I. INTRODUCTION
1. Info.sec.radio is on the air! Interview with Paul Proctor of
CyberSafe Corporation
II. BUGTRAQ SUMMARY
1. Multiple Vendor BSD make /tmp Race Condition Vulnerability
2. Netopia Timbuktu Cleartext Username/Password Vulnerability
3. W3C httpd (Formerly 'CERN httpd') Path Revealing Vulnerability
4. VCasel Filename Trusting Vulnerability
5. Nortel Contivity Denial of Service and File Viewing Vulnerabilities
III. PATCH UPDATES
1. Vulnerability Patched: Malformed Conversion Data
2. Vulnerability Patched: Malformed RTF Control Word
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. Encryption Challenge Beaten (Wed Jan 19 2000)
2. Virus Attacks Cost $12Bil (Thu Jan 20 2000)
3. WTO Under Cyberattack (Thu Jan 20 2000)
4. Mitnick Gets Out of Lompoc (Fri Jan 21 2000)
5. The case of the kung fu 'phreak' (Fri Jan 21 2000)
6. Markoff responds to Mitnick's criticism (Fri Jan 21 2000)
V. INCIDENTS SUMMARY
1. Solaris BSM Audit Logs (Thread)
2. Name server probe from NS2.50megs.com (Thread)
3. UDP probing [ trojan? ] (Thread)
4. Strange behaviour (Thread)
5. traceroute ICMP packets (Thread)
6. SMTP bombing (Thread)
7. Log tools? (Thread)
8. AMD/Port 100099 and portmap (Thread)
9. Large quantity of traffic from amazon.com - source_port 3000 (Thread)
10. An Embryonic Counterintelligence Tool (Thread)
11. Slow scan (Thread)
12. Unusual scan pattern (Thread)
13. Probe from UK Provider ?(Thread)
14. I was scanned (Thread)
15. ANOTHER DNS MAC ADDRESS Change w/h Unix Log File (Thread)
16. Socks port 1080 (Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Overflows due to unexpected casts (Thread)
2. Generalized List of Threats and Vulnerabilities (Thread)
3. Administrivia #5218 (Thread)
4. unknown process (Thread)
5. Secure coding in C (was Re: Administrivia #4883) (Thread)
VII. SECURITY JOBS
Seeking Employment:
1. Bill Swearingen
2. Luke Borg
Seeking Staff:
1. Senior Data Security Analyst (Cranford, NJ or Ridgefield Park, NJ)
2. Lead Data Security Analyst (Cranford, NJ or Ridgefield Park, NJ)
3. Security Analyst - (Toronto, Canada) - #620
4. Information Security Specialist - (Columbus, IN) - #614
5. Information Security Director - (New York, New York) - #592
6. Unix Security Analyst/Architect - Englewood, CO - #623
7. Senior Software Engineer-Security (San Jose CA)
8. Software Engineer-Security (San Jose, CA)
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. SecurityFocus.com Pager (Win95/98/NT)
2. PingSting 1.0 (FreeBSD, Linux and OpenBSD)
3. cgi-check99 v0.4 (REBOL)
4. Snort 1.6 Beta 5 (FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OpenBSD and Solaris)
5. BUGS 2.0.1 (HP-UX, Linux, Solaris, SunOS, UNIX, Windows 2000, Windows 3.x, Windows 95/98 and Windows NT)
6. NSS Narr0w Security Scanner (PERL)
X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the SecurityFocus.com 'week in review' newsletter issue 25 for
the time period of 2000-01-16 to 2000-01-24 sponsored by CORE SDI.
CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services CORE also performs risk assessment and security infrastructure
consulting for a large number of government and Fortune 500 companies in
both North and Latin America.
1. Info.sec.radio is on the air! Interview with Paul Proctor of
CyberSafe Corporation.
Info.sec.radio is on the air! After a well received debut, Info.sec.radio
returns on Monday January 24, 2000 from 10:00 - 11:00am Pacific. Broadcast
live on CJSW 90.9 FM in Calgary, Canada and over the Internet on
RealAudio, this week's edition features Part II of a three-part series on
Intrusion Detection and an interview with Paul Proctor, Director of
Technology at CyberSafe Corporation. Join host Dean Turner for an hour of
news and discussion on today's security concerns.
1:00 PM Eastern Standard
11:00 AM Mountain Standard
10:00 AM Pacific Standard
Please tune in and give us your feedback. Any questions may be directed to
Dean Turner <dtu@securityfocus.com>.
II. BUGTRAQ SUMMARY 2000-01-16 to 2000-01-24
---------------------------------------------
1. Multiple Vendor BSD make /tmp Race Condition Vulnerability
BugTraq ID: 939
Remote: No
Date Published: 2000-01-19
Relevant URL:
http://www.securityfocus.com/bid/939
Summary:
There is an exploitable race condition in BSD derived versions of make.
The problem lies in the way that make communicates with its child
processes when passed the -j parameter. "make" does so by writing shell
commands to temporary files in /tmp, which the child processes read (and
then execute). In the process of doing this, "make" creates and reuses
temporary files several times with known filenames. If the file name being
used were to be observed by an attacker, it is possible to write arbitrary
commands to these files immediately after legitimate ones are, then have
them executed by the child processes if the race is won.
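The safe alternative to predictable /tmp filenames, shown as an added C example that is not code from any BSD make: the parent creates the command file with mkstemp(), checks the descriptor it got back, and hands that descriptor (not the path) to the child. The helper names safe_tmp_script and read_back_and_unlink are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for a parent that writes shell commands to a
 * predictably named /tmp file. mkstemp() creates the file with O_EXCL and an
 * unguessable suffix, so nobody can pre-create it or slip commands in between
 * the parent's write and the child's read. Returns an open, rewound
 * descriptor on success (path receives the file name), -1 on failure. */
int safe_tmp_script(const char *cmds, char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathlen, "%s/make.XXXXXX", dir) >= (int)pathlen)
        return -1;                 /* template did not fit in the buffer */
    int fd = mkstemp(path);        /* replaces XXXXXX in place */
    if (fd < 0)
        return -1;
    /* Belt and braces: a regular file we own, one link, no group/other bits. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        goto fail;
    size_t len = strlen(cmds);
    if (write(fd, cmds, len) != (ssize_t)len)
        goto fail;
    /* Rewind: the child reads through this descriptor, never by path. */
    if (lseek(fd, 0, SEEK_SET) != 0)
        goto fail;
    return fd;
fail:
    close(fd);
    unlink(path);
    return -1;
}

/* What a child would do with the descriptor: read the commands it was handed,
 * then remove the file so it cannot be reused. Returns bytes read or -1. */
ssize_t read_back_and_unlink(int fd, const char *path, char *buf, size_t n)
{
    ssize_t got = read(fd, buf, n - 1);
    if (got >= 0)
        buf[got] = '\0';
    close(fd);
    unlink(path);
    return got;
}
```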
2. Netopia Timbuktu Cleartext Username/Password Vulnerability
Netopia's Timbuktu Pro is a remote administration software package which
runs on Microsoft Windows NT (among other platforms). When a user of a
Windows NT host logs into their machine remotely via Timbuktu Pro, the
username and password of the user are sent to the host for authentication
in cleartext (unencrypted). This allows anyone who is sniffing network
traffic to retrieve the username and password pair, exactly as they were
typed in by the user, and access the host being logged into as the user
logging in (and possibly compromise the entire machine).
3. W3C httpd (Formerly 'CERN httpd') Path Revealing Vulnerability
When requesting a cgi-bin document from the W3C webserver (also known as
CERN httpd) which doesn't exist, the error message will reveal the
absolute path of the web documents on the target host's filesystem. The
following example was taken from a post to bugtraq by Niklas Schiffler
<nick@nightlabs.de> regarding this issue:
Bad script request -- neither '/usr/local/etc/cat' nor '/usr/local/etc/cat.pp' is executable
4. VCasel Filename Trusting Vulnerability
BugTraq ID: 937
Remote: No
Date Published: 2000-01-18
Relevant URL:
http://www.securityfocus.com/bid/937
Summary:
Visual CASEL from Computer Power Solutions is a security product for
Novell and Windows NT networks. It (among other things) provides the
capability for limiting what a user on a network can execute based on
"trusted filenames". Unfortunately, Visual CASEL places all of its trust
in the name of the file _only_ instead of the absolute path and filename
of the trusted files (that users can execute). Because of this, it is
possible to run a malicious file which should not normally be executable
if the filename is that of a "trusted file". An example follows
(summarized example from xDeath's bugtraq post):
A user copies pong.exe to his home directory and attempts to execute it
(and is denied). The user renames pong.exe to write.exe and executes it.
("write.exe" is a trusted filename, as opposed to C:\windows\write.exe).
5. Nortel Contivity Denial of Service and File Viewing Vulnerabilities
BugTraq ID: 938
Remote: Yes
Date Published: 2000-01-18
Relevant URL:
http://www.securityfocus.com/bid/938
Summary:
Nortel's recently released Contivity series network devices (extranet
switches) shipped with an httpd (to provide an interface for remote
administration) which runs on top of VxWorks. A total system crash can
occur as a result of exploiting a vulnerability in a cgi-bin program
called "cgiproc" that is included with the webserver. If metacharacters
such as "!", or "$" are passed to cgiproc, the system will crash (because
the characters are not escaped).
foo <foo@blacklisted.intranova.net> provided the following example:
No evidence of this problem being exploited is saved in the logs.
Another vulnerability in cgiproc is a lack of authentication when
requesting administration webpages. A consequence of this is an attacker
being able to view any file on the webserver.
foo <foo@blacklisted.intranova.net> also provided an example for this vulnerability:
In order to perform the operations detailed in the report, the
"attackers" must be internal, private side users or authenticated tunnel
users and the site administrator must allow them HTTP as a management
protocol.
III. PATCH UPDATES 2000-01-16 to 2000-01-24
-------------------------------------------
1. Vendor: Microsoft
Product:
- Microsoft Converter Pack 2000 for Windows
- Microsoft Office 2000 for Windows with Multilanguage Pack
- Japanese, Korean, Chinese (Simplified and Traditional) versions of:
- Microsoft Word 97, 98 and 2000 for Windows, which is available as a
standalone product or as part of:
- Office 97, Office 97 Powered by Word 98, Office 2000 for Windows
- Works Suite 2000 for Windows
- Microsoft PowerPoint 97 and 2000 for Windows, which is available as a
standalone product or as part of:
- Office 97, Office 97 Powered by Word 98, Office 2000 for Windows
Vulnerability Patched: Malformed Conversion Data
Patch Location:
2. Vendor: Microsoft
Product:
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
Vulnerability Patched: Malformed RTF Control Word
Patch Location:
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------
1. Encryption Challenge Beaten (Wed Jan 19 2000)
Excerpt:
A 56-bit security challenge laid down by CS Communication & Systemes in
March, 1999, has been cracked in just two months by a team of students
working with no less than 38,000 Internet users around the world.
3. WTO Under Cyberattack (Thu Jan 20 2000)
Excerpt:
The Website dedicated to 1999's protest-plagued World Trade Organization
(WTO) Ministerial in Seattle was under siege by cyber-attackers
throughout the duration of the week-long meeting last November, according
to a source close to the event.
1. Senior Data Security Analyst (Cranford, NJ or Ridgefield Park, NJ)
Reply to: Allison <apetouvi@summitbank.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-15&msg=20000119160411.26874.qmail@securityfocus.com
2. Lead Data Security Analyst (Cranford, NJ or Ridgefield Park, NJ)
Reply to: Allison <apetouvi@summitbank.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-15&msg=20000119161517.27491.qmail@securityfocus.com
4. Information Security Specialist - (Columbus, IN) - #614
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-15&msg=20000119203821.18255.qmail@securityfocus.com
5. Information Security Director - (New York, New York) - #592
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-15&msg=20000119204721.19204.qmail@securityfocus.com
6. Unix Security Analyst/Architect - Englewood, CO - #623
Reply to: Joyce Brocaglia <joyce@altaassociates.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-15&msg=20000119205218.19709.qmail@securityfocus.com
1. SecurityFocus.com Pager (Win95/98/NT)
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
2. PingSting 1.0 (FreeBSD, Linux and OpenBSD)
Pingsting is a network monitoring application that determines
characteristics of ICMP Echo traffic. Pingsting is able to determine
the type of client that sent an ICMP Echo packet by comparing the data
portion of the ICMP Echo packet with known signatures.
3. cgi-check99 v0.4
by deepquest
URL: http://www.deepquest.pf/
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, Windows 2000,
Windows 3.x, Windows 95/98, Windows CE and Windows NT
One of the world's most cross-platform CGI scanners, running on 37
operating systems! Even PalmOS soon! It checks for 119 common CGI and
other remote issues, and reports the Bugtraq ID of some of the
vulnerabilities it finds. Get the REBOL interpreter at http://www.rebol.com.
4. Snort 1.6 Beta 5
by Martin Roesch (roesch@clark.net)
URL: http://www.clark.net/~roesch/security.html
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OpenBSD and Solaris
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to being
used to detect a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
6. NSS Narr0w Security Scanner (PERL)
Narr0w Security Scanner checks for 153 remote vulnerabilities. Written in
Perl.
X. SPONSOR INFORMATION - CORE SDI
------------------------------------------
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.