I. INTRODUCTION
II. BUGTRAQ SUMMARY
1. Multiple Vendor BSD /proc File System Vulnerability
2. DNS TLD & Out of Zone NS Domain Hijacking
3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
4. VMware Symlink Vulnerability
5. HP Path MTU Discovery DoS Vulnerability
6. Microsoft East Asian Word Conversion Vulnerability
7. NT RDISK Registry Enumeration File Vulnerability
8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
9. NT Index Server Directory Traversal Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
2. Vulnerability Patched: NT Index Server Directory Traversal
3. Vulnerability Patched: Multiple Vendor BSD /proc File System
4. Vulnerability Patched: Multiple Vendor BSD /proc File System
5. Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
6. Vulnerability Patched: NT RDISK Registry Enumeration File
7. Vulnerability Patched: Microsoft East Asian Word Conversion
8. Vulnerability Patched: Multiple Vendor BSD make /tmp Race
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
3. Task Force Battles Online Criminals (Wed Jan 26 2000)
4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
V. INCIDENTS SUMMARY
1. Got scanned again (Thread)
2. Unusual scan pattern (Thread)
3. Possible Probe = Possible Malfunction (Thread)
4. No Idea (Thread)
5. PC Anywhere client seems to probe class C of connected networks (Thread)
6. unapproved AXFR (Thread)
7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
8. Anti-Death Penalty (Thread)
9. Strange DNS/TCP activity (Thread)
10. eri? (Thread)
11. source port 321 (Thread)
12. Korea (again) (Thread)
13. BOGUS.IvCD File (Thread)
14. port 768 (Thread)
15. Extrange named messages (Thread)
16. Probes to tcp 2766 ('System V Listner') (Thread)
17. Possible attempt at hacking? (Thread)
18. DNS update queries: another sort of suspicious activity. (Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Shadow (Thread)
2. things to break.. (Thread)
3. HTTP scanners? (summary, long) (Thread)
4. CGI insecurities (Thread)
5. ICQ Pass Cracker. (Thread)
6. File Share Vacuum (Thread)
7. IIS4.0 .htw vulnerability (Thread)
8. Napster a little insecure? (Thread)
9. distributed.net and seti@home (Thread)
VII. SECURITY JOBS
Seeking Employment:
1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
Seeking Staff:
1. Security Research Engineer (Atlanta, Ga)
2. Practice Manager w/PKI experience NYC, Philly or DC)
3. Lead Security Engineer - Bay Area/San Jose
4. Senior security engineers - Bay Area/San Jose
5. Virus coder wanted (San Antonio, TX)
6. Junior Security Engineers Needed (Maryland)
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
2. SecurityFocus.com Pager (Win95/98/NT)
3. lidentd 1.0p1 (Linux)
4. Cgi Sonar 1.0 (any system supporting perl)
5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS)
6. Secret Sharer 1.0 (Windows 95/98)
X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the SecurityFocus.com 'week in review' newsletter issue 26 for
the time period of 2000-01-24 to 2000-01-30 sponsored by CORE SDI.
CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms,
for whom CORE SDI develops customized security auditing tools, as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services, CORE also performs risk assessment and security infrastructure
consulting for a large number of government and Fortune 500 companies in
both North and Latin America.
II. BUGTRAQ SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------
1. Multiple Vendor BSD /proc File System Vulnerability
BugTraq ID: 940
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/940
Summary:
Certain BSD-derived operating systems use an implementation of the /proc
filesystem which is vulnerable to attack by malicious local users. A
successful attack gives the local user root access to the host.
The proc file system was originally designed to allow easy access to
information about processes (hence the name). Its typical benefit is
quicker access to memory and hence more streamlined operations. As noted
above, certain implementations have a serious vulnerability. In short,
users may manipulate processes on systems which use /proc in order to gain
root privileges. The full details are covered at length in the advisory
attached to the 'Credit' section of this vulnerability entry.
2. DNS TLD & Out of Zone NS Domain Hijacking
BugTraq ID: 941
Remote: Yes
Date Published: 2000-01-23
Relevant URL:
http://www.securityfocus.com/bid/941
Summary:
A vulnerability exists in the mechanism used by DNS, in general, to
determine the name servers associated with TLDs (top level domains). DNS
is built upon levels of trust, and by exploiting single points of failure
in this trust system it becomes possible for an attacker to convince a
caching nameserver that allows recursion through it that the server for a
given TLD is something other than what it actually is. By performing these
cache attacks in succession, it could be possible for an attacker to
entirely take over name service for any given domain.
The vulnerability is actually not specific to TLDs. The same attack can be
used to hijack any domain which has out-of-zone NS records, if any of the
servers that act as name servers for the out-of-zone domain can be
compromised.
The simplest explanation was presented in the example provided by its
discoverer, Dan Bernstein, on the Bugtraq mailing list on January 23,
2000: "Suppose an attacker can make recursive queries through your cache.
Let me emphasize that this does not mean that the attacker is one of your
beloved users; many programs act as DNS query-tunneling tools.
Suppose the attacker is also able, somehow, to take over ns2.netsol.com.
This isn't one of the .com servers, but it's a name server for the
gtld-servers.net domain. Here's what happens:
(1) The attacker asks your cache about z.com. Your cache contacts
    (say) k.root-servers.net, which provides a referral:
        com NS j.gtld-servers.net (among others)
        j.gtld-servers.net A 198.41.0.21
    These records are cached.
(2) The attacker asks your cache about z.gtld-servers.net. Your cache
    contacts (say) f.root-servers.net, which provides a referral:
        gtld-servers.net NS ns2.netsol.com (among others)
        ns2.netsol.com A 207.159.77.19
    These records are cached.
(3) The attacker takes over ns2.netsol.com.
(4) The attacker asks your cache about zz.gtld-servers.net. Your
    cache contacts ns2.netsol.com, and the attacker answers:
        zz.gtld-servers.net CNAME j.gtld-servers.net
        j.gtld-servers.net A 1.2.3.4
    These records are cached, wiping out the obsolete j glue.
(5) A legitimate user asks your cache about yahoo.com. Your cache
    contacts j.gtld-servers.net, and the attacker answers:
        yahoo.com A 1.2.3.4
    The user contacts yahoo.com at that address."
The attack offered requires that an attacker be able to compromise the
operation of the DNS server running on, in this case, ns2.netsol.com,
although this is not the only server that could potentially be used to
launch an attack of this style. The author further indicates that there
are in excess of 200 servers that could be used to manipulate resolution
of all the .COM domains.
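The following is an added example, not part of the newsletter or of Dan Bernstein's post. It turns the trust argument above into a check a zone operator can run over their own delegation data: for a given zone, list every other zone whose servers could redirect it, by following NS names that do not lie under the zone they serve. The delegation records are constructed to mirror the post's example, and the code assumes (as a simplification) that each NS host name belongs to its parent domain.

```python
"""Added example: audit a zone's NS delegation for out-of-zone dependencies.

Not from the newsletter or from Dan Bernstein's post. The data is
constructed; the parent-domain rule for NS host names is an assumption.
"""
from collections import deque

# Constructed delegation data: zone -> NS host names serving it.
NS_RECORDS = {
    "com": ["j.gtld-servers.net", "a.gtld-servers.net"],
    "gtld-servers.net": ["ns2.netsol.com", "ns.gtld-servers.net"],
    "netsol.com": ["ns1.netsol.com"],
    "example.com": ["ns1.example.com", "dns.provider.org"],
    "provider.org": ["a.provider.org"],
}


def is_in_zone(name, zone):
    """True when `name` equals `zone` or lies below it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def parent_zone(name):
    """Zone a host name is assumed to belong to: its parent domain."""
    return name.split(".", 1)[1] if "." in name else ""


def out_of_zone_ns(zone):
    """NS hosts for `zone` whose names are not under `zone` itself."""
    return [ns for ns in NS_RECORDS.get(zone, []) if not is_in_zone(ns, zone)]


def trust_dependencies(zone):
    """Transitive set of foreign zones whose servers can redirect `zone`.

    Every out-of-zone NS name pulls in the zone that name lives in; that
    zone's own out-of-zone NS names are followed in turn until no new
    zones appear.  The zone itself is never listed as its own dependency.
    """
    seen = set()
    queue = deque([zone])
    while queue:
        current = queue.popleft()
        for ns in out_of_zone_ns(current):
            dep = parent_zone(ns)
            if dep and dep != zone and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def circular_dependencies(zone):
    """Dependencies that themselves live under `zone`.

    This is the situation in the post: a .com host (ns2.netsol.com)
    ends up deciding where the .com servers are.
    """
    return {dep for dep in trust_dependencies(zone) if is_in_zone(dep, zone)}


if __name__ == "__main__":
    for z in NS_RECORDS:
        deps = sorted(trust_dependencies(z)) or ["none"]
        circ = sorted(circular_dependencies(z)) or ["none"]
        print(f"{z:20} depends on: {', '.join(deps)};  circular: {', '.join(circ)}")
```

For the constructed data the audit reports that "com" depends on gtld-servers.net and, through it, on netsol.com, and flags netsol.com as circular because it lies under com itself. A real run would replace NS_RECORDS with NS sets gathered from live delegations and the parent-domain rule with actual zone cuts.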
3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
Vpopmail (vchkpw) is a free GPL software package built to help manage
virtual domains and non-/etc/passwd email accounts on Qmail mail servers.
This package is developed by Inter7 (referenced in the 'Credit' section)
and is not shipped, maintained or supported by the main Qmail
distribution.
Certain versions of this software are vulnerable to a remote buffer
overflow attack in the password authentication code of vpopmail.
4. VMware Symlink Vulnerability
BugTraq ID: 943
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/943
Summary:
VMware is software that runs multiple virtual computers on a single PC at
the same time, without partitioning or rebooting.
Certain versions of the VMware for Linux product do not perform /tmp file
sanity checking and create files in the /tmp directory in a way that
follows symlinks. This may be used by a malicious local user to overwrite
any file (with log data) which falls within the write permissions of the
user ID that VMware executes as. Typically this is root. This attack will
most likely result in a denial of service rather than a root level
compromise.
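As an added example (not from the newsletter or from VMware), the following shows the /tmp symlink problem described above and the open pattern that prevents it. It plants a symlink at a constructed, predictable log name inside a throwaway directory, writes through it the way the advisory describes, and then shows that an open with O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses the planted link instead of following it. The file names are constructed for the demonstration.

```python
"""Added example: unsafe vs. symlink-safe creation of a log file in /tmp.

Not part of the newsletter or of VMware's software; paths are constructed.
"""
import os
import tempfile


def unsafe_open_log(path):
    # The pattern the advisory describes: a predictable name opened for
    # writing.  If another user has already planted a symlink at `path`,
    # open() follows it and the log data overwrites the link's target.
    return open(path, "w")


def safe_open_log(path):
    # O_CREAT|O_EXCL makes the call fail if anything, including a symlink,
    # already exists at `path`; O_NOFOLLOW (where the platform has it)
    # adds a second refusal to traverse a final symlink.  Mode 0o600 keeps
    # the log private.  tempfile.mkstemp() combines the same flags with an
    # unpredictable name and is the usual choice for a real daemon.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def demonstrate():
    """Plant a link at a predictable name, then compare both opens.

    Returns (victim contents after the unsafe open, whether the safe open
    refused).  Everything happens inside a temporary directory that is
    removed afterwards, so nothing outside it is touched.
    """
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.conf")   # stands in for a root-owned file
        with open(victim, "w") as f:
            f.write("original contents\n")
        log_path = os.path.join(workdir, "vmware.log")  # constructed predictable name
        os.symlink(victim, log_path)                    # the planted link

        with unsafe_open_log(log_path) as f:            # follows the link
            f.write("log data\n")
        with open(victim) as f:
            clobbered = f.read()

        try:
            safe_open_log(log_path)
            refused = False
        except OSError:            # EEXIST on Linux; some platforms report ELOOP
            refused = True
        return clobbered, refused


if __name__ == "__main__":
    contents, refused = demonstrate()
    print("victim file now contains:", repr(contents))
    print("safe open refused the planted link:", refused)
```

Run on a POSIX system the victim file ends up holding the log data after the unsafe open, while the safe open raises instead of writing. The same flags are what a daemon should use for any file it creates in a world-writable directory.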
5. HP Path MTU Discovery DoS Vulnerability
BugTraq ID: 944
Remote: Yes
Date Published: 2000-01-24
Relevant URL:
http://www.securityfocus.com/bid/944
Summary:
A potential denial of service exists in Hewlett-Packard's proprietary
protocol for discovering the maximum path MTU (PMTU) for a given
connection. This feature could potentially be used to cause denial of
service, using HP-UX machines as "amplifiers." Essentially, HP machines
which are vulnerable can, under certain conditions, be coerced into
sending far more data outbound than they receive inbound. By forging
source addresses, it is possible to send a small quantity of packets
purporting to be from a given source and cause the HP-UX machine to send
multiple packets in response. This could potentially be used as a denial
of service.
HP's proprietary path discovery protocol works by sending data in parallel
with the ICMP packets used for path discovery. While exact details of the
nature of the denial of service were not made public, presumably it could
be possible to utilize UDP packets and default UDP services to start the
chain of events leading to a denial of service.
6. Microsoft East Asian Word Conversion Vulnerability
BugTraq ID: 946
Remote: No
Date Published: 2000-01-20
Relevant URL:
http://www.securityfocus.com/bid/946
Summary:
East Asian language versions of Word and PowerPoint are susceptible to a
buffer overflow exploit. The overflowable buffer is in the code that
converts Word 5 documents into newer formats. Word 97, 98, and 2000 will
automatically convert older files into the new format upon loading.
If a specially-modified Chinese, Japanese or Korean Word 5 document is
loaded into a newer version of Word or PowerPoint, arbitrary code can be
executed during the conversion process, at the privilege level of the
current user.
7. NT RDISK Registry Enumeration File Vulnerability
BugTraq ID: 947
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/947
Summary:
The Rdisk utility shipped with all versions of Windows NT 4.0 is used to
make an Emergency Repair Disk. During the creation of this disk, a
temporary file ($$hive$$.tmp) is created in the %systemroot%\repair
directory that contains the registry hives while they are being backed up.
The group Everyone has Read permission to this file, and in this manner
sensitive information about the server could be leaked.
The file is put in a location that is not shared by default, and is
removed immediately after the disk is created. The only likely scenario
where this could be exploited is in the case of NT Terminal Server, where
an administrator and a regular user could both be logged in interactively
at the same time.
8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
There is a remotely exploitable buffer overflow in Qualcomm's 'qpopper'
daemon which allows users already in possession of a username and password
for a POP account to compromise the server running the qpopper daemon.
The problem lies in the code that handles the 'LIST' command available to
logged-in users. By providing an overly long argument, a buffer may be
overflowed, resulting in the attacker gaining access with the user ID
(UID) of the user whose account is being used for the attack and the
group ID (GID) mail.
This will result in remote access to the server itself and possibly
(depending on how the machine is configured) access to read system users'
mail via the GID mail.
9. NT Index Server Directory Traversal Vulnerability
BugTraq ID: 950
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/950
Summary:
Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The
functionality provided by Index Server has been built into Windows 2000
as Indexing Services.
When combined with IIS, Index Server and Indexing Services include the
ability to view web search results in their original context. It will
generate an HTML page showing the query terms in a short excerpt of the
surrounding text for each page returned, along with a link to that page.
This is known as "Hit Highlighting". To do this, it supports the .htw
filetype, which is handled by the webhits.dll ISAPI application. This DLL
allows the use of the '../' directory traversal string in the selection
of a template file. This allows remote, unauthenticated viewing of any
file on the system whose location is known to the attacker.
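The following is an added example, not the newsletter's text and not Microsoft's fix for webhits.dll. It shows the check a hit-highlighting handler needs before it opens a requested template: decode the name, normalise separators and '..' segments, and refuse anything that does not resolve to a .htw file under the web root. The web root path is a constructed value.

```python
"""Added example: confine a requested .htw template to the web root.

Not the newsletter's text and not Microsoft's code; WEB_ROOT is constructed.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"        # constructed example web root
ALLOWED_SUFFIXES = (".htw",)         # only hit-highlight templates may be served


def resolve_template(requested, web_root=WEB_ROOT):
    """Return the absolute template path, or raise ValueError.

    Steps: percent-decode twice (so a double-encoded '..' is seen for what
    it is), treat backslashes as separators, collapse '..' segments with
    normpath, then insist the result still lies under `web_root` and ends
    in an allowed suffix.  Checking the normalised path, not the raw
    string, is what closes the '../' case the advisory describes.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise ValueError("NUL byte in template name")
    relative = decoded.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(web_root, relative))
    if not (resolved == web_root or resolved.startswith(web_root + "/")):
        raise ValueError(f"template escapes web root: {requested!r}")
    if not resolved.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"not a template file: {requested!r}")
    return resolved


def is_acceptable(requested):
    """Boolean form of resolve_template for use in request filtering."""
    try:
        resolve_template(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request values: the first two are legitimate, the rest
    # are the traversal and encoding variants the check must reject.
    for req in ("search/query.htw", "search/../query.htw",
                "../../secret.txt", "..%2F..%2Fsecret.txt",
                "%252e%252e%2Fsecret.txt", "..\\..\\secret.txt", "query.html"):
        print(f"{req!r:32} -> {'allow' if is_acceptable(req) else 'reject'}")
```

The accept/reject decision is made on the resolved path, so a request that climbs out of the web root and back in ("search/../query.htw") is still served, while every variant that ends outside it, however it is encoded, is refused.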
III. PATCH UPDATES 2000-01-24 to 2000-01-30
-------------------------------------------
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES 2000-01-24 to 2000-01-30
-------------------------------------------------------------------
3. Task Force Battles Online Criminals (Wed Jan 26 2000)
Excerpt:
Ground zero in California's war against Internet crime is behind a
dumpster hard by a hamburger stand in a faded Sacramento County welfare
building. This is the headquarters of the Sacramento Valley high-tech
task force, a multi-agency law enforcement team dedicated to tracking down
e-crime, from stock swindlers to child pornographers.
4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
Excerpt:
In another case destined to fuel e-commerce anxieties, a Parisian computer
programmer is facing counterfeiting and fraud charges after developing a
homemade "smart card" that he says gave him the ability to fraudulently
purchase goods and services throughout France.
5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
Excerpt:
Visa International Inc. acknowledged this week that computer crackers
broke into several servers in its global network last July and stole
information. The company said that in December, it received a phone call
and an e-mail demanding money in exchange for the data.
6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
Excerpt:
In its review of the last 12 months, Sophos, the IT security firm, says
that 1999 turned out to be a year when mass-mailed viruses arrived and
dominated the scene.
The annual review says that virus writers are now taking advantage of the
Internet and corporate e-mail systems to distribute their creations more
quickly.
V. INCIDENTS SUMMARY 2000-01-24 to 2000-01-30
----------------------------------------------
5. PC Anywhere client seems to probe class C of connected networks (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.21.0001251657260.10263-100000@barrel.dt.ecosoft.com
VII. SECURITY JOBS 2000-01-24 to 2000-01-30
--------------------------------------------
5. Virus coder wanted (San Antonio, TX)
Reply to: Drissel, James W. <james.drissel@cmet.af.mil>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil
6. Junior Security Engineers Needed (Maryland)
Reply to: Brian Mitchell <bmitchell@icscorp.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=NCBBKIMIMKKMLDMGEHFKAEAKENAA.bmitchell@icscorp.com
VIII. SECURITY SURVEY 2000-01-24 to 2000-01-30
----------------------------------------------
Our current month long survey is:
"Do you think security vendors exaggerate the importance of security
issues as a marketing strategy?"
Never 6% / 10 votes
Rarely 30% / 48 votes
Often 47% / 74 votes
Always 14% / 23 votes
Total number of votes: 155 votes
IX. SECURITY FOCUS TOP 6 TOOLS 2000-01-24 to 2000-01-30
--------------------------------------------------------
1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
by RedShadow
Relevant URL:
http://www.rsh.kiev.ua
Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, IP
Scanner, Site Info (intended for fast identification of services started
on the host), Network Port Scanner, Tracert, Telnet, Nslookup, Finger,
Echo, Time, UDP test, File Info, Compare File, Netstat, SysInfo, Crypt,
Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info
Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack
(password recovery by search), Unix password Crack, Finger over SendMail,
Buffer Overflow, Smb Password Check, CRK Files
ShadowPortGuard - code for detection of connections on a given port
Shadow Novell NetWare Crack - code for breaking Novell NetWare 4.x, and
many other functions
2. SecurityFocus.com Pager (Win95/98/NT)
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
3. lidentd 1.0p1 (Linux)
lidentd is an identd replacement with many features, including fake users,
random fake users, restricted fake user responses, matching against the
passwd file for fake responses, and more.
5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS)
Logcheck is part of the Abacus Project of security tools. It is a program
created to help in the processing of UNIX system logfiles generated by the
various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
and Log Daemon packages, and the Firewall Toolkit by Trusted Information
Systems Inc. (TIS). Logcheck also works very well at reporting on other
common operating system security violations and strange events.
6. Secret Sharer 1.0 (Windows 95/98)
Secret Sharer is designed to help people keep secure back-up copies of
sensitive data such as PGP (or other cryptosystem) passphrases and
confidential files.
X. SPONSOR INFORMATION - CORE SDI
------------------------------------------
CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms,
for whom CORE SDI develops customized security auditing tools, as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services, CORE also performs risk assessment and security infrastructure
consulting for a large number of government and Fortune 500 companies in
both North and Latin America.
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed, email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest, join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from the
appropriate address or email the moderator to be unsubscribed manually.