privileges the script is executed under.

References:
Cerberus Information Security Advisory CISADV000503: "Listserv Web
Archives Buffer Overflow" at: http://www.cerberus-infosec.co.uk/advwa.html

L-Soft web site: "SECURITY ADVISORY 5 May 2000" at:
http://www.lsoft.com/news/default.asp?item=Advisory0

_____

Date Reported:		5/2/2000
Vulnerability:		aaabase-execute-dot-files
Platforms Affected:	SuSE Linux
Risk Factor:		Medium
Attack Type:		Host Based

The aaa_base package prior to version 2000.5.2 in SuSE Linux is
vulnerable to command execution by a local user. The home directories for
some system accounts in SuSE Linux are set by default to /tmp. An attacker
could create dot files in this directory that are executed when someone
switches to one of these system accounts, which could lead to a compromise
of that account.

Reference:
SuSE Security Announcement #47: "aaabase < 2000.5.2" at:
http://www.suse.de/de/support/security/suse_security_announce_47.txt

_____

Date Reported:		5/2/2000
Vulnerability:		aaabase-file-deletion
Platforms Affected:	SuSE Linux
Risk Factor:		Medium
Attack Type:		Host Based

The aaa_base package prior to version 2000.5.2 in SuSE Linux is
vulnerable to command execution by a local user. The home directories for
some system accounts in SuSE Linux are set by default to /tmp. An attacker
could create dot files in this directory that are executed when someone
switches to one of these system accounts, which could lead to a compromise
of that account.

Reference:
SuSE Security Announcement #47: "aaabase < 2000.5.2" at:
http://www.suse.de/de/support/security/suse_security_announce_47.txt

_____

Date Reported:		5/2/2000
Vulnerability:		macos-appleshare-invalid-range
Platforms Affected:	AppleShare Web & File 6.3.2
Risk Factor:		Low
Attack Type:		Host Based

The web server in AppleShare IP 6.x for Mac OS 9.0 may leak information
from memory. When an invalid range request is made, the server returns an
extra 32 KB of data. This extra data may contain sensitive information.

Reference:
BugTraq Mailing List: "INFO:AppleShare IP 6.3.2 squashes security bug" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-01&msg=20000502133240.21807.qmail@securityfocus.com

_____

Date Reported:		5/2/2000
Vulnerability:		win-netbios-source-null
Platforms Affected:	Windows 95, 98
Risk Factor:		Medium
Attack Type:		Network/Host Based

Windows 95 and 98 are vulnerable to a remote denial of service attack that
could cause the system to crash, reboot, or enter an unstable and
unpredictable state.  This vulnerability is exploited by making a NetBIOS
session request to a Windows 9x host with a NULL NetBIOS source name.
Exploit code has been made widely available.

Reference:
el8.org advisory: "Win 95/98 DoS (RFParalyze.c)" at:
http://www.el8.org/adv/05012000_win98_winpopup.txt

_____

Date Reported:		5/1/2000
Vulnerability:		linux-knfsd-dos
Platforms Affected:	Linux
Risk Factor:		Medium
Attack Type:		Network/Host Based

The Linux kernel nfsd server is vulnerable to a denial of service attack.
An unauthenticated remote user can trigger a kernel OOPS on the host,
which could crash the NFS service.

Reference:
BugTraq Mailing List: "Linux knfsd DoS issue" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.21.0005012042550.6419-100000@ferret.lmh.ox.ac.uk

_____

Date Reported:		5/1/2000
Vulnerability:		macos-filemaker-anonymous-email
Platforms Affected:	FileMaker Pro 5.0
Risk Factor:		Medium
Attack Type:		Network/Host Based

The Web Companion software in FileMaker Pro 5.0 could allow remote users
to use the server to send anonymous email. The software's email
capabilities are not restricted by certain security settings. A remote
attacker can submit commands to Web Companion that would send an email
written by the attacker to a specified email address or distribution list.

Reference:
Blue World Security Alert: "BLUE WORLD ANNOUNCES FILEMAKER PRO 5 WEB
SECURITY ALERT" at:
http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

_____

Date Reported:		5/1/2000
Vulnerability:		macos-filemaker-email
Platforms Affected:	FileMaker Pro 5.0
Risk Factor:		Medium
Attack Type:		Network/Host Based

The Web Companion software in FileMaker Pro 5.0 could allow anonymous
access to data contained in a Web Companion database. The software's email
capabilities are not restricted by certain security settings. A remote
attacker can request the contents of any field in the Web Companion
database be sent to a specified email address, even if Web Database
Security preferences are set to deny anonymous access.

Reference:
Blue World Security Alert: "BLUE WORLD ANNOUNCES FILEMAKER PRO 5 WEB
SECURITY ALERT" at:
http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

_____

Date Reported:		5/1/2000
Vulnerability:		macos-filemaker-xml
Platforms Affected:	FileMaker Pro 5.0
Risk Factor:		Medium
Attack Type:		Network/Host Based

The Web Companion software in FileMaker Pro 5.0 could allow anonymous
access to a Web Companion database. The software's XML publishing
capabilities are not restricted by certain security settings. A remote
attacker could use the XML publishing feature to access a Web Companion
database and view sensitive data contained in the database, even if Web
Database Security preferences are set to deny anonymous access.

Reference:
Blue World Security Alert: "BLUE WORLD ANNOUNCES FILEMAKER PRO 5 WEB
SECURITY ALERT" at:
http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security.html

_____

Risk Factor Key:

        High    Any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on the mail
                server.
        Medium  Any vulnerability that provides information that has a
                high potential of giving system access to an intruder.
                Example: A misconfigured TFTP or vulnerable NIS server
                that allows an intruder to get the password file that
                could contain an account with a guessable password.
        Low     Any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via brute force methods.

_____

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express
consent of the X-Force.  If you wish to reprint the whole or any part of
this Alert Summary in any other medium excluding electronic medium,
please e-mail xforce@iss.net for permission.

Disclaimer
The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at:   http://xforce.iss.net/sensitive.php3 as 
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

About Internet Security Systems

Internet Security Systems (ISS) is the leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite* security software, ePatrol* remote managed security services,
and strategic consulting and education offerings, ISS is a trusted
security provider to its customers and partners, protecting digital assets
and ensuring safe and uninterrupted e-business. ISS' security management
solutions protect more than 5,500 customers worldwide including 21 of the
25 largest U.S. commercial banks, 10 of the largest telecommunications
companies and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin
America and the Middle East. For more information, visit the Internet
Security Systems web site at www.iss.net <http://www.iss.net>  or call 
888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----