From: ers@ers.ibm.com
Sent: Friday, September 17, 1999 7:35 AM
To: client-firstusa@ers.ibm.com
Subject: IBM-ERS Outside Advisory Redistribution: ISS, Inc. Security
Alert Summary: Volume 4, Number 7

-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
                        OUTSIDE ADVISORY REDISTRIBUTION

17 September 1999 11:30 GMT                      Number: ERS-OAR-E01-1999:144.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from ISS, Inc.  Contact
information for ISS, Inc. is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

- -----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
September 15, 1999
Volume 4 Number 7

X-Force Vulnerability and Threat Database: http://xforce.iss.net/

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

22 Reported Vulnerabilities
 - http-powerdynamo-dotdotslash
 - inn-inews-bo
 - amd-bo
 - wu-ftpd-dir-name
 - nt-sequence-prediction-sp4
 - ibm-gina-group-add
 - linux-pt-chown
 - oracle-dbsnmp
 - oracle-dbsnmp-trace
 - jet-text-isam
 - jet-vba-shell
 - lotus-ldap-bo
 - smtp-refuser-tmp
 - ciscosecure-read-write
 - linux-telnetd-term
 - qms-2060-no-root-password
 - trn-symlinks
 - aix-pdnsd-bo
 - bsdi-smp-dos
 - linux-termcap-tgetent
 - suse-identd-dos
 - win-ie5-telnet-heap-overflow

Risk Factor Key

_____

Date Reported:		1999-09-06
Vulnerability:		http-powerdynamo-dotdotslash
Platforms Affected:	Sybase PowerDynamo PWS
Risk Factor:		Medium
Attack Type:		Network/Host Based

PowerDynamo is a personal HTTP server produced by Sybase. A vulnerability
has been found that allows a remote attacker to traverse the server's file
system outside the document root by issuing GET requests with '../' in
them. This could allow any file to be remotely read by an attacker. If
directory browsing is enabled, the attacker doesn't need prior knowledge
of file names to exploit this flaw.

Reference:
BUGTRAQ Mailing List: "[Sybase] software vendors do not think about old
bugs" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSF.4.05.9909041428230.5675-100000@mx.nkm.lt

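The check that closes this class of flaw, as an added example (not code from the original summary or from Sybase): normalise the request path lexically, refuse any '..' that would climb above the document root, and only then prepend the root. The function names, the document root '/srv/www' and the sample requests are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 256

/* Lexically normalise an HTTP request path: collapse repeated slashes,
 * drop "." segments and resolve ".." against the segments already seen.
 * Writes the result (always starting with '/') to out and returns 0, or
 * returns -1 when a ".." would climb above the document root or the
 * result does not fit in out. Only then is it safe to prepend the
 * document root and open the file. */
int normalize_request_path(const char *request, char *out, size_t outlen)
{
    size_t starts[MAX_DEPTH];   /* offset in out where each segment began */
    size_t depth = 0, pos = 0;
    const char *p = request;

    if (outlen < 2) return -1;
    out[pos++] = '/';

    while (*p) {
        while (*p == '/') p++;                   /* "//" -> "/" */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.')
            continue;                            /* "." adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return -1;           /* would leave the root */
            pos = starts[--depth];               /* discard last segment */
            continue;
        }
        if (depth == MAX_DEPTH || pos + len + 2 > outlen) return -1;
        starts[depth++] = pos;
        if (pos > 1) out[pos++] = '/';
        memcpy(out + pos, seg, len);
        pos += len;
    }
    out[pos] = '\0';
    return 0;
}

/* Map a request onto the document root, refusing anything that escapes it.
 * Returns 0 and fills full on success, -1 otherwise. */
int map_to_docroot(const char *docroot, const char *request,
                   char *full, size_t fulllen)
{
    char rel[1024];
    if (normalize_request_path(request, rel, sizeof rel) != 0) return -1;
    int n = snprintf(full, fulllen, "%s%s", docroot, rel);
    return (n < 0 || (size_t)n >= fulllen) ? -1 : 0;
}

int main(void)
{
    /* constructed request paths for illustration */
    const char *samples[] = { "/index.html", "/docs/../../etc/passwd",
                              "/a/./b//c/../d" };
    char full[2048];
    for (size_t i = 0; i < 3; i++) {
        if (map_to_docroot("/srv/www", samples[i], full, sizeof full) == 0)
            printf("%-26s -> %s\n", samples[i], full);
        else
            printf("%-26s -> rejected (escapes document root)\n", samples[i]);
    }
    return 0;
}
```

A real server must percent-decode the request before normalising it, so that an encoded dot-dot is seen as '..', and should call realpath() on the final path when the document tree may contain symbolic links; this example handles only the literal '../' sequences the entry describes.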
_____

Date Reported:		1999-09-02
Vulnerability:		inn-inews-bo
Platforms Affected:	InterNet News (INN)
Risk Factor:		High
Attack Type:		Host Based

The InterNet News (INN) daemon contains the program inews, which injects
new postings into the news system.  A local attacker can overflow a buffer
in the inews program shipped with INN 2.2 and below, which would give the
attacker the privileges of the news group.  This could theoretically allow
the attacker to gain root privileges.

References:
Red Hat, Inc. Security Advisory: "Buffer overflow problem in the inews
program" at: http://www.redhat.com/corp/support/errata/RHSA1999033_01.html

SuSE Security Announcement: "Security hole in inn" at:
http://www.suse.de/security/announcements/suse-security-announce-16.txt

Caldera Systems, Inc.  Security Advisory CSSA-1999:026.0: "buffer overflow
in inews" at:
ftp://ftp.calderasystems.com/pub/info/security/CSSA-1999:026.0.txt 

_____

Date Reported:		1999-08-30
Vulnerability:		amd-bo
Platforms Affected:	FreeBSD
			Linux: Red Hat (4.2, 5.2, 6.0)
Risk Factor:		High
Attack Type:		Network/Host Based

The Automounter daemon has a buffer overflow in the mount code that
affects Red Hat Linux. Passing a long string to the AMQPROC_MOUNT
procedure can allow a remote intruder to obtain root privileges.

References:
Red Hat, Inc. Security Advisory: "Buffer overrun in amd" at:
http://www.redhat.com/corp/support/errata/RHSA1999032_01.html

Caldera Systems, Inc.  Security Advisory CSSA-1999:024.0: "buffer overflow
in amd" at:
ftp://ftp.calderasystems.com/pub/info/security/CSSA-1999:024.0.txt

_____

Date Reported:		1999-08-26
Vulnerability:		wu-ftpd-dir-name
Platforms Affected:	wu-ftpd (2.5)
Risk Factor:		High
Attack Type:		Network/Host Based

A vulnerability has been discovered in Washington University's wu-ftpd
program.  A buffer overflow condition exists in bounds checking of
directory names supplied by the user.  It is possible for a local or
remote user to overwrite static memory space and create directory names
that could result in increased privileges.

Reference:
BUGTRAQ Mailing List: "WU-FTPD Security Update" at:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=NDBBKFDGMLFBPDALDAMOOEHFCBAA.yua@artlover.com

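The inews, amd and wu-ftpd entries above share one defect class: a caller-controlled string copied into a fixed-size buffer without a length check. The following added example (not code from any of the affected projects or from the original summary) shows that shape next to a checked version that measures first and rejects anything that does not fit; the buffer size, function names and sample names are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DIRNAME_MAX 255

/* Static storage for the most recent directory name, as the entry describes. */
static char g_dirname[DIRNAME_MAX + 1];

/* Shape of the defect in the wu-ftpd, inews and amd entries: a caller-
 * supplied string copied into fixed storage with no length check, so
 * anything longer than DIRNAME_MAX runs past the buffer. Shown only for
 * contrast with the checked version below; never use with untrusted input. */
void store_dirname_unchecked(const char *user_name)
{
    strcpy(g_dirname, user_name);
}

/* Checked version: measure first (reading at most DIRNAME_MAX + 1 bytes),
 * reject rather than silently truncate names that do not fit, and refuse
 * path separators, control bytes and the "." and ".." names so the stored
 * value cannot turn into a different path. Returns 0 on success, -1 with
 * errno set. A rejected name leaves the stored value untouched. */
int store_dirname_checked(const char *user_name)
{
    size_t n = 0;
    while (n <= DIRNAME_MAX && user_name[n] != '\0') n++;
    if (n > DIRNAME_MAX) { errno = ENAMETOOLONG; return -1; }
    if (n == 0 || strcmp(user_name, ".") == 0 || strcmp(user_name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user_name[i];
        if (c == '/' || c < 0x20 || c == 0x7f) { errno = EINVAL; return -1; }
    }
    memcpy(g_dirname, user_name, n + 1);   /* n <= DIRNAME_MAX, so this fits */
    return 0;
}

const char *stored_dirname(void) { return g_dirname; }

int main(void)
{
    /* constructed sample names, including one far longer than the buffer */
    char toolong[DIRNAME_MAX + 50];
    memset(toolong, 'A', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';
    const char *samples[] = { "reports", "a/b", "..", toolong };
    for (size_t i = 0; i < 4; i++) {
        int rc = store_dirname_checked(samples[i]);
        printf("%-8.8s%s -> %s\n", samples[i],
               strlen(samples[i]) > 8 ? "..." : "",
               rc == 0 ? "stored" : strerror(errno));
    }
    return 0;
}
```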
_____

Date Reported:		1999-08-25
Vulnerability:		nt-sequence-prediction-sp4
Platforms Affected:	Windows NT (4.0)
Risk Factor:		Medium
Attack Type:		Network/Host Based

Microsoft Windows NT 4.0 SP4 introduced a new method of generating TCP
sequence numbers.  The method was designed to close a hole in previous
versions of Windows NT that allowed these numbers to be easily guessed. It
has been shown that SP4 and above systems are just as vulnerable to
sequence number prediction attacks as earlier service packs.

Reference:
NTA: "Leading Security testers 'NTA Monitor' Discover Security Flaw in
Microsoft NT4 SP4" at: http://www.nta-monitor.com/news/NT4-SP4.htm

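A quick way to audit what this entry describes, as an added example that is not part of the original summary or of NTA Monitor's report: given initial sequence numbers collected from successive connections to a host, measure how often the increment between them repeats. The two sample sequences are constructed (a constant-increment generator and eight values with no repeating increment); the function names and the 0.5 threshold are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: ISNs from a generator that adds a fixed 64000 per
 * connection (the weak pattern), and eight values with no repeating
 * increment standing in for a well-randomised generator. */
const uint32_t ISN_LINEAR[8] = {
    0x10000000u, 0x1000FA00u, 0x1001F400u, 0x1002EE00u,
    0x1003E800u, 0x1004E200u, 0x1005DC00u, 0x1006D600u };

const uint32_t ISN_RANDOMISED[8] = {
    0x1a2b3c4du, 0x9f8e7d6cu, 0x00112233u, 0x5566eeffu,
    0xdeadbeefu, 0x0badf00du, 0x7fffffffu, 0x12345678u };

/* Fraction of successive increments that equal the preceding increment,
 * computed modulo 2^32 through unsigned wrap-around. Constant-increment
 * generators score 1.0; a good generator scores near 0. Returns -1.0 with
 * fewer than 3 samples. */
double isn_repeat_fraction(const uint32_t *isn, size_t n)
{
    if (n < 3) return -1.0;
    size_t repeats = 0;
    uint32_t prev = isn[1] - isn[0];
    for (size_t i = 2; i < n; i++) {
        uint32_t d = isn[i] - isn[i - 1];
        if (d == prev) repeats++;
        prev = d;
    }
    return (double)repeats / (double)(n - 2);
}

/* Number of distinct increments seen; a second view of the same data.
 * O(n^2) is fine for the handful of samples an audit collects. */
size_t isn_distinct_increments(const uint32_t *isn, size_t n)
{
    if (n < 2) return 0;
    size_t distinct = 0;
    for (size_t i = 1; i < n; i++) {
        uint32_t d = isn[i] - isn[i - 1];
        int seen = 0;
        for (size_t j = 1; j < i && !seen; j++)
            if (isn[j] - isn[j - 1] == d) seen = 1;
        if (!seen) distinct++;
    }
    return distinct;
}

/* Audit verdict: 1 when the increments repeat often enough that the next
 * ISN is easy to guess, 0 otherwise. The threshold is a judgement call. */
int isn_looks_predictable(const uint32_t *isn, size_t n)
{
    return isn_repeat_fraction(isn, n) > 0.5;
}

int main(void)
{
    printf("linear:     repeat=%.2f distinct=%zu predictable=%d\n",
           isn_repeat_fraction(ISN_LINEAR, 8),
           isn_distinct_increments(ISN_LINEAR, 8),
           isn_looks_predictable(ISN_LINEAR, 8));
    printf("randomised: repeat=%.2f distinct=%zu predictable=%d\n",
           isn_repeat_fraction(ISN_RANDOMISED, 8),
           isn_distinct_increments(ISN_RANDOMISED, 8),
           isn_looks_predictable(ISN_RANDOMISED, 8));
    return 0;
}
```

A repeat fraction near 1.0 is the fingerprint of the SP4 scheme the entry describes; a low fraction does not by itself prove the generator is strong, only that this simplest pattern is absent.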
_____

Date Reported:		1999-08-23
Vulnerability:		ibm-gina-group-add
Platforms Affected:	IBM GINA for NT
Risk Factor:		High
Attack Type:		Host Based

IBM's GINA for Windows NT allows NT hosts to authenticate against OS/2
domains.  A vulnerability has been discovered that would allow a local
user to add themselves or another user to the "Local Administrators"
group by modifying a registry key. Once this key is modified, the user
has administrator privileges at logon.

Reference:
NTBUGTRAQ Mailing List: "IBM Gina security warning" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9908&L=ntbugtraq&F=&S=&P=5534

_____

Date Reported:		1999-08-23
Vulnerability:		linux-pt-chown
Platforms Affected:	Linux Redhat (6.0)
Risk Factor:		High
Attack Type:		Host Based

The GNU C Library (glibc) 2.1.x ships with the setuid helper program
"pt_chown", which is used to allow safe allocation of terminals to
non-privileged applications.  A lack of security checks within this
program could allow a local attacker to take control of another user's
(including root) terminal and take ownership of that device.

Reference:
BUGTRAQ Mailing List: "[Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD /
lynx / vlock / mc / glibc 2.0.x" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl

_____

Date Reported:		1999-08-23
Vulnerability:		oracle-dbsnmp
Platforms Affected:	Oracle (8.x)
Risk Factor:		High
Attack Type:		Host Based

The Oracle 8 Intelligent Agent trusts certain environment variables, and
it is installed setuid root by default. By manipulating these variables,
an attacker can make the agent create root-owned files, and the file
creation follows symbolic links.

Reference:
ISS Security Advisory: "Root Compromise Vulnerabilities in Oracle 8" at:
http://xforce.iss.net/alerts/advise35.php3

_____

Date Reported:		1999-08-23
Vulnerability:		oracle-dbsnmp-trace
Platforms Affected:	Oracle (8.x)
Risk Factor:		High
Attack Type:		Host Based

Oracle can be tricked into reading rogue configuration files via trusted
environment variables.  'dbsnmp' then opens a 'trace' file that is owned
by root and created with mode 666, and the path can be redirected through
a symbolic link.  A second vulnerability again depends on trusted
environment variables: 'dbsnmp' will execute rogue TCL scripts if the
environment variables are manipulated correctly.

Reference:
ISS Security Advisory: "Additional Root Compromise Vulnerabilities in
Oracle 8" at: http://xforce.iss.net/alerts/advise36.php3

_____

Date Reported:		1999-08-20
Vulnerability:		jet-text-isam
Platforms Affected:	Microsoft Jet (3.5, 3.5.1, 4.0)
Risk Factor:		High
Attack Type:		Network/Host Based

Microsoft Jet is a database engine used in programs such as Office 97 and
Office 2000.  It has functionality called Text I-ISAM that allows the Jet
driver to write to a text file.  A malicious user could exploit a
vulnerability in Text I-ISAM and write to system files by performing a
database query.

Reference:
Microsoft Security Bulletin (MS99-030): "Patch Available for Office 'ODBC
Vulnerabilities'" at:
http://www.microsoft.com/Security/Bulletins/ms99-030.asp

_____

Date Reported:		1999-08-20
Vulnerability:		jet-vba-shell
Platforms Affected:	Microsoft Jet (3.5, 3.5.1)
Risk Factor:		High
Attack Type:		Network/Host Based

Microsoft Jet is a database engine used in programs such as Office 97 and
Office 2000.  Microsoft Jet contains a vulnerability that could allow an
operating system command to be executed from a database query.  Once the
query is executed from a spreadsheet or program, then a user could execute
virtually anything on the affected machine.

Reference:
Microsoft Security Bulletin (MS99-030): "Patch Available for Office 'ODBC
Vulnerabilities'" at:
http://www.microsoft.com/Security/Bulletins/ms99-030.asp

_____

Date Reported:		1999-08-20
Vulnerability:		lotus-ldap-bo
Platforms Affected:	Lotus Notes
Risk Factor:		Medium
Attack Type:		Network/Host Based

There is a buffer overflow in the Lotus Notes LDAP Service (NLDAP), the
service that handles the LDAP protocol. This buffer overflow is related to
the way that NLDAP handles the ldap_search request. By sending a large
parameter in the ldap_search request, an attacker can cause a PANIC in the
Domino server.  This allows an attacker to stop all Domino services
running on the affected machine.

Reference:
ISS Security Advisory: "Denial of Service Attack against Lotus Notes
Domino Server 4.6" at: http://xforce.iss.net/alerts/advise34.php3

_____

Date Reported:		1999-08-20
Vulnerability:		smtp-refuser-tmp
Platforms Affected:	Linux: Debian
Risk Factor:		Medium
Attack Type:		Network/Host Based

The smtp-refuser package, installed on some versions of Debian Linux
systems, creates a logging facility in the system "/tmp" directory. This
facility is insecurely created and could allow a local attacker who has
write access to "/tmp" to delete arbitrary, root-owned files on the
system.

Reference:
Debian Security Information: "smtp-refuser: /tmp file creation problem"
at: http://www.debian.org/security/1999/19990823b

_____

Date Reported:		1999-08-19
Vulnerability:		ciscosecure-read-write
Platforms Affected:	CiscoSecure
Risk Factor:		High
Attack Type:		Network/Host Based

A vulnerability in CiscoSecure ACS version 1.0 through 2.3.2 for Unix
allows a remote attacker to read and write to the server database without
authentication. The attacker could modify access policies, add and delete
accounts, or elevate access privileges for accounts.  CiscoSecure ACS for
Windows NT is not vulnerable to this problem.

Reference:
Cisco Field Notice: "CiscoSecure Access Control Server for UNIX Remote
Administration Vulnerability" at:
http://www.cisco.com/warp/public/770/csecure-dbaccess.shtml

_____

Date Reported:		1999-08-19
Vulnerability:		linux-telnetd-term
Platforms Affected:	Linux: Red Hat (4.2, 5.2, 6.0)
Risk Factor:		Medium
Attack Type:		Network/Host Based

The telnetd server and libncurses library of some Linux systems, notably
Red Hat and Caldera, could allow a remote or local attacker to cause the
system to crash or hang. By specifying a malformed terminal type when
connecting to a vulnerable system's telnet server, the daemon could be
made to read files in a way that crashes the system, causing a denial of
service. The same attack can be carried out locally by giving bad terminal
information to setuid programs linked against a vulnerable libncurses
library.

References:
Red Hat, Inc. Security Advisory: "Denial of service attack in in.telnetd"
at: http://www.redhat.com/corp/support/errata/RHSA1999029_01.html

Caldera Systems, Inc.  Security Advisory CSSA-1999:022.0: "Security issues
with telnetd and libcurses" at:
http://www.calderasystems.com/news/security/CSSA-1999:022.0.txt

_____

Date Reported:		1999-08-19
Vulnerability:		qms-2060-no-root-password
Platforms Affected:	QMS CrownNet Unix Utilities for 2060
Risk Factor:		High
Attack Type:		Network Based

The QMS CrownNet Unix Utilities for 2060 use a file called passwd.ftp that
controls logins for users allowed to print to the QMS. This vulnerability
allows root to log on without a password, and therefore change the 
passwd.ftp and other files.

Reference:
BUGTRAQ Mailing List: "QMS 2060 printer security hole" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199908181402.KAA03077@alchemy.chem.utoronto.ca

_____

Date Reported:		1999-08-19
Vulnerability:		trn-symlinks
Platforms Affected:	Linux: Debian
Risk Factor:		Medium
Attack Type:		Host Based

Trn is an NNTP compatible newsreader for Unix systems. Some versions of
trn create temporary files insecurely in the system '/tmp' directory.
This could allow a local attacker to create symbolic links to a user's
files that would be overwritten when that user executes trn.

References:
Debian Security Information: "trn: /tmp file creation problem" at:
http://www.debian.org/security/1999/19990823c

SuSE Security Announcement: "Security hole in trn" at:
http://www.suse.de/security/announcements/suse-security-announce-14.txt

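The smtp-refuser and trn entries above, like the dbsnmp trace file earlier in this summary, describe the same /tmp problem: a privileged process creating a file at a predictable name with fopen(), which follows any symbolic link planted at that name and honours only the umask. As an added example (not code from Debian, Oracle or the original summary), here is that pattern beside a creation routine that uses O_CREAT|O_EXCL and a 0600 mode, plus a self-check that plants a symlink in a fresh directory and confirms the safe routine refuses it. The function names and paths are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern behind the smtp-refuser, trn and dbsnmp entries: a privileged
 * process opens a predictable name under /tmp with fopen(), which follows a
 * symbolic link planted at that name and creates the file with mode 666
 * less umask. Kept only to show what the fix changes; do not use it. */
FILE *open_log_insecurely(const char *predictable_path)
{
    return fopen(predictable_path, "a");
}

/* Safe variant: O_CREAT|O_EXCL fails if anything (a symlink included)
 * already exists at path, 0600 keeps the file private, and fstat() on the
 * descriptor confirms what was actually opened. Returns fd or -1. */
int create_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* For scratch files that need no fixed name, let the C library choose an
 * unpredictable name atomically; template_path must end in "XXXXXX". */
int create_scratch_file(char *template_path)
{
    return mkstemp(template_path);
}

/* Self-check in a fresh directory: a symlink planted at the expected log
 * name must make create_private_file() fail, and a clean name must succeed
 * with mode 0600. Returns 1 when both hold, 0 otherwise. */
int demo_tmp_handling(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char planted[256], clean[256], existing[256];
    snprintf(planted, sizeof planted, "%s/planted.log", dir);
    snprintf(clean, sizeof clean, "%s/clean.log", dir);
    snprintf(existing, sizeof existing, "%s/existing", dir);

    /* an existing file, and a symlink to it where the log is expected */
    int e = open(existing, O_WRONLY | O_CREAT, 0600);
    if (e < 0) return 0;
    close(e);
    if (symlink(existing, planted) != 0) return 0;

    int ok = 1;
    if (create_private_file(planted) != -1) ok = 0;    /* must refuse */
    int fd = create_private_file(clean);
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600) ok = 0;
    if (fd >= 0) close(fd);

    unlink(planted); unlink(existing); unlink(clean); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("safe creation %s\n", demo_tmp_handling() ? "verified" : "FAILED");
    return 0;
}
```

Where a long-running daemon must keep a fixed log name, the log belongs in a directory only root can write to, not in /tmp; O_EXCL then still guards against a stale file being replaced by a link between runs.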
_____

Date Reported:		1999-08-17
Vulnerability:		aix-pdnsd-bo
Platforms Affected:	AIX
Risk Factor:		High
Attack Type:		Network/Host Based

The Source Code Browser's Program Database Name Server Daemon (pdnsd)
component of the C Set ++ compiler for AIX contains a remotely exploitable
buffer overflow.  This vulnerability allows local or remote attackers to
compromise root privileges on vulnerable systems.

References:
IBM Emergency Response Service Security Vulnerability Alert
ERS-SVA-E01-1999:003: "The IBM C Set ++ for AIX Source Code Browser allows
local and remote users to become root."  at:
http://www.brs.ibm.com/services/brs/ers/brspwadv.nsf/Date/E53CE3A5F5B41D44852567D0004A250F/$file/sva003.txt

CIAC Information Bulletin J-059: "J-059: IBM AIX (pdnsd) Buffer Overflow
Vulnerability" at: http://www.ciac.org/ciac/bulletins/j-059.shtml

_____

Date Reported:		1999-08-17
Vulnerability:		bsdi-smp-dos
Platforms Affected:	BSDi (4.0.1)
Risk Factor:		Medium
Attack Type:		Host Based

A local denial of service exists with Symmetric Multiprocessing (SMP) in
BSDi 4.0.1.  When the CPU load average is initially high, a local user can
make the system halt or stop responding by executing fstat calls.

Reference:
BUGTRAQ Mailing List: "Symmetric Multiprocessing (SMP) Vulnerbility in
BSDi 4.0.1" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.BSI.4.10.9908170253560.19291-100000@saturn.psn.net

_____

Date Reported:		1999-08-17
Vulnerability:		linux-termcap-tgetent
Platforms Affected:	Linux: RedHat (4.2, 5.2)
Risk Factor:		High
Attack Type:		Host Based

A vulnerability in the libtermcap tgetent() function on Red Hat 4.2 and
5.2 Linux systems could allow a malicious local user to overflow a buffer,
allowing them to execute arbitrary code with root privileges.  This hole
can be exploited on systems that allow a user to specify their own termcap
file.

Reference:
Red Hat, Inc. Security Advisory RHSA-1999:028-01: "Buffer overflow in
libtermcap tgetent()" at:
http://www.redhat.com/corp/support/errata/RHSA1999028_01.html

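The oracle-dbsnmp, linux-telnetd-term and libtermcap entries all stem from a privileged program honouring caller-supplied environment variables and terminal names. As an added example (not code from Oracle, Red Hat or the original summary), the following routine builds a fresh environment for such a program from an allowlist, fixes PATH, drops TERMCAP and LD_* variables, and keeps TERM only when the terminal name is short and plain. The allowlist, the sample environment and the function names are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist of variables a privileged helper may inherit. */
static const char *const KEEP[] = { "TZ", "LANG", "HOME", "USER", NULL };

/* Constructed caller environment mixing harmless and dangerous entries. */
static char *const SAMPLE_ENV[] = {
    "PATH=/tmp/bin:/usr/bin", "TERMCAP=/tmp/my.termcap", "TERM=vt100",
    "LD_LIBRARY_PATH=/tmp/lib", "LANG=C", "HOME=/home/alice", NULL };

/* A terminal name that is safe to look up: non-empty, at most 32 bytes,
 * and only characters that cannot name another file or path. */
int term_name_ok(const char *term)
{
    size_t n = strlen(term);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '+' || c == '.'))
            return 0;
    }
    return 1;
}

/* True when entry is "name=..." for exactly this name. */
static int name_matches(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Build a fresh environment for a privileged program from the caller's:
 * a fixed PATH first, allowlisted variables copied through, TERM kept only
 * if it passes term_name_ok(), everything else (TERMCAP, LD_*, ...) dropped.
 * out must have room for max entries plus the NULL terminator. Returns the
 * number of entries written, or -1 if out is too small. */
int build_safe_env(char *const *in, const char **out, size_t max)
{
    size_t count = 0;
    if (max < 1) return -1;
    out[count++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in[i] != NULL; i++) {
        int keep = 0;
        for (size_t k = 0; KEEP[k] != NULL; k++)
            if (name_matches(in[i], KEEP[k])) keep = 1;
        if (name_matches(in[i], "TERM") && term_name_ok(in[i] + 5)) keep = 1;
        if (!keep) continue;
        if (count >= max) return -1;
        out[count++] = in[i];
    }
    out[count] = NULL;
    return (int)count;
}

int main(void)
{
    const char *clean[8];
    int n = build_safe_env(SAMPLE_ENV, clean, 8);
    printf("%d variables kept:\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", clean[i]);
    return 0;
}
```

The resulting array is what a setuid wrapper would hand to execve(), so the privileged program never sees a caller-chosen termcap file, library path or agent configuration.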
_____

Date Reported:		1999-08-16
Vulnerability:		suse-identd-dos
Platforms Affected:	Linux: SuSE
Risk Factor:		Medium
Attack Type:		Network/Host Based

In some SuSE Linux distributions, identd is started from inetd.conf with
the options -w -t120.  Once an identd connection is made to the server, it
waits 120 seconds before answering another connection.  A remote attacker
could open a large number of identd connections to the server, use up
all the memory on the server, and cause it to crash.

Reference:
BUGTRAQ Mailing List: "DOS against SuSE's identd" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990814202948.26220.qmail@securityfocus.com

_____

Date Reported:		1999-08-16
Vulnerability:		win-ie5-telnet-heap-overflow
Platforms Affected:	Internet Explorer (4.0, 4.01, 5.0)
Risk Factor:		High
Attack Type:		Network/Host Based

A vulnerability exists in the Telnet.exe program shipped with Internet
Explorer 4 and some versions of Internet Explorer 5. An overflow in the
Telnet.exe application could allow arbitrary code to be remotely executed
by an attacker.

Reference:
BUGTRAQ Mailing List: "telnet.exe heap overflow - remotely exploitable" at:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19990815220227.37285.qmail@hotmail.com

_____


Risk Factor Key:

        High    Any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  Any vulnerability that provides information that has a
                high potential of giving system access to an intruder.
                Example: A misconfigured TFTP or vulnerable NIS server
                that allows an intruder to get the password file that
                could contain an account with a guessable password.
        Low     Any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via brute force methods.


ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.


________

Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is hereby 
granted for the redistribution of this Alert Summary electronically.  It is 
not to be edited in any way without express consent of the X-Force.  If
you wish to reprint the whole or any part of this Alert Summary in any other 
medium excluding electronic medium, please e-mail xforce@iss.net for 
permission.

Disclaimer
The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties with regard to this information. In no event shall the author 
be liable for any damages whatsoever arising out of or in connection with 
the use or spread of this information. Any use of this information is at 
the user's own risk.

X-Force PGP Key available at:   http://xforce.iss.net/sensitive.php3 as 
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN9+/tzRfJiV99eG9AQEokAP/Su3Ndb6NShK/H0xbEqCsQbKv+ju7XAAK
JYnzl8nBgESAxTfOoVDic4MA049YNONuKlN99bb3X9RZ7GbZq7WogA+G8BbQEbQ5
DkkbVD2ntjCwKpcuH9XcUiTFrQfGWblS9aJgYtX+tEhVqmMrSl/86cp664D1lKkn
J/j4/CsFi4A=
=AWqf
- -----END PGP SIGNATURE-----

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@ers.ibm.com, or call 1-800-599-9950.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or process
contained herein, or represents that its use would not infringe any privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by IBM or its subsidiaries.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of IBM or its subsidiaries,
and may not be used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBN+InFfWDLGpfj4rlAQGIzAQAwp6hFJ83OuhrlJ9eMdtayRb45yqsF2uu
oH+HREzGMuqc3lnNC8gyBlJBBY55d6csWvTbRF2/ZYq3I5fRxPgpD/b31Pd+yzsp
L5Uwga2fJUMAFdgWMAVoBhHAFm926kGyONzv14PuqfLc3pvnjxISt5nA1XqEhVMq
mkYJMysPDd8=
=BjdA
-----END PGP SIGNATURE-----