From: Sweren, Scott (FUSA)
Sent: Monday, June 07, 1999 8:27 AM
To: Hayden, Thomas (Fusa); August, Kevin (FUSA); Fabioneri, Mike A. (FUSA); Brian O'Malley; Brian Trevey; Christopher Wilson; Ed Carlson; Glenn Everhart; Harvey Lieberman; Ian Rathie; Jason Fager; John Aupperle; Michael Smith; Penny Hogue; Tom Maples; Tom Steenkamer
Subject: FW: SANS NT Digest Vol. 2 Num. 5

FYI

-----Original Message-----
From: The SANS Institute [mailto:sans@sans.org]
Sent: Friday, June 04, 1999 12:45 AM
To: Scott Sweren
Subject: SANS NT Digest Vol. 2 Num. 5

To: Scott Sweren (SD110040)
From: The SANS Institute

+====================================================================+
SANS

June 3, 1999                                      Volume 2, Number 5

The SANS NT Digest

Editor: Jesper M. Johansson (University of Minnesota)

Editorial Board:
  Dr. Matt Bishop (Univ. California, Davis)
  Jeff Brown (Merrill Lynch)
  Phil Cox (NTS)
  Mark T. Edmead (IBM Global Security Services)
  Chris Lalka (Exxon)
  Eric Maiwald (Fortrex)
  Rob Marchand (Array Systems)
  Dr. Gene Schultz (Global Integrity Corporation, an SAIC Company)
+=====A Resource for Computer and Network Security Professionals=====+

**********************************************************************
Copyright 1999. The SANS Institute. All rights reserved. You may forward this issue to your co-workers and encourage them to subscribe by sending a note with the subject "NT Digest" to digest@sans.org. Unsubscribe or change address by forwarding this note to with simple instructions. Anyone may subscribe by sending a note with the subject "NT Digest" to .
**********************************************************************

This has been a busy month, in many respects.
A number of important developments took place regarding Windows NT. Microsoft released six new security bulletins and a new service pack for Windows NT. Several hotfixes were either released or updated. We also have information on a number of issues with third-party software, and we conclude with a discussion of NTLMv2, a more secure authentication mechanism that has been included in NT since Service Pack 4. JMJ

**********************************************************************
Table of Contents

1. Microsoft Security Bulletins
   1.1 MS99-013
   1.2 MS99-014
   1.3 MS99-015
   1.4 MS99-016
   1.5 MS99-017
   1.6 MS99-018
2. MS Hotfixes And Service Packs
   2.1 Service Pack 5 Released
       2.1.1 Disable Source Routing
       2.1.2 No More Periodic Disk Access
   2.2 SP5 Hotfixes
       2.2.1 ras-Fix
       2.2.2 winhlp32-Fix
   2.3 SP4 Hotfixes
       2.3.1 rnr-Fix
       2.3.2 msmq-Fix
3. NT Issues
   3.1 Registry ACL On ProfileList Represents Security Hole (Already Documented)
   3.2 White paper on building an NT Bastion Host
   3.3 PROQUOTA.EXE problem
4. IIS Issues
   4.1 Tool To Help With IIS Security Configuration
5. Third-Party Software Issues
   5.1 Installing Outlook 98 After IE5 Causes Crash
   5.2 Cold Fusion Security Bulletins
       5.2.1 ASB99-06: Netscape Servers for Win NT Exposure of Source Code with "%20"
       5.2.2 ASB99-07: Possible Denial-of-Service Attack Using CF Admin. Start/Stop Utility
       5.2.3 ASB99-08: Pages Encrypted with CFCRYPT.EXE Can Be Illegally Decrypted
   5.3 Patches For ARCServe And Innoculan To Resolve Password Storage Issues
   5.4 FTP Serv-U 2.5 Buffer Overflow
   5.5 Problem With NAI Virus Scan Engine V. 4.0.2
6. Tip Of The Month: Use A More Secure Form Of NT Authentication
=======================================================================

1. Microsoft Security Bulletins

Microsoft has released four new security bulletins this month.

1.1 MS99-013

This bulletin discusses another Sample Files issue with web servers.
The sample files in question are installed by default with MS Site Server 3.0, and are an option on IIS 4.0. The sample files allow users to view the source of files on a server. As is the case with all sample file exploits, the work-around is to remove the samples. The security bulletin is available at http://www.microsoft.com/security/bulletins/ms99-013.asp. The related Knowledge Base article is available at http://support.microsoft.com/support/kb/articles/q231/3/68.asp.

Microsoft has published patches for this issue at:
- Internet Information Server: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
- Site Server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/

1.2 MS99-014

This bulletin covers a patch for Microsoft Excel 97. Apparently the virus warning, whereby Excel warns users every time they open a spreadsheet that contains macros, can be bypassed. Since the majority of Excel installations have this feature turned off in favor of real virus detection software, this is probably a very minor issue. At any rate, the bulletin is available at http://www.microsoft.com/security/bulletins/ms99-013.asp if this affects you.

1.3 MS99-015

Mnemonix discovered a bug in the Windows NT Help File compiler. The bug results from a buffer overflow, and could therefore be used to run arbitrary code on the system. Microsoft has responded with a set of fixes. Unfortunately, the fixes are only available for Service Pack 5, not for Service Pack 4, so a prerequisite for patching this problem is to install Service Pack 5.
- X86 version: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP5/winhlp32-fix/winhlp-i.exe
- Alpha version: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP5/winhlp32-fix/winhlp-a.exe

The security bulletin about this issue is available at http://www.microsoft.com/security/bulletins/ms99-015.asp.
1.4 MS99-016

This bulletin deals with another buffer overflow vulnerability. This one affects Remote Access Service clients. A carefully constructed phone book entry, if run on a RAS client, would cause a buffer overflow and allow arbitrary code to be run on the system. This fix as well is only available for Service Pack 5, at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/RAS-fix/. The security bulletin itself can be found at http://www.microsoft.com/security/bulletins/ms99-016.asp.

1.5 MS99-017

On May 27, Microsoft released a password caching fix for the client end of RAS and RRAS. When a client makes a connection using either RAS or RRAS, an option is given to save the password. Apparently, RAS and RRAS save the password in the registry regardless of whether the user chooses to save it or not. Microsoft has published two Knowledge Base articles about the issue, one each for RAS and RRAS:
http://support.microsoft.com/support/kb/articles/q230/6/81.asp
http://support.microsoft.com/support/kb/articles/q233/3/03.asp

In addition, the bulletin itself is available at http://www.microsoft.com/security/bulletins/ms99-017.asp. The fixes, which are available only for Service Pack 5, are located at:
- RAS: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/RASPassword-fix/
- RRAS: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/RRASPassword-fix/

1.6 MS99-018

Also on May 27, Microsoft released fixes for two security vulnerabilities in Internet Explorer 5.0 and 4.0. The first vulnerability is related to the favicon.ico feature. By placing an icon file in the root of a web site, a site operator causes IE 5 to display that icon in the Favorites menu for users who mark the site as a favorite. Unfortunately, in IE 5.0 running under Win9x, there is an unchecked buffer in the implementation. This means that a malicious web-site operator could specially construct an icon to exploit this buffer overflow and run code on the user's computer. The second issue relates to an old ActiveX control included with IE 4 and IE 5. This control, which was used by previous versions of IE but not by IE 4 and IE 5, could allow a remote user access to the hard drive of the system the client is running on. There are two Knowledge Base articles available about these issues:
- Update Available for the "Malformed Favorites Icon" Issue in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/q231/4/50.asp
- Update Available for "Legacy ActiveX Control" Issue in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/q231/4/52.asp

The security bulletin is available at http://www.microsoft.com/security/bulletins/ms99-018.asp, while the fix itself can be downloaded from www.microsoft.com/windows/ie/security/favorites.asp.

2. MS Hotfixes And Service Packs

2.1 Service Pack 5 Released

Microsoft has released Service Pack 5 for Windows NT 4.0. Service Pack 5 includes few new features, but has all fixes since SP4. In addition, some issues with SP4 are resolved in SP5. Both the 40-bit (exportable outside the United States and Canada) and the 128-bit versions of SP5 are available at http://microsoft.com/windows/servicepacks/. Among the more interesting features in SP5 are the following:

2.1.1 Disable Source Routing

Windows NT can finally disable forwarding of source-routed IP packets. This is a new option with Service Pack 5. For more information see http://support.microsoft.com/support/kb/articles/q217/3/36.asp.

2.1.2 No More Periodic Disk Access

Under SP4, NT will access the hard disk every five minutes. This can interfere with power management, especially on notebook computers. This has been fixed in SP5.

2.2 SP5 Hotfixes

2.2.1 ras-Fix

The RAS fix was discussed in 1.4 above.

2.2.2 winhlp32-Fix

The winhlp32 fix was discussed in 1.3 above.
2.3 SP4 Hotfixes

A couple of hotfixes for SP4 made it out this month, either as new or modified versions.

2.3.1 rnr-Fix

The old rnr-fix for SP4 was updated on May 4th. No mention is made as to what changed.

2.3.2 msmq-Fix

This fix is for Microsoft Message Queue Server. If you attempt to renew a certificate on February 29th of a leap year, MSMQ will generate an error. This fix addresses that issue.

3. NT Issues

3.1 Registry ACL On ProfileList Represents Security Hole (Already Documented)

A message on NTBugTraq (http://www.ntbugtraq.com) by Mnemonix called attention to an already documented issue about profiles. Everyone is able to write to the following key in the registry:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\ProfileList

This key lists the profiles stored on the computer and their locations. However, since Everyone has write access to that key and everything underneath it, an ordinary user can exploit this to get an administrator to run a trojan horse which gives that user administrative access. This issue was discovered some time ago, and Microsoft's White Paper on Securing Windows NT documents it and recommends changing these permissions. However, as is usually the case when an issue like this is brought up again, the incidence of attempts to exploit it rises remarkably. Therefore, this may be a good time to ensure you have resolved this problem. Note also that if you have not restricted remote registry access for null users, this could be an easy path into the system for an attacker. The proper permissions on this key are:

SYSTEM: Full Control
Authenticated Users: Read

3.2 White paper on building an NT Bastion Host

If you are building an NT Bastion Host, you may be interested in a white paper on the topic published by Stefan Norberg of HP Consulting, Sweden. The paper is available at http://people.hp.se/stnor.
3.3 PROQUOTA.EXE problem

It was reported on NTBugTraq (http://www.ntbugtraq.com) that users can easily bypass the profile quota limitations introduced with Service Pack 4. The PROQUOTA process is owned by the user being monitored. Consequently, that user can kill the process, effectively disabling the quota. The editorial board is not aware of a solution to this problem from Microsoft at this time.

4. IIS Issues

This month has been surprisingly quiet with regard to IIS. However, there is a new tool available to assist in administration.

4.1 Tool To Help With IIS Security Configuration

If you are having problems figuring out how to configure security in Internet Information Server 4.0, you are in luck. Microsoft has published a tool to help you understand the impact of various security settings. You can access this tool at http://support.microsoft.com/support/kb/articles/Q229/6/94.asp.

5. Third-Party Software Issues

Numerous third-party software issues and new versions were announced this month.

5.1 Installing Outlook 98 After IE5 Causes Crash

If you have Internet Explorer 5 installed and attempt to install Outlook 98, Outlook 98 will crash after the installation. Both applications replace WINTRUST.DLL, but apparently the two versions are not the same, causing OL98 to crash. This problem does not occur with IE 5 and OL 2000. A work-around is to turn on the "Execute Unsigned" setting in IE 5 before the installation.

5.2 Cold Fusion Security Bulletins

Allaire released three security bulletins for Cold Fusion this month.

5.2.1 ASB99-06: Netscape Servers for Win NT Exposure of Source Code with "%20"

There is a vulnerability in Netscape Web Servers for Windows NT which allows the reading of CFM file source code by appending %20 to the URL. Netscape has posted a fix for this issue. For more information see the Allaire bulletin at http://www.allaire.com/handlers/index.cfm?ID=10967&Method=Full.

5.2.2 ASB99-07: Possible Denial-of-Service Attack Using CF Admin. Start/Stop Utility

Interestingly, when Cold Fusion 4.x is configured for Advanced Security, the Start/Stop utility in the Cold Fusion Administrator does not check who has rights to start and stop the server. The bulletin describing this issue, which also includes a work-around, is available at http://www.allaire.com/handlers/index.cfm?ID=10968&Method=Full.

5.2.3 ASB99-08: Pages Encrypted with CFCRYPT.EXE Can Be Illegally Decrypted

If you are selling Cold Fusion applications and are using the CFCRYPT.EXE utility to "encrypt" the source files, you may be interested in knowing that there are now utilities available to decrypt the source files. Of course, if you do not include a statement in the license agreement that reverse engineering is not allowed, there is nothing illegal about that. The full story is available at http://www2.allaire.com/handlers/index.cfm?ID=10969&Method=Full.

5.3 Patches For ARCServe And Innoculan To Resolve Password Storage Issues

Computer Associates has published updates to ARCServe and Innoculan to resolve password storage issues with existing products. If you need these fixes, you may need to call CAI's technical support line to get them. They resolve issues with the storage of passwords locally on the server.

5.4 FTP Serv-U 2.5 Buffer Overflow

A buffer overflow exploit was discovered in FTP Serv-U 2.5 by Arne Vidström. The issue has been fixed by the manufacturer in a beta version of the next release. That version is available for download at ftp://ftp.cat-soft.com/beta/.

5.5 Problem With NAI Virus Scan Engine V. 4.0.2

The Nomad Mobile Research Center discovered a problem with Network Associates' virus scan engine version 4.0.2. The problem causes the virus definition file not to be updated. Unfortunately, the log will indicate that the file was indeed updated. This was fixed in NAI's version 4.0.3 scan engine, which is available for download from http://www.nai.com/download/default.asp.
If you hold a license for only VirusScan for NT, you need to click the "home user" link. Unfortunately this link leads you on a wild goose chase through more web pages than we can count, with more advertising than we care to see. If you have only a VirusScan license, go directly to http://download.mcafee.com/upgrades/userftp2.asp instead, and bypass the incredibly poorly designed web-site.

6. Tip Of The Month: Use A More Secure Form Of NT Authentication

Service Pack 4 introduced NTLMv2 authentication. This update to NTLMv1 provides a much higher level of security. Microsoft Knowledge Base article Q147706 describes the new features in depth, so this is just a synopsis of that article. The major enhancements of NTLMv2 are client input into the challenge and stronger (128-bit) keys. Both of these go a long way toward reducing the risk due to sniffed challenge and challenge/response packets.

There are two different ways to deploy NTLMv2. The first is in the "Workstation" and "Server" services. These services utilize a registry value named LMCompatibilityLevel. (From KB Q147706)

Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\Control\Lsa
Value Name: LMCompatibilityLevel
Value Type: REG_DWORD
Value Data: 0 to 5

LMCompatibilityLevel can be set to a single digit number between 0 and 5. Numbers 0 through 3 apply to clients. Numbers 4 and 5 apply to domain controllers. The following table describes the results of these settings.

Value  Results
0      Sends both LM and NTLMv1 responses (same as SP3 and earlier)
1      Negotiate NTLMv2. If unsuccessful, use LM and NTLMv1 authentication
2      Only use NTLMv1 authentication. Domain controllers must be upgraded to SP4
3      Only use NTLMv2 authentication
4      Accept NTLMv1 and NTLMv2, reject LM authentication
5      Accept NTLMv2 only

For the widest compatibility, set LMCompatibilityLevel to 1 on all Windows NT computers (including domain controllers). This will cause NTLMv2 to be used when possible, but still allow backwards compatibility.
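The table is easiest to reason about as a compatibility matrix between a client's level (0-3) and the domain controller's level (4-5, or lower). The following Python model is an added example, not code from the digest or from KB Q147706; it assumes that a DC set to 0-3 accepts every response type, that a pre-SP4 DC handles only LM and NTLMv1, and (per the level-2 note in the table) that client levels 2 and 3 both need an SP4 DC.

```python
# Model of the LMCompatibilityLevel table above (added example, not from
# KB Q147706 itself). The rules are read off the table; the assumptions
# that a domain controller set to 0-3 still accepts every response type
# and that a pre-SP4 DC understands only LM and NTLMv1 are mine.

# Weakest to strongest response type.
STRENGTH = {"LM": 0, "NTLMv1": 1, "NTLMv2": 2}


def client_sends(level, dc_sp4=True):
    """Response types a client at this level (0-3) puts on the wire.

    A level-1 client negotiates NTLMv2 and falls back to LM + NTLMv1 only
    when the other side cannot do NTLMv2 (here: a pre-SP4 DC).  Levels 2
    and 3 require an SP4 DC, so against an older one they send nothing
    the DC can validate.
    """
    if level == 0:
        return {"LM", "NTLMv1"}                   # same as SP3 and earlier
    if level == 1:
        return {"NTLMv2"} if dc_sp4 else {"LM", "NTLMv1"}
    if level == 2:
        return {"NTLMv1"} if dc_sp4 else set()
    if level == 3:
        return {"NTLMv2"} if dc_sp4 else set()
    raise ValueError("client levels are 0-3")


def dc_accepts(level, dc_sp4=True):
    """Response types a domain controller at this level (0-5) accepts.

    Assumption: a pre-SP4 DC is limited to LM + NTLMv1 whatever its
    registry says, and an SP4 DC at 0-3 accepts everything.
    """
    if not dc_sp4:
        return {"LM", "NTLMv1"}
    if 0 <= level <= 3:
        return {"LM", "NTLMv1", "NTLMv2"}
    if level == 4:
        return {"NTLMv1", "NTLMv2"}               # reject LM
    if level == 5:
        return {"NTLMv2"}                         # NTLMv2 only
    raise ValueError("DC levels are 0-5")


def negotiate(client_level, dc_level, dc_sp4=True):
    """Strongest response the DC will validate, or None if logon fails.

    A level-0 client (or a level-1 client that fell back) sends the LM
    response alongside NTLMv1 even when the DC validates NTLMv1, so the
    weak LM material is on the wire for anyone sniffing the exchange.
    """
    usable = client_sends(client_level, dc_sp4) & dc_accepts(dc_level, dc_sp4)
    return max(usable, key=STRENGTH.__getitem__) if usable else None


def broken_pairs(dc_sp4=True):
    """(client_level, dc_level) combinations that can no longer log on."""
    return [(c, d) for c in range(4) for d in range(6)
            if negotiate(c, d, dc_sp4) is None]


if __name__ == "__main__":
    for c in range(4):
        print(c, [negotiate(c, d) or "-" for d in range(6)])
    print("cannot log on against an SP4 DC:", broken_pairs())
```

Running it shows why the digest's two recommendations (1 everywhere, then 5 everywhere) are the safe end points: against a level-5 DC only level-0 and level-2 clients are locked out, and against a pre-SP4 DC only level-2 and level-3 clients are.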
For the greatest security, set LMCompatibilityLevel to 5 on all Windows NT computers (including domain controllers). This will require ALL computers to have Windows NT with SP4 and the appropriate LMCompatibilityLevel value set.

The second method to deploy NTLMv2 is by using the NTLM Security Service Provider (NTLMSSP). From Q147706:

  These changes affect the following Windows NT components: Any application that uses Microsoft remote procedure call (RPC) or that uses the NTLM SSP, use the authentication and session security described herein. The Workstation and Server services use authentication but support their own session security.

To utilize this functionality in the client, you have the following registry keys: (From Q147706)

Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\control\LSA\MSV1_0

The following values are valid for this key:

Value: NtlmMinClientSec
Value Type: REG_DWORD - Number
Valid Range: the logical 'or' of any of the following values: 0x00000010, 0x00000020, 0x00080000, 0x20000000
Default: 0

Value: NtlmMinServerSec
Value Type: REG_DWORD - Number
Valid Range: same as NtlmMinClientSec
Default: 0

Description: This parameter specifies the minimum security to be used.
  0x00000010  Message integrity
  0x00000020  Message confidentiality
  0x00080000  NTLMv2 session security
  0x20000000  128 bit encryption

Some Caveats

1. Domain controllers must be upgraded to SP4 before clients can choose level 3 or greater.
2. If using level 1 or greater, and the last password change came from a "downlevel" Windows client (WFW or MS-DOS LanManager 2.x client or earlier), only the LM data will be stored. This means that the data needed for NTLM and NTLMv2 authentication will not be available on the domain controller, and SP4 clients will not be able to connect to SP4 servers. The workaround is to use level 0, or always change passwords from a Windows NT, Windows 95, or Windows 98 client.
3. If a server chooses level 4 or 5, users will not be able to connect from a "downlevel" client with a local account on that server. Thus all users with accounts on a server or domain have to be using Windows NT to connect.

Deployment (From Q147706)
-------------------------

Because of the above considerations, if you deploy NTLMv2, we recommend that you take the following steps first:

1. Upgrade the domain controllers where the accounts for all users that are to use NTLMv2 are stored.
2. Even before the upgrade of the domain controllers is completed, clients and servers can be upgraded to SP4 and will obtain enhanced security when connecting SP4 to SP4 by setting level 1.
3. When step 1 is completed, individual systems that have already been upgraded to SP4 can start setting level 3 or greater.
4. If users in some account domain never need to access resources from downlevel LM clients, that domain's domain controllers can have their level set to 4, and after all of those users' systems have been upgraded to SP4, that domain's domain controllers can have their level set to 5.

**********************************************************************
The SANS NT Digest is provided at no charge. To subscribe, email with the subject NT Digest.
== End ==