From: Mark [mark@NTSHOP.NET]
Sent: Tuesday, November 02, 1999 11:37 PM
To: WINSD@LISTSERV.NTSECURITY.NET
Subject: [ Windows Security Digest ] 1999 - November 2

=====================================================================
WINDOWS SECURITY DIGEST                                   1999 SERIES
Watching the Watchers                                November 2, 1999
=====================================================================
         SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY

                          -- C O N T E N T S --

      << IN FOCUS >>
          * Security Training: Where'd You Get That?

      << WEB SITE NEWS >>
          * New Resource: Win2K Security Advice

      << SECURITY RISKS >>
          * Netscape Messaging Server Subject to Denial of Service
          * Denial of Service Against SERVICES.EXE
          * Avirt Mail Server 3.3a and 3.5 Buffer Overflow Condition
          * Xitami Web Server Subject to Buffer Overflow
          * CMail 2.4 Might Allow Execution of Arbitrary Code
          * ExpressFS 2.x FTPServer Subject to Buffer Overflow
          * WFTPD v2.34 and 2.40 Subject to Buffer Overflow
          * TCP/IP Sequence Number Randomness
          * Java VM Sandbox Vulnerability

      << HOT THREADS>>
          * November, Week 1
          * October, Week 5

      << IN THE NEWS >>
          * Ongoing MDAC Attacks Against IIS
          * Winternals Releases NTFSDOS Professional
          * DOJ Says Privacy is Antisocial
          * Britain to Form Cybercrime Force
          * Service Pack 6 for Windows NT !

      << FEATURE ARTICLES >>
          * IIS 5.0's New Security Features
          * Want to Tap the Security Job Market?
          * Tools of the Trade
          * Top 10 Cracks of All Time
          * The E-commerce Legal Balancing Act

      << REVIEWS >>
          * BO2K - Cracker Util or High-tech Admin Tool?
          * Internet Scanner vs CyberCop

_____________________________________________________________________
______________________________ IN FOCUS _____________________________
               SECURITY TRAINING: WHERE'D YOU GET THAT?

Hello Everyone,

As you know, security is a red hot topic and there is absolutely
no sign that it will cool down one iota anytime in the near future.
Many network administrators have already added network security
skills to their list of abilities. And administrators who have not
done so are flocking to training facilities in droves, and scouring
the Internet for the tiniest tidbits of useable information.
  With so many people seeking out security training today, many
existing educational facilities have retooled and new training
organizations are popping up with ever-increasing frequency to
offer security-related courses.
  I get a lot of email from administrators asking me who offers
various types of security training. To help arrive at answers for
those questions, there is probably no better way than to ask those
of you who have already taken security training in some form or
fashion.
  So, if you're among those who have taken some kind of security
training anytime in the last two years, please take a moment of
your day to share with me what you trained in, where you received
that training, and your overall recommendation for any courses
taken. I'll pool all the information together to create a list of
reader-recommended training programs and share that information with
all of you in an upcoming edition of this newsletter.
  Please send your response to mark@ntsecurity.net (do not click reply
to this newsletter!) and use a subject of "Sec Training" so that I can
more easily identify your message. Thanks for any information you can
share - I look forward to receiving it.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net, http://www.ntsecurity.net


==== SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY ====
Start preparing for holiday customers NOW - protect your
site with 128-bit SSL encryption! Get VeriSign's FREE guide,
"Securing Your Web Site for Business." You will learn
everything you need to know about using SSL to encrypt
your e-commerce transactions for serious online security.
http://www.verisign.com/cgi-bin/go.cgi?a=n032602130009000
============================================================

_____________________________________________________________________
___________________________ WEB SITE NEWS ___________________________

*** NEW RESOURCE: WIN2K SECURITY ADVICE
NTSecurity.net has joined forces with Steve Manzuik to bring the
security community a brand new and much-requested Windows security
mailing list. The new moderated mailing list, Win2KSecAdvice, is
geared towards promoting the open discussion of Windows-related
security issues.
   With a firm and unwavering commitment towards timely full
disclosure, this new resource promises to become a great forum for
open discussion regarding security-related bugs, vulnerabilities,
potential exploits, viruses, worms, Trojans, and more. Win2KSecAdvice
promotes a strong sense of community, and we openly invite all
security-minded individuals, be they white hat, gray hat, or black
hat, to join the new mailing list.
   While Win2KSecAdvice was named in the spirit of Microsoft's
impending product line name change, and meant to reflect the list's
security focus both now and in the long run, it is by no means limited
to security topics centered around Windows 2000. Any security issues
that pertain to Windows-based networking are relevant for discussion,
including all Windows operating systems, MS Office, MS BackOffice, and
all related third party applications and hardware. The scope of
Win2KSecAdvice can be summarized very simply: if it's relevant to
security, it's relevant to the list.
   The new list (hosted by LSoft on their speedy LISTSERV software) is
now a permanent part of NTSecurity.net, and Steve Manzuik
(steve@win2ksecadvice.net) will be your list moderator. NTSecurity.net
hosts the mailing list's Web-based searchable archives for your
research endeavors.
  http://www.ntsecurity.net/go/load.asp?id=/security/win2ksecadvice.htm
  http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=171&TB=news
_____________________________________________________________________
___________________________ SECURITY RISKS __________________________

*** NETSCAPE MESSAGING SERVER DOS
Netscape's Messaging Server 3.6 is susceptible to denial of service
attacks because of the way it handles incoming mail commands. Using a
simple scheme, an attacker could make the server consume all available
memory and CPU cycles, thereby denying any further service to the
machine's users.
   http://www.ntsecurity.net/go/load.asp?iD=/security/netscp-msg-srv.htm

*** DENIAL OF SERVICE AGAINST SERVICES.EXE
A person using the handle "rain forrest puppy" discovered a denial of
service condition in Windows NT, where an intruder can cause the
Services.Exe to crash. After the process crashes, all named pipe
activity on the system stops. In addition, user logons, remote system
access, local server management, and other crucial functions cease to
work properly.
   Microsoft is aware of the problem but has made no public comments
regarding the discovery. In the meantime, protect yourself from
external attacks by blocking all inbound NetBIOS traffic. Protect
yourself from internal attacks by stopping the Server service. Be
advised that stopping the Server service might prevent the use of
management tools such as Server Manager. For more information,
visit the following URL:
   http://www.ntsecurity.net/go/load.asp?iD=/security/services.htm

*** AVIRT MAIL SERVER 3.3a and 3.5 BUFFER OVERFLOW CONDITION
Luck Martin reported a buffer overflow condition in Avirt Mail Server
3.3a and 3.5. The problem, found in the routine that collects a user's
name and password, could let arbitrary code execute on the server.
Avirt has not responded about how it will address this problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/avirt1.htm

*** XITAMI WEB SERVER SUBJECT TO BUFFER OVERFLOW
Meliksah Ozoral discovered a problem with Xitami Web Server v2.4c3,
where sending large amounts of data can cause the service to crash,
leading to denial of service for the machine. According to the report,
the problem is due to an Xitami service listening on port 81. Xitami
has provided no information regarding a fix for this problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/xitami1.htm

*** CMAIL 2.4 MIGHT ALLOW EXECUTION OF ARBITRARY CODE
Luck Martin reported a problem in CMail 2.4's SMTP service that
might let arbitrary code execute on the server. Using a buffer
overflow condition in CMail's MAIL FROM: parsing routine, an
attacker can inject code that the server would then execute. A
similar bug was present in CMail 2.3.
No fix is presently available for the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/cmail1.htm

*** EXPRESSFS 2.x FTPSERVER SUBJECT TO BUFFER OVERFLOW
Luck Martin reported a buffer overflow condition in ExpressFS 2.x FTP
Server that can lead to the execution of arbitrary code on the server.
Because of faulty code in the user name and password routines, a
string parameter of a certain length, passed in a particular order,
causes the service to crash and execute arbitrary code carried in
the parameter string. The vendor hasn't released any information
regarding a fix for this problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/expressfs1.htm

*** WFTPD v2.34 AND 2.40 SUBJECT TO BUFFER OVERFLOW
Luck Martin reported a buffer overflow condition in WFTPD 2.34 and 2.40
that might let arbitrary code execute on the system. By taking advantage
of poor coding in the make-directory (MKD) and change-directory (CWD)
commands, an intruder can pass a string of exactly 255 characters to the
server in a certain sequence, which causes the service to crash or to
execute the code passed in the character string. The problem affects at
least WFTPD on Windows NT and Windows 98 systems. The makers of WFTPD,
Texas Imperial Software, have made no public comments regarding a fix
for the problem.
   http://www.ntsecurity.net/go/load.asp?iD=/security/wftpd1.htm

*** TCP/IP SEQUENCE NUMBER RANDOMNESS
National Bank of Kuwait discovered a problem with Windows NT's TCP/IP
stack implementation, where the initial sequence numbers (ISNs) are
somewhat predictable. Because of this predictability, there is a
chance a TCP/IP session could be spoofed or hijacked. The problem
affects NT 4.0 Workstation, NT 4.0 Server, NT 4.0 Server Enterprise
Edition, and Terminal Server Edition.
  Microsoft issued a patch for the Intel and Alpha platforms that
improves the randomness of Windows NT 4.0 TCP/IP ISN generation, which
now provides 15 bits of entropy. The patch contains the same algorithm
as that found in Windows 2000. Be sure to read Microsoft's FAQ and
Support Online article Q243835 regarding this matter.
  http://www.microsoft.com/security/bulletins/MS99-046faq.asp
  http://support.microsoft.com/support/kb/articles/q243/8/35.asp
  Intel patch:
  http://download.microsoft.com/download/winntsrv40/patch/4.0.1381.7014/nt4/en-us/q243835.exe
  Alpha patch:
  http://download.microsoft.com/download/winntsrv40/patch/4.0.1381.7014/alpha/en-us/q243835.exe
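
To make concrete what "15 bits of entropy" buys a defender, here is an
added Python example (not from the newsletter, Microsoft's patch or the
reporting bank) that scores how guessable a run of ISNs from successive
connections is. The ISN samples are constructed from a simple model (a
fixed per-connection step plus a random component) and are not a
description of NT's actual generator.

```python
import math
from collections import Counter
from random import Random

MOD = 1 << 32  # TCP sequence numbers are 32-bit


def isn_deltas(isns):
    """Increments between consecutive ISNs, modulo 2**32."""
    if len(isns) < 2:
        raise ValueError("need at least two ISNs to compare")
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def guess_space_bits(isns):
    """log2 of the span of observed increments: roughly how many bits an
    off-path sender would have to guess to land on the next ISN.
    0.0 means the next ISN is fully determined by the previous one."""
    deltas = isn_deltas(isns)
    return math.log2(max(deltas) - min(deltas) + 1)


def blind_guess_hit_rate(isns, window=0):
    """Fraction of ISNs hit by predicting 'previous ISN + most common
    increment', accepting any value within +/- window. 1.0 means every
    connection's ISN could be predicted from the one before it."""
    deltas = isn_deltas(isns)
    guess = Counter(deltas).most_common(1)[0][0]
    hits = sum(1 for d in deltas if abs(d - guess) <= window)
    return hits / len(deltas)


def constructed_isns(count, entropy_bits, seed=1):
    """Constructed sample (not the NT algorithm): each new connection's
    ISN is the previous one plus a fixed step of 128000 plus a random
    component of `entropy_bits` bits; entropy_bits=0 is fully
    predictable."""
    rng = Random(seed)
    isns = [0x01000000]
    for _ in range(count - 1):
        noise = rng.getrandbits(entropy_bits) if entropy_bits else 0
        isns.append((isns[-1] + 128000 + noise) % MOD)
    return isns


def assess(isns):
    """Summary a practitioner would log when checking a host's ISNs."""
    return {
        "guess_space_bits": round(guess_space_bits(isns), 2),
        "blind_guess_hit_rate": round(blind_guess_hit_rate(isns), 4),
    }


if __name__ == "__main__":
    # The 15-bit figure mirrors the bulletin; the ISN streams themselves
    # are constructed here, not captured from a Windows NT host.
    print("predictable model:", assess(constructed_isns(5000, 0)))
    print("15-bit model:     ", assess(constructed_isns(5000, 15)))
```

ISNs captured from your own host (one per new outbound connection) can be
passed to assess() in place of the constructed lists.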

*** JAVA VM SANDBOX VULNERABILITY
Microsoft reported a problem with their Java VM sandbox security.
According to Microsoft's security bulletin, "a web-hosted Java program
could take unauthorized, potentially malicious actions against visitors
to the web site. The specific actions that could be taken are limited
only by the privileges of the user."
  In a nutshell, it is possible for a Java applet to escape the
security sandbox by using an illegal type conversion, often referred
to as "casting". The problem could allow reading, writing, and deleting
files, reformatting the hard drive, or copying data to or from a web
page without the user's knowledge. Microsoft has issued a bulletin,
patch, FAQ, and Support Online article Q244283 regarding this matter.
  http://www.microsoft.com/java/vm/dl_vm32.htm
  http://www.microsoft.com/security/bulletins/MS99-045faq.asp
  http://support.microsoft.com/support/kb/articles/q244/2/83.asp

_____________________________________________________________________
____________________________ HOT THREADS ____________________________

*** NOVEMBER, WEEK 1
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list (covered in this newsletter). In the
spotlight this week is a thread regarding password caching after the
installation of SP6, and a thread regarding the reported Services.exe
denial of service attack (also covered in this issue).
 1: Caching of Passwords Revealed After Installing SP6, by Richard Noel
 2: RFP9906 - RFPoison Attack  by Luke Leighton, by R.F.P.

  FOLLOW THIS LINK TO READ ALL THE THREADS FOR NOV. WEEK 1:
  http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=win2ksec

*** OCTOBER, WEEK 5
Win2KSecAdvice was launched in late October and users wasted no time
getting right down to business. Several interesting threads appeared
from a variety of users. The highlights are as follows:
 1: IFRAME Vulnerability Still Here, by Steve Manzuik
 2: IIS Denial of Service?, by M.J.E.
 3: Netscape "RCPT TO:" Vulnerability, by Steve Manzuik
 4: Outlook Express Issue Similar to Netscape "RCPT TO:" Vulnerability
     by David Sandor

  FOLLOW THIS LINK TO READ ALL THE THREADS FOR OCT. WEEK 5:
  http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=win2ksec

_____________________________________________________________________
________________________________ NEWS _______________________________

*** ONGOING MDAC ATTACKS AGAINST IIS
More than 25 Windows NT-based Web servers were defaced over the
weekend. And while not all of those attacks can be attributed to the
MDAC problem reported back in April 99, CERT has posted a notice on
their activity report that shows many recent attacks are due to
problems with MDAC.
  http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=172&TB=news

*** WINTERNALS RELEASES NTFSDOS PROFESSIONAL
Winternals Software LP, an Austin-based developer of advanced system
utilities for Microsoft Windows 9x/NT/2000, released NTFSDOS
Professional. This latest edition of the product provides full
read/write access to NTFS drives from a DOS command shell.
  http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=168&TB=news

*** DOJ SAYS PRIVACY IS ANTISOCIAL
The Internet Engineering Task Force (IETF) has been developing the
specifications to the IPv6 protocol for some time now, and as you
know, decisions are being considered to include robust support for
encryption over the protocol.
  But as you also know, the FBI wants an easily tappable Internet,
and obviously encryption would confound that effort to a large extent.
So what does the United States government have to say about this? Ask
Scott Bradner, veteran IETF area coordinator and Harvard University
networking guru. When the IETF decided to include wire encryption in
the new IPv6 protocol, someone from the Department of Justice (DoJ)
gave Scott a hard slap. "Someone very high up in the US Justice
Department told me that week that for the IETF to support encryption
was an 'antisocial act,'" Bradner commented in a Wired Magazine
interview.
  http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=167&TB=news

*** BRITAIN TO FORM CYBERCRIME FORCE
Britain is set to establish a national police force chartered to
fight cybercrime. The new force will include participants from
universities, the electronics industry, intelligence staff from the
security services MI6 and MI5, and specialized police officers.
  The new force, tentatively named the "High Tech Crime Unit," is
taking advice from the American NSA and plans to exchange information
with the FBI regarding fraud, pornography, pedophile activity,
spreading race hate, counterfeiting, gambling, hacking and stealing
information, software piracy, money laundering, and sabotage involving
computer viruses.

*** SERVICE PACK 6 FOR WINDOWS NT !
Microsoft released Service Pack 6 (SP6) on October 27th. SP6 for
Windows NT 4.0 applies to Workstation, Server and Enterprise Editions
of Windows NT 4.0 - but not Terminal Server Edition. The new service
pack consolidates patches from SP1 through SP5, but Microsoft says
that SP6 remains optional. For a list of all items fixed within SP6,
be sure to review the Support Online articles Q241211 and Q244690.
   http://support.microsoft.com/support/kb/articles/Q241/2/11.ASP
   http://support.microsoft.com/support/kb/articles/Q244/6/90.ASP

_____________________________________________________________________
______________________________ FEATURES _____________________________

*** IIS 5.0'S NEW SECURITY FEATURES
Ken Spencer reviews the latest security features in the new Internet
Information Server 5.0 for Windows NT Magazine. Ken gives excellent
coverage of IIS 5.0's authentication, directory security, changes in
integration with MS Certificate Server, a new script source access
permission, the permissions wizard, and the support for Kerberos and
Active Directory.
  http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=135&TB=f

*** WANT TO TAP THE SECURITY JOB MARKET?
We get mail every day from people asking us how they can get into the
security job market. And frankly, there is no single blanket answer
for that question. Many factors come into play - namely knowledge
and training. To defend against an intruder, you must think like an
intruder, and the only way we know of to achieve that is to become
one. Of course, that doesn't imply breaking into systems. More so, we
mean that people should learn the tools and tactics used by intruders
by practicing them against their own networks. But even so, that's a
long road to becoming proficient with security.
  If you're among those seeking to become a security professional, you
should read what Margot Suydam has to say. In her article for
Information Security Magazine, Margot writes a revealing story about
the job market as it stands today. According to the article, the market
is hot for consultants and senior-level security professionals because
a lot of companies are beefing up their security teams.
  http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=133&TB=f

*** TOOLS OF THE TRADE
In his feature for Information Security Magazine, Edward Skoudis
writes a compelling story that describes what's going on "in the
wild" regarding crack attempts, and outlines ways of defending your
organization against these sophisticated tools and techniques.
  http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=132&TB=f

*** TOP 10 CRACKS OF ALL TIME
CNet has an interesting feature that details the top 10 network
attacks of all time. The article does a good job of explaining the
nature of the attacks, as well as some of the history behind their
occurrences.
  http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=131&TB=f

*** THE E-COMMERCE LEGAL BALANCING ACT
Are you thinking about using e-commerce to stimulate your business?
If so, you're obviously not alone. But are you aware of the pitfalls
you may face in doing so? What if your company is sued for damage
liabilities? Are you certain you're safe from prosecution?
  Joseph Saul adequately points out how, in many cases, the courts
have created standards that contradict industry practice, which is
obviously perilous for anyone practicing e-commerce.
What if the courts were to suddenly decide that failure to install
a firewall or IDS as part of your security precautions was, in all
cases, grounds for liability in the event of penetration?
  http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=134&TB=f

_____________________________________________________________________
_______________________________ REVIEWS _____________________________

*** BO2K - CRACKER UTIL OR HIGH-TECH ADMIN TOOL?
When BO2K first came out, NTSecurity.net grabbed a copy and
immediately put it through the wringer. We found it to be a decent
tool, but lacking in several areas of functionality -- but the lack
is nothing that can't be fixed with further coding. Read our detailed
analysis to learn what it can and cannot do, and how this tool may
impact your network security.
  http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=111&TB=r

*** INTERNET SCANNER VS CYBERCOP
David Ludlow writes a great comparative review between ISS' Internet
Scanner and NAI's CyberCop. David's test environment consisted of a
Dell PowerEdge 6300 server running Windows NT 4.0 and Service Pack 4,
along with Fast Ethernet connections to a variety of machines on
the LAN. Come read what David discovered.
  http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=110&TB=r

_____________________________________________________________________
______________________________ CONTACTS _____________________________

-- EDITOR:        Mark Joseph Edwards, mark@ntsecurity.net
-- ADVERTISING:   ads@ntsecurity.net
-- WEB SITE:      webmaster@ntsecurity.net

Have something to contribute to this newsletter? Send it to us!
Email: press@ntsecurity.net

List your security products on our Web site for free!
http://www.ntsecurity.net/go/load.asp?id=/products/start.asp

______________________________________________________________________
Copyright (c) 1999 Duke Communications International Inc.
This newsletter may be forwarded or copied so long as the entire
content, including this notice, remains intact.