From: Mark [mark@NTSHOP.NET]
Sent: Tuesday, November 02, 1999 11:37 PM
To: WINSD@LISTSERV.NTSECURITY.NET
Subject: [ Windows Security Digest ] 1999 - November 2

=====================================================================
WINDOWS SECURITY DIGEST 1999 SERIES
Watching the Watchers
November 2, 1999
=====================================================================

SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY

-- C O N T E N T S --

<< IN FOCUS >>
* Security Training: Where'd You Get That?

<< WEB SITE NEWS >>
* New Resource: Win2K Security Advice

<< SECURITY RISKS >>
* Netscape Messaging Server Subject to Denial of Service
* Denial of Service Against SERVICES.EXE
* Avirt Mail Server 3.3a and 3.5 Buffer Overflow Condition
* Xitami Web Server Subject to Buffer Overflow
* CMail 2.4 Might Allow Execution of Arbitrary Code
* ExpressFS 2.x FTPServer Subject to Buffer Overflow
* WFTPD v2.34 and 2.40 Subject to Buffer Overflow
* TCP/IP Sequence Number Randomness
* Java VM Sandbox Vulnerability

<< HOT THREADS >>
* November, Week 1
* October, Week 5

<< IN THE NEWS >>
* Ongoing MDAC Attacks Against IIS
* Winternals Releases NTFSDOS Professional
* DOJ Says Privacy is Antisocial
* Britain to Form Cybercrime Force
* Service Pack 6 for Windows NT !

<< FEATURE ARTICLES >>
* IIS 5.0's New Security Features
* Want to Tap the Security Job Market?
* Tools of the Trade
* Top 10 Cracks of All Time
* The E-commerce Legal Balancing Act

<< REVIEWS >>
* BO2K - Cracker Util or Hightech Admin Tool?
* Internet Scanner vs CyberCop

_____________________________________________________________________
______________________________ IN FOCUS _____________________________

SECURITY TRAINING: WHERE'D YOU GET THAT?

Hello Everyone,

As you know, security is a red hot topic and there is absolutely no sign that it will cool down one iota anytime in the near future. Many network administrators have already added network security skills to their list of abilities.
And administrators who have not done so are flocking to training facilities in droves, and scouring the Internet for the tiniest tidbits of usable information. With so many people seeking out security training today, many existing educational facilities have retooled, and new training organizations are popping up with ever-increasing frequency to offer security-related courses.

I get a lot of email from administrators asking me who offers various types of security training. To help arrive at answers for those questions, there is probably no better way than to ask those of you who have already taken security training in some form or fashion.

So, if you're among those that have taken some kind of security training anytime in the last two years, please take a moment of your day to share with me what you trained in, where you received that training, and your overall recommendation regarding any courses taken. I'll pool all the information together to create a list of reader-recommended training programs and share that information with all of you in an upcoming edition of this newsletter.

Please send your response to mark@ntsecurity.net (do not click reply to this newsletter!) and use a subject of "Sec Training" so that I can more easily identify your message.

Thanks for any information you can share - I look forward to receiving it.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net, http://www.ntsecurity.net

==== SPONSORED BY VERISIGN - THE INTERNET TRUST COMPANY ====

Start preparing for holiday customers NOW - protect your site with 128-bit SSL encryption! Get VeriSign's FREE guide, "Securing Your Web Site for Business." You will learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security.
http://www.verisign.com/cgi-bin/go.cgi?a=n032602130009000
============================================================

_____________________________________________________________________
___________________________ WEB SITE NEWS ___________________________

*** NEW RESOURCE: WIN2K SECURITY ADVICE

NTSecurity.net has joined forces with Steve Manzuik to bring the security community a brand new and much-requested Windows security mailing list. The new moderated mailing list, Win2KSecAdvice, is geared towards promoting the open discussion of Windows-related security issues. With a firm and unwavering commitment to timely full disclosure, this new resource promises to become a great forum for open discussion regarding security-related bugs, vulnerabilities, potential exploits, viruses, worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community, and we openly invite all security-minded individuals, be they white hat, gray hat, or black hat, to join the new mailing list.

While Win2KSecAdvice was named in the spirit of Microsoft's impending product line name change, and is meant to reflect the list's security focus both now and in the long run, it is by no means limited to security topics centered around Windows 2000. Any security issues that pertain to Windows-based networking are relevant for discussion, including all Windows operating systems, MS Office, MS BackOffice, and all related third-party applications and hardware. The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to security, it's relevant to the list.

The new list (hosted by LSoft on their speedy LISTSERV software) is now a permanent part of NTSecurity.net, and Steve Manzuik (steve@win2ksecadvice.net) will be your list moderator. NTSecurity.net hosts the mailing list's Web-based searchable archives for your research endeavors.
http://www.ntsecurity.net/go/load.asp?id=/security/win2ksecadvice.htm
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=171&TB=news

_____________________________________________________________________
___________________________ SECURITY RISKS __________________________

*** NETSCAPE MESSAGING SERVER DOS

Netscape's Messaging Server 3.6 is susceptible to denial of service attacks because of the way it handles incoming mail commands. Using a simple scheme, an attacker could make the server consume all available memory and CPU cycles, thereby denying any further service to the machine's users.
http://www.ntsecurity.net/go/load.asp?iD=/security/netscp-msg-srv.htm

*** DENIAL OF SERVICE AGAINST SERVICES.EXE

A person using the handle "rain forrest puppy" discovered a denial of service condition in Windows NT, where an intruder can cause Services.exe to crash. After the process crashes, all named pipe activity on the system stops. In addition, user logons, remote system access, local server management, and other crucial functions cease to work properly. Microsoft is aware of the problem but has made no public comments regarding the discovery.

In the meantime, protect yourself from external attacks by blocking all inbound NetBIOS traffic. Protect yourself from internal attacks by stopping the Server service. Be advised that stopping the Server service might prevent the use of management tools such as Server Manager. For more information, visit the following URL:
http://www.ntsecurity.net/go/load.asp?iD=/security/services.htm

*** AVIRT MAIL SERVER 3.3a AND 3.5 BUFFER OVERFLOW CONDITION

Luck Martin reported a buffer overflow condition in Avirt Mail Server 3.3a and 3.5. The problem, found in the routine that collects a user's name and password, could let arbitrary code execute on the server. Avirt has not responded about how it will address this problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/avirt1.htm

*** XITAMI WEB SERVER SUBJECT TO BUFFER OVERFLOW

Meliksah Ozoral discovered a problem with Xitami Web Server v2.4c3, where sending large amounts of data can cause the service to crash, leading to denial of service for the machine. According to the report, the problem is due to an Xitami service listening on port 81. Xitami has provided no information regarding a fix for this problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/xitami1.htm

*** CMAIL 2.4 MIGHT ALLOW EXECUTION OF ARBITRARY CODE

Luck Martin reported a problem in CMail 2.4's SMTP service that might let arbitrary code execute on the server. Using a buffer overflow condition in CMail's MAIL FROM: parsing routine, an attacker can inject malicious code into the OS, where the system would act on it. A similar bug was present in CMail 2.3. No fix is presently available for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/cmail1.htm

*** EXPRESSFS 2.x FTPSERVER SUBJECT TO BUFFER OVERFLOW

Luck Martin reported a buffer overflow condition in ExpressFS 2.x FTP Server that can lead to the execution of arbitrary code on the server. Playing against faulty code in the user name and password routines, a certain-length string parameter can be passed in a particular order, which causes the service to crash and execute any arbitrary code that was passed in the parameter string. The vendor hasn't released any information regarding a fix for this problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/expressfs1.htm

*** WFTPD v2.34 AND 2.40 SUBJECT TO BUFFER OVERFLOW

Luck Martin reported a buffer overflow condition in WFTPD 2.34 and 2.40 that might let arbitrary code execute on the system.
By taking advantage of poor coding in the make-dir (MKD) and change-dir (CWD) commands, an intruder can cause a string of exactly 255 characters to pass to the server in a certain sequence, which causes the service to crash or to execute the code passed in the character string. The problem minimally affects WFTPD on Windows NT and Win98 systems. The makers of WFTPD, Texas Imperial Software, have made no public comments regarding a fix for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/wftpd1.htm

*** TCP/IP SEQUENCE NUMBER RANDOMNESS

National Bank of Kuwait discovered a problem with Windows NT's TCP/IP stack implementation, where the initial sequence numbers (ISNs) are somewhat predictable. Because of this predictability, there is a chance a TCP/IP session could be spoofed or hijacked. The problem affects NT 4.0 Workstation, NT 4.0 Server, NT 4.0 Server Enterprise Edition, and Terminal Server Edition. Microsoft issued a patch for the Intel and Alpha platforms that improves the randomness of Windows NT 4.0 TCP/IP ISN generation, which now provides 15 bits of entropy. The patch contains the same algorithm as that found in Windows 2000. Be sure to read Microsoft's FAQ and Support Online article Q243835 regarding this matter.
http://www.microsoft.com/security/bulletins/MS99-046faq.asp
http://support.microsoft.com/support/kb/articles/q243/8/35.asp
Intel patch:
http://download.microsoft.com/download/winntsrv40/patch/4.0.1381.7014/nt4/en-us/q243835.exe
Alpha patch:
http://download.microsoft.com/download/winntsrv40/patch/4.0.1381.7014/alpha/en-us/q243835.exe

*** JAVA VM SANDBOX VULNERABILITY

Microsoft reported a problem with their Java VM sandbox security. According to Microsoft's security bulletin, "a web-hosted Java program could take unauthorized, potentially malicious actions against visitors to the web site. The specific actions that could be taken are limited only by the privileges of the user."
In a nutshell, it is possible for a Java applet to escape the security sandbox by using an illegal type conversion, often referred to as "casting." The problem could allow reading, writing, and deleting files, reformatting the hard drive, or copying data to/from a web page without the user's knowledge. Microsoft has issued a bulletin, patch, FAQ, and Support Online article Q244283 regarding this matter.
http://www.microsoft.com/java/vm/dl_vm32.htm
http://www.microsoft.com/security/bulletins/MS99-045faq.asp
http://support.microsoft.com/support/kb/articles/q244/2/83.asp

_____________________________________________________________________
____________________________ HOT THREADS ____________________________

*** NOVEMBER, WEEK 1

Each week we offer a quick recap of some of the highlights from the Win2KSecAdvice mailing list (covered in this newsletter). In the spotlight this week is a thread regarding password caching after the installation of SP6, and a thread regarding the reported Services.exe denial of service attack (also covered in this issue).

1: Caching of Passwords Revealed After Installing SP6, by Richard Noel
2: RFP9906 - RFPoison Attack by Luke Leighton, by R.F.P.

FOLLOW THIS LINK TO READ ALL THE THREADS FOR NOV. WEEK 1:
http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=win2ksec

*** OCTOBER, WEEK 5

Win2KSecAdvice was launched in late October, and users wasted no time getting right down to business. Several interesting threads appeared from a variety of users. The highlights are as follows:

1: IFRAME Vulnerability Still Here, by Steve Manzuik
2: IIS Denial of Service?, by M.J.E.
3: Netscape "RCPT TO:" Vulnerability, by Steve Manzuik
4: Outlook Express Issue Similar to Netscape "RCPT TO:" Vulnerability, by David Sandor

FOLLOW THIS LINK TO READ ALL THE THREADS FOR OCT.
WEEK 5:
http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=win2ksec

_____________________________________________________________________
________________________________ NEWS _______________________________

*** ONGOING MDAC ATTACKS AGAINST IIS

More than 25 Windows NT-based Web servers were defaced over the weekend. And while not all of those attacks can be attributed to the MDAC problem reported back in April '99, CERT has posted a notice on their activity report that shows many recent attacks are due to problems with MDAC.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=172&TB=news

*** WINTERNALS RELEASES NTFSDOS PROFESSIONAL

Winternals Software LP, an Austin-based developer of advanced system utilities for Microsoft Windows 9x/NT/2000, released NTFSDOS Professional. This latest addition to the product line provides full read/write access to NTFS drives from a DOS command shell.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=168&TB=news

*** DOJ SAYS PRIVACY IS ANTISOCIAL

The Internet Engineering Task Force (IETF) has been developing the specifications for the IPv6 protocol for some time now, and as you know, decisions are being considered to include robust support for encryption in the protocol. But as you also know, the FBI wants an easily tappable Internet, and obviously encryption would confound that effort to a large extent. So what does the United States government have to say about this? Ask Scott Bradner, veteran IETF area coordinator and Harvard University networking guru. When the IETF decided to include wire encryption in the new IPv6 protocol, someone from the Department of Justice (DoJ) gave Scott a hard slap. "Someone very high up in the US Justice Department told me that week that for the IETF to support encryption was an 'antisocial act,'" Bradner commented in a Wired Magazine interview.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=167&TB=news

*** BRITAIN TO FORM CYBERCRIME FORCE

Britain is set to establish a national police force chartered to fight cybercrime. The new force will include participants from universities, the electronics industry, intelligence staff from the security services MI6 and MI5, and specialized police officers. The new force, tentatively named the "High Tech Crime Unit," is taking advice from the American NSA and plans to exchange information with the FBI regarding fraud, pornography, pedophile activity, spreading race hate, counterfeiting, gambling, hacking and stealing information, software piracy, money laundering, and sabotage involving computer viruses.

*** SERVICE PACK 6 FOR WINDOWS NT !

Microsoft released Service Pack 6 (SP6) on October 27th. SP6 for Windows NT 4.0 applies to Workstation, Server and Enterprise Editions of Windows NT 4.0 - but not Terminal Server Edition. The new service pack consolidates patches from SP1 through SP5, but Microsoft says that SP6 remains optional. For a list of all items fixed within SP6, be sure to review the Support Online articles Q241211 and Q244690.
http://support.microsoft.com/support/kb/articles/Q241/2/11.ASP
http://support.microsoft.com/support/kb/articles/Q244/6/90.ASP

_____________________________________________________________________
______________________________ FEATURES _____________________________

*** IIS 5.0'S NEW SECURITY FEATURES

Ken Spencer reviews the latest security features in the new Internet Information Server 5.0 for Windows NT Magazine. Ken gives excellent coverage of IIS 5.0's authentication, directory security, changes in integration with MS Certificate Server, a new script source access permission, the permissions wizard, and the support for Kerberos and Active Directory.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=135&TB=f

*** WANT TO TAP THE SECURITY JOB MARKET?
We get mail every day from people asking us how they can get into the security job market. And frankly, there is no single blanket answer for that question. Many factors come into play - namely knowledge and training. To defend against an intruder, you must think like an intruder, and the only way we know of to achieve that is to become one. Of course, that doesn't imply breaking into systems. Rather, we mean that people should learn the tools and tactics used by intruders by practicing them against their own networks. But even so, that's a long road to becoming proficient with security.

If you're among those seeking to become a security professional, you should read what Margot Suydam has to say. In her article for Information Security Magazine, Margot writes a revealing story about the job market as it stands today. According to the article, the market is hot for consultants and senior-level security professionals because a lot of companies are beefing up their security teams.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=133&TB=f

*** TOOLS OF THE TRADE

In his feature for Information Security Magazine, Edward Skoudis writes a compelling story that describes what's going on "in the wild" regarding crack attempts, and outlines ways of defending your organization against these sophisticated tools and techniques.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=132&TB=f

*** TOP 10 CRACKS OF ALL TIME

CNet has an interesting feature that details the top 10 network attacks of all time. The article does a good job of explaining the nature of the attacks, as well as some of the history behind their occurrences.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=131&TB=f

*** THE E-COMMERCE LEGAL BALANCING ACT

Are you thinking about using e-commerce to stimulate your business? If so, you are obviously not alone. But are you aware of the pitfalls you may face in doing so? What if your company is sued for damage liabilities?
Are you certain you're safe from prosecution? Joseph Saul adequately points out how, in many cases, the courts decide to create standards that contradict industry practice, which is obviously perilous for anyone practicing e-commerce. What if the courts were to suddenly decide that failure to install a firewall or IDS as part of your security precautions was, in all cases, grounds for liability in the event of penetration?
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=134&TB=f

_____________________________________________________________________
_______________________________ REVIEWS _____________________________

*** BO2K - CRACKER UTIL OR HIGHTECH ADMIN TOOL?

When BO2K first came out, NTSecurity.net grabbed a copy and immediately put it through the wringer. We found it to be a decent tool, but lacking in several areas of functionality -- though the lack is nothing that can't be fixed with further coding. Read our detailed analysis to learn what it can and cannot do, and how this tool may impact your network security.
http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=111&TB=r

*** INTERNET SCANNER VS CYBERCOP

David Ludlow writes a great comparative review of ISS' Internet Scanner and NAI's CyberCop. David's test environment consisted of a Dell PowerEdge 6300 server running Windows NT 4.0 and Service Pack 4, along with Fast Ethernet connections to a variety of machines on the LAN. Come read what David discovered:
http://www.ntsecurity.net/go/2c.asp?f=/reviews.asp?IDF=110&TB=r

_____________________________________________________________________
______________________________ CONTACTS _____________________________

-- EDITOR: Mark Joseph Edwards, mark@ntsecurity.net
-- ADVERTISING: ads@ntsecurity.net
-- WEB SITE: webmaster@ntsecurity.net

Have something to contribute to this newsletter? Send it to us!
Email: press@ntsecurity.net

List your security products on our Web site for free!
http://www.ntsecurity.net/go/load.asp?id=/products/start.asp

______________________________________________________________________
Copyright (c) 1999 Duke Communications International Inc. This newsletter may be forwarded or copied so long as the entire content, including this notice, remains intact.