
SANS Network Security Digest, 06/23/97



- ----------------------------------------------------------------
| @@@@ @@ @ @ @@@@ |
| @ @ @ @@ @ @ |
| @@@@ @ @ @ @ @ @@@@ Vol. 1, No. 5 |
| @ @@@@@@ @ @ @ @ June 23, 1997 |
| @ @ @ @ @ @@ @ @ |
| @@@@ @ @ @ @ @@@@ |
| The SANS Network Security Digest |
| Editor: Michele Crabb |
| Contributing Editors: |
| Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz |
| Rob Kolstad, Marcus Ranum, Dorothy Denning, Dan Geer |
| Peter Neumann, Peter Galvin, David Harley, Jean Chouanard |
- ----A Resource for Computer and Network Security Professionals---

CONTENTS:
i) Executive Summary
ii) CURMUDGEON'S EXECUTIVE SUMMARY
1) NETSCAPE COMMUNICATOR BUG
2) MULTIPLE IRIX PROGRAMS SUFFER SECURITY PROBLEMS
3) BUFFER OVERFLOW IN LIBXT LIBRARY
4) BUFFER OVERFLOW PROBLEMS IN METAMAIL
5) BUFFER OVERFLOW IN THE TALKD PROGRAM
6) BUFFER OVERFLOW IN SUIDPERL
7) BUFFER OVERFLOW IN AT PROGRAM
8) SUN RELEASES SEVERAL SECURITY PATCHES AND ALERTS
9) HP RELEASES A NUMBER OF SECURITY PATCHES FOR KNOWN PROBLEMS
10) QUICK TIDBITS AND SUMMARIES
11) THE PROBLEM WITH SPAM
12) WIN/NT DENIAL OF SERVICE ATTACK
13) WIN95 NETWORK PASSWORD VULNERABILITY
14) WIN/NT SMB DOWNGRADE EXPLOIT

***************************************************
Network Security '97 (October 20-25 in New Orleans) program
looks to be the best combination of courses and technical
sessions we've ever assembled. New courses on advanced NT
Security, Network Security War Games and more. New short courses
on Virtual Private Networks, PGP, SSH, and similar topics. The
program was just posted at www.sans.org/network.html. If you
want an email version, just ask.
***************************************************

- -----------------------------------------------------------------

- ------------------------------------------------------------------
ii) CURMUDGEON'S EXECUTIVE SUMMARY

Buffer overflows appear to be the most common problems reported
in May, with denial-of-service problems a distant second. Many
of the buffer overflow problems are probably the result of careless
programming, and could have been found and corrected by the vendors,
before releasing the software, if the vendors had performed elementary
testing or code reviews along the way.
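The kind of defect an elementary code review catches is a fixed-size buffer filled with an unchecked copy. As an added illustration (example code written for this page, not code from the digest or from any vendor named in it), the fragment below puts that pattern beside a bounded copy that refuses input that does not fit; NAME_MAX_LEN and the demo inputs are arbitrary values chosen for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added example: the review-visible difference between an unchecked copy
 * into a fixed buffer and a bounded one. NAME_MAX_LEN is an arbitrary
 * example size. */
#define NAME_MAX_LEN 32

/* Unchecked copy: any argument longer than NAME_MAX_LEN - 1 bytes writes
 * past the end of 'name', the pattern behind most overflows of this kind.
 * Shown for contrast only; nothing below calls it. */
int set_name_unchecked(char name[NAME_MAX_LEN], const char *arg)
{
    strcpy(name, arg);          /* no length check at all */
    return 0;
}

/* Bounded copy: returns 0 on success, -1 if 'arg' plus its NUL would not
 * fit in 'size' bytes. On failure 'dst' is left as an empty string so the
 * caller never works with a half-copied value. */
int set_name_bounded(char *dst, size_t size, const char *arg)
{
    size_t len;

    if (dst == NULL || size == 0)
        return -1;
    if (arg == NULL) {
        dst[0] = '\0';
        return -1;
    }
    /* Bounded scan: never looks further than 'size' bytes into 'arg'. */
    for (len = 0; len < size && arg[len] != '\0'; len++)
        ;
    if (len >= size) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Self-checks with constructed inputs; each returns 1 when the bounded
 * copy behaves as described above. */
int demo_short_name_fits(void)
{
    char name[NAME_MAX_LEN];
    return set_name_bounded(name, sizeof name, "guest") == 0 &&
           strcmp(name, "guest") == 0;
}

int demo_long_name_rejected(void)
{
    char name[NAME_MAX_LEN];
    char arg[NAME_MAX_LEN + 8];             /* NAME_MAX_LEN + 7 chars: too long */
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return set_name_bounded(name, sizeof name, arg) == -1 && name[0] == '\0';
}

int demo_exact_boundary(void)
{
    char name[NAME_MAX_LEN];
    char fits[NAME_MAX_LEN];                /* NAME_MAX_LEN - 1 chars: largest that fits */
    char toolong[NAME_MAX_LEN + 1];         /* NAME_MAX_LEN chars: one too many */
    memset(fits, 'B', sizeof fits - 1);
    fits[sizeof fits - 1] = '\0';
    memset(toolong, 'C', sizeof toolong - 1);
    toolong[sizeof toolong - 1] = '\0';
    return set_name_bounded(name, sizeof name, fits) == 0 &&
           strlen(name) == NAME_MAX_LEN - 1 &&
           set_name_bounded(name, sizeof name, toolong) == -1;
}
```

The bounded version is the one a reviewer should expect to see wherever externally supplied data (arguments, environment, network input) lands in a stack buffer; the explicit failure return is what lets the caller reject the input instead of continuing with truncated or corrupted data.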
- -----------------------------------------------------------------

- -----------------------------------------------------------------
1) NETSCAPE NAVIGATOR/COMMUNICATOR BUG (6/12)

There has been a lot of discussion in various newsgroups, mainly
the bugtraq list, about a privacy violation bug in Netscape
Communicator and Navigator. Reports indicate the bug would allow
malicious web site operators to retrieve files from the local hard
disks of visitors to their web site without any indication of such
activity. The bug involves the use of the <INPUT TYPE=FILE> tag
facility. Netscape has released patches for this bug. For more
information, see the Netscape security bulletin at:
<http://www.netscape.com/flash1/misc/security_update.html>

A related story can be found at:
<http://www.news.com/News/Item/0,4,11487,00.html>
- -----------------------------------------------------------------

- ------------------------------------------------------------------
2) IRIX PROGRAMS SUFFER SECURITY PROBLEMS

May was certainly a "pick on SGI" month where the hacker community
found one buffer overflow after another. SGI, CERT and CIAC all
posted alerts regarding the problems, which are summarized below.
Expect to see continued alerts on these pesky buffer overflow problems.

SGI maintains a security web site at:
<http://www.sgi.com/Support/Secur/security.html>

May 6 - Vulnerability in the csetup program, which is suid root. A
local user could gain root access by exploiting the bug. Patches are
available; see the SGI security alert for more information:
<ftp://sgigate.sgi.com/security/19970101-02-PX>
------------------------
May 6 - Vulnerability in the webdist.cgi cgi-bin program, which is
part of the Mindshare Out Box package. Local and remote users can
exploit the vulnerability, which allows them to run programs as the
http daemon. For more information see the following alert:
<ftp://info.cert.org/pub/cert_advisories/CA-97.12.webdist>
------------------------
May 8 - New patch out for the netprint program. Original advisory
sent out in 12/97. More info at:
<http://www.sgi.com/Support/Secur/security.html>
------------------------
May 14 - Vulnerability in runpriv program, which is also suid root.
A local user could gain root access by exploiting this bug.
See the SGI Security alert for more information:
<ftp://sgigate.sgi.com/security/19970503-01-PX>
------------------------
May 14th - Vulnerability in the /usr/sbin/scanners program, which is
part of the Impresario Server V1 as shipped with IRIX 5.x. If exploited,
local users could gain root access. For more information
see the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.16.IRIX.scanners.environ.vul>
------------------------
May 28th - Buffer overflow discovered in multiple IRIX programs: df,
pset, eject, login/scheme, ordist and xlock. These vulnerabilities
were first posted on various newsgroups and by AUSCERT. Aside from
the initial SGI announcement, there is no further information regarding
these problems or how to fix them. Exploit programs for some of the
bugs have been published on the Internet. A wrapper program,
available from AUSCERT, can protect against most of these buffer overflow
problems. See the page at:
<ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/\
overflow_wrapper.c>

You can also remove the SUID bit if that is possible for your environment.
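A wrapper of the kind AUSCERT distributes works by sitting in front of the SUID binary and refusing to run it when any argument or environment string is longer than a fixed limit. The program below is an added example written for this page to show that idea; it is not AUSCERT's overflow_wrapper.c. REAL_PROG and MAX_ARG_LEN are placeholder values, and the vectors in the self-check are constructed, not real process arguments.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example of an overflow wrapper. The wrapper is what gets installed
 * SUID in place of the real program; the real binary is moved to a path
 * that is not otherwise reachable and loses its SUID bit. REAL_PROG and
 * MAX_ARG_LEN are hypothetical values for this example. */
#define REAL_PROG   "/usr/local/lib/real/xlock"   /* hypothetical path */
#define MAX_ARG_LEN 256                            /* example limit, bytes */

/* Length of s, but the scan itself stops at 'limit' bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Returns 1 when every string in the NULL-terminated vector is at most
 * maxlen bytes long, 0 otherwise. Used for both argv and envp. */
int vector_within_limit(char *const *vec, size_t maxlen)
{
    size_t i;
    if (vec == NULL)
        return 1;
    for (i = 0; vec[i] != NULL; i++) {
        if (bounded_len(vec[i], maxlen + 1) > maxlen)
            return 0;
    }
    return 1;
}

/* Self-check with constructed vectors: a normal command line passes, a
 * string of exactly MAX_ARG_LEN bytes passes, one byte more is refused. */
int demo_wrapper_check(void)
{
    char *ok_args[]  = { "xlock", "-mode", "blank", NULL };
    char exact[MAX_ARG_LEN + 1];
    char big[MAX_ARG_LEN + 2];
    char *exact_args[] = { "xlock", exact, NULL };
    char *bad_args[]   = { "xlock", big, NULL };

    memset(exact, 'A', sizeof exact - 1);
    exact[sizeof exact - 1] = '\0';
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    return vector_within_limit(ok_args, MAX_ARG_LEN) == 1 &&
           vector_within_limit(exact_args, MAX_ARG_LEN) == 1 &&
           vector_within_limit(bad_args, MAX_ARG_LEN) == 0;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc;
    if (!vector_within_limit(argv, MAX_ARG_LEN) ||
        !vector_within_limit(envp, MAX_ARG_LEN)) {
        fprintf(stderr, "%s: argument or environment string too long\n",
                argv[0] != NULL ? argv[0] : "wrapper");
        return 1;
    }
    /* Hand over to the real program with the vectors that passed the check. */
    execve(REAL_PROG, argv, envp);
    perror("execve");   /* only reached if the exec failed */
    return 1;
}
```

The limit is deliberately crude: it does not know which argument the real program copies into which buffer, it only guarantees that nothing longer than MAX_ARG_LEN reaches it. That is enough for the overflows listed above, which all depend on one oversized string, and it is why the same wrapper protects several different programs.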

Relevant AUSCERT advisories may be found at:
<http://www.auscert.org.au/information/advisories/aus_1997.html>

Two other SGI program vulnerabilities have been discussed on the bugtraq
mailing list:
/usr/lib/desktop/permissions and /usr/sbin/printers
------------------------
May 29th - Vulnerability in the run time linker program, /bin/rld.
The problem may allow local users to gain root access. A patch is
available from SGI. For more information see:
<ftp://sgigate.sgi.com/security/19970504-01-PX>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
3) BUFFER OVERFLOW IN LIBXT LIBRARY (5/8)

A buffer overflow in the libXt library of the X11 distribution from
the Open Group has been discovered. SUID-root programs built against
this library from versions prior to X11 R6.3 are potentially
vulnerable. CERT recommends upgrading to 6.3 to correct the problem.
The problem may also exist in some third-party vendor-derivatives of
the X11 code. The problem was first discussed in various news groups
in late 1996 and at that time exploitation scripts were made available.
For more information see the CERT bulletin:
<ftp://info.cert.org/pub/cert_advisories/>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
4) BUFFER OVERFLOW PROBLEMS IN METAMAIL (5/23)

A vulnerability in the metamail program (all versions through 2.7)
can allow the sender of a MIME-encoded email message to cause the
recipient to execute an arbitrary command if the receiver processes
the message using the metamail package. Some vendors provide metamail
as part of their distribution. Apply patch if available. For more
information see the CERT bulletin at:
<ftp://info.cert.org/pub/cert_advisories/CA-97.14.metamail>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
5) BUFFER OVERFLOW IN THE TALKD PROGRAM (5/8)

A vulnerability exists in the talkd (otalkd, ntalkd) program. The
vulnerability involves overflowing the stack where the DNS information
is kept (see CERT advisory CA-96.04). By exploiting this vulnerability
remote users may be able to arbitrarily execute commands with root
privileges. CERT recommends that you upgrade to BIND 4.9.4 Patch
level 1 or later to solve the general problem, or disable the
talkd program to resolve this specific instance of the problem.
For more information refer to the following bulletins:

<ftp://info.cert.org/pub/cert_advisories/CA-97.04.talkd>
<ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
6) BUFFER OVERFLOW IN SUIDPERL (5/29)

Buffer overflow in suidperl included with Perl Versions 4.x and 5.x
(prior to 5.003). Vulnerability allows local users to potentially
gain root access by calling programs with "crafty" parameters. CERT
recommends removing the SUID bit on suidperl until you have installed
a patch. See the CERT bulletin for more information:
<ftp://info.cert.org/pub/cert_advisories/CA-97.17.sperl>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
7) BUFFER OVERFLOW IN AT PROGRAM (6/14)

A buffer overflow has been discovered in the at program, which may
allow local users to run programs with root privileges. Many vendors
have released patches for this problem. For more information, see the
CIAC bulletin at: <http://ciac.llnl.gov/ciac/bulletins/h-71.shtml>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
8) SUN RELEASES SECURITY PATCHES AND ALERTS

Sun security patches are available at:
<ftp://sunsolve1.sun.com/pub/patches/patches.html>

A) April 29th - Sun announced the release of the (Solaris 2.5.1)
security patch for the buffer overflow problem in the Pluggable
Authentication Module (PAM). Patches for 2.4 and 2.3 should also
be released soon. Under Solaris 2.5.1, the nispasswd, yppasswd,
and passwd programs use PAM. See the AUSCERT Bulletin for more
information:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.09.Solaris.passwd.buffer.overrun.vul>
-----------------------
B) May 14th - Sun announces release of patch to correct buffer
overflow problem in the ffbconfig program. For more information,
refer to the bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.06c.solaris.ffbconfig.buffer.overrun.vul>
-----------------------
C) May 13th - Vulnerability under Solaris 2.X in the method the lp
spooler uses to create temporary files. By exploiting the bug a local user may
overwrite or create arbitrary files and possibly gain root access.
Exploits for this vulnerability are freely available on the Internet.
See the bulletin for more info:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.15.Solaris.lp.temp.file.creation.vul>
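The temporary-file class of bug is a spooler building a predictable name such as /tmp/lp.<pid> and opening it with O_CREAT but without O_EXCL, so it follows a symlink or reuses a file a local user planted there first. As an added example (written for this page, not Sun's lp code), the fragment below shows the two safe patterns: an unpredictable name created by mkstemp(), and an exclusive create that fails rather than reuse an existing path. The template name is constructed for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not from the digest or from Sun: safe temporary-file
 * creation for a spooler-style program. */

/* Creates a fresh file whose name cannot be predicted in advance. 'template'
 * must end in XXXXXX and is modified in place to the name chosen. Returns
 * the open descriptor or -1. mkstemp() opens with O_CREAT|O_EXCL, so an
 * existing file or symlink at the chosen name makes it pick another. */
int create_private_tempfile(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    (void)fchmod(fd, S_IRUSR | S_IWUSR);  /* owner-only, regardless of umask */
    return fd;
}

/* When the name is fixed by the protocol, refuse to open anything that is
 * already there: O_CREAT|O_EXCL fails with EEXIST instead of following a
 * symlink or truncating someone else's file. Returns the fd or -1. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Self-check: once mkstemp() holds a name, an exclusive create of the same
 * name must fail with EEXIST. Returns 1 when the behaviour is as expected
 * and cleans up the file either way. Uses a constructed template in /tmp. */
int demo_exclusive_create(void)
{
    char name[] = "/tmp/lp.spool.XXXXXX";   /* constructed template */
    int fd, second, ok;

    fd = create_private_tempfile(name);
    if (fd < 0)
        return 0;
    second = create_exclusive(name);
    ok = (second == -1 && errno == EEXIST);
    if (second >= 0)
        close(second);
    close(fd);
    unlink(name);
    return ok;
}
```

The important part is that the decision is made by the kernel inside a single open() call; a program that first checks whether the name exists and then opens it leaves a window between the two steps in which a local user can put a link in place.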
-----------------------
D) May 21st - Buffer overflow vulnerability in the /usr/bin/ps and
/usr/ucb/ps programs may allow local users to gain root access. No
patch is available, but AUSCERT recommends removing the SUID bit.
For more information see the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.17.solaris.ps.buffer.overflow.vul>
-----------------------
E) May 22nd - Buffer overflow vulnerability in the /usr/bin/chkey
program. The vulnerability may allow local users to gain root access.
Temporary workaround is to remove the SUID bit. For more information
see the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.18.solaris.chkey.buffer.overflow.vul>
-----------------------
F) June 4th - Sun announces release of patches for the rpcbind
vulnerability in the following O/S versions (Solaris 2.5.1,
2.5, 2.4, and 2.3). Since the vulnerability can allow a remote
user to gain unauthorized root access, the patches should be
applied as soon as possible. See Sun Bulletin #00142 for more
information.
-----------------------
G) June 5th - Vulnerability in the getopt(3) function, which may allow
users to make programs that use getopt run arbitrary commands. The threat
is greater if such programs are SUID/SGID, since users may then be able
to gain root access. Sun has provided patches for the problems. See
Sun alert #00141 or the CIAC bulletin for more information:
<http://ciac.llnl.gov/ciac/bulletins/h-69.shtml>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
9) HP RELEASES SECURITY PATCHES

HP released several security patches during the last month, correcting
problems previously reported in HP, CERT, CIAC and AUSCERT bulletins.

The HP Electronic Support Center is located at:
<http://us-support.external.hp.com> (US and Canada)
<http://europe-support.external.hp.com> (Europe)

To access the HP security bulletins you must go through a registration
process on the web.

April 30th - Patches for several sendmail vulnerabilities.
April 30th - Patch to correct buffer overflow in talkd
May 7th - Patch to protect against SYN flooding attacks.
May 13th - Patch for buffer overflow in libXt/Error.c
May 28th - Patch for CGI vulnerability in the VirtualVault
Transaction Server Product.
- ------------------------------------------------------------------

- ------------------------------------------------------------------
10) QUICK TIDBITS AND SUMMARIES

A) Early in June two major new web security books were released:
- --- Wiley released "Web Security Sourcebook" by Avi Rubin, Dan Geer,
and Marcus Ranum. Shows hands-on programming techniques necessary
to build secure Web sites, how to secure the server, use firewalls
and cryptography, write secure Java applets and CGI scripts, and more.
Ranum will teach two firewall courses and Geer will teach Kerberos and
Advanced Topics in Web Security at SANS Network Security '97 (October,
New Orleans) - see <http://www.sans.org/network.html>. Early registrants
can get a free copy of this or the O'Reilly book.
- --- O'Reilly released "Web Security & Commerce" by Simson Garfinkel
with Gene Spafford. Explains the risks of the Web and how you can
minimize them. Covers browser vulnerabilities, privacy concerns,
issues with Java, JavaScript, ActiveX, and plug-ins, digital
certificates, cryptography, Web server security (e.g., SSL, TLS,
server access methods, and secure CGI/API programming), blocking
software, censorship technology, and relevant civil and criminal
issues. You can find more information on the book at:
<http://www.ora.com/catalog/websec>. Spafford will join the faculty
at SANS'98 (May) in Monterey, California.
------------------------
C) Rep. Goodlatte's SAFE encryption bill was approved out of
committee and is scheduled for review by the full US House of
Representatives.
------------------------
D) Want to learn more about buffer overflow problems in Linux? See a
new web page on stack overflow exploits at:
<http://www-miaif.ibp.fr/willy/security>
------------------------
E) May 5th - Researchers at the University of Washington discovered
a security flaw in the JAVA Developer Kit Verifier which can allow
malicious users to crash JAVA programs at will. There are
discrepancies between reports from Sun and UOW. For more information
see the following web sites:
<http://java.sun.com/sfaq>
<http://java.sun.com/security/UW.html>
------------------------
F) May 6th - Vixie enterprises announced the release of BIND
version 8.1 which corrects several security flaws, some we
mentioned in the May SANS Digest. For information,
documentation and the source code, see:
<http://www.vix.com/isc/bind.html>
------------------------
H) Looking for yet another source of NT Security information
on the web? Check out <http://www.ntsecurity.net/>.
- ------------------------------------------------------------------

- ------------------------------------------------------------------
11) THE PROBLEM WITH SPAM

Subscribers to mailing lists are frequently targeted by spammers
(purveyors of junk E-mail). The issue has been much discussed
recently on several affected security-focused lists. While there
is no universal solution to this escalating problem, there's a
list of Internet resources relating to E-mail and other net abuse
at: <http://webworlds.co.uk/dharley/security/spam.txt>

Fortunately, help for SPAM victims may be on its way... Bills have
been introduced in both the House and Senate to regulate "spam"
mailings. The bills differ in details, and are supported by
different groups. The bills place various requirements on the
spammers and the ISPs. A common characteristic is that users can
request to be removed from lists, and there are penalties for
spammers who violate the proposed laws. Web sites that contain
useful SPAM information include:
<http://www.vix.com> - see the "Boycott Internet Spam" link.
<http://www.cauce.org> - The Coalition Against Unsolicited Commercial Email
<http://spam.abuse.net> - The Fight Spam home page
- ------------------------------------------------------------------

- ------------------------------------------------------------------
12) WIN/NT DENIAL OF SERVICE ATTACK (5/12)

Yet another vulnerability discovered in NT. This time it is a
denial of service attack accomplished by sending out-of-band data.
According to the Microsoft announcement at
<http://www.microsoft.com/ntserver/info/denial.htm>,
only someone with a detailed knowledge of the TCP/IP protocol
could exploit this bug. A later alert issued by CIAC said this
type of attack could cause an NT system to crash, causing possible
data loss. For more information see the CIAC alert at:
<http://ciac.llnl.gov/ciac/bulletins/h-57.shtml>

Microsoft issued fixes in Service Pack 3; however, various postings
indicate this Service Pack did not completely fix the problem.
To protect against this problem, the alert centers recommend you
filter port 139/tcp on your perimeter routers.
- ------------------------------------------------------------------

- ------------------------------------------------------------------
13) WIN95 NETWORK PASSWORD VULNERABILITY (6/3)

A vulnerability has been discovered in the way network passwords
are stored for Windows95 systems. The file containing the cleartext
passwords is also stored in cleartext in memory. The vulnerability
can potentially allow someone to discover the password of the currently
logged in user by looking at the contents of memory structures. For
more information refer to the AUSCERT bulletin at:
<ftp://ftp.auscert.org.au/pub/auscert/advisory/\
AA-97.25.windows95.network.passwd.vul>

Microsoft released a patch for this problem. Refer to the page:
<http://www.microsoft.com/windows95/info/passwordmb.htm>
- ------------------------------------------------------------------

- ------------------------------------------------------------------
14) WIN/NT SMB DOWNGRADE EXPLOIT (5/6)

The vulnerability in the Server Message Block negotiation has been
known for some time. However, someone posted an exploit program for
this bug on the Internet. The exploit program causes the Server Message
Block negotiation to downgrade, which causes the client host to send
its cleartext password information over the net. For a more detailed
explanation of the problem, refer to the page:
<http://www.microsoft.com/ntserver/info/password.htm>

**********************
Copyright, 1997. All rights reserved.

This is the final SANS Network Security Digest that may be freely
forwarded to co-workers and other security professionals. After
July 1, all recipients should be registered. To register at no
cost (through December, 1998), act before July 1, 1997. Send your
name, job title, employer, a home or office surface mail address
(for the Network Security poster) telephone and preferred email.
Send to: [email protected].

After July 1, send the same registration information along with credit
card number and expiration date. The fee is $80 for the period ending
December, 1998. If you don't want to email credit card information,
fax it (but make sure the email is legible) to 301-229-1063.
Corporate discounts are available.
 